Need help with Trojan.Win32 plus others



MFrost
2008-01-21, 02:17
Hello Team Spybot,

Just got this computer (used). I thought I made a good deal; it appeared to be clean, I ran it, played around with it, and everything worked. I got home with it, started installing a firewall, antivirus and Spybot and removing programs that were not needed, and found a program called AntiSpywareShield. Not knowing what this really was, I ran it, and then :eek: it was too late; the computer has not been the same since. Several hours into it last night and today trying to get control: it is running really slow, and I had to uninstall the firewall and disable other items just to work and run scans.

Thanks in advance for any help you can give me.

Here is the HJT log; I will post the Kaspersky log next. Text too long.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:31 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ALCXMNTR.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\MFrost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AntiSpywareShield] C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE

--
End of file - 5417 bytes

MFrost
2008-01-21, 02:25
Now the Kaspersky scan
I need to split this up; the text is too long.

KASPERSKY ONLINE SCANNER REPORT
Saturday, January 19, 2008 9:36:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524225
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 82201
Number of viruses found: 65
Number of infected objects: 144
Number of suspicious objects: 0
Duration of the scan process: 01:26:24

Infected Object Name / Virus Name / Last Action
C:\80.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\80.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\80.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\80.tmp NSIS: infected - 3 skipped
C:\cd1041.nls Infected: SpamTool.Win32.Agent.u skipped
C:\cd1334.nls Infected: SpamTool.Win32.Agent.u skipped
C:\cd1467.nls Infected: SpamTool.Win32.Agent.u skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12fc5213d9182dc4358fe6f9197ab5d1_a48038d6-33c4-4e90-96ee-b13925bdac47 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\44624b08f9a2dba29575cab6059ad4d4_14d9ca27-8d50-4b00-8a65-324a34b7285f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Win Body Phone Media\eachanti.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\Documents and Settings\Compaq_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\History\History.IE5\MSHist012008011920080120\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVNUDHC4\m2_31_07_07_0[1].exe Infected: Trojan.Win32.Inject.em skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVNUDHC4\m2_31_07_07_0[2].exe Infected: Trojan.Win32.Inject.em skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVNUDHC4\m2_31_07_07_0[3].exe Infected: Trojan.Win32.Inject.em skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVNUDHC4\m2_31_07_07_0[4].exe Infected: Trojan.Win32.Inject.em skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVNUDHC4\m2_31_07_07_0[5].exe Infected: Trojan.Win32.Inject.em skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\XVNUDHC4\m2_31_07_07_0[6].exe Infected: Trojan.Win32.Inject.em skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\mssync20.exe Object is locked skipped
C:\Program Files\ApplePie\ie-improver.dll Infected: Trojan-Downloader.Win32.BHO.bw skipped
C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\ISM\BndDrive.dll Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\Program Files\ISM\bndloader.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\Program Files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Online Add-on\ictmdl.dll Infected: Trojan-Downloader.Win32.Zlob.eix skipped
C:\Program Files\Online Add-on\ictun.exe Infected: Trojan-Downloader.Win32.Zlob.ewl skipped
C:\Program Files\Online Add-on\isfmdl.dll Infected: Trojan-Downloader.Win32.Zlob.ezj skipped
C:\Program Files\Online Add-on\isfmm.exe Infected: Trojan-Downloader.Win32.Zlob.elm skipped
C:\Program Files\Online Add-on\isfmntr.exe Infected: Trojan-Downloader.Win32.Zlob.ezk skipped
C:\Program Files\Online Add-on\isfun.exe Infected: Trojan-Downloader.Win32.Zlob.ezl skipped
C:\Program Files\Seekmo\bin\10.0.314.0\CoreSrv.dll Infected: not-a-virus:AdWare.Win32.180Solutions.bl skipped
C:\Program Files\Seekmo\bin\10.0.314.0\HostOL.dll Infected: not-a-virus:AdWare.Win32.HotBar.ch skipped
C:\Program Files\Seekmo\bin\10.0.314.0\SeekmoUnInstaller.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
C:\Program Files\Seekmo\bin\10.0.314.0\SeekmoUnInstaller.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions.bj skipped
C:\Program Files\Seekmo\bin\10.0.314.0\SeekmoUnInstaller.exe NSIS: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1BD.tmp Infected: Trojan-Downloader.Win32.Agent.esx skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1BE.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1BE.tmp NSIS: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1BE.tmp CryptFF.b: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1BF.tmp Infected: Trojan-Proxy.Win32.Pixoliz.lt skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C0.tmp Infected: Trojan-PSW.Win32.LdPinch.bdr skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C1.tmp Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C2.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C3.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C4.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C5.tmp Infected: Trojan-Downloader.Win32.Zlob.bni skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C6.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C7.tmp Infected: Trojan-Downloader.Win32.Zlob.bno skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C8.tmp Infected: Trojan-Downloader.Win32.Zlob.bni skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1C9.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1CA.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1CB.tmp Infected: Trojan-Downloader.Win32.Zlob.btq skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1CC.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1CD.tmp Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1CE.tmp Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1CF.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D0.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D1.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D2.tmp Infected: Trojan-Downloader.Win32.Zlob.bni skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D3.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D4.tmp Infected: Trojan-Downloader.Win32.Zlob.bno skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D5.tmp Infected: Trojan-Downloader.Win32.Zlob.bni skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D6.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D7.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D8.tmp Infected: Trojan-Downloader.Win32.Zlob.btq skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1D9.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1DA.tmp Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1DB.tmp Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1DC.tmp Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1DD.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1DE.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1DF.tmp Infected: Trojan-Downloader.Win32.Zlob.bni skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E0.tmp Infected: Trojan-Downloader.Win32.Zlob.bov skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E1.tmp Infected: Trojan-Downloader.Win32.Zlob.bno skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E2.tmp Infected: Trojan-Downloader.Win32.Zlob.bni skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E3.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E4.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E5.tmp Infected: Trojan-Downloader.Win32.Zlob.btq skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E6.tmp Infected: Trojan-Downloader.Win32.Zlob.bvp skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E7.tmp Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E9.tmp/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E9.tmp/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E9.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E9.tmp/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E9.tmp NSIS: infected - 4 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1E9.tmp CryptFF.b: infected - 4 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EA.tmp Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EB.tmp Infected: not-a-virus:AdWare.Win32.180Solutions.ae skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EC.tmp Infected: Backdoor.Win32.Small.or skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1ED.tmp Infected: Backdoor.Win32.Small.or skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp/instbb.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp/instbb.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp/instbb.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp/inviteexact.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.al skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp CAB: infected - 4 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp MimarSinan: infected - 4 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp UPX: infected - 4 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EF.tmp CryptFF.b: infected - 4 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F0.tmp Infected: Trojan-Downloader.Win32.Small.emd skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F1.tmp Infected: Backdoor.Win32.Small.or skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F2.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F4.tmp/invnexus.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.al skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F4.tmp/nexus272.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F4.tmp CAB: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F4.tmp MimarSinan: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F4.tmp UPX: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F4.tmp CryptFF.b: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F5.tmp/invnexus.exe Infected: not-a-virus:AdWare.Win32.SurfSide.s skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F5.tmp/nexus272.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F5.tmp CAB: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F5.tmp MimarSinan: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F5.tmp UPX: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F5.tmp CryptFF.b: infected - 2 skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F6.tmp Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F7.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F8.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1F9.tmp Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1FA.tmp Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\Program Files\Trend Micro\Internet Security\Trusted.dat Object is locked skipped
C:\Program Files\Video ActiveX Access\iesbpl.dll Infected: not-a-virus:AdWare.Win32.Agent.cu skipped
C:\Program Files\Video Add-on\ictmdl.dll Infected: Trojan-Downloader.Win32.Zlob.dsa skipped
C:\Program Files\Video Add-on\ictun.exe Infected: Trojan-Downloader.Win32.Zlob.dsb skipped
C:\Program Files\Video Add-on\icun.exe Infected: Trojan-Downloader.Win32.Zlob.drj skipped
C:\Program Files\Video Add-on\isfmdl.dll Infected: Trojan-Downloader.Win32.Zlob.drk skipped
C:\Program Files\Video Add-on\isfmm.exe Infected: Trojan-Downloader.Win32.Zlob.drl skipped
C:\Program Files\Video Add-on\isfmntr.exe Infected: Trojan-Downloader.Win32.Zlob.drm skipped
C:\Program Files\Video Add-on\isfun.exe Infected: Trojan-Downloader.Win32.Zlob.dsc skipped
C:\System Volume

Part one of two
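
An added example, not from the original post and not a Kaspersky tool: a Python triage parser for this report format. It separates "Object is locked" entries (registry hives, logs and caches the scanner could not open; these are not detections) from real detections, drops the per-packer roll-up lines ("NSIS: infected - 3", "CryptFF.b: infected - 4", which repeat verdicts already listed for the archive members), collapses archive members such as `path/stream/data0002` onto their host file, and buckets each file by where it lives (Trend Micro quarantine, a System Restore point, browser cache, or live on disk) and by whether the verdict carries Kaspersky's `not-a-virus:` prefix. The sample lines are copied from the report above; the location rules and the decision to prefer a malware verdict over a PUA verdict for the same file are my assumptions.

```python
"""Triage a Kaspersky Online Scanner report: separate what is actually live on
disk from quarantine and System Restore copies, and PUA from real malware."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: nine lines copied from the report above (the real file runs to hundreds).
SAMPLE_REPORT = r"""
C:\80.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\80.tmp NSIS: infected - 3 skipped
C:\cd1041.nls Infected: SpamTool.Win32.Agent.u skipped
C:\Documents and Settings\Compaq_Owner\NTUSER.DAT Object is locked skipped
C:\Program Files\Online Add-on\ictmdl.dll Infected: Trojan-Downloader.Win32.Zlob.eix skipped
C:\Program Files\Trend Micro\Internet Security\Quarantine\1EC.tmp Infected: Backdoor.Win32.Small.or skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002814.exe Infected: Trojan-Downloader.Win32.Zlob.drg skipped
C:\WINDOWS\svchost.exe Infected: Backdoor.Win32.Hupigon.bft skipped
C:\Program Files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
"""

DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED = re.compile(r"^(?P<path>.+) Object is locked skipped$")
CONTAINER = re.compile(r"^(?P<path>.+?) [\w.]+: infected - \d+ skipped$")  # per-packer roll-up, no new info


@dataclass(frozen=True)
class Detection:
    host_file: str      # on-disk file; archive members (path/stream/data0002) collapse onto it
    name: str           # full Kaspersky verdict string
    pua: bool           # "not-a-virus:" prefix: adware/fraud tools rather than a backdoor
    behaviour: str      # Trojan-Downloader, Backdoor, AdTool, ...
    family: str         # Zlob, Hupigon, MyWebSearch, ...
    location: str       # live | quarantined | restore-point | browser-cache


def classify_location(path: str) -> str:
    """Bucket by path (assumed rules for this machine's layout)."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"      # already disarmed by the resident AV; safe to delete
    if "\\system volume information\\_restore" in p:
        return "restore-point"    # only comes back if someone restores that point
    if "\\temporary internet files\\" in p:
        return "browser-cache"    # downloaded payload copies, not necessarily ever run
    return "live"


def parse_verdict(name: str):
    """Kaspersky names are [not-a-virus:]Behaviour.Platform.Family[.variant]."""
    pua = name.startswith("not-a-virus:")
    parts = name.split(":", 1)[-1].split(".")
    behaviour = parts[0]
    family = parts[2] if len(parts) > 2 else parts[0]
    return pua, behaviour, family


def parse_report(text: str):
    """Return (list of Detection, count of locked objects) for one report."""
    detections, locked = {}, 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if LOCKED.match(line):
            locked += 1
            continue
        if CONTAINER.match(line):
            continue
        m = DETECTION.match(line)
        if not m:
            continue
        host = m["path"].split("/", 1)[0]          # strip the archive-member suffix
        pua, behaviour, family = parse_verdict(m["name"])
        # one record per on-disk file; a real-malware verdict outranks a PUA verdict
        prev = detections.get(host)
        if prev is None or (prev.pua and not pua):
            detections[host] = Detection(host, m["name"], pua, behaviour, family,
                                         classify_location(host))
    return list(detections.values()), locked


def summarize(detections):
    """Tally by (location, malware|pua) and list the live malware to remove first."""
    tally = Counter((d.location, "pua" if d.pua else "malware") for d in detections)
    live_malware = sorted(d.host_file for d in detections if d.location == "live" and not d.pua)
    return dict(tally), live_malware


if __name__ == "__main__":
    dets, locked = parse_report(SAMPLE_REPORT)
    tally, live = summarize(dets)
    for (where, kind), n in sorted(tally.items()):
        print(f"{where:14s} {kind:8s} {n}")
    print(f"{locked} locked object(s) skipped (hives, logs; not detections)")
    print("live malware to deal with first:", *live, sep="\n  ")
```

Run over the full report, the "live" bucket is the short list that matters: it includes C:\WINDOWS\svchost.exe (the genuine svchost.exe lives in system32, never in the Windows root), the Online Add-on and Video Add-on Zlob droppers, and the .nls files in the drive root, while the long Trend Micro Quarantine and _restore runs that dominate the listing fall into buckets that are not executing anything.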

MFrost
2008-01-21, 02:26
Part two of Kaspersky scan

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002707.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002708.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002709.EXE Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002710.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002711.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002712.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002713.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002714.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002715.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002716.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002717.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002718.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002719.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002720.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002721.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002722.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002723.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002724.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002725.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002726.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002727.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002728.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002729.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002730.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002731.SCR Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002732.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002733.EXE Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002734.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002735.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002736.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002737.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002738.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002739.EXE Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002740.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002741.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002742.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002743.EXE Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002744.EXE Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002745.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002746.EXE Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002747.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002748.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002749.DLL Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002750.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002751.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002752.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002753.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002754.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002755.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002756.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002757.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002758.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002759.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002760.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002761.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002762.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002763.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002764.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002765.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002766.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002767.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002768.dll Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002769.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002770.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002771.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002772.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002773.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002774.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002775.exe Object is locked skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002810.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002814.exe Infected: Trojan-Downloader.Win32.Zlob.drg skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002815.exe Infected: Trojan-Downloader.Win32.Zlob.drh skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002817.exe Infected: Trojan-Downloader.Win32.Small.goz skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002827.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.j skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\A0002876.exe Infected: not-a-virus:FraudTool.Win32.AntiVirGear.e skipped
C:\System Volume Information\_restore{2466A83D-1B81-456E-9766-38C2B7E48210}\RP5\change.log Object is locked skipped
C:\WINDOWS\adsp.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\WINDOWS\adsp.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\WINDOWS\adsp.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\distro_SelectRebatesSetup_um1001.exe Infected: Trojan-Spy.Win32.Agent.aan skipped
C:\WINDOWS\dxdiag.dll Infected: not-a-virus:AdWare.Win32.Agent.ek skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\svchost.exe Infected: Backdoor.Win32.Hupigon.bft skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\startdrv.exe Infected: Trojan-Downloader.Win32.Agent.esx skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\zgbinvite.exe/gb.exe Infected: Trojan-Downloader.Win32.Small.asf skipped
C:\WINDOWS\zgbinvite.exe CAB: infected - 1 skipped
C:\WINDOWS\zgbinvite.exe MimarSinan: infected - 1 skipped
C:\WINDOWS\zgbinvite.exe UPX: infected - 1 skipped
D:\I386\Apps\APP14734\src\HPSummer2005.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
D:\I386\Apps\APP14734\src\HPSummer2005.exe WiseSFX: infected - 1 skipped
D:\I386\Apps\APP14734\src\HPSummer2005.exe WiseSFXDropper: infected - 1 skipped

Scan process completed.

Thanks in advance for any help you can give me.

ken545
2008-01-21, 11:50
Mark,

I closed your other thread so we will just work this one. AntiSpywareShield is a rogue program and actually a trojan.


Download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) to your desktop.
http://i24.photobucket.com/albums/c30/ken545/SmitfraudZip.jpg

Extract the content (a folder named SmitfraudFix) to your Desktop.
http://i24.photobucket.com/albums/c30/ken545/SMFolder.jpg


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
http://i24.photobucket.com/albums/c30/ken545/SmitfraudCMD.jpg

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.





Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Let me see the Smitfraud log, the ComboFix log and a new HJT log.

MFrost
2008-01-21, 19:01
Hi Ken

This computer is really SLOOOOOOOOOW.

I will post each separately; first, Smitfraud.

SmitFraudFix v2.274

Scan done at 9:49:43.92, Mon 01/21/2008
Run from C:\Documents and Settings\Compaq_Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Compaq_Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\COMPAQ~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.94.156.1
DNS Server Search Order: 68.94.157.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{EEA5365B-DB06-40B8-8358-FCB6E48C2E7C}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{EEA5365B-DB06-40B8-8358-FCB6E48C2E7C}: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.94.156.1 68.94.157.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

MFrost
2008-01-21, 19:09
Now the ComboFix

Note: Ran into a problem with this while it was creating the log, at Find3M.

Do not run any programs until ComboFix has finished.
Findstr: Search string too long.

Error came up - Windows. No Disk
Exception processing message c0000013 parameters 75b6bf9c 4 75b6bf9c 75b6bfc9

Then another window popped up asking to continue, try again or cancel. Neither one would work. It took several attempts just to close.

Here's the log

ComboFix 08-01-20.1 - Compaq_Owner 2008-01-21 9:56:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.173 [GMT -6:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\All Users\Application Data\Starware406
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\1270_button_1b_def.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\1271_button_1b_def.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\1271_button_1b_over.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\Button_50.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\Button_60.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\Button_70.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\WeatherHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware406\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware406\contexts\Related.xml
C:\Documents and Settings\All Users\Application Data\Starware406\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware406\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware406\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware406\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware406\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware406\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware406\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware406\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Program Files\Common Files\mantec~1
C:\Program Files\downloadmanager\p2pl.exe
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule2.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mediapipe
C:\Program Files\mediapipe\Agent.dll
C:\Program Files\mediapipe\altpayments_terms.txt
C:\Program Files\mediapipe\api.exe
C:\Program Files\mediapipe\DownloadManager.exe
C:\Program Files\mediapipe\ErrorLog.txt
C:\Program Files\mediapipe\install.log
C:\Program Files\mediapipe\ItBill_terms.txt
C:\Program Files\mediapipe\MediaPipe.exe
C:\Program Files\mediapipe\MediaPipe.ini
C:\Program Files\mediapipe\MPTray.exe
C:\Program Files\mediapipe\MPUpdate.exe
C:\Program Files\mediapipe\p2pl.exe
C:\Program Files\mediapipe\uninst.exe
C:\Program Files\outerinfo
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\AlConfig.xml
C:\Program Files\p2pnetworks\alp2plib.log
C:\Program Files\p2pnetworks\alp2plib.log.bak
C:\Program Files\p2pnetworks\bak\mpp2pl.exe
C:\Program Files\p2pnetworks\install.log
C:\Program Files\p2pnetworks\p2pnetworks.exe
C:\Program Files\p2pnetworks\sp2p.cache
C:\Program Files\p2pnetworks\uninst.exe
C:\Program Files\SoftwareOnline
C:\Program Files\Starware406
C:\Program Files\Starware406\bin\Starware406.dll
C:\Program Files\Starware406\Starware406Config.xml
C:\Program Files\Starware406\Starware406Uninstall.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\search_res.txt
D:\Autorun.inf

----- Unknown downloads made by BITS: ----
http://javadl.sun.com
.
((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
.

2008-01-21 10:00 . 2008-01-21 10:00 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Starware406
2008-01-21 09:56 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-21 09:49 . 2008-01-21 09:49 1,748 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-20 17:06 . 2008-01-20 17:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-20 15:02 . 2008-01-20 15:02 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-01-20 14:42 . 2008-01-20 14:42 <DIR> d-------- C:\Program Files\Brownie
2008-01-20 14:42 . 2008-01-20 14:42 <DIR> d-------- C:\Program Files\Brother
2008-01-19 23:58 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-19 21:45 . 2008-01-19 22:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-19 19:47 . 2008-01-19 19:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-19 19:47 . 2008-01-19 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-19 15:22 . 2008-01-20 14:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-01-19 14:15 . 2008-01-19 14:16 4 --a------ C:\WINDOWS\msoffice.ini
2008-01-19 13:38 . 2008-01-19 13:38 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-18 20:58 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-18 20:53 . 2008-01-18 20:53 <DIR> d---s---- C:\Documents and Settings\Compaq_Owner\UserData
2008-01-18 19:12 . 2008-01-18 19:12 36,864 --a------ C:\WINDOWS\DBNAMES.CFG
2008-01-18 19:11 . 2008-01-18 19:11 <DIR> d-------- C:\Program Files\Common Files\Pervasive Software
2008-01-18 19:11 . 2008-01-18 19:11 52 --a------ C:\WINDOWS\WUCADMIN.INI
2008-01-18 19:11 . 2008-01-18 19:11 52 --a------ C:\WINDOWS\W32UCADM.INI
2008-01-18 19:10 . 2008-01-18 19:10 <DIR> d-------- C:\pvswarch
2008-01-18 19:10 . 1998-10-19 20:34 37,062 --a------ C:\WINDOWS\system32\ODBCINST.HLP
2008-01-18 19:10 . 1998-10-19 20:34 324 --a------ C:\WINDOWS\system32\ODBCINST.CNT
2008-01-18 19:09 . 1998-11-30 15:41 1,646,592 --a------ C:\WINDOWS\system32\og70as.dll
2008-01-18 19:09 . 1998-11-01 14:11 1,204,224 --a------ C:\WINDOWS\system32\ot60as.dll
2008-01-18 19:09 . 1998-11-01 14:08 167,936 --a------ C:\WINDOWS\system32\osc60as.dll
2008-01-18 19:09 . 1997-10-07 06:12 43,760 --a------ C:\WINDOWS\system\nwlocale.dll
2008-01-18 18:34 . 2008-01-18 20:09 <DIR> d-------- C:\ISTS
2008-01-18 18:27 . 2008-01-18 19:12 <DIR> d-------- C:\PVSW
2008-01-18 18:27 . 2008-01-18 18:27 <DIR> d-------- C:\Program Files\Common Files\Pervasive Software Shared
2008-01-18 18:27 . 2008-01-18 18:27 544,816 --a------ C:\WINDOWS\system32\pscl.dll
2008-01-18 18:27 . 2008-01-18 18:27 254,002 --a------ C:\WINDOWS\system32\pscore.dll
2008-01-18 18:27 . 2002-07-20 10:36 251,016 --a------ C:\WINDOWS\system32\keyhelp.ocx
2008-01-18 18:27 . 2008-01-18 18:27 146,976 --a------ C:\WINDOWS\system32\mfcoleui.dll
2008-01-18 18:27 . 2008-01-18 18:27 43,760 --a------ C:\WINDOWS\system32\nwlocale.dll
2008-01-18 18:27 . 2002-06-30 09:40 19,456 --a------ C:\WINDOWS\keyhh.exe
2008-01-18 18:27 . 2008-01-18 19:11 184 --a------ C:\WINDOWS\BTI.INI
2008-01-18 18:13 . 2008-01-18 18:13 137,728 --a------ C:\WINDOWS\system32\zipdll.dll
2008-01-18 18:13 . 2008-01-18 18:13 119,808 --a------ C:\WINDOWS\system32\unzdll.dll
2008-01-17 23:04 . 2008-01-17 23:04 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Sonic
2008-01-17 23:04 . 2008-01-17 23:04 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Leadertech
2008-01-17 22:23 . 2008-01-19 13:57 3,120 --a------ C:\WINDOWS\system32\HAF9SE8J.ocx
2008-01-17 22:22 . 2004-08-04 06:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-17 22:21 . 2005-04-21 10:01 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\WINDOWS
2008-01-17 22:21 . 2005-04-21 10:24 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2008-01-17 22:21 . 2005-04-21 10:16 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SampleView
2008-01-17 22:21 . 2005-04-21 10:20 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\InterMute
2008-01-17 22:21 . 2005-04-21 10:00 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Apple Computer
2008-01-17 22:21 . 2008-01-17 22:22 1,850 -rahs---- C:\WINDOWS\system32\drivers\103C_HP_CPC_PX790AA-ABA SR1511NX NA530_YC_0Pres_QCNH519_E53NAheRED1_47_ISalmon_SASUSTek Computer INC._V1.04_B3.12_T050420_WXH2_L409_M384_J100_7AMD_8Sempron_91.81_#050917_N10390900_Z10573052_G10396330.MRK
2008-01-17 22:20 . 2005-04-21 10:01 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-01-17 21:54 . 2008-01-20 13:50 <DIR> dr-hs---- C:\WINDOWS\system32\dllcache
2008-01-01 21:47 . 2008-01-01 21:47 92,392 --a------ C:\mssync20.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 253,952 2004-10-14 20:54:32 C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w 253,952 2004-10-14 20:54:32 C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

----a-r 313,472 2006-03-30 22:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-r 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 57,344 2005-06-07 05:46:24 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe

----a-w 180,269 2005-04-21 15:49:57 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 180,269 2005-04-21 15:49:57 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 58,992 2005-03-23 20:34:32 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 245,760 2005-02-26 05:34:02 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 245,760 2005-02-26 05:34:02 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

----a-w 57,344 2004-01-16 10:04:08 C:\Program Files\Lexmark 4200 Series\bak\lxbmbmgr.exe
----a-w 57,344 2004-01-16 10:04:08 C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe

----a-w 98,304 2005-04-21 16:00:27 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 98,304 2005-04-21 16:00:27 C:\Program Files\QuickTime\qttask.exe

----a-w 4,530,176 2005-08-22 22:20:00 C:\Program Files\Registry Cleaner Trial\bak\RegClean.exe

----a-w 4,662,776 2006-12-01 03:49:04 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 114,688 2006-03-11 00:24:38 C:\QooBox\Quarantine\C\Program Files\p2pnetworks\bak\mpp2pl.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiSpywareShield"="C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-01-04 17:54 49152 C:\WINDOWS\system32\SiSPower.dll]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 23:34 245760]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 14:54 253952]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-04-21 09:49 180269]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SMSERIAL"=sm56hlpr.exe

R2 Pervasive.SQL 2000 (relational);Pervasive.SQL 2000 (relational);"C:\PVSW\BIN\W3SQLMGR.EXE" [2001-03-21 22:40]
R2 Pervasive.SQL 2000 (transactional);Pervasive.SQL 2000 (transactional);"C:\PVSW\BIN\NTBTRV.EXE" [2001-03-21 23:38]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-20 06:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 17:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-21 16:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 19:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-12 20:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-12 21:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 20:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 21:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 22:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 23:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-21 00:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 09:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-21 01:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 02:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 03:00:01 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 06:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-18 05:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 06:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 09:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 10:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 11:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 12:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 10:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 13:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-15 12:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-15 13:02:38 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 16:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 17:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-21 16:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 19:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-12 20:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-12 21:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-20 20:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 11:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-20 21:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-20 22:00:01 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-20 23:00:01 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-21 00:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-21 01:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-20 02:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-20 03:00:01 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 06:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-18 05:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\Hh1y30tI.exe
"2008-01-13 12:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 13:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-15 12:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-15 13:02:38 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-13 16:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\wEPx4qSI.exe
"2008-01-18 04:27:33 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-21 10:00:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-21 10:07:25
ComboFix-quarantined-files.txt 2008-01-21 16:07:23
.
2008-01-20 19:51:52 --- E O F ---

MFrost
2008-01-21, 19:18
OK now the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:55 AM, on 1/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PVSW\BIN\W3SQLMGR.EXE
C:\PVSW\BIN\NTBTRV.EXE
C:\PVSW\BIN\NTDBSMGR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\MFrost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AntiSpywareShield] C:\Program Files\AntiSpywareShield\AntiSpywareShield.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE
O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE

--
End of file - 5083 bytes

I'm going to shut down and restart. I'll be back later. It only took me about 25 minutes just to post.


Mark

ken545
2008-01-21, 19:47
Mark,


You have some major issues going on with this computer; you have a trojan that has replaced legit Windows files with its own infected version.


My thinking, if it was me: I would take this computer back to whoever you bought it from and get my money back. It's so heavily infected that it will leave this computer compromised; what that means is that even after we clean you up, I would be reluctant to do any online transactions with this system. If this computer was mine I would do a reformat and a clean install of Windows. But it's your call if you want to proceed.



We still have some major work to do with Combofix, and also this.


You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder.


Let me know if you want to proceed. I am at work at the moment and will post this to you later this afternoon.
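An added example, not part of this thread and not code from ComboFix or SmitfraudFix: the "bak" folder behaviour described in the post above is exactly what the AWF section of the ComboFix log posted earlier shows, where each displaced program is listed beside a copy in a bak sub-folder. The Python below parses that section (the sample lines are copied from the log in this thread), pairs each backup with its live twin, and then, on a small constructed directory tree, hashes the two copies, because an equal size and timestamp say nothing about whether the live file is still the original. The function names and the constructed tree are the example's own, not anything the tools or the thread define.

```python
# Spot the 'bak folder' pattern of the AWF downloader in a ComboFix log and on disk.
import hashlib
import os
import re
import tempfile
from pathlib import PureWindowsPath

# Lines copied from the AWF section of the ComboFix log posted in this thread.
AWF_SECTION = r"""
----a-w 253,952 2004-10-14 20:54:32 C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w 253,952 2004-10-14 20:54:32 C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe

----a-r 313,472 2006-03-30 22:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
----a-r 313,472 2006-03-30 21:45:08 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

----a-w 58,992 2005-03-23 20:34:32 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
"""

# ComboFix prints "<attributes> <size> <date> <time> <path>"; the size has thousands separators.
_LINE = re.compile(r"^(\S+)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(.+?)\s*$")


def parse_awf_section(text):
    """Return one dict per file line (attrs, size as int, timestamp, path); blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            attrs, size, date, time, path = m.groups()
            entries.append({"attrs": attrs, "size": int(size.replace(",", "")),
                            "timestamp": f"{date} {time}", "path": path})
    return entries


def find_bak_pairs(entries):
    """Map each displaced original (lower-cased path) to its 'bak' copy and its live twin.

    A file whose parent folder is named 'bak' is the moved-aside original; the live
    twin has the same name one level up.  Windows paths compare case-insensitively.
    """
    by_path = {e["path"].lower(): e for e in entries}
    pairs = {}
    for e in entries:
        p = PureWindowsPath(e["path"])
        if p.parent.name.lower() != "bak":
            continue
        original = str(p.parent.parent / p.name).lower()
        live = by_path.get(original)  # None when ComboFix listed only the backup copy
        pairs[original] = {"backup": e, "live": live,
                           "same_size": live is not None and live["size"] == e["size"]}
    return pairs


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree_for_bak_twins(root):
    """Walk a tree; return (live_path, backup_path, contents_differ) for every file under a 'bak' folder.

    The two copies are hashed because matching size and timestamp prove nothing;
    a differing hash means the live file is not the program that was moved aside.
    live_path is None (and contents_differ None) for a backup with no live twin.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        live_dir = os.path.dirname(dirpath)
        live_names = {n.lower(): n for n in os.listdir(live_dir)
                      if os.path.isfile(os.path.join(live_dir, n))}
        for name in filenames:
            backup = os.path.join(dirpath, name)
            twin = live_names.get(name.lower())
            if twin is None:
                findings.append((None, backup, None))
            else:
                live = os.path.join(live_dir, twin)
                findings.append((live, backup, _sha256(live) != _sha256(backup)))
    return findings


def demo_on_temp_tree():
    """Constructed tree: one program swapped for a same-length file, plus an orphan backup."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "App")
        os.makedirs(os.path.join(app, "bak"))
        with open(os.path.join(app, "bak", "prog.exe"), "wb") as f:
            f.write(b"original program bytes")   # the moved-aside original
        with open(os.path.join(app, "prog.exe"), "wb") as f:
            f.write(b"trojaned program bytes")   # same length, different content
        with open(os.path.join(app, "bak", "orphan.exe"), "wb") as f:
            f.write(b"backup without a live twin")
        return {os.path.basename(b): (live is not None, differs)
                for live, b, differs in scan_tree_for_bak_twins(root)}


if __name__ == "__main__":
    for original, info in find_bak_pairs(parse_awf_section(AWF_SECTION)).items():
        print(original, "-> live twin listed" if info["live"] else "-> only the backup listed")
    print(demo_on_temp_tree())
```

Run as-is it reports, from the pasted log lines, which originals still have a live twin listed (ccApp.exe has only the backup) and then shows the on-disk check flagging prog.exe as replaced while orphan.exe has no live counterpart. On a real machine the same scan_tree_for_bak_twins function can be pointed at C:\Program Files to list candidates for the helper to review.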

MFrost
2008-01-22, 04:28
Ken

Thank you for taking a look at this for me.

I'm going with option 1.
I'm in the process right now of trying to get in touch with that person, and once I do I am going to go off on a TANGENT on him. I asked him straight up if there was or is any problems I need to know about on this computer. :devil:

I'll get back with you with the results.

Thanks again you have been a big help for me.

Mark

ken545
2008-01-22, 04:58
Mark,

This is what you can do: look at the ComboFix log you posted. All the programs in the AWF section are infected by the Downloader.Agent.awf or Downloader.Agent.ayy; you're also infected with the Smitfraud trojan, along with a few other goodies thrown in for good measure. You're more than welcome to print out the logs and my comments if needed.

Sorry for all your troubles, but I will be here if you need me in the future; if this thread is closed just PM me and we can reopen it.

Ken