
Issues with Permissions, Malware maybe involved!

Discussion in 'Malware and Virus Removal Archive' started by Evan Omo, 2008/03/27.

  1. 2008/03/27
    Evan Omo (Computer Support Technician, Staff, Thread Starter)

    Hi. On my dad's computer, which is running Windows XP Professional, the problem was that Windows Explorer wouldn't load. I tried every possible solution I could think of and I couldn't get Windows Explorer to start up. My dad and I went to Best Buy and bought a Windows XP Professional CD. I then got home and did a repair install of the OS. Everything went fine and when I logged on, Windows Explorer started up normally. :D I then proceeded to go to Windows Update to install all of the latest patches. The website wouldn't load and it hung on "Checking if your computer has the latest windows updating software for use with the website." The website would never load past that point and I don't receive the prompt to load the ActiveX control. Anyway, I received a lot of updates that were downloaded by Automatic Updates. When I tried to install them, they try to install but I get a notification that all of the updates failed to install. :mad: I've also tried to install Adobe Flash Player and Windows Media Player 11 but they both failed to install. I really have no idea why every update I try seems to fail. :( I have tried various solutions to reset the permissions to the defaults, all without success. I have tried Dial-a-Fix, Microsoft Knowledge Base articles on resetting permissions, and following instructions from http://adobe.com/go/tn_19166 and http://windowssecrets.com/2007/09/27/03-Stealth-Windows-update-prevents-XP-repair. I don't know what else to try. If I can't solve this problem then I may as well just format the machine and start over. :(

    Here is the Deckard Log.

    Deckard's System Scanner v20071014.68
    Run by Robert Omo on 2008-03-27 15:49:55
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    18: 2008-03-27 23:50:18 UTC - RP18 - Deckard's System Scanner Restore Point
    17: 2008-03-27 23:26:45 UTC - RP17 - Software Distribution Service 3.0
    16: 2008-03-27 23:25:25 UTC - RP16 - Software Distribution Service 3.0
    15: 2008-03-27 21:04:51 UTC - RP15 - Installed Windows Resource Kit Tools - SubInAcl.exe
    14: 2008-03-27 20:40:45 UTC - RP14 - Installed Windows XP KB926239.


    -- First Restore Point --
    1: 2008-03-27 19:21:51 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Robert Omo.exe) ------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:52:30 PM, on 3/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Program Files\Common Files\AOL\1103495592\ee\AOLSoftware.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Robert Omo\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Robert Omo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    R3 - URLSearchHook: (no name) - {BED5E28A-2A6A-01C6-3EEC-20807C4E0095} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: (no name) - {3464B9E7-2150-0FAE-0612-2F00CAB78F98} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {65D70B12-91A1-EC53-A448-9A2B28E18CC9} - (no file)
    O2 - BHO: (no name) - {E297D808-40EE-6A4E-BD5C-4B76621F0DC6} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103495592\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe "
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\
    O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 7179 bytes

    -- File Associations -----------------------------------------------------------

    .reg - regfile - shell\open\command - "%1" %*
    .scr - scrfile - shell\open\command - "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
    R1 sp_rsdrv2 (Spyware Terminator Driver 2) - c:\windows\system32\drivers\sp_rsdrv2.sys
    R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

    S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
    S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 sp_rssrv (Spyware Terminator Realtime Shield Service) - "c:\program files\spyware terminator\sp_rsser.exe" <Not Verified; Crawler.com; Crawler Spyware Terminator>

    S3 sp_clamsrv (Spyware Terminator Clam Service) - "c:\program files\winclamavshield\sp_clamsrv.exe" <Not Verified; Crawler.com; Spyware Terminator>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-03-27 15:00:00 278 --ah----- C:\WINDOWS\Tasks\BDCDA72C91364728.job
    2008-03-27 15:00:00 276 --ah----- C:\WINDOWS\Tasks\BC6C25F691E7C8F2.job
    2008-03-27 15:00:00 276 --ah----- C:\WINDOWS\Tasks\B4FF56CD9134C1D1.job
    2008-03-27 15:00:00 280 --ah----- C:\WINDOWS\Tasks\AE4AA6E791895F0B.job
    2008-03-27 15:00:00 276 --ah----- C:\WINDOWS\Tasks\AB3827FB9183DDF7.job
    2008-03-27 15:00:00 276 --ah----- C:\WINDOWS\Tasks\AACB1CB0918490B8.job
    2008-03-27 15:00:00 276 --ah----- C:\WINDOWS\Tasks\A9F3FDE391847523.job
    2008-03-27 15:00:00 276 --ah----- C:\WINDOWS\Tasks\A6AE74A591EDEBA1.job
    2008-03-27 12:48:35 428 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{754D0594-BE19-4EA4-B2FB-CF8418844CB2}.job


    -- Files created between 2008-02-27 and 2008-03-27 -----------------------------

    6137-61-37 13:76:09 0 dr------- C:\Documents and Settings\Evan Omo\My Documents
    2008-03-27 15:52:11 0 d-------- C:\Program Files\Trend Micro
    2008-03-27 15:19:57 0 d-------- C:\WINDOWS\LastGood
    2008-03-27 13:16:50 0 d-------- C:\WINDOWS\system32\CatRoot2
    2008-03-27 13:16:24 0 d--h----- C:\Program Files\WindowsUpdate
    2008-03-27 13:13:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2008-03-27 13:04:56 0 d-------- C:\Program Files\Windows Resource Kits
    2008-03-27 12:38:29 0 d-------- C:\Program Files\Windows Media Connect 2
    2008-03-27 12:33:36 0 d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-27 12:12:20 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-27 11:55:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    2008-03-27 11:17:00 0 d-------- C:\WINDOWS\Prefetch
    2008-03-27 10:36:21 0 d-------- C:\Program Files\Common Files\ODBC
    2008-03-27 02:18:06 0 d-------- C:\WINDOWS\Provisioning
    2008-03-27 02:18:06 0 d-------- C:\WINDOWS\PeerNet
    2008-03-27 02:18:06 0 d-------- C:\WINDOWS\ehome
    2008-03-24 19:41:25 0 d-------- C:\Program Files\Auslogics
    2008-03-24 19:12:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
    2008-03-17 18:22:27 0 dr-h----- C:\Documents and Settings\Robert Omo\Recent
    2008-03-14 21:12:27 0 d-------- C:\Documents and Settings\Evan Omo\Application Data\Malwarebytes
    2008-03-12 20:38:33 0 d-------- C:\Documents and Settings\Robert Omo\LimeWire Store Purchased
    2008-03-12 19:31:11 0 d-------- C:\Program Files\SpywareBlaster
    2008-03-11 18:25:31 0 dr-h----- C:\Documents and Settings\Evan Omo\Recent
    2008-03-10 20:53:15 0 d-------- C:\Documents and Settings\Robert Omo\Application Data\Malwarebytes
    2008-03-10 20:52:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes


    -- Find3M Report ---------------------------------------------------------------

    2008-03-27 15:47:18 0 d-------- C:\Documents and Settings\Robert Omo\Application Data\SiteAdvisor
    2008-03-27 15:19:22 0 d-------- C:\Program Files\WinClamAVShield
    2008-03-27 12:06:19 0 d-------- C:\Program Files\Spyware Terminator
    2008-03-27 11:43:10 0 d-------- C:\Program Files\Common Files\Adobe
    2008-03-27 11:38:05 0 d-------- C:\Program Files\Common Files\AOL
    2008-03-27 11:37:57 0 d-a------ C:\Program Files\Common Files
    2008-03-27 11:37:50 0 d-------- C:\Program Files\Common Files\aolshare
    2008-03-27 10:54:50 0 d-------- C:\Program Files\Movie Maker
    2008-03-27 10:52:09 23348 --a----c- C:\WINDOWS\system32\emptyregdb.dat
    2008-03-27 10:50:20 0 d-------- C:\Program Files\Messenger
    2008-03-27 10:50:14 0 d-------- C:\Program Files\Windows NT
    2008-03-24 20:11:33 0 d-------- C:\Documents and Settings\Robert Omo\Application Data\DeepBurner
    2008-03-19 18:16:32 0 d-------- C:\Documents and Settings\Robert Omo\Application Data\WeatherBug
    2008-03-17 17:51:17 0 d-------- C:\Documents and Settings\Robert Omo\Application Data\Spyware Terminator
    2008-03-12 20:39:10 0 d-------- C:\Documents and Settings\Robert Omo\Application Data\LimeWire
    2008-03-10 20:51:07 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-20 18:01:25 3932 --a----c- C:\Documents and Settings\Robert Omo\Application Data\LMLayout.dat
    2008-02-20 18:01:25 268 --a----c- C:\Documents and Settings\Robert Omo\Application Data\LMCPaper.dat
    2008-02-08 12:25:26 1632 --a------ C:\WINDOWS\system32\d3d8caps.dat
    2008-02-05 16:14:54 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-02-02 21:01:06 1744 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2008-01-30 09:23:01 22576 --a----c- C:\Documents and Settings\Robert Omo\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-15 18:11:12 618 --a------ C:\Documents


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3464B9E7-2150-0FAE-0612-2F00CAB78F98}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D70B12-91A1-EC53-A448-9A2B28E18CC9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E297D808-40EE-6A4E-BD5C-4B76621F0DC6}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager "= "C:\Program Files\Common Files\AOL\1103495592\ee\AOLSoftware.exe" [09/25/2006 04:52 PM]
    "SpywareTerminator "= "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [02/14/2008 07:33 PM]
    "SiteAdvisor "= "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [08/24/2007 01:57 PM]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
    "MP10_EnsureFileVer "= "C:\WINDOWS\inf\unregmp2.exe" [02/28/2006 04:00 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
    "Weather "= "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" []
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
    "CheckRegDefragService "=" " []
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]
    "AOL Fast Start "= "C:\Program Files\America Online 9.0a\AOL.exe" [07/12/2005 06:17 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [10/31/2004 4:38:16 PM]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop "=00000000
    "NoSaveSettings "=00000000
    "ClearRecentDocsOnExit "=00000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Extensions]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ShellCompatibility]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages "= scecli

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice "




    -- Hosts -----------------------------------------------------------------------

    127.0.0.1 babe.the-killer.bz
    127.0.0.1 www.babe.the-killer.bz
    127.0.0.1 babe.k-lined.com
    127.0.0.1 www.babe.k-lined.com
    127.0.0.1 did.i-used.cc
    127.0.0.1 www.did.i-used.cc
    127.0.0.1 coolwwwsearch.com
    127.0.0.1 www.coolwwwsearch.com
    127.0.0.1 coolwebsearch.com
    127.0.0.1 www.coolwebsearch.com

    8347 more entries in hosts file.


    -- End of Deckard's System Scanner: finished at 2008-03-27 15:53:40 ------------
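The HijackThis section of the log above is what a helper reads first, and most of the signal is structural: entries that still point at a file that no longer exists, Winlogon Notify packages that resolve to a bare directory instead of a DLL, and downloaded program files with no recorded source URL. The following added example (my own code, not from the thread, HijackThis or Deckard's System Scanner) applies those three checks to lines quoted from the log; the `Finding` type, the severity labels and the check names are my own.

```python
"""Structural triage of HijackThis-style log entries (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One HijackThis entry: a section code (R0-R3, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# Sample input: entries quoted from the HijackThis log posted above; the Adobe
# BHO, ctfmon and AOL service lines are kept as clean negative cases.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3464B9E7-2150-0FAE-0612-2F00CAB78F98} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O20 - Winlogon Notify: mllmk - C:\WINDOWS\
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    entry: str     # the offending line, verbatim
    severity: str  # "review" (act on it) or "info" (look it up first)
    reason: str


def split_entry(line: str):
    """Return (section, fields) for an HJT entry, or None for any other line.

    Fields are the ' - ' separated parts of the body; the last one is the
    file, URL or '(no file)' marker the registry entry resolves to.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    fields = [f.strip() for f in m.group("body").split(" - ")]
    return m.group("section"), fields


def triage_line(line: str) -> Optional[Finding]:
    """Apply the structural checks a helper applies when reading an HJT log."""
    parsed = split_entry(line)
    if parsed is None:
        return None
    section, fields = parsed
    target = fields[-1]
    text = line.strip()

    # 1. The registry still names a component whose file is gone: residue of
    #    a removal. Harmless as a hook, but delete the entry so nothing can
    #    later drop a new file at the path it still references.
    if target == "(no file)":
        return Finding(section, text, "review",
                       "orphaned entry: registry points at a file that no longer exists")

    # 2. Winlogon Notify packages are DLLs loaded into winlogon.exe at logon.
    #    When HJT shows only a directory, the DllName value did not resolve to
    #    a file; inspect that value in the registry before trusting the entry.
    if section == "O20" and target.endswith("\\"):
        return Finding(section, text, "review",
                       "Winlogon Notify package resolves to a directory, not a DLL")

    # 3. A Downloaded Program File with no codebase URL has no recorded
    #    origin; look the CLSID up rather than assume it is a known control.
    if section == "O16" and target.endswith("-"):
        return Finding(section, text, "info",
                       "downloaded program file has no recorded source URL")
    return None


def triage_log(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section, e.g. {'O2': 1, 'O20': 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

On the sample above the script reports the R3 hook, the nameless O2 BHO and the O22 entry as orphaned, the mllmk O20 entry as unresolved, and the URL-less O16 control for lookup, while the Adobe BHO, ctfmon.exe and the AOL service pass.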
     
  2. 2008/03/27
    noahdfear (Inactive)

    Hi Evan :)

    Download SmitfraudFix by S!Ri, saving it to the desktop.

    • Restart the computer in Safe Mode and log on to your account.
    • Double-click SmitfraudFix.exe to start the tool and press 2, then hit Enter.
    • You will be prompted 'Do you want to clean the registry?'; answer Y (yes) and hit Enter.
    • If prompted to replace the infected wininet.dll file (if found), answer Y (yes) and hit Enter to restore a clean file.
    • Reboot to Normal Mode when the tool completes.


    Download ComboFix by sUBs from here, saving the file to your desktop.

    Please disable real-time protection applications, as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows.
    • Double-click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you log on. Wait for it to complete. When finished, it will open a log for you. Post the ComboFix log, the C:\rapport.txt log from SmitfraudFix and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2008/03/27
    Evan Omo (Computer Support Technician, Staff, Thread Starter)

    Hey Dave, thanks. Here are the logs you requested!

    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:12:05 PM, on 3/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X125\LEX125SU.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    R3 - URLSearchHook: (no name) - {BED5E28A-2A6A-01C6-3EEC-20807C4E0095} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe "
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 6579 bytes

    ComboFix Log

    ComboFix 08-03-26.3 - Robert Omo 2008-03-27 20:57:54.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.290 [GMT -8:00]
    Running from: C:\Documents and Settings\Robert Omo\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Karen Omo\Application Data\APPATC~1
    C:\Documents and Settings\Karen Omo\Application Data\ASKS~1
    C:\Documents and Settings\Karen Omo\Start Menu\Programs\Outerinfo
    C:\Documents and Settings\Karen Omo\Start Menu\Programs\Outerinfo\Terms.lnk
    C:\Documents and Settings\Karen Omo\Start Menu\Programs\Outerinfo\Uninstall.lnk
    C:\Documents and Settings\Robert Omo\Application Data\FNTS~1
    C:\Documents and Settings\Robert Omo\Application Data\Sskdmns.dll
    C:\Documents and Settings\Robert Omo\Application Data\TSKS~1
    C:\WINDOWS\crosof~1.net
    C:\WINDOWS\mcroso~1.net
    C:\WINDOWS\scurit~1
    C:\WINDOWS\stem~1
    C:\WINDOWS\system32\components
    C:\WINDOWS\system32\crosof~1.net
    C:\WINDOWS\system32\curity~1
    C:\WINDOWS\system32\dobe~1
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\icroso~1.net
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ppatch~1
    C:\WINDOWS\system32\sembly~1
    C:\WINDOWS\system32\sks~1
    C:\WINDOWS\system32\sks~1\m?hta.exe
    C:\WINDOWS\system32\stem32~1
    C:\WINDOWS\system32\stera.log
    C:\WINDOWS\system32\wnsxs~1
    C:\WINDOWS\winsysupd71.dat
    C:\WINDOWS\ymbols~1
    C:\WINDOWS\ymbols~1\scanregw.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
    .

    2008-03-27 20:28 . 2008-03-27 20:28 1,980 --a------ C:\WINDOWS\system32\tmp.reg
    2008-03-27 20:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-03-27 20:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-03-27 20:26 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-03-27 20:26 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-03-27 20:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-03-27 20:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-03-27 20:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-03-27 20:11 . 2003-01-10 13:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-03-27 20:06 . 2008-03-27 20:06 <DIR> d-------- C:\Program Files\Common Files\aolshare
    2008-03-27 18:14 . 2008-03-27 18:14 <DIR> d-------- C:\Documents and Settings\Robert Omo\Application Data\acccore
    2008-03-27 18:09 . 2008-03-27 18:09 <DIR> d-------- C:\Documents and Settings\Evan Omo\Application Data\acccore
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Program Files\Viewpoint
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-03-27 17:35 . 2008-03-27 20:12 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-03-27 17:34 . 2008-03-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-03-27 17:31 . 2008-03-27 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-03-27 15:52 . 2008-03-27 15:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-27 13:20 . 2008-03-27 13:22 7,348,224 --a------ C:\WINDOWS\sectest.db
    2008-03-27 13:16 . 2008-03-27 20:11 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-03-27 13:04 . 2008-03-27 13:04 <DIR> d-------- C:\Program Files\Windows Resource Kits
    2008-03-27 12:39 . 2008-03-27 19:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2008-03-27 12:39 . 2008-03-27 19:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2008-03-27 12:38 . 2008-03-27 12:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-03-27 12:33 . 2008-03-27 19:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-27 12:17 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-03-27 11:35 . 2008-03-27 11:35 0 --a------ C:\WINDOWS\system32\REN41.tmp
    2008-03-27 11:35 . 2008-03-27 11:35 0 --a------ C:\WINDOWS\system32\REN40.tmp
    2008-03-27 11:19 . 2008-03-27 11:19 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-03-27 11:12 . 2006-02-28 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
    2008-03-27 11:10 . 2006-02-28 04:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
    2008-03-27 11:09 . 2006-02-28 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-03-27 11:08 . 2006-02-28 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-03-27 11:07 . 2006-02-28 04:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
    2008-03-27 11:06 . 2006-02-28 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-03-27 11:05 . 2006-02-28 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-03-27 11:04 . 2006-02-28 04:00 369,664 --a--c--- C:\WINDOWS\system32\dllcache\asp51.dll
    2008-03-27 11:03 . 2006-02-28 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-03-27 10:56 . 2008-03-27 10:56 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-03-27 10:55 . 2006-02-28 04:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-03-27 10:50 . 2006-02-28 04:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 60,928 --a--c--- C:\WINDOWS\system32\dllcache\iisclex4.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a------ C:\WINDOWS\system32\iismui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a--c--- C:\WINDOWS\system32\dllcache\iismui.dll
    2008-03-27 10:41 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-03-27 10:41 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a------ C:\WINDOWS\system32\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
    2008-03-27 10:34 . 2006-02-28 04:00 1,086,058 -ra------ C:\WINDOWS\SET8C.tmp
    2008-03-27 10:34 . 2006-02-28 04:00 1,042,903 -ra------ C:\WINDOWS\SET8B.tmp
    2008-03-27 02:18 . 2008-03-27 02:18 <DIR> d-------- C:\WINDOWS\Provisioning
    2008-03-27 02:18 . 2008-03-27 02:28 <DIR> d-------- C:\WINDOWS\PeerNet
    2008-03-27 02:18 . 2008-03-27 02:29 <DIR> d-------- C:\WINDOWS\ehome
    2008-03-27 02:18 . 2008-03-27 15:17 536,428,544 --a------ C:\WINDOWS\MEMORY.DMP
    2008-03-26 19:47 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-03-24 19:41 . 2008-03-24 19:44 <DIR> d-------- C:\Program Files\Auslogics
    2008-03-14 21:12 . 2008-03-14 21:12 <DIR> d-------- C:\Documents and Settings\Evan Omo\Application Data\Malwarebytes
    2008-03-12 19:31 . 2008-03-27 12:12 <DIR> d-------- C:\Program Files\SpywareBlaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-28 05:04 --------- d-----w C:\Program Files\WinClamAVShield
    2008-03-28 04:23 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\SiteAdvisor
    2008-03-28 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-03-28 02:28 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\SiteAdvisor
    2008-03-28 01:22 --------- d-----w C:\Program Files\Spyware Terminator
    2008-03-28 01:22 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\Spyware Terminator
    2008-03-28 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-03-27 23:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
    2008-03-27 20:06 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Spyware Terminator
    2008-03-27 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-27 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-03-25 03:41 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Auslogics
    2008-03-15 22:55 --------- d-----w C:\Documents and Settings\Karen Omo\Application Data\Spyware Terminator
    2008-02-21 02:01 3,932 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMLayout.dat
    2008-02-21 02:01 268 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMCPaper.dat
    2008-02-15 03:33 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-02-07 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-07 06:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-06 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-30 17:23 22,576 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-16 02:33 3,932 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMLayout.dat
    2008-01-16 02:33 268 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMCPaper.dat
    2007-10-13 02:51 3,932 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMLayout.dat
    2007-10-13 02:51 268 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMCPaper.dat
    2006-08-08 02:48 50,371 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_08_07_15_39_31_small.dmp.zip
    2005-09-21 16:49 120,996 -c-ha-w C:\Documents and Settings\Robert Omo\Application Data\ptads.bin
    2005-09-15 20:37 94,939 -c-ha-w C:\Documents and Settings\Evan Omo\Application Data\ptads.bin
    2005-09-05 02:50 79,712 -c-ha-w C:\Documents and Settings\Karen Omo\Application Data\ptads.bin
    2004-11-30 02:15 23,040 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\GDIPFONTCACHEV1.DAT
    2002-01-18 14:52 3,932 -c----w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3464B9E7-2150-0FAE-0612-2F00CAB78F98}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D70B12-91A1-EC53-A448-9A2B28E18CC9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E297D808-40EE-6A4E-BD5C-4B76621F0DC6}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
    "Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
    "CheckRegDefragService"="" []
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-14 19:33 2957824]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2006-02-28 04:00 208896]
    "HostManager"="C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe" [2007-10-08 13:50 41824]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2004-10-31 16:38:16 1990656]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Extensions]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ShellCompatibility]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntivirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\AOLDesktop.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-02-14 19:33]
    R3 SMC55T;SMC EZ Card 10/100 (SMC1255TX);C:\WINDOWS\system32\DRIVERS\SMC55T51.sys [2002-07-05 15:31]
    S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 12:58]
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\A6AE74A591EDEBA1.job"
    - c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\A9F3FDE391847523.job"
    - c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\AACB1CB0918490B8.job"
    - c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\AB3827FB9183DDF7.job"
    - c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\AE4AA6E791895F0B.job"
    - c:\docume~1\robert~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\B4FF56CD9134C1D1.job"
    - c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\BC6C25F691E7C8F2.job"
    - c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-28 05:00:00 C:\WINDOWS\Tasks\BDCDA72C91364728.job"
    - c:\docume~1\kareno~1\applic~1\longsl~1\Corn meow amok.exe
    "2008-03-27 20:48:35 C:\WINDOWS\Tasks\User_Feed_Synchronization-{754D0594-BE19-4EA4-B2FB-CF8418844CB2}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-27 21:04:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\SiteAdvisor\6253\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-27 21:08:23 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-28 05:07:29
    Pre-Run: 68,332,752,896 bytes free
    Post-Run: 68,258,512,896 bytes free
     
  5. 2008/03/27
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    SmitFraudFix Log

    SmitFraudFix v2.309

    Scan done at 20:27:28.03, Thu 03/27/2008
    Run from C:\Documents and Settings\Robert Omo\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    127.0.0.1 localhost
     
    Last edited by a moderator: 2008/03/27
  6. 2008/03/27
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    SmitFraudFix Log Continued
     
    Last edited by a moderator: 2008/03/27
  7. 2008/03/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Skip the entire HOSTS File section and post what remains, please.
     
  8. 2008/03/27
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    Sorry about that Dave. I didn't know that you didn't want me to post the hosts file.

    Here is the remainder of the SmitFraudFix log without the hosts file included

    »»»»»»»»»»»»»»»»»»»»»»»» VACFix

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\ot.ico Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{C169E8AF-F2E2-4209-9B4E-CEE5C4E31811}: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{C169E8AF-F2E2-4209-9B4E-CEE5C4E31811}: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{C169E8AF-F2E2-4209-9B4E-CEE5C4E31811}: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{C169E8AF-F2E2-4209-9B4E-CEE5C4E31811}: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=64.85.239.20 64.85.239.21
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=64.85.239.20 64.85.239.21


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
    Last edited: 2008/03/27
  9. 2008/03/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No problem RE: posting the HOSTS file entries. No way you could have known, nor would I have known they would be present. ;)

    You should disable Spybot's TeaTimer until after we're done, as it can prevent some of the registry changes that need to be made.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Reboot.


    Scan again with HijackThis and place a check next to the following entries, then click Fix Checked.

    R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
    R3 - URLSearchHook: (no name) - {BED5E28A-2A6A-01C6-3EEC-20807C4E0095} - (no file)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) -
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in) -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) -
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in) -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -


    Close HijackThis.

    Copy and paste each of the following bolded commands into the Start>Run dialog then hit enter.

    c:\docume~1\evanom~1\applic~1\longsl~1

    c:\docume~1\robert~1\applic~1\longsl~1

    c:\docume~1\kareno~1\applic~1\longsl~1


    If each command opens the corresponding longsl~1 folder (I don't know what the folder's actual name is), use the Menu 'up one folder' icon to go up to the app data folder then delete the longsl~1 folder(s).


    Next, once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\Tasks\A6AE74A591EDEBA1.job
    C:\WINDOWS\Tasks\A9F3FDE391847523.job
    C:\WINDOWS\Tasks\AACB1CB0918490B8.job
    C:\WINDOWS\Tasks\AB3827FB9183DDF7.job
    C:\WINDOWS\Tasks\AE4AA6E791895F0B.job
    C:\WINDOWS\Tasks\B4FF56CD9134C1D1.job
    C:\WINDOWS\Tasks\BC6C25F691E7C8F2.job
    C:\WINDOWS\Tasks\BDCDA72C91364728.job
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3464B9E7-2150-0FAE-0612-2F00CAB78F98}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D70B12-91A1-EC53-A448-9A2B28E18CC9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E297D808-40EE-6A4E-BD5C-4B76621F0DC6}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CheckRegDefragService"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Extensions]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ShellCompatibility]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
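The triage that the helper did by hand on the 'Scheduled Tasks' section of the ComboFix log above (eight .job files with random-looking names, all launching the same executable from a longsl~1 folder in three different user profiles) can be scripted. The Python below is an added example written for this thread; it is not ComboFix, SmitFraudFix or HijackThis code and not anything the posters ran. Its sample input is the 'Scheduled Tasks' excerpt from the log in post 4 (the eight task entries plus the system-owned msfeedssync task as a benign control), and the three signals it scores are this example's own heuristics, not rules from any of those tools: a job name that is sixteen hex digits, a target under a user's Application Data folder (8.3 short form or long form), and the same payload file scheduled from more than one profile.

```python
"""Triage the 'Scheduled Tasks' section of a ComboFix log.

Added example for this thread (not ComboFix's own code). It scores each
.job entry with three constructed heuristics and groups entries by payload
so that one file scheduled from several user profiles is visible at once.
"""
import re
from collections import defaultdict

# Sample input: the 'Scheduled Tasks' section as posted earlier in this thread.
SAMPLE_SECTION = r'''
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\A6AE74A591EDEBA1.job"
- c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\A9F3FDE391847523.job"
- c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\AACB1CB0918490B8.job"
- c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\AB3827FB9183DDF7.job"
- c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\AE4AA6E791895F0B.job"
- c:\docume~1\robert~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\B4FF56CD9134C1D1.job"
- c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\BC6C25F691E7C8F2.job"
- c:\docume~1\evanom~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-28 05:00:00 C:\WINDOWS\Tasks\BDCDA72C91364728.job"
- c:\docume~1\kareno~1\applic~1\longsl~1\Corn meow amok.exe
"2008-03-27 20:48:35 C:\WINDOWS\Tasks\User_Feed_Synchronization-{754D0594-BE19-4EA4-B2FB-CF8418844CB2}.job"
- C:\WINDOWS\system32\msfeedssync.exe
'''

# A job line: quoted timestamp plus .job path (a trailing space before the
# closing quote, as forum rendering sometimes adds, is tolerated).
JOB_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?\.job)\s*"$')
# The following line names the task's target.
TARGET_RE = re.compile(r'^- (.+?)\s*$')
# Heuristic 1: a job name that is exactly 16 hex digits (random-looking).
HEX_NAME_RE = re.compile(r'^[0-9A-F]{16}\.job$', re.IGNORECASE)
# Heuristic 2: target under a user's Application Data, 8.3 or long form.
USER_APPDATA_RE = re.compile(
    r'\\(docume~1|documents and settings)\\([^\\]+)\\(applic~1|application data)\\',
    re.IGNORECASE)


def parse_tasks(section):
    """Return (timestamp, job_path, target) triples from the section text."""
    entries, pending = [], None
    for raw in section.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2))
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            entries.append((pending[0], pending[1], m.group(1)))
            pending = None
    return entries


def payload_name(target):
    """File name of the target, lower-cased, so profiles can be grouped."""
    return target.rsplit('\\', 1)[-1].lower()


def triage(section):
    """Score each task; 'reasons' is empty for entries that trip no heuristic."""
    findings = []
    for ts, job_path, target in parse_tasks(section):
        job_name = job_path.rsplit('\\', 1)[-1]
        reasons = []
        if HEX_NAME_RE.match(job_name):
            reasons.append('random-hex-name')
        m = USER_APPDATA_RE.search(target)
        user = m.group(2).lower() if m else None
        if m:
            reasons.append('user-appdata-target')
        findings.append({'time': ts, 'job': job_name, 'target': target,
                         'user': user, 'reasons': reasons})
    # Heuristic 3: the same payload file scheduled from more than one profile.
    by_payload = defaultdict(set)
    for f in findings:
        if f['user']:
            by_payload[payload_name(f['target'])].add(f['user'])
    for f in findings:
        if f['user'] and len(by_payload[payload_name(f['target'])]) > 1:
            f['reasons'].append('shared-payload')
    return findings


def payload_profiles(section):
    """Map each user-profile payload file name to the profiles scheduling it."""
    profiles = defaultdict(set)
    for f in triage(section):
        if f['user']:
            profiles[payload_name(f['target'])].add(f['user'])
    return dict(profiles)


if __name__ == '__main__':
    for f in triage(SAMPLE_SECTION):
        flag = 'SUSPECT' if f['reasons'] else 'ok     '
        print(f"{flag} {f['job']:<40} {f['target']}  {','.join(f['reasons'])}")
    for payload, users in payload_profiles(SAMPLE_SECTION).items():
        print(f"payload {payload!r} scheduled from profiles: {sorted(users)}")
```

Run against the sample, every hex-named task trips all three heuristics and the msfeedssync task trips none; the profile grouping is what tells you the cleanup has to cover every profile that holds a copy of the folder, which is why the helper's instructions above check three longsl~1 paths rather than one.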
     
  10. 2008/03/28
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    Here are the logs!

    ComboFix

    ComboFix 08-03-26.3 - Robert Omo 2008-03-28 9:46:14.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.283 [GMT -8:00]
    Running from: C:\Documents and Settings\Robert Omo\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Robert Omo\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\Tasks\A6AE74A591EDEBA1.job
    C:\WINDOWS\Tasks\A9F3FDE391847523.job
    C:\WINDOWS\Tasks\AACB1CB0918490B8.job
    C:\WINDOWS\Tasks\AB3827FB9183DDF7.job
    C:\WINDOWS\Tasks\AE4AA6E791895F0B.job
    C:\WINDOWS\Tasks\B4FF56CD9134C1D1.job
    C:\WINDOWS\Tasks\BC6C25F691E7C8F2.job
    C:\WINDOWS\Tasks\BDCDA72C91364728.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\_000218_.tmp.dll
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\Tasks\A6AE74A591EDEBA1.job
    C:\WINDOWS\Tasks\A9F3FDE391847523.job
    C:\WINDOWS\Tasks\AACB1CB0918490B8.job
    C:\WINDOWS\Tasks\AB3827FB9183DDF7.job
    C:\WINDOWS\Tasks\AE4AA6E791895F0B.job
    C:\WINDOWS\Tasks\B4FF56CD9134C1D1.job
    C:\WINDOWS\Tasks\BC6C25F691E7C8F2.job
    C:\WINDOWS\Tasks\BDCDA72C91364728.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
    .

    2008-03-27 20:28 . 2008-03-27 20:28 1,980 --a------ C:\WINDOWS\system32\tmp.reg
    2008-03-27 20:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-03-27 20:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-03-27 20:26 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-03-27 20:26 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-03-27 20:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-03-27 20:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-03-27 20:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-03-27 20:11 . 2003-01-10 13:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-03-27 20:06 . 2008-03-27 20:06 <DIR> d-------- C:\Program Files\Common Files\aolshare
    2008-03-27 18:14 . 2008-03-27 18:14 <DIR> d-------- C:\Documents and Settings\Robert Omo\Application Data\acccore
    2008-03-27 18:09 . 2008-03-27 18:09 <DIR> d-------- C:\Documents and Settings\Evan Omo\Application Data\acccore
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Program Files\Viewpoint
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-03-27 17:35 . 2008-03-27 20:12 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-03-27 17:34 . 2008-03-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-03-27 17:31 . 2008-03-27 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-03-27 15:52 . 2008-03-27 15:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-27 13:20 . 2008-03-27 13:22 7,348,224 --a------ C:\WINDOWS\sectest.db
    2008-03-27 13:16 . 2008-03-27 21:55 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-03-27 13:04 . 2008-03-27 13:04 <DIR> d-------- C:\Program Files\Windows Resource Kits
    2008-03-27 12:39 . 2008-03-27 19:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2008-03-27 12:39 . 2008-03-27 19:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2008-03-27 12:38 . 2008-03-27 12:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-03-27 12:33 . 2008-03-27 19:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-27 12:17 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-03-27 11:35 . 2008-03-27 11:35 0 --a------ C:\WINDOWS\system32\REN41.tmp
    2008-03-27 11:35 . 2008-03-27 11:35 0 --a------ C:\WINDOWS\system32\REN40.tmp
    2008-03-27 11:19 . 2008-03-27 11:19 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-03-27 11:12 . 2006-02-28 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
    2008-03-27 11:10 . 2006-02-28 04:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
    2008-03-27 11:09 . 2006-02-28 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-03-27 11:08 . 2006-02-28 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-03-27 11:07 . 2006-02-28 04:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
    2008-03-27 11:06 . 2006-02-28 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-03-27 11:05 . 2006-02-28 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-03-27 11:04 . 2006-02-28 04:00 369,664 --a--c--- C:\WINDOWS\system32\dllcache\asp51.dll
    2008-03-27 11:03 . 2006-02-28 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-03-27 10:56 . 2008-03-27 10:56 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-03-27 10:55 . 2006-02-28 04:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-03-27 10:50 . 2006-02-28 04:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 60,928 --a--c--- C:\WINDOWS\system32\dllcache\iisclex4.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a------ C:\WINDOWS\system32\iismui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a--c--- C:\WINDOWS\system32\dllcache\iismui.dll
    2008-03-27 10:41 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-03-27 10:41 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a------ C:\WINDOWS\system32\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
    2008-03-27 10:34 . 2006-02-28 04:00 1,086,058 -ra------ C:\WINDOWS\SET8C.tmp
    2008-03-27 10:34 . 2006-02-28 04:00 1,042,903 -ra------ C:\WINDOWS\SET8B.tmp
    2008-03-27 02:18 . 2008-03-27 02:18 <DIR> d-------- C:\WINDOWS\Provisioning
    2008-03-27 02:18 . 2008-03-27 02:28 <DIR> d-------- C:\WINDOWS\PeerNet
    2008-03-27 02:18 . 2008-03-27 02:29 <DIR> d-------- C:\WINDOWS\ehome
    2008-03-27 02:18 . 2008-03-27 15:17 536,428,544 --a------ C:\WINDOWS\MEMORY.DMP
    2008-03-26 19:47 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-03-24 19:41 . 2008-03-24 19:44 <DIR> d-------- C:\Program Files\Auslogics
    2008-03-24 19:09 . 2006-02-28 04:00 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
    2008-03-24 19:09 . 2006-02-28 04:00 2,804,224 --a------ C:\WINDOWS\system32\dllcache\msi.dll
    2008-03-24 19:09 . 2006-02-28 04:00 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
    2008-03-24 19:09 . 2006-02-28 04:00 884,736 --a------ C:\WINDOWS\system32\dllcache\msimsg.dll
    2008-03-24 19:09 . 2006-02-28 04:00 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
    2008-03-24 19:09 . 2006-02-28 04:00 331,264 --a------ C:\WINDOWS\system32\dllcache\msihnd.dll
    2008-03-24 19:09 . 2006-02-28 04:00 77,312 --a------ C:\WINDOWS\system32\msiexec.exe
    2008-03-24 19:09 . 2006-02-28 04:00 77,312 --a------ C:\WINDOWS\system32\dllcache\msiexec.exe
    2008-03-24 19:09 . 2006-02-28 04:00 44,032 --a------ C:\WINDOWS\system32\msisip.dll
    2008-03-24 19:09 . 2006-02-28 04:00 44,032 --a------ C:\WINDOWS\system32\dllcache\msisip.dll
    2008-03-12 19:31 . 2008-03-27 12:12 <DIR> d-------- C:\Program Files\SpywareBlaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-28 17:51 --------- d-----w C:\Program Files\WinClamAVShield
    2008-03-28 17:32 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\SiteAdvisor
    2008-03-28 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-03-28 02:28 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\SiteAdvisor
    2008-03-28 01:22 --------- d-----w C:\Program Files\Spyware Terminator
    2008-03-28 01:22 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\Spyware Terminator
    2008-03-28 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-03-27 23:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
    2008-03-27 20:06 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Spyware Terminator
    2008-03-27 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-27 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-03-25 03:41 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Auslogics
    2008-03-15 22:55 --------- d-----w C:\Documents and Settings\Karen Omo\Application Data\Spyware Terminator
    2008-02-21 02:01 3,932 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMLayout.dat
    2008-02-21 02:01 268 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMCPaper.dat
    2008-02-15 03:33 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-02-07 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-07 06:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-06 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-30 17:23 22,576 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-16 02:33 3,932 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMLayout.dat
    2008-01-16 02:33 268 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMCPaper.dat
    2007-10-13 02:51 3,932 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMLayout.dat
    2007-10-13 02:51 268 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMCPaper.dat
    2006-08-08 02:48 50,371 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_08_07_15_39_31_small.dmp.zip
    2005-09-21 16:49 120,996 -c-ha-w C:\Documents and Settings\Robert Omo\Application Data\ptads.bin
    2005-09-15 20:37 94,939 -c-ha-w C:\Documents and Settings\Evan Omo\Application Data\ptads.bin
    2005-09-05 02:50 79,712 -c-ha-w C:\Documents and Settings\Karen Omo\Application Data\ptads.bin
    2004-11-30 02:15 23,040 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\GDIPFONTCACHEV1.DAT
    2002-01-18 14:52 3,932 -c----w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
    2006-08-01 23:39 410,096 -csha-w C:\WINDOWS\system32\kmllm.bak1
    2006-08-22 20:08 910,123 -csha-w C:\WINDOWS\system32\kmllm.bak2
    2006-08-22 23:25 526,351 -csha-w C:\WINDOWS\system32\kmllm.ini2
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-27_21.07.01.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-05-04 22:45:26 13,536 ------w C:\WINDOWS\system32\spmsg.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
    "Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-14 19:33 2957824]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2006-02-28 04:00 208896]
    "HostManager"="C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe" [2007-10-08 13:50 41824]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2004-10-31 16:38:16 1990656]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntivirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\AOLDesktop.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-02-14 19:33]
    R3 SMC55T;SMC EZ Card 10/100 (SMC1255TX);C:\WINDOWS\system32\DRIVERS\SMC55T51.sys [2002-07-05 15:31]
    S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 12:58]
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-27 20:48:35 C:\WINDOWS\Tasks\User_Feed_Synchronization-{754D0594-BE19-4EA4-B2FB-CF8418844CB2}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-28 09:51:44
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\SiteAdvisor\6253\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-28 9:55:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-28 17:55:18
    ComboFix2.txt 2008-03-28 05:08:24
    Pre-Run: 68,198,899,712 bytes free
    Post-Run: 68,186,361,856 bytes free

    Hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:59:09 AM, on 3/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X125\LEX125SU.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 5484 bytes
     
  11. 2008/03/28
    noahdfear (Inactive)
    Looking much better. Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\system32\kmllm.bak1
    C:\WINDOWS\system32\kmllm.bak2
    C:\WINDOWS\system32\kmllm.ini2
    C:\WINDOWS\system32\REN41.tmp
    C:\WINDOWS\system32\REN40.tmp
    C:\WINDOWS\SET8C.tmp
    C:\WINDOWS\SET8B.tmp
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  12. 2008/03/28
    Evan Omo (Computer Support Technician, Staff, Thread Starter)
    The computer seems faster and it isn't locking up as much as it used to. Thanks. :)

    ComboFix Log

    ComboFix 08-03-27.1 - Robert Omo 2008-03-28 12:01:23.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.272 [GMT -8:00]
    Running from: C:\Documents and Settings\Robert Omo\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Robert Omo\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\SET8B.tmp
    C:\WINDOWS\SET8C.tmp
    C:\WINDOWS\system32\kmllm.bak1
    C:\WINDOWS\system32\kmllm.bak2
    C:\WINDOWS\system32\kmllm.ini2
    C:\WINDOWS\system32\REN40.tmp
    C:\WINDOWS\system32\REN41.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\SET8B.tmp
    C:\WINDOWS\SET8C.tmp
    C:\WINDOWS\system32\_000109_.tmp.dll
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\kmllm.bak1
    C:\WINDOWS\system32\kmllm.bak2
    C:\WINDOWS\system32\kmllm.ini2
    C:\WINDOWS\system32\REN40.tmp
    C:\WINDOWS\system32\REN41.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
    .

    2008-03-28 10:37 . 2006-02-28 04:00 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
    2008-03-28 10:37 . 2006-02-28 04:00 2,804,224 --a------ C:\WINDOWS\system32\dllcache\msi.dll
    2008-03-28 10:37 . 2006-02-28 04:00 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
    2008-03-28 10:37 . 2006-02-28 04:00 884,736 --a------ C:\WINDOWS\system32\dllcache\msimsg.dll
    2008-03-28 10:37 . 2006-02-28 04:00 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
    2008-03-28 10:37 . 2006-02-28 04:00 331,264 --a------ C:\WINDOWS\system32\dllcache\msihnd.dll
    2008-03-28 10:37 . 2006-02-28 04:00 77,312 --a------ C:\WINDOWS\system32\msiexec.exe
    2008-03-28 10:37 . 2006-02-28 04:00 77,312 --a------ C:\WINDOWS\system32\dllcache\msiexec.exe
    2008-03-28 10:37 . 2006-02-28 04:00 44,032 --a------ C:\WINDOWS\system32\msisip.dll
    2008-03-28 10:37 . 2006-02-28 04:00 44,032 --a------ C:\WINDOWS\system32\dllcache\msisip.dll
    2008-03-27 20:28 . 2008-03-27 20:28 1,980 --a------ C:\WINDOWS\system32\tmp.reg
    2008-03-27 20:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-03-27 20:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-03-27 20:26 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-03-27 20:26 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-03-27 20:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-03-27 20:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-03-27 20:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-03-27 20:11 . 2003-01-10 13:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-03-27 20:06 . 2008-03-27 20:06 <DIR> d-------- C:\Program Files\Common Files\aolshare
    2008-03-27 18:14 . 2008-03-27 18:14 <DIR> d-------- C:\Documents and Settings\Robert Omo\Application Data\acccore
    2008-03-27 18:09 . 2008-03-27 18:09 <DIR> d-------- C:\Documents and Settings\Evan Omo\Application Data\acccore
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Program Files\Viewpoint
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-03-27 17:35 . 2008-03-27 20:12 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-03-27 17:34 . 2008-03-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-03-27 17:31 . 2008-03-27 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-03-27 15:52 . 2008-03-27 15:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-27 13:20 . 2008-03-27 13:22 7,348,224 --a------ C:\WINDOWS\sectest.db
    2008-03-27 13:16 . 2008-03-28 11:53 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-03-27 13:04 . 2008-03-27 13:04 <DIR> d-------- C:\Program Files\Windows Resource Kits
    2008-03-27 12:39 . 2008-03-27 19:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2008-03-27 12:39 . 2008-03-27 19:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2008-03-27 12:38 . 2008-03-27 12:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-03-27 12:33 . 2008-03-27 19:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-27 12:17 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-03-27 11:19 . 2008-03-27 11:19 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-03-27 11:12 . 2006-02-28 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
    2008-03-27 11:10 . 2006-02-28 04:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
    2008-03-27 11:09 . 2006-02-28 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-03-27 11:08 . 2006-02-28 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-03-27 11:07 . 2006-02-28 04:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
    2008-03-27 11:06 . 2006-02-28 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-03-27 11:05 . 2006-02-28 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-03-27 11:04 . 2006-02-28 04:00 369,664 --a--c--- C:\WINDOWS\system32\dllcache\asp51.dll
    2008-03-27 11:03 . 2006-02-28 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-03-27 10:56 . 2008-03-27 10:56 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-03-27 10:55 . 2006-02-28 04:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-03-27 10:50 . 2006-02-28 04:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 60,928 --a--c--- C:\WINDOWS\system32\dllcache\iisclex4.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a------ C:\WINDOWS\system32\iismui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a--c--- C:\WINDOWS\system32\dllcache\iismui.dll
    2008-03-27 10:41 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-03-27 10:41 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a------ C:\WINDOWS\system32\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
    2008-03-27 02:18 . 2008-03-27 02:18 <DIR> d-------- C:\WINDOWS\Provisioning
    2008-03-27 02:18 . 2008-03-27 02:28 <DIR> d-------- C:\WINDOWS\PeerNet
    2008-03-27 02:18 . 2008-03-27 02:29 <DIR> d-------- C:\WINDOWS\ehome
    2008-03-27 02:18 . 2008-03-27 15:17 536,428,544 --a------ C:\WINDOWS\MEMORY.DMP
    2008-03-26 19:47 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-03-24 19:41 . 2008-03-24 19:44 <DIR> d-------- C:\Program Files\Auslogics
    2008-03-12 19:31 . 2008-03-27 12:12 <DIR> d-------- C:\Program Files\SpywareBlaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-28 20:07 --------- d-----w C:\Program Files\WinClamAVShield
    2008-03-28 19:54 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\SiteAdvisor
    2008-03-28 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-03-28 02:28 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\SiteAdvisor
    2008-03-28 01:22 --------- d-----w C:\Program Files\Spyware Terminator
    2008-03-28 01:22 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\Spyware Terminator
    2008-03-28 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-03-27 23:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
    2008-03-27 20:06 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Spyware Terminator
    2008-03-27 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-27 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-03-25 03:41 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Auslogics
    2008-03-15 22:55 --------- d-----w C:\Documents and Settings\Karen Omo\Application Data\Spyware Terminator
    2008-02-21 02:01 3,932 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMLayout.dat
    2008-02-21 02:01 268 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMCPaper.dat
    2008-02-15 03:33 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-02-07 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-07 06:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-06 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-30 17:23 22,576 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-16 02:33 3,932 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMLayout.dat
    2008-01-16 02:33 268 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMCPaper.dat
    2007-10-13 02:51 3,932 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMLayout.dat
    2007-10-13 02:51 268 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMCPaper.dat
    2006-08-08 02:48 50,371 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_08_07_15_39_31_small.dmp.zip
    2005-09-21 16:49 120,996 -c-ha-w C:\Documents and Settings\Robert Omo\Application Data\ptads.bin
    2005-09-15 20:37 94,939 -c-ha-w C:\Documents and Settings\Evan Omo\Application Data\ptads.bin
    2005-09-05 02:50 79,712 -c-ha-w C:\Documents and Settings\Karen Omo\Application Data\ptads.bin
    2004-11-30 02:15 23,040 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\GDIPFONTCACHEV1.DAT
    2002-01-18 14:52 3,932 -c----w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-27_21.07.01.39 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2006-02-28 12:00:00 8,384,000 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
    + 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
    + 2007-12-04 00:39:18 112,016 ----a-w C:\WINDOWS\system32\Macromed\Download\Download.dll
    + 2007-12-04 00:39:18 59,717 ----a-w C:\WINDOWS\system32\Macromed\Download\Install.exe
    - 2006-02-28 12:00:00 8,384,000 ----a-w C:\WINDOWS\system32\shell32.dll
    + 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
    + 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
    - 2006-02-01 00:28:24 16,384 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    + 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3464B9E7-2150-0FAE-0612-2F00CAB78F98}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D70B12-91A1-EC53-A448-9A2B28E18CC9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E297D808-40EE-6A4E-BD5C-4B76621F0DC6}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
    "Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-14 19:33 2957824]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2006-02-28 04:00 208896]
    "HostManager"="C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe" [2007-10-08 13:50 41824]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2004-10-31 16:38:16 1990656]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Extensions]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ShellCompatibility]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntivirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\AOLDesktop.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-02-14 19:33]
    R3 SMC55T;SMC EZ Card 10/100 (SMC1255TX);C:\WINDOWS\system32\DRIVERS\SMC55T51.sys [2002-07-05 15:31]
    S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 12:58]
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-27 20:48:35 C:\WINDOWS\Tasks\User_Feed_Synchronization-{754D0594-BE19-4EA4-B2FB-CF8418844CB2}.job"
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-28 12:06:58
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\SiteAdvisor\6253\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-28 12:12:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-28 20:11:24
    ComboFix2.txt 2008-03-28 17:56:00
    ComboFix3.txt 2008-03-28 05:08:24
    Pre-Run: 68,065,361,920 bytes free
    Post-Run: 68,051,968,000 bytes free
    .
    2008-03-28 19:36:25 --- E O F ---
     
  13. 2008/03/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, progress has been made, but there's also been a backslide somehow. Please make sure Spybot's TeaTimer is disabled as previously instructed, then create yet another CFScript.txt with the contents of the code box below.

    Code:
    KillAll::
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3464B9E7-2150-0FAE-0612-2F00CAB78F98}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{65D70B12-91A1-EC53-A448-9A2B28E18CC9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E297D808-40EE-6A4E-BD5C-4B76621F0DC6}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Extensions]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ShellCompatibility]
    
    Drag-n-drop CFScript.txt onto ComboFix.exe and post the new ComboFix.txt when it completes. I'd like to see a fresh HijackThis log after running ComboFix too.
     
  14. 2008/03/28
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    Hey Dave. I got a BSOD after I disabled Spybot's TeaTimer which was Bad_Pool_Header Stop 0x000000c2. I restarted the machine without a problem. It's just strange why I got a BSOD from doing that. Anyway here are the logs! :)

    ComboFix

    ComboFix 08-03-27.1 - Robert Omo 2008-03-28 14:40:41.4 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.305 [GMT -8:00]
    Running from: C:\Documents and Settings\Robert Omo\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Robert Omo\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\guard.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
    .

    2008-03-28 10:37 . 2006-02-28 04:00 2,804,224 --a------ C:\WINDOWS\system32\msi.dll
    2008-03-28 10:37 . 2006-02-28 04:00 2,804,224 --a------ C:\WINDOWS\system32\dllcache\msi.dll
    2008-03-28 10:37 . 2006-02-28 04:00 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
    2008-03-28 10:37 . 2006-02-28 04:00 884,736 --a------ C:\WINDOWS\system32\dllcache\msimsg.dll
    2008-03-28 10:37 . 2006-02-28 04:00 331,264 --a------ C:\WINDOWS\system32\msihnd.dll
    2008-03-28 10:37 . 2006-02-28 04:00 331,264 --a------ C:\WINDOWS\system32\dllcache\msihnd.dll
    2008-03-28 10:37 . 2006-02-28 04:00 77,312 --a------ C:\WINDOWS\system32\msiexec.exe
    2008-03-28 10:37 . 2006-02-28 04:00 77,312 --a------ C:\WINDOWS\system32\dllcache\msiexec.exe
    2008-03-28 10:37 . 2006-02-28 04:00 44,032 --a------ C:\WINDOWS\system32\msisip.dll
    2008-03-28 10:37 . 2006-02-28 04:00 44,032 --a------ C:\WINDOWS\system32\dllcache\msisip.dll
    2008-03-27 20:28 . 2008-03-27 20:28 1,980 --a------ C:\WINDOWS\system32\tmp.reg
    2008-03-27 20:26 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-03-27 20:26 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-03-27 20:26 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-03-27 20:26 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-03-27 20:26 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-03-27 20:26 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-03-27 20:26 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-03-27 20:11 . 2003-01-10 13:13 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
    2008-03-27 20:06 . 2008-03-27 20:06 <DIR> d-------- C:\Program Files\Common Files\aolshare
    2008-03-27 18:14 . 2008-03-27 18:14 <DIR> d-------- C:\Documents and Settings\Robert Omo\Application Data\acccore
    2008-03-27 18:09 . 2008-03-27 18:09 <DIR> d-------- C:\Documents and Settings\Evan Omo\Application Data\acccore
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Program Files\Viewpoint
    2008-03-27 17:36 . 2008-03-27 17:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-03-27 17:35 . 2008-03-27 20:12 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-03-27 17:34 . 2008-03-27 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-03-27 17:31 . 2008-03-27 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2008-03-27 15:52 . 2008-03-27 15:52 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-27 13:20 . 2008-03-27 13:22 7,348,224 --a------ C:\WINDOWS\sectest.db
    2008-03-27 13:16 . 2008-03-28 14:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
    2008-03-27 13:04 . 2008-03-27 13:04 <DIR> d-------- C:\Program Files\Windows Resource Kits
    2008-03-27 12:39 . 2008-03-27 19:45 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2008-03-27 12:39 . 2008-03-27 19:45 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2008-03-27 12:38 . 2008-03-27 12:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
    2008-03-27 12:33 . 2008-03-27 19:15 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
    2008-03-27 12:17 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
    2008-03-27 11:19 . 2008-03-27 11:19 13,646 --a------ C:\WINDOWS\system32\wpa.bak
    2008-03-27 11:12 . 2006-02-28 04:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
    2008-03-27 11:10 . 2006-02-28 04:00 571,392 --a--c--- C:\WINDOWS\system32\dllcache\tintlgnt.ime
    2008-03-27 11:09 . 2006-02-28 04:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-03-27 11:08 . 2006-02-28 04:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-03-27 11:07 . 2006-02-28 04:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
    2008-03-27 11:06 . 2006-02-28 04:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-03-27 11:05 . 2006-02-28 04:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-03-27 11:04 . 2006-02-28 04:00 369,664 --a--c--- C:\WINDOWS\system32\dllcache\asp51.dll
    2008-03-27 11:03 . 2006-02-28 04:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
    2008-03-27 10:56 . 2008-03-27 10:56 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-03-27 10:55 . 2006-02-28 04:00 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
    2008-03-27 10:55 . 2008-03-27 10:55 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-03-27 10:50 . 2006-02-28 04:00 169,984 --a--c--- C:\WINDOWS\system32\dllcache\iisui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 60,928 --a--c--- C:\WINDOWS\system32\dllcache\iisclex4.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 19,968 --a--c--- C:\WINDOWS\system32\dllcache\inetsloc.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 7,168 --a--c--- C:\WINDOWS\system32\dllcache\wamregps.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a------ C:\WINDOWS\system32\iismui.dll
    2008-03-27 10:50 . 2006-02-28 04:00 3,584 --a--c--- C:\WINDOWS\system32\dllcache\iismui.dll
    2008-03-27 10:41 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-03-27 10:41 . 2004-08-03 22:29 1,897,408 --a------ C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a--c--- C:\WINDOWS\system32\dllcache\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 66,082 --a------ C:\WINDOWS\system32\c_28603.nls
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2008-03-27 10:36 . 2006-02-28 04:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
    2008-03-27 02:18 . 2008-03-27 02:18 <DIR> d-------- C:\WINDOWS\Provisioning
    2008-03-27 02:18 . 2008-03-27 02:28 <DIR> d-------- C:\WINDOWS\PeerNet
    2008-03-27 02:18 . 2008-03-27 02:29 <DIR> d-------- C:\WINDOWS\ehome
    2008-03-27 02:18 . 2008-03-28 14:30 536,428,544 --a------ C:\WINDOWS\MEMORY.DMP
    2008-03-26 19:47 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2008-03-26 19:47 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2008-03-26 19:47 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2008-03-24 19:41 . 2008-03-24 19:44 <DIR> d-------- C:\Program Files\Auslogics
    2008-03-12 19:31 . 2008-03-27 12:12 <DIR> d-------- C:\Program Files\SpywareBlaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-28 22:46 --------- d-----w C:\Program Files\WinClamAVShield
    2008-03-28 20:40 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\SiteAdvisor
    2008-03-28 04:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
    2008-03-28 02:28 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\SiteAdvisor
    2008-03-28 01:22 --------- d-----w C:\Program Files\Spyware Terminator
    2008-03-28 01:22 --------- d-----w C:\Documents and Settings\Robert Omo\Application Data\Spyware Terminator
    2008-03-28 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
    2008-03-27 23:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\SiteAdvisor
    2008-03-27 20:06 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Spyware Terminator
    2008-03-27 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-03-27 04:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
    2008-03-25 03:41 --------- d-----w C:\Documents and Settings\Evan Omo\Application Data\Auslogics
    2008-03-15 22:55 --------- d-----w C:\Documents and Settings\Karen Omo\Application Data\Spyware Terminator
    2008-02-21 02:01 3,932 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMLayout.dat
    2008-02-21 02:01 268 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\LMCPaper.dat
    2008-02-15 03:33 138,752 ----a-w C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
    2008-02-07 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-07 06:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-06 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-30 17:23 22,576 -c--a-w C:\Documents and Settings\Robert Omo\Application Data\GDIPFONTCACHEV1.DAT
    2008-01-16 02:33 3,932 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMLayout.dat
    2008-01-16 02:33 268 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\LMCPaper.dat
    2007-10-13 02:51 3,932 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMLayout.dat
    2007-10-13 02:51 268 -c--a-w C:\Documents and Settings\Karen Omo\Application Data\LMCPaper.dat
    2006-08-08 02:48 50,371 -c--a-w C:\WINDOWS\Internet Logs\zlclient_2nd_2006_08_07_15_39_31_small.dmp.zip
    2005-09-21 16:49 120,996 -c-ha-w C:\Documents and Settings\Robert Omo\Application Data\ptads.bin
    2005-09-15 20:37 94,939 -c-ha-w C:\Documents and Settings\Evan Omo\Application Data\ptads.bin
    2005-09-05 02:50 79,712 -c-ha-w C:\Documents and Settings\Karen Omo\Application Data\ptads.bin
    2004-11-30 02:15 23,040 -c--a-w C:\Documents and Settings\Evan Omo\Application Data\GDIPFONTCACHEV1.DAT
    2002-01-18 14:52 3,932 -c----w C:\Documents and Settings\LocalService\Application Data\LMLayout.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-03-27_21.07.01.39 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-03-28 22:34:32 5,986 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{BB398CD8-6CAA-4A98-A60E-64D265F0F83B}.bin
    - 2006-02-28 12:00:00 8,384,000 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
    + 2007-10-26 03:36:51 8,454,656 -c--a-w C:\WINDOWS\system32\dllcache\shell32.dll
    + 2007-12-04 00:39:18 112,016 ----a-w C:\WINDOWS\system32\Macromed\Download\Download.dll
    + 2007-12-04 00:39:18 59,717 ----a-w C:\WINDOWS\system32\Macromed\Download\Install.exe
    - 2006-02-28 12:00:00 8,384,000 ----a-w C:\WINDOWS\system32\shell32.dll
    + 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\system32\shell32.dll
    + 2007-03-06 01:22:33 14,048 ------w C:\WINDOWS\system32\spmsg.dll
    - 2006-02-01 00:28:24 16,384 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    + 2007-10-29 10:26:53 115,712 ----a-w C:\WINDOWS\system32\xpsp3res.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
    "Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [ ]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-02-14 19:33 2957824]
    "SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2006-02-28 04:00 208896]
    "HostManager"="C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe" [2007-10-08 13:50 41824]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Lexmark X125 Settings Utility.lnk - C:\Program Files\Lexmark X125\LEX125SU.exe [2004-10-31 16:38:16 1990656]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntivirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\aolsoftware.exe"=
    "C:\\Program Files\\Common Files\\AOL\\1206677203\\ee\\AOLDesktop.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\System32\drivers\sp_rsdrv2.sys [2008-02-14 19:33]
    R3 SMC55T;SMC EZ Card 10/100 (SMC1255TX);C:\WINDOWS\system32\DRIVERS\SMC55T51.sys [2002-07-05 15:31]
    S2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys [2001-08-17 12:58]
    S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 22:31]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-28 22:48:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{754D0594-BE19-4EA4-B2FB-CF8418844CB2}.job "
    - C:\WINDOWS\system32\msfeedssync.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-28 14:46:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\SiteAdvisor\6253\saHook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-28 14:50:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-28 22:50:17
    ComboFix2.txt 2008-03-28 20:12:02
    ComboFix3.txt 2008-03-28 17:56:00
    ComboFix4.txt 2008-03-28 05:08:24
    Pre-Run: 68,000,075,776 bytes free
    Post-Run: 67,989,532,672 bytes free
    .
    2008-03-28 20:42:47 --- E O F ---

    Hijackthis

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:57:08 PM, on 3/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lexmark X125\LEX125SU.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\1206677203\ee\AOLDesktop.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206677203\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: AOL Desktop.lnk = C:\Program Files\Common Files\AOL\Launch\aollaunch.exe
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 6257 bytes
     
  15. 2008/03/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Very odd you would BSOD like that :confused:

    With TeaTimer disabled, fix the following entries with HijackThis.

    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} -
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} -
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} -
    O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.0) -
    O16 - DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} (Java Plug-in 1.4.2_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} -
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} -


    That guard.tmp file has reared up 3 times now. Let's run another tool just in case. Download VundoFix by Atribune, saving it to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply here.
    Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
     
  16. 2008/03/29
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    VundoFix Log

    VundoFix V7.0.3

    Scan started at 10:42:10 AM 3/29/2008

    Listing files found while scanning....

    No infected files were found.

    Hijackthis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:03:28 AM, on 3/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Common Files\AOL\1206762463\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: (no name) - {3464B9E7-2150-0FAE-0612-2F00CAB78F98} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {65D70B12-91A1-EC53-A448-9A2B28E18CC9} - (no file)
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: (no name) - {E297D808-40EE-6A4E-BD5C-4B76621F0DC6} - (no file)
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206762463\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 5411 bytes
     
  17. 2008/03/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    OK, something is restoring these registry entries. Since it appears TeaTimer is indeed disabled, maybe it's Spyware Terminator. Please disable its protection(s) and fix the following with HijackThis.

    O2 - BHO: (no name) - {3464B9E7-2150-0FAE-0612-2F00CAB78F98} - (no file)
    O2 - BHO: (no name) - {65D70B12-91A1-EC53-A448-9A2B28E18CC9} - (no file)
    O2 - BHO: (no name) - {E297D808-40EE-6A4E-BD5C-4B76621F0DC6} - (no file)
    O20 - Winlogon Notify: Extensions - C:\WINDOWS\
    O20 - Winlogon Notify: mllmk - C:\WINDOWS\
    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\


    Reboot and create a fresh HijackThis log then post it here.
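    The reply above asks for three orphaned O2 BHO entries (CLSIDs with "(no file)") and three O20 Winlogon Notify entries whose path is a bare directory to be fixed, and notes that something keeps restoring them. The script below is an added example, not code from this thread or from HijackThis: it parses those two line types out of a HijackThis log, flags the entries a helper would ask to remove, and compares the flagged set of a "before" log with a fresh post-reboot log so that entries which survive a fix stand out. The sample log text is constructed from lines posted in this thread; the function names (`parse_entries`, `lines_to_fix`, `compare_logs`) and the `Entry` record are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG_BEFORE = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {3464B9E7-2150-0FAE-0612-2F00CAB78F98} - (no file)",
    r"O2 - BHO: (no name) - {65D70B12-91A1-EC53-A448-9A2B28E18CC9} - (no file)",
    r"O2 - BHO: (no name) - {E297D808-40EE-6A4E-BD5C-4B76621F0DC6} - (no file)",
    r"O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe",
    "O20 - Winlogon Notify: Extensions - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: mllmk - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: ShellCompatibility - C:\\WINDOWS\\",
])

# Constructed sample: what the same sections look like after a successful fix and reboot.
SAMPLE_LOG_AFTER = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe",
])

# O2 lines: "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.*)$", re.I)
# O20 lines: "O20 - Winlogon Notify: <subkey name> - <DLL path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Entry:
    kind: str            # "O2" or "O20"
    name: str            # BHO display name or Winlogon Notify subkey name
    clsid: Optional[str] # CLSID for O2 entries, None for O20
    path: str            # file path as printed by HijackThis
    raw: str             # the original log line, as HijackThis would accept it for fixing


def parse_entries(log_text: str) -> List[Entry]:
    """Extract O2 and O20 entries from a HijackThis log; other sections are skipped."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            entries.append(Entry("O2", m["name"], m["clsid"].upper(), m["path"], line))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append(Entry("O20", m["name"], None, m["path"], line))
    return entries


def is_orphaned_bho(e: Entry) -> bool:
    """A BHO registered under a CLSID whose DLL no longer exists on disk."""
    return e.kind == "O2" and e.path.strip().lower() == "(no file)"


def is_incomplete_notify(e: Entry) -> bool:
    """A Winlogon Notify subkey that names no DLL (bare directory), which is
    what the log shows when the DllName value is empty or the file is gone."""
    p = e.path.strip()
    return e.kind == "O20" and (p.endswith("\\") or not p.lower().endswith(".dll"))


def lines_to_fix(log_text: str) -> List[str]:
    """Raw log lines a helper would tick in HijackThis, in log order."""
    return [e.raw for e in parse_entries(log_text)
            if is_orphaned_bho(e) or is_incomplete_notify(e)]


def compare_logs(before: str, after: str) -> List[str]:
    """Flagged lines present in both the pre-fix log and the fresh post-reboot
    log: these were fixed but came back, so something is restoring them."""
    return sorted(set(lines_to_fix(before)) & set(lines_to_fix(after)))


if __name__ == "__main__":
    for line in lines_to_fix(SAMPLE_LOG_BEFORE):
        print("fix:", line)
    survivors = compare_logs(SAMPLE_LOG_BEFORE, SAMPLE_LOG_AFTER)
    print("restored after reboot:", survivors or "none")
```

    Run it against the two logs saved from HijackThis: an empty "restored after reboot" list means the fix held, while any surviving line points at a resident tool (a real-time shield such as Spyware Terminator's, or TeaTimer) re-creating the keys, which is the situation the reply above describes.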
     
  18. 2008/03/29
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    Hijackthis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:49:32 PM, on 3/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\SiteAdvisor\6253\SAService.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    C:\Program Files\Common Files\AOL\1206762463\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe "
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1206762463\ee\AOLSoftware.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.38/WinSSWebAgent.CAB
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://scan.safety.live.com/resource/download/scanner/wlscbase5059.cab
    O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
    O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

    --
    End of file - 5122 bytes

    At this point, I've tried to install some Windows Updates such as Windows Installer 3.1, and some other applications such as AOL 9.1. I get an "access is denied" error when trying to install Windows Installer 3.1 and I get that same error message when trying to install any Windows update for Windows XP. Adobe Flash Player won't install correctly, AOL won't start up correctly and neither will Microsoft Office XP. So I think a reformat is in order since things haven't really improved. Malware may have played a part in the "access is denied" errors but there are probably some corrupted files that the repair installation didn't fix which is causing all of the updates that I try to fail to install or run properly. I have already backed up all the valuable data on the machine to my USB Flash Drive. If you have any other suggestions before I format the machine let me know. I greatly appreciate your help Dave. :cool:
     
  19. 2008/03/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    We could probably spend at least twice the amount of time troubleshooting permissions problems as it would take to format and clean install. ;)
     
  20. 2008/03/30
    Evan Omo

    Evan Omo Computer Support Technician Staff Thread Starter

    Joined:
    2006/09/10
    Messages:
    7,919
    Likes Received:
    511
    Hey Dave. Just wanted to let you know that I formatted the machine and I spent the last few hours reinstalling all of the Windows updates and my security software. Everything looks good and is running great. Again thank you so much for helping me out and being patient with me. I am very grateful for your help. ;):):cool::D
     
  21. 2008/03/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy to help ....... you're welcome. Glad to hear you're up and running again. :)
     