Infected!



snowbourn
2008-05-17, 21:51
I got a few bugs from a bad video codec (I'm trying to get my soundcard to work with XP). Can you help me please? I thought I got it with the Spybot scan, but it all came back.
Here's the Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, May 17, 2008 10:50:41 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/05/2008
Kaspersky Anti-Virus database records: 779981
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 129351
Number of viruses found: 19
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 06:49:14

Infected Object Name / Virus Name / Last Action
C:\Program Files\Honda\setiathome.exe Infected: not-a-virus:NetTool.Win32.Calc-SETI@Home.a skipped
C:\Program Files\Triumph\setiathome.exe Infected: not-a-virus:NetTool.Win32.Calc-SETI@Home.a skipped
C:\Program Files\Enigma Software Group\SpyHunter\Backup\WEBInstaller.dll.bak Infected: not-a-virus:AdWare.Win32.Sahat.bw skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\sysex.zip/setup.exe Infected: Trojan-Downloader.Win32.IstBar.nk skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\sysex.zip ZIP: infected - 1 skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\voyetra multimedia.zip/setup.exe/stream Infected: Trojan-Downloader.Win32.IstBar.no skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\voyetra multimedia.zip/setup.exe Infected: Trojan-Downloader.Win32.IstBar.no skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\voyetra multimedia.zip ZIP: infected - 2 skipped
C:\Program Files\New Folder\setup.exe/data0011/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\Program Files\New Folder\setup.exe/data0011/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\Program Files\New Folder\setup.exe/data0011 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\Program Files\New Folder\setup.exe/data0012/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\Program Files\New Folder\setup.exe/data0012/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\Program Files\New Folder\setup.exe/data0012 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\Program Files\New Folder\setup.exe NSIS: infected - 6 skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe/data0011/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe/data0011/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe/data0011 Infected: not-a-virus:AdWare.Win32.TrafficSol.m skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe/data0012/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe/data0012/stream Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe/data0012 Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip/setup.exe Infected: not-a-virus:AdWare.Win32.BHO.jj skipped
C:\My Downloads\[Full] bounce the game with Bonus.zip ZIP: infected - 7 skipped
C:\unzipped\hackers utilties, password cracker\Huc.exe Infected: HackTool.Win32.Agent.ag skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\ssqOIAsR.dll Infected: Trojan.Win32.Inject.cac skipped
C:\WINDOWS\SYSTEM32\ddcDtQKd.dll Infected: Trojan.Win32.Inject.cac skipped
C:\WINDOWS\mpfanvqg.dll Infected: Trojan.Win32.Vapsup.fdl skipped
C:\WINDOWS\TEMP\mcmsc_6vXPqYUGia18fVg Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_JdI86yba8IIqQfu Object is locked skipped
C:\WINDOWS\TEMP\mcafee_Up1VW4BC0WejaRx Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_REiZzzpNi7bwamS Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_JFSY2jCXg4o5U7b Object is locked skipped
C:\WINDOWS\TEMP\mcafee_v5C1eaQZvpS8Kkg Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\oadkxrts.exe Infected: Trojan.Win32.Vapsup.fdg skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D269F537-4B4A-4F13-9D3C-B4919FE766C4}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\spybot setup.exe/file3 Infected: not-a-virus:FraudTool.Win32.SpywareBot.g skipped
C:\Documents and Settings\Administrator\My Documents\spybot setup.exe/file4 Infected: not-a-virus:FraudTool.Win32.SpywareBot.j skipped
C:\Documents and Settings\Administrator\My Documents\spybot setup.exe Inno: infected - 2 skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Misti Garner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Misti Garner\Local Settings\Temp\.tt3C.tmp Object is locked skipped
C:\Documents and Settings\Misti Garner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Misti Garner\Local Settings\History\History.IE5\MSHist012008051720080518\index.dat Object is locked skipped
C:\Documents and Settings\Misti Garner\Local Settings\Temporary Internet Files\Content.IE5\45I749EB\installer_125[1].exe Infected: not-a-virus:FraudTool.Win32.SpywareIsolator.t skipped
C:\Documents and Settings\Misti Garner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Misti Garner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Misti Garner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Misti Garner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Misti Garner\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP66\A0002773.dll Infected: Trojan.Win32.Vapsup.fdn skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP66\A0002774.dll Infected: Trojan.Win32.Vapsup.fdm skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP69\A0003084.exe Infected: not-a-virus:FraudTool.Win32.MalWarrior.r skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP69\A0003098.dll Infected: Trojan.Win32.Vapsup.fdn skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP69\A0003099.dll Infected: Trojan.Win32.Vapsup.fdm skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003444.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003444.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003444.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003444.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003444.exe WiseSFXDropper: infected - 3 skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003451.dll Infected: Trojan.Win32.Vapsup.fdp skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP71\change.log Object is locked skipped

Scan process completed.

And the HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:40 PM, on 5/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\rundll32.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Administrator\My Documents\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EEDEF161-573C-4CC0-83E5-1F4CD35BB459} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [286d1e4a] rundll32.exe "C:\WINDOWS\System32\mtlmjlha.dll",b
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\MISTIG~1\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [Winnt32RunOnceWarning] user.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - Global Startup: Microsoft Greetings Reminders.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210897470509
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5294/mcfscan.cab
O21 - SSODL: vbksrofa - {D9C3C608-D98A-41C6-94A9-29A363064E58} - C:\WINDOWS\vbksrofa.dll (file missing)
O21 - SSODL: mpfanvqg - {ADEC6E0A-FCE8-4FC3-A481-9E08E8443C54} - C:\WINDOWS\mpfanvqg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6886 bytes

Thanks so much,
Misti

shelf life
2008-05-18, 03:17
Hi snowbourn,

Going by the online scan, you should delete everything in the Morpheus Ultra download folder:

C:\Program Files\StreamCast\Morpheus Ultra\Downloads

Then you should remove Morpheus Ultra (did you pay money for that?) via the Add/Remove Programs panel.

Next, a download to get and run:
Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the Malwarebytes log and a new HJT log, please.
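To make the reasoning behind "going by the online scan" explicit, here is a small triage script added to this thread; it is not from the thread, from the helper, or from Kaspersky. It assumes the result-line format of the Kaspersky Online Scanner report quoted above: a path (archive members separated by "/"), then "Infected: <name>", "Object is locked" or an archive summary such as "ZIP: infected - 1", then the last action. The sample lines are constructed by copying a few entries from that report. The script separates detections the scanner tags "not-a-virus:" (adware/riskware) from real malware, collapses nested archive members and archive summary lines so one infected download is counted once, and groups the rest by folder, which is what points at the Morpheus Ultra Downloads folder.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a few result lines in the format of the Kaspersky Online
# Scanner report quoted in the thread (path, then status, then last action).
SAMPLE_REPORT = r"""
C:\Program Files\Honda\setiathome.exe Infected: not-a-virus:NetTool.Win32.Calc-SETI@Home.a skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\sysex.zip/setup.exe Infected: Trojan-Downloader.Win32.IstBar.nk skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\sysex.zip ZIP: infected - 1 skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\voyetra multimedia.zip/setup.exe/stream Infected: Trojan-Downloader.Win32.IstBar.no skipped
C:\Program Files\StreamCast\Morpheus Ultra\Downloads\voyetra multimedia.zip/setup.exe Infected: Trojan-Downloader.Win32.IstBar.no skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\ssqOIAsR.dll Infected: Trojan.Win32.Inject.cac skipped
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP66\A0002773.dll Infected: Trojan.Win32.Vapsup.fdn skipped
Scan process completed.
"""

# One result line: a path (may contain spaces and "/"-separated archive members),
# one of three status forms, then the last action the scanner took.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)


def parse_report(text):
    """Parse result lines into dicts; header/footer lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        # "/" only appears as the archive-member separator in this format, so the
        # part before the first "/" is the file that actually sits on disk.
        disk_path = path.split("/", 1)[0]
        folder = disk_path.rsplit("\\", 1)[0]
        if m.group("locked"):
            kind, name, severity = "locked", None, None
        elif m.group("container"):
            kind, name, severity = "container", m.group("container"), None
        else:
            kind, name = "infected", m.group("name")
            # Kaspersky tags adware/riskware "not-a-virus:"; everything else is malware.
            severity = "riskware" if name.startswith("not-a-virus:") else "malware"
        records.append({"path": path, "disk_path": disk_path, "folder": folder,
                        "kind": kind, "name": name, "severity": severity,
                        "action": m.group("action")})
    return records


def summarize_by_folder(records):
    """Count distinct (on-disk file, detection) pairs per folder, split by severity.

    Archive summary lines ("ZIP: infected - 1") and nested archive members report
    the same detection several times, so they are deduplicated rather than
    inflating the count.
    """
    seen = set()
    summary = defaultdict(Counter)
    for r in records:
        if r["kind"] != "infected":
            continue
        key = (r["disk_path"], r["name"])
        if key in seen:
            continue
        seen.add(key)
        summary[r["folder"]][r["severity"]] += 1
    return summary


def folders_to_review(records):
    """Folders ordered by distinct malware detections, most first; riskware breaks ties."""
    summary = summarize_by_folder(records)
    ordered = sorted(summary.items(),
                     key=lambda kv: (-kv[1]["malware"], -kv[1]["riskware"], kv[0]))
    return [folder for folder, _ in ordered]


def count_locked(records):
    """Objects the scanner could not open (registry hives, event logs, AV data files)."""
    return sum(1 for r in records if r["kind"] == "locked")


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for folder in folders_to_review(recs):
        counts = summarize_by_folder(recs)[folder]
        print(f"{counts['malware']:2d} malware / {counts['riskware']:2d} riskware  {folder}")
    print(f"{count_locked(recs)} locked object(s) were not scanned")
```

The "Object is locked" entries are registry hives, event logs and antivirus data files that Windows holds open while it is running, so the scanner could not read them; they are not detections and the script counts them separately. Entries under System Volume Information are files captured by System Restore, which is why the same trojan names recur there.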

snowbourn
2008-05-19, 20:12
Thanks for the reply. I will go ahead and delete Morpheus (yes, I paid for it... made me feel more legal). I haven't used it in well over a year, just the mp3 files.
Anyway, I will download and run the suggested program and will be back with logs. Thanks again.
snowbourn

snowbourn
2008-05-20, 00:11
Okay, here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Full Scan (C:\|)
Objects scanned: 164373
Time elapsed: 3 hour(s), 31 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 23
Registry Values Infected: 8
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 33

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\cbXNHXOe.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\adjjkrnt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\ssqOIAsR.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aab12fb6-a2af-4c40-99a1-a8b739ac9b74} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{aab12fb6-a2af-4c40-99a1-a8b739ac9b74} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cablerouting.cablerouting (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cablerouting.cablerouting.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{240a2128-acd4-4124-87af-527124caac38} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{240a2128-acd4-4124-87af-527124caac38} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqoiasr (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Interface\{6c51f7e9-8542-4f25-a30f-2060157752e1} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9d573d0e-663c-435f-bf31-2c4497373c41} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e68d42-02c4-465b-8368-5ed9b732e22d} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{90a52f08-64ac-4dc6-9d7d-4516670275d3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{90a52f08-64ac-4dc6-9d7d-4516670275d3} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{adec6e0a-fce8-4fc3-a481-9e08e8443c54} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pvnsmfor.bgxw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\pvnsmfor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{c95fe080-8f5d-11d2-a20b-00aa003c157a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{240a2128-acd4-4124-87af-527124caac38} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0\Source (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TacOnlyOne\MalWarrior (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mpfanvqg (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vbksrofa (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxnhxoe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxnhxoe -> Delete on reboot.

Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\cbXNHXOe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\eOXHNXbc.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\eOXHNXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\adjjkrnt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tnrkjjda.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\mtlmjlha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ahljmltm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssqOIAsR.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP64\A0001650.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP65\A0001680.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP65\A0001688.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP68\A0003000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP68\A0003005.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP68\A0003014.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP69\A0003020.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP69\A0003051.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP69\A0003084.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003319.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003327.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003330.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003448.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003451.dll (Trojan.FalkeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP70\A0003478.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP71\A0004528.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ddcDtQKd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\oadkxrts.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> Delete on reboot.


And the HJT log after the fix:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:54 PM, on 5/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Administrator\My Documents\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {0343AB8C-604F-4CFA-9620-15BB16FBD961} - C:\WINDOWS\System32\urqNFwvV.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\IESDSG.DLL
O2 - BHO: (no name) - {6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1} - C:\WINDOWS\System32\fccccAtR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: McAfee Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {EEDEF161-573C-4CC0-83E5-1F4CD35BB459} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - Global Startup: Microsoft Greetings Reminders.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210897470509
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5294/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 6972 bytes

Misti

shelf life
2008-05-20, 03:18
hi snowbourn,

OK, thanks for all the info. If all is good on your end we can do some clean-up.


yes I paid for it.
P2P apps for the most part don't cost anything. You got taken, I am afraid.

Please run Malwarebytes once more for a second pass.

shelf life

snowbourn
2008-05-20, 19:08
Here's the newest log for Malwarebytes.

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Full Scan (C:\|)
Objects scanned: 190526
Time elapsed: 3 hour(s), 43 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0436c09c-2930-476c-b323-68f69095010e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eeba5092-9abb-44b2-bf6a-874ced0d4279} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\cbXNHXOe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\eOXHNXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\eOXHNXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3750E74C-4C3B-413D-A841-426D30489CB7}\RP72\A0004580.DLL (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ssqOIAsR.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\mpfanvqg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

shelf life
2008-05-22, 01:54
hi snowbourn,


We will get another download to run:

1. Download combofix from any of these links and save it to Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the ComboFix log and a new HJT log please.


once we are done:
You are a service pack behind on Windows updates. Updates patch vulnerabilities in the OS, browser and applications. You should visit Windows Update first thing. Looks like you have broadband, a good thing because the download/install will be huge.

snowbourn
2008-05-22, 04:53
Thanks so much for your continued help. Between the last post and this one I was able to get the Windows updater to work, so I went ahead and grabbed the SP2 update while I could.

Here is the ComboFix log:


ComboFix 08-05-21.2 - Misti Garner 2008-05-21 21:28:42.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.77 [GMT -5:00]
Running from: C:\Documents and Settings\Misti Garner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\SLMSS
C:\Program Files\Common Files\SLMSS\acp1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\start.exe
C:\WINDOWS\system32\adjjkrnt.dll
C:\WINDOWS\system32\jgfvryum.ini
C:\WINDOWS\system32\lfwfifwi.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\nxktbqon.ini
C:\WINDOWS\SYSTEM32\RtAccccf.ini
C:\WINDOWS\SYSTEM32\RtAccccf.ini2
C:\WINDOWS\system32\ujjapabb.ini
C:\WINDOWS\SYSTEM32\VvwFNqru.ini
C:\WINDOWS\SYSTEM32\VvwFNqru.ini2
C:\WINDOWS\system32\ytsshyhq.ini
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-19 20:37 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\dllcache\sysmain.sdb
2008-05-19 20:37 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\SYSTEM32\dllcache\apph_sp.sdb
2008-05-19 20:37 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\SYSTEM32\dllcache\apphelp.sdb
2008-05-19 20:35 . 2008-05-19 20:35 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-19 20:32 . 2008-05-19 20:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-05-19 20:32 . 2008-05-19 20:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-05-19 18:28 . 2008-05-19 18:28 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-19 18:28 . 2008-05-19 18:28 <DIR> d-------- C:\WINDOWS\peernet
2008-05-19 18:21 . 2008-05-19 18:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-19 18:03 . 2008-05-19 18:03 <DIR> d-------- C:\WINDOWS\EHome
2008-05-19 13:15 . 2008-05-19 13:15 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\Malwarebytes
2008-05-19 13:14 . 2008-05-19 13:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 13:14 . 2008-05-19 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 13:14 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 13:14 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-16 15:02 . 2008-05-16 15:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-16 15:02 . 2008-05-16 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 08:53 . 2008-05-16 13:42 977 --a------ C:\WINDOWS\wininit.ini
2008-05-16 03:29 . 2008-05-16 03:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 03:19 . 2008-05-16 03:19 <DIR> d-------- C:\Program Files\RegistryFix6
2008-05-16 03:02 . 2008-05-16 03:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\FxsTmp
2008-05-16 03:01 . 2008-05-16 03:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 03:01 . 2008-05-16 03:01 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\TmpRecentIcons
2008-05-14 18:35 . 2008-05-14 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 18:35 . 2008-05-14 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:55 . 2008-05-13 22:55 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\Lavasoft
2008-05-13 22:54 . 2008-05-13 22:54 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\PC Tools
2008-05-13 18:30 . 2008-05-13 18:30 <DIR> d-------- C:\Program Files\CableRouting
2008-05-13 16:22 . 2008-05-13 16:22 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\AdobeUM
2008-05-13 15:42 . 2008-05-13 15:43 <DIR> d--hs---- C:\Recycled
2008-05-13 14:44 . 2007-09-28 14:27 19,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
2008-05-13 14:43 . 2008-05-13 14:43 <DIR> d-------- C:\Program Files\Philips
2008-05-13 14:43 . 2008-05-13 14:43 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\InstallShield
2008-05-12 22:46 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\SYSTEM32\DRIVERS\netwlan5.img
2008-05-12 22:46 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-05-12 22:46 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-05-12 22:46 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-05-12 22:10 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-05-12 21:32 . 2008-05-12 21:32 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-12 21:32 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-05-12 21:30 . 2008-05-12 21:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-05-12 21:29 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-05-12 21:29 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-05-12 21:29 . 2004-08-04 02:56 8,192 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-05-12 21:29 . 2004-08-04 02:56 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-05-12 21:25 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2008-05-12 21:25 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2008-05-12 21:25 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-05-12 21:25 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-05-12 21:25 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-05-12 21:25 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2008-05-12 21:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-05-12 21:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-05-12 21:25 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-05-12 21:23 . 2008-05-12 21:23 <DIR> d---s---- C:\Documents and Settings\Misti Garner\UserData
2008-05-12 18:17 . 2008-05-21 21:36 7,240 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-05-12 18:14 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-05-12 18:11 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\McAfee.com
2008-05-12 18:11 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\McAfee
2008-05-12 18:11 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-12 18:11 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-05-12 18:11 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-05-12 18:11 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-05-12 18:11 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-05-12 18:11 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-05-12 18:11 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-05-12 17:51 . 2008-05-12 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-12 16:43 . 2008-05-12 16:43 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-05-12 16:42 . 2008-05-12 16:43 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-05-12 16:40 . 2008-05-12 16:40 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-12 16:35 . 2003-03-31 07:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2008-05-12 16:34 . 2003-03-31 07:00 1,158,818 --a------ C:\WINDOWS\SYSTEM32\dllcache\korwbrkr.lex
2008-05-12 16:33 . 2003-03-31 07:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-05-12 16:32 . 2003-03-31 07:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\dllcache\chsbrkr.dll
2008-05-12 16:31 . 2008-05-12 16:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2008-05-12 16:31 . 2008-05-12 16:31 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-12 16:31 . 2001-08-17 22:36 2,134,528 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsnap.dll
2008-05-12 16:31 . 2001-08-17 22:36 175,104 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpadm.dll
2008-05-12 16:31 . 2003-03-31 12:00 19,456 --a------ C:\WINDOWS\SYSTEM32\dllcache\agt0401.dll
2008-05-12 16:31 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_adsiisex.dll
2008-05-12 16:29 . 2008-05-12 16:29 2,560 --a------ C:\WINDOWS\LnkStub.dat
2008-05-12 16:29 . 2008-05-12 16:29 683 --a------ C:\Command.LNK
2008-05-12 16:29 . 2008-05-12 16:29 667 --a------ C:\WINDOWS\COMMAND.LNK
2008-05-12 16:29 . 2008-05-12 16:29 534 --a------ C:\WINDOWS\SYSTEM32\OEMINFO.INI
2008-05-12 16:22 . 2008-05-12 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft Games
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ICQLite
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ICQ
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HP
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HotSync
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Disney Interactive
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Arcsoft
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-12 16:15 . 2008-05-12 16:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-12 16:15 . 2008-05-12 16:15 645,632 --a------ C:\WINDOWS\SYSTEM32\migicons.exe
2008-05-12 16:14 . 2008-05-12 16:14 299,552 --a------ C:\WINDOWS\WMSysPrx.prx
2008-05-12 16:14 . 2008-05-12 15:40 25,065 --a------ C:\WINDOWS\SYSTEM32\wmpscheme.xml
2008-05-12 16:14 . 2008-05-19 20:36 23,392 --a------ C:\WINDOWS\SYSTEM32\nscompat.tlb
2008-05-12 16:14 . 2008-05-19 20:36 16,832 --a------ C:\WINDOWS\SYSTEM32\amcompat.tlb
2008-05-12 16:14 . 2008-05-12 16:21 2,906 --a------ C:\WINDOWS\SYSTEM32\CONFIG.NT
2008-05-12 16:14 . 2008-05-12 16:14 0 --a------ C:\WINDOWS\control.ini
2008-05-12 16:13 . 2008-05-12 16:13 488 -rah----- C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
2008-05-12 16:13 . 2008-05-12 16:13 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-05-12 16:11 . 2004-08-04 02:56 274,944 --a------ C:\WINDOWS\SYSTEM32\mstask.dll
2008-05-12 16:11 . 2004-08-04 02:56 190,976 --a------ C:\WINDOWS\SYSTEM32\schedsvc.dll
2008-05-12 16:11 . 2008-05-12 16:11 21,640 --a------ C:\WINDOWS\SYSTEM32\emptyregdb.dat
2008-05-12 16:11 . 2004-08-04 02:56 12,288 --a------ C:\WINDOWS\SYSTEM32\mstinit.exe
2008-05-12 16:11 . 2008-05-12 16:11 37 --a------ C:\WINDOWS\vbaddin.ini
2008-05-12 16:11 . 2008-05-12 16:11 36 --a------ C:\WINDOWS\vb.ini
2008-05-12 16:08 . 2004-08-04 00:39 142,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aec.sys
2008-05-12 16:08 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\swmidi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 00:53 55,480 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-12 20:49 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 02:04 4 ----a-w C:\Program Files\console_history
2007-11-28 02:04 1,089 ----a-w C:\Program Files\players.cfg
2007-11-28 02:04 0 ----a-w C:\Program Files\banlist.txt
2007-11-28 02:03 687 ----a-w C:\Program Files\rfd3d.id
2007-10-27 22:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-01-25 18:51 266 --sh--w C:\Program Files\desktop.ini
2005-01-25 18:51 11,079 ---h--w C:\Program Files\folder.htt
2004-07-18 09:02 1,173 ----a-w C:\Program Files\INSTALL.LOG
2003-08-23 22:01 35,325 ----a-w C:\Program Files\new dezi.jpg
2003-07-28 02:09 2,966 ----a-w C:\Program Files\DeIsL1.isu
2003-06-30 02:41 12,000 ----a-w C:\Program Files\svrlist.adr
2003-06-30 02:41 0 ----a-w C:\Program Files\favlist.adr
2003-06-29 05:33 144 ----a-w C:\Program Files\motd.txt
2001-12-10 17:01 2,048,000 ----a-w C:\Program Files\RED.exe
2001-12-06 15:23 1,773,568 ----a-w C:\Program Files\RF.exe
2001-10-15 18:06 23,607,296 ----a-w C:\Program Files\ui.vpp
2001-10-15 18:06 1,294,336 ----a-w C:\Program Files\tables.vpp
2001-10-15 17:54 6,447,104 ----a-w C:\Program Files\RedFaction.exe
2001-10-02 20:15 4,052 ------w C:\Program Files\dedicated_server.txt
2001-09-02 21:41 15,736,832 ----a-w C:\Program Files\meshes.vpp
2001-09-02 21:40 246,208,512 ----a-w C:\Program Files\audio.vpp
2001-09-02 21:38 77,332,480 ----a-w C:\Program Files\maps4.vpp
2001-09-02 21:38 16,179,200 ----a-w C:\Program Files\motions.vpp
2001-09-02 21:38 12,421,120 ----a-w C:\Program Files\maps_en.vpp
2001-09-02 21:37 81,369,088 ----a-w C:\Program Files\maps3.vpp
2001-09-02 21:36 81,113,088 ----a-w C:\Program Files\maps2.vpp
2001-09-02 21:36 78,080,000 ----a-w C:\Program Files\maps1.vpp
2001-09-02 21:35 50,063,360 ----a-w C:\Program Files\levelsm.vpp
2001-09-02 21:34 69,818,368 ----a-w C:\Program Files\levels2.vpp
2001-09-02 21:34 62,248,960 ----a-w C:\Program Files\levels3.vpp
2001-09-02 21:33 68,800,512 ----a-w C:\Program Files\levels1.vpp
2001-09-02 21:04 61,530 ------w C:\Program Files\test.wav
2001-09-02 20:51 65,296 ------w C:\Program Files\red.hlp
2001-09-02 20:51 4 ------w C:\Program Files\build.ver
2001-09-02 20:51 38,811 ------w C:\Program Files\README.TXT
2001-09-02 20:51 369,143 ------w C:\Program Files\bluebeard.bty
2001-09-02 20:51 1,266 ------w C:\Program Files\RED.CNT
2001-08-28 23:31 208,900,096 ----a-w C:\Program Files\music.vpp
2001-08-28 22:03 991,232 ----a-w C:\Program Files\UpdateLauncher.exe
2001-05-16 20:31 128 ------w C:\Program Files\Red Faction Home Page.url
2001-05-08 18:44 40,960 ------w C:\Program Files\eax.dll
2001-05-07 15:46 181,760 ------w C:\Program Files\Patchw32.dll
2001-02-17 22:54 290,816 ------w C:\Program Files\binkw32.dll
1996-09-06 07:02 9,264 ----a-w C:\Program Files\CLICK.WAV
1996-09-06 07:02 667,136 ----a-w C:\Program Files\QPICT32.EXE
1996-09-06 07:02 554,496 ----a-w C:\Program Files\QMOVIE32.EXE
1996-09-06 07:02 5,584 ----a-w C:\Program Files\low.wav
1996-09-06 07:02 42,276 ----a-w C:\Program Files\QMOVIE.HLP
1996-09-06 07:02 31,523 ----a-w C:\Program Files\QPICT.HLP
1996-09-06 07:02 161,280 ----a-w C:\Program Files\INVI32.DLL
1996-09-06 07:02 11,156 ----a-w C:\Program Files\high.wav
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0343AB8C-604F-4CFA-9620-15BB16FBD961}]
C:\WINDOWS\System32\urqNFwvV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1}]
C:\WINDOWS\System32\fccccAtR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2006-07-13 08:33 8453632 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ResChanger2004"="C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe" [2004-03-02 16:33 882688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-02-04 13:37 2899968]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-02-04 13:37 46080]
"nwiz"="nwiz.exe" [2004-02-04 13:37 782336 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE" -quiet
"SpywareBot"=C:\PROGRAM FILES\SPYWAREBOT\SpywareBot.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=starter.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvmctray.dll,NvTaskbarInit
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
"LexStart"=lexstart.exe
"B'sCLiP"=C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"Symantec Core LC"=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
"USB Storage Toolbox"=C:\Program Files\USBToolbox\Res.EXE
"SystemTray"=SysTray.ExE
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"LoadQM"=loadqm.exe
"Multi-function Keyboard"=GWHotKey.exe
"AtiCwd32"=Aticwd32.exe
"AtiQiPcl"=AtiQiPcl.exe
"MSWheel"=C:\WINDOWS\SYSTEM32\MSWHEEL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"EnsoniqMixer"=starter.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"NVSvc"=C:\WINDOWS\SYSTEM32\nvsvc.exe -runservice
"KB918547"=C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
"KB891711"=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\audioGnome\\Client4.exe"=

R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 15:57]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 04:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-05-12 23:11:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-05-12 23:11:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 21:38:54
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRAM FILES\COMMON FILES\MCAFEE\MNA\MCNASVC.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCODS.EXE
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN\MCSHIELD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRAM FILES\MCAFEE\MPS\MPS.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\System32\locator.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
.
**************************************************************************
.
Completion time: 2008-05-21 21:44:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 02:43:46

Pre-Run: 22,059,384,832 bytes free
Post-Run: 23,065,231,360 bytes free

337 --- E O F --- 2008-05-19 22:48:37

The HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:04 PM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\CF16034.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\locator.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\Administrator\My Documents\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {0343AB8C-604F-4CFA-9620-15BB16FBD961} - C:\WINDOWS\System32\urqNFwvV.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\IESDSG.DLL
O2 - BHO: (no name) - {6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1} - C:\WINDOWS\System32\fccccAtR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O3 - Toolbar: (no name) - {EEDEF161-573C-4CC0-83E5-1F4CD35BB459} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210897470509
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5294/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7457 bytes

shelf life
2008-05-22, 05:23
hi,

Thanks for the info. We will use ComboFix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

File::
C:\WINDOWS\System32\urqNFwvV.dll
C:\WINDOWS\System32\fccccAtR.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0343AB8C-604F-4CFA-9620-15BB16FBD961}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1}]

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on the desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.

Also check for updates, rerun Malwarebytes and post the log please.
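As an added example (not part of the thread, and not HijackThis's or ComboFix's own code), a small Python script that reads the O2 (BHO) lines of a HijackThis log, flags the nameless entries whose DLL is reported missing, and writes the same File:: / Registry:: CFScript that shelf life wrote by hand above. The function names are hypothetical and the sample log lines are constructed from the two flagged entries in the first HJT log plus one legitimate BHO.

```python
"""Added example (not code from the thread or from HijackThis/ComboFix):
turn the O2 (Browser Helper Object) lines of a HijackThis log into the
CFScript that removes the suspicious entries, as shelf life did by hand."""
import re

# Constructed sample: the two flagged O2 lines from the first HJT log in the
# thread plus one legitimate BHO, so the filter has something to leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0343AB8C-604F-4CFA-9620-15BB16FBD961} - C:\WINDOWS\System32\urqNFwvV.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1} - C:\WINDOWS\System32\fccccAtR.dll (file missing)
""".strip()

# HJT's O2 format: "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
_O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_bho_lines(log_text):
    """Return one dict per O2 line: name, clsid, path, missing (bool)."""
    entries = []
    for line in log_text.splitlines():
        m = _O2_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid"),
                "path": m.group("path"),
                "missing": m.group("missing") is not None,
            })
    return entries


def suspicious_bhos(entries):
    """Flag BHOs that register no display name and point at a DLL that is
    not on disk: the pattern of the two entries in the thread's HJT log.
    The leftover registration makes IE keep trying to load the DLL, so the
    key is removed together with the file path."""
    return [e for e in entries if e["name"] == "(no name)" and e["missing"]]


def build_cfscript(entries):
    """Emit a ComboFix CFScript: File:: lists paths to delete, Registry::
    lists keys; a leading '-' inside the brackets tells ComboFix to delete
    that key (the same syntax as the script posted above)."""
    lines = ["File::"] + [e["path"] for e in entries]
    lines += ["", "Registry::"]
    lines += [
        "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + e["clsid"] + "]"
        for e in entries
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_bhos(parse_bho_lines(SAMPLE_HJT_LOG))
    print(build_cfscript(flagged), end="")
```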

snowbourn
2008-05-22, 22:51
Whew...Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:40 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\locator.exe
C:\WINDOWS\system32\fxssvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\HiJackThis.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\IESDSG.DLL
O2 - BHO: (no name) - {6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1} - C:\WINDOWS\System32\fccccAtR.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O3 - Toolbar: (no name) - {EEDEF161-573C-4CC0-83E5-1F4CD35BB459} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_13\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210897470509
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://chill.comcast.net/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5294/mcfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7426 bytes

The Malwarebytes log:

Malwarebytes' Anti-Malware 1.12
Database version: 775

Scan type: Full Scan (C:\|)
Objects scanned: 183552
Time elapsed: 3 hour(s), 38 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And now the ComboFix Log:

ComboFix 08-05-21.2 - Misti Garner 2008-05-22 0:40:05.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.77 [GMT -5:00]
Running from: C:\Documents and Settings\Misti Garner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Misti Garner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\fccccAtR.dll
C:\WINDOWS\System32\urqNFwvV.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-19 20:37 . 2006-10-04 09:06 1,197,294 --------- C:\WINDOWS\SYSTEM32\dllcache\sysmain.sdb
2008-05-19 20:37 . 2006-10-04 09:06 764,868 --------- C:\WINDOWS\SYSTEM32\dllcache\apph_sp.sdb
2008-05-19 20:37 . 2006-10-04 09:06 217,118 --------- C:\WINDOWS\SYSTEM32\dllcache\apphelp.sdb
2008-05-19 20:35 . 2008-05-19 20:35 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-05-19 20:32 . 2008-05-19 20:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-05-19 20:32 . 2008-05-19 20:32 <DIR> d-------- C:\WINDOWS\SYSTEM32\DRIVERS\UMDF
2008-05-19 18:28 . 2008-05-19 18:28 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-19 18:28 . 2008-05-19 18:28 <DIR> d-------- C:\WINDOWS\peernet
2008-05-19 18:21 . 2008-05-19 18:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-19 18:03 . 2008-05-19 18:03 <DIR> d-------- C:\WINDOWS\EHome
2008-05-19 13:15 . 2008-05-19 13:15 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\Malwarebytes
2008-05-19 13:14 . 2008-05-19 13:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-19 13:14 . 2008-05-19 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-19 13:14 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-19 13:14 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-16 15:02 . 2008-05-16 15:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-05-16 15:02 . 2008-05-16 15:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-16 08:53 . 2008-05-16 13:42 977 --a------ C:\WINDOWS\wininit.ini
2008-05-16 03:29 . 2008-05-16 03:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-16 03:19 . 2008-05-16 03:19 <DIR> d-------- C:\Program Files\RegistryFix6
2008-05-16 03:02 . 2008-05-16 03:02 <DIR> d-------- C:\WINDOWS\SYSTEM32\FxsTmp
2008-05-16 03:01 . 2008-05-16 03:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-16 03:01 . 2008-05-16 03:01 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\TmpRecentIcons
2008-05-14 18:35 . 2008-05-14 18:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-14 18:35 . 2008-05-14 18:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-13 22:55 . 2008-05-13 22:55 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\Lavasoft
2008-05-13 22:54 . 2008-05-13 22:54 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\PC Tools
2008-05-13 18:30 . 2008-05-13 18:30 <DIR> d-------- C:\Program Files\CableRouting
2008-05-13 16:22 . 2008-05-13 16:22 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\AdobeUM
2008-05-13 15:42 . 2008-05-13 15:43 <DIR> d--hs---- C:\Recycled
2008-05-13 14:44 . 2007-09-28 14:27 19,840 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\StMp3Rec.sys
2008-05-13 14:43 . 2008-05-13 14:43 <DIR> d-------- C:\Program Files\Philips
2008-05-13 14:43 . 2008-05-13 14:43 <DIR> d-------- C:\Documents and Settings\Misti Garner\Application Data\InstallShield
2008-05-12 22:46 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\SYSTEM32\DRIVERS\netwlan5.img
2008-05-12 22:46 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-05-12 22:46 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-05-12 22:46 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-05-12 22:10 . 2005-10-20 17:20 1,082,368 --a------ C:\WINDOWS\SYSTEM32\esent.dll
2008-05-12 21:32 . 2008-05-12 21:32 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-12 21:32 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2008-05-12 21:30 . 2008-05-12 21:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-05-12 21:29 . 2004-08-04 02:56 351,232 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-05-12 21:29 . 2004-08-04 02:56 18,944 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-05-12 21:29 . 2004-08-04 02:56 8,192 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-05-12 21:29 . 2004-08-04 02:56 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-05-12 21:25 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2008-05-12 21:25 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2008-05-12 21:25 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-05-12 21:25 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\SYSTEM32\wups2.dll
2008-05-12 21:25 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-05-12 21:25 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2008-05-12 21:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-05-12 21:25 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-05-12 21:25 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui
2008-05-12 21:23 . 2008-05-12 21:23 <DIR> d---s---- C:\Documents and Settings\Misti Garner\UserData
2008-05-12 18:17 . 2008-05-21 21:41 7,240 --a------ C:\WINDOWS\SYSTEM32\Config.MPF
2008-05-12 18:14 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\SYSTEM32\dunzip32.dll
2008-05-12 18:11 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\McAfee.com
2008-05-12 18:11 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\McAfee
2008-05-12 18:11 . 2008-05-12 18:11 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-05-12 18:11 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfehidk.sys
2008-05-12 18:11 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Mpfp.sys
2008-05-12 18:11 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfeavfk.sys
2008-05-12 18:11 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfesmfk.sys
2008-05-12 18:11 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mfebopk.sys
2008-05-12 18:11 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mferkdk.sys
2008-05-12 17:51 . 2008-05-12 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-12 16:43 . 2008-05-12 16:43 <DIR> d--hs---- C:\Documents and Settings\LocalService
2008-05-12 16:42 . 2008-05-12 16:43 <DIR> d--hs---- C:\Documents and Settings\NetworkService
2008-05-12 16:40 . 2008-05-12 16:40 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-05-12 16:35 . 2003-03-31 07:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2008-05-12 16:34 . 2003-03-31 07:00 1,158,818 --a------ C:\WINDOWS\SYSTEM32\dllcache\korwbrkr.lex
2008-05-12 16:33 . 2003-03-31 07:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-05-12 16:32 . 2003-03-31 07:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\dllcache\chsbrkr.dll
2008-05-12 16:31 . 2008-05-12 16:31 <DIR> d-------- C:\WINDOWS\SYSTEM32\xircom
2008-05-12 16:31 . 2008-05-12 16:31 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-05-12 16:31 . 2001-08-17 22:36 2,134,528 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpsnap.dll
2008-05-12 16:31 . 2001-08-17 22:36 175,104 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_smtpadm.dll
2008-05-12 16:31 . 2003-03-31 12:00 19,456 --a------ C:\WINDOWS\SYSTEM32\dllcache\agt0401.dll
2008-05-12 16:31 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\SYSTEM32\dllcache\EXCH_adsiisex.dll
2008-05-12 16:29 . 2008-05-12 16:29 2,560 --a------ C:\WINDOWS\LnkStub.dat
2008-05-12 16:29 . 2008-05-12 16:29 683 --a------ C:\Command.LNK
2008-05-12 16:29 . 2008-05-12 16:29 667 --a------ C:\WINDOWS\COMMAND.LNK
2008-05-12 16:29 . 2008-05-12 16:29 534 --a------ C:\WINDOWS\SYSTEM32\OEMINFO.INI
2008-05-12 16:22 . 2008-05-12 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Viewpoint
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Motive
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft Games
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ICQLite
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ICQ
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HP
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HotSync
2008-05-12 16:19 . 2008-05-12 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Disney Interactive
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Arcsoft
2008-05-12 16:19 . 2008-05-12 16:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DataViz
2008-05-12 16:18 . 2008-05-12 16:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-12 16:15 . 2008-05-12 16:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-12 16:15 . 2008-05-12 16:15 645,632 --a------ C:\WINDOWS\SYSTEM32\migicons.exe
2008-05-12 16:14 . 2008-05-12 16:14 299,552 --a------ C:\WINDOWS\WMSysPrx.prx
2008-05-12 16:14 . 2008-05-12 15:40 25,065 --a------ C:\WINDOWS\SYSTEM32\wmpscheme.xml
2008-05-12 16:14 . 2008-05-19 20:36 23,392 --a------ C:\WINDOWS\SYSTEM32\nscompat.tlb
2008-05-12 16:14 . 2008-05-19 20:36 16,832 --a------ C:\WINDOWS\SYSTEM32\amcompat.tlb
2008-05-12 16:14 . 2008-05-12 16:21 2,906 --a------ C:\WINDOWS\SYSTEM32\CONFIG.NT
2008-05-12 16:14 . 2008-05-12 16:14 0 --a------ C:\WINDOWS\control.ini
2008-05-12 16:13 . 2008-05-12 16:13 488 -rah----- C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
2008-05-12 16:13 . 2008-05-12 16:13 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-05-12 16:11 . 2004-08-04 02:56 274,944 --a------ C:\WINDOWS\SYSTEM32\mstask.dll
2008-05-12 16:11 . 2004-08-04 02:56 190,976 --a------ C:\WINDOWS\SYSTEM32\schedsvc.dll
2008-05-12 16:11 . 2008-05-12 16:11 21,640 --a------ C:\WINDOWS\SYSTEM32\emptyregdb.dat
2008-05-12 16:11 . 2004-08-04 02:56 12,288 --a------ C:\WINDOWS\SYSTEM32\mstinit.exe
2008-05-12 16:11 . 2008-05-12 16:11 37 --a------ C:\WINDOWS\vbaddin.ini
2008-05-12 16:11 . 2008-05-12 16:11 36 --a------ C:\WINDOWS\vb.ini
2008-05-12 16:08 . 2004-08-04 00:39 142,464 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\aec.sys
2008-05-12 16:08 . 2001-08-17 14:00 54,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\swmidi.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 00:53 55,480 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2008-05-12 20:49 720,896 ----a-w C:\WINDOWS\iun6002.exe
2007-11-28 02:04 4 ----a-w C:\Program Files\console_history
2007-11-28 02:04 1,089 ----a-w C:\Program Files\players.cfg
2007-11-28 02:04 0 ----a-w C:\Program Files\banlist.txt
2007-11-28 02:03 687 ----a-w C:\Program Files\rfd3d.id
2007-10-27 22:10 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2005-01-25 18:51 266 --sh--w C:\Program Files\desktop.ini
2005-01-25 18:51 11,079 ---h--w C:\Program Files\folder.htt
2004-07-18 09:02 1,173 ----a-w C:\Program Files\INSTALL.LOG
2003-08-23 22:01 35,325 ----a-w C:\Program Files\new dezi.jpg
2003-07-28 02:09 2,966 ----a-w C:\Program Files\DeIsL1.isu
2003-06-30 02:41 12,000 ----a-w C:\Program Files\svrlist.adr
2003-06-30 02:41 0 ----a-w C:\Program Files\favlist.adr
2003-06-29 05:33 144 ----a-w C:\Program Files\motd.txt
2001-12-10 17:01 2,048,000 ----a-w C:\Program Files\RED.exe
2001-12-06 15:23 1,773,568 ----a-w C:\Program Files\RF.exe
2001-10-15 18:06 23,607,296 ----a-w C:\Program Files\ui.vpp
2001-10-15 18:06 1,294,336 ----a-w C:\Program Files\tables.vpp
2001-10-15 17:54 6,447,104 ----a-w C:\Program Files\RedFaction.exe
2001-10-02 20:15 4,052 ------w C:\Program Files\dedicated_server.txt
2001-09-02 21:41 15,736,832 ----a-w C:\Program Files\meshes.vpp
2001-09-02 21:40 246,208,512 ----a-w C:\Program Files\audio.vpp
2001-09-02 21:38 77,332,480 ----a-w C:\Program Files\maps4.vpp
2001-09-02 21:38 16,179,200 ----a-w C:\Program Files\motions.vpp
2001-09-02 21:38 12,421,120 ----a-w C:\Program Files\maps_en.vpp
2001-09-02 21:37 81,369,088 ----a-w C:\Program Files\maps3.vpp
2001-09-02 21:36 81,113,088 ----a-w C:\Program Files\maps2.vpp
2001-09-02 21:36 78,080,000 ----a-w C:\Program Files\maps1.vpp
2001-09-02 21:35 50,063,360 ----a-w C:\Program Files\levelsm.vpp
2001-09-02 21:34 69,818,368 ----a-w C:\Program Files\levels2.vpp
2001-09-02 21:34 62,248,960 ----a-w C:\Program Files\levels3.vpp
2001-09-02 21:33 68,800,512 ----a-w C:\Program Files\levels1.vpp
2001-09-02 21:04 61,530 ------w C:\Program Files\test.wav
2001-09-02 20:51 65,296 ------w C:\Program Files\red.hlp
2001-09-02 20:51 4 ------w C:\Program Files\build.ver
2001-09-02 20:51 38,811 ------w C:\Program Files\README.TXT
2001-09-02 20:51 369,143 ------w C:\Program Files\bluebeard.bty
2001-09-02 20:51 1,266 ------w C:\Program Files\RED.CNT
2001-08-28 23:31 208,900,096 ----a-w C:\Program Files\music.vpp
2001-08-28 22:03 991,232 ----a-w C:\Program Files\UpdateLauncher.exe
2001-05-16 20:31 128 ------w C:\Program Files\Red Faction Home Page.url
2001-05-08 18:44 40,960 ------w C:\Program Files\eax.dll
2001-05-07 15:46 181,760 ------w C:\Program Files\Patchw32.dll
2001-02-17 22:54 290,816 ------w C:\Program Files\binkw32.dll
1996-09-06 07:02 9,264 ----a-w C:\Program Files\CLICK.WAV
1996-09-06 07:02 667,136 ----a-w C:\Program Files\QPICT32.EXE
1996-09-06 07:02 554,496 ----a-w C:\Program Files\QMOVIE32.EXE
1996-09-06 07:02 5,584 ----a-w C:\Program Files\low.wav
1996-09-06 07:02 42,276 ----a-w C:\Program Files\QMOVIE.HLP
1996-09-06 07:02 31,523 ----a-w C:\Program Files\QPICT.HLP
1996-09-06 07:02 161,280 ----a-w C:\Program Files\INVI32.DLL
1996-09-06 07:02 11,156 ----a-w C:\Program Files\high.wav
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0343AB8C-604F-4CFA-9620-15BB16FBD961}]
C:\WINDOWS\System32\urqNFwvV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CB0AE2D-1FBB-46F8-8EB7-22AB38CFF4E1}]
C:\WINDOWS\System32\fccccAtR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2006-07-13 08:33 8453632 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\YAHOO!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"ResChanger2004"="C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe" [2004-03-02 16:33 882688]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-02-04 13:37 2899968]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-02-04 13:37 46080]
"nwiz"="nwiz.exe" [2004-02-04 13:37 782336 C:\WINDOWS\SYSTEM32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE" -quiet
"SpywareBot"=C:\PROGRAM FILES\SPYWAREBOT\SpywareBot.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EnsoniqMixer"=starter.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvcpl.dll,NvStartup
"nwiz"=nwiz.exe /install
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\nvmctray.dll,NvTaskbarInit
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
"LexStart"=lexstart.exe
"B'sCLiP"=C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
"ScanRegistry"=C:\WINDOWS\scanregw.exe /autorun
"DXM6Patch_981116"=C:\WINDOWS\p_981116.exe /Q:A
"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE
"Symantec Core LC"=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
"USB Storage Toolbox"=C:\Program Files\USBToolbox\Res.EXE
"SystemTray"=SysTray.ExE
"TaskMonitor"=C:\WINDOWS\taskmon.exe
"LoadQM"=loadqm.exe
"Multi-function Keyboard"=GWHotKey.exe
"AtiCwd32"=Aticwd32.exe
"AtiQiPcl"=AtiQiPcl.exe
"MSWheel"=C:\WINDOWS\SYSTEM32\MSWHEEL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"EnsoniqMixer"=starter.exe
"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"SchedulingAgent"=mstask.exe
"NVSvc"=C:\WINDOWS\SYSTEM32\nvsvc.exe -runservice
"KB918547"=C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
"KB891711"=C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\audioGnome\\Client4.exe"=

R2 IOPort;IOPort;C:\WINDOWS\System32\DRIVERS\IOPORT.SYS [1998-11-27 15:57]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2002-08-28 22:59]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]
rundll32.exeadvpack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder
"2007-11-04 04:00:00 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2008-05-12 23:11:24 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-05-12 23:11:26 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 00:45:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 0:47:58
ComboFix-quarantined-files.txt 2008-05-22 05:47:48
ComboFix2.txt 2008-05-22 02:44:18

Pre-Run: 22,995,468,288 bytes free
Post-Run: 22,984,622,080 bytes free

300 --- E O F --- 2008-05-19 22:48:37


Thanks again for all your help
Misti
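To show what a helper reads out of a ComboFix listing like the one above, here is an added Python check (not ComboFix's or the forum's code) that walks the `[key]` / value blocks and flags the entries a practitioner questions first: Security Center monitoring switched off, the Windows Firewall disabled, and Browser Helper Objects loading random-looking DLLs from System32. The sample input is a constructed excerpt built from entries in the log; the DLL-name heuristic is an assumption of this example, not a ComboFix rule.

```python
import re

# Constructed excerpt in ComboFix log format, using entries from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0343AB8C-604F-4CFA-9620-15BB16FBD961}]
C:\WINDOWS\System32\urqNFwvV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-02-04 13:37 2899968]
"""


def parse_blocks(text):
    """Split a ComboFix-style listing into (registry key, [value lines]) pairs."""
    blocks, key, vals = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key:
                blocks.append((key, vals))
            key, vals = line[1:-1], []
        elif line and key:
            vals.append(line)
    if key:
        blocks.append((key, vals))
    return blocks


def random_dll_name(path):
    """Heuristic (assumption): 8 letters, mixed case, lowercase first letter, under System32."""
    m = re.search(r"\\system32\\([A-Za-z]{8})\.dll$", path, re.I)
    if not m:
        return False
    name = m.group(1)
    return name != name.lower() and name != name.upper() and not name[0].isupper()


def audit(text):
    """Return the findings a helper would look at first in a listing."""
    findings = []
    for key, vals in parse_blocks(text):
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        for v in vals:
            if "security center\\monitoring" in k and re.match(r'"disablemonitoring"=dword:0*1$', v, re.I):
                findings.append("Security Center monitoring disabled: " + leaf)
            elif "firewallpolicy" in k and re.match(r'"enablefirewall"=\s*0\b', v, re.I):
                findings.append("Windows Firewall disabled in " + leaf)
            elif "browser helper objects" in k and random_dll_name(v):
                findings.append("BHO with random-looking DLL name: " + v)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```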

shelf life
2008-05-23, 01:34
hi Misti,

looking good. if all is well on your end we can do a couple of things;

you can remove combofix like this:

start>run and type in combofix /u
click ok
note: there is a space after the x and before the /
-------------------------------------------------
check your java version:
Vulnerabilities/exploits in versions of Sun Java may be responsible for some malware installs via your browser.

It is important to keep Sun Java up to date and also to remove older versions which may have vulnerabilities/exploits that can be taken advantage of to possibly introduce malware via your browser.

* 1. Uninstall old versions of Sun Java via Add/Remove Programs.
* 2. Click the Remove or Change/Remove button
* 3. Reboot your PC if prompted.

to check if you have the latest version of Java and to download the latest version:

http://www.java.com/en/download/installed.jsp
-----------------------------------------

system restore; the why and how:

One of the features of Windows ME, XP and Vista is the System Restore option, however if malware infects a computer it's possible that it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.



(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)

On the Desktop, right-click My Computer.

Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.


2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.

Click Apply, and then click OK, then reboot
-------------------------------
My Top Ten:

The Short Version:



1) Keep your OS, browser and software up to date.

2) Know what you are installing to your computer. Do you trust the source?

3) Install, keep updated: antivirus and one or two anti-malware applications.

4) Don't click on ads/pop-ups or offers from websites to install software.

5) Don't click on offers to "scan" your computer.

6) Don't click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites no matter how tempting the message. Do you trust the source?

7) Set up and use limited accounts rather than administrator accounts.

8) Consider using an alternate browser and E-mail client.

9) Install and understand the limitations of a third party software firewall.

10) If your habits include warez, cracks/keygens, P2P or visiting porn sites you are much more likely to encounter malicious code. Do you trust the source?

longer version in link below.

happy safe surfing out there.