PDA

View Full Version : Ultimate Cleaner



yfarah
2008-05-25, 03:36
Hello Everyone,

I think my computer may have been infected with the Ultimate Cleaner virus. I scanned the system using HijackThis and wanted to post on the site for someone to look at but am unable to save the log (everytime I click on save log, nothing happens). Please can anyone help me with this?

yfarah
2008-05-25, 04:16
I have the log saved in screenshot format as 2 separate GIF files (from paint) but can't attach them either as the browse button on this site isn't working for me. Currently, my computer is helpless, the desktop screen is flashing and will disapear shortly. Any help on this would be much appreciated.

yfarah
2008-05-25, 05:14
I managed to attach my HijackThis Log information...please check out files entitled log1.GIF and log2.GIF.

Can someone tell me what the problem is?

Thank you!

shelf life
2008-05-25, 16:35
hi,

save the hjt log to your computer, then copy/paste the log back here. or see this topic #4:

http://forums.spybot.info/showthread.php?t=288

yfarah
2008-05-25, 21:24
Hi shelf life, thank you for the response.

Im having problems saving my Hjt log to notepad. Specifically, when I select "save log", nothing happens, no destination prompt appears and the "save log" button becomes the "scan" button again.

Is there a manual way, perhaps through config, to choose a destination, or change the default destination to notepad, for the log to be saved?

shelf life
2008-05-26, 00:38
hi yfarah,

try it like this:

start hjt, click on "none of the above, just start the program" next click on the "scan" button, then click on the "save log" button. save it to your desktop.
see if the .txt log appears on your desktop.

you can also try renaming the hjt icon to something like scanner.exe and see if that allows you to save a log.

yfarah
2008-05-26, 03:11
Hi Shelf Life,

Thank you for the instructions! I am finally able to save the log and have copy/pasted the info below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:37 PM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\imapi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [UIUCU] "C:\DOCUME~1\Ahmad\LOCALS~1\Temp\UIUCU.EXE" -CLEAN_UP
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] "C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" -1 --delay 200
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7155 bytes

shelf life
2008-05-26, 15:44
hi yfarah,

ok good.


may have been infected with the Ultimate Cleaner virus
log looks ok. do you have any signs (http://www.virusvault.us/signs1.html) of malware.

do spysweeper and ad aware come up clean after a scan?

yfarah
2008-05-26, 20:55
hi shelf life,

everything came up clean after the scan.....internet is running normally....the only problem is with my desktop. When I start my computer, the desktop appears but starts to flash before it disappears (the background then turns blue). What are my options at this point? I would hate to have to format the computer.

shelf life
2008-05-26, 23:28
hi,

lets run another anti-malware app.

Please download Malwarebytes' Anti-Malware to your desktop:

http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the log in your reply.

yfarah
2008-05-27, 02:56
Hi,

Ran the MalwareBytes AntiMalware scan and below are the results: When I tried to remove the selected items, I recieved an error saying that not all items were removed (the items not removed were added to the delete on the reboot list).

Malwarebytes' Anti-Malware 1.12
Database version: 788

Scan type: Full Scan (C:\|)
Objects scanned: 86513
Time elapsed: 37 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\qoMFULEX.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5200ab5d-f269-449f-91f2-3a8271beadde} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5200ab5d-f269-449f-91f2-3a8271beadde} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.bvwm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0983040a-984f-4bef-bebe-d3d3342d3954} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d76343c6-2e19-48a4-9ddf-1c9144a506b7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3b1bb93d-8da6-4f13-87d8-2501003e2236} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfulex -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfulex -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMFULEX.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\XELUFMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\XELUFMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\gktxaspm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP292\A0027771.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP292\A0027772.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\epse.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\mdtgkswr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

shelf life
2008-05-27, 04:13
hi yfarah,

ok good. yes, some items have to be deleted during a reboot. run the scan one more time and if asked to reboot, do so.

we will also get one more download to use:


Download combofix from one of these links and save it to your Desktop:

http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

yfarah
2008-05-27, 21:01
Hi shelf life,

Here is the log from combofix:

ComboFix 08-05-26.2 - Ahmad 2008-05-26 23:10:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1321 [GMT -4:00]
Running from: C:\Documents and Settings\Ahmad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\qoMFULEX.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 17:43 . 2008-05-26 17:43 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 17:43 . 2008-05-26 17:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-26 17:43 . 2008-05-26 17:43 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Malwarebytes
2008-05-26 17:43 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-26 17:43 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 01:51 . 2008-05-25 01:51 <DIR> d-------- C:\Program Files\AskSBar
2008-05-25 01:51 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-05-25 01:50 . 2008-05-25 01:50 164 --a------ C:\install.dat
2008-05-24 19:53 . 2008-05-24 19:53 <DIR> d-------- C:\!KillBox
2008-05-24 18:52 . 2008-05-24 18:52 244 --ah----- C:\sqmnoopt11.sqm
2008-05-24 18:52 . 2008-05-24 18:52 232 --ah----- C:\sqmdata11.sqm
2008-05-24 17:15 . 2008-05-24 17:15 244 --ah----- C:\sqmnoopt10.sqm
2008-05-24 17:15 . 2008-05-24 17:15 244 --ah----- C:\sqmnoopt09.sqm
2008-05-24 17:15 . 2008-05-24 17:15 232 --ah----- C:\sqmdata10.sqm
2008-05-24 17:15 . 2008-05-24 17:15 232 --ah----- C:\sqmdata09.sqm
2008-05-24 12:22 . 2008-05-24 15:57 <DIR> d-------- C:\Program Files\Panda Security
2008-05-24 09:50 . 2008-05-24 09:50 3,196 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-23 20:38 . 2008-05-23 20:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-23 20:38 . 2008-05-23 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-23 20:06 . 2008-05-23 20:06 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 18:43 . 2008-05-23 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2008-05-23 18:21 . 2008-05-23 18:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-05-23 17:52 . 2008-05-24 12:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-23 17:08 . 2008-05-23 17:08 244 --ah----- C:\sqmnoopt08.sqm
2008-05-23 17:08 . 2008-05-23 17:08 232 --ah----- C:\sqmdata08.sqm
2008-05-23 17:06 . 2008-05-23 17:06 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\TmpRecentIcons
2008-05-23 04:42 . 2008-05-26 08:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-23 03:45 . 2008-05-23 03:45 244 --ah----- C:\sqmnoopt07.sqm
2008-05-23 03:45 . 2008-05-23 03:45 232 --ah----- C:\sqmdata07.sqm
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
2008-05-16 02:05 . 2008-05-16 02:05 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-06 21:30 . 2008-05-06 21:37 <DIR> d-------- C:\Program Files\GMATPrep
2008-05-05 17:23 . 2008-05-05 17:23 268 --ah----- C:\sqmdata06.sqm
2008-05-05 17:23 . 2008-05-05 17:23 244 --ah----- C:\sqmnoopt06.sqm
2008-05-05 16:46 . 2008-05-05 16:46 244 --ah----- C:\sqmnoopt05.sqm
2008-05-05 16:46 . 2008-05-05 16:46 232 --ah----- C:\sqmdata05.sqm
2008-05-05 16:41 . 2008-05-05 16:41 244 --ah----- C:\sqmnoopt04.sqm
2008-05-05 16:41 . 2008-05-05 16:41 232 --ah----- C:\sqmdata04.sqm
2008-05-05 14:54 . 2008-05-05 14:54 244 --ah----- C:\sqmnoopt03.sqm
2008-05-05 14:54 . 2008-05-05 14:54 232 --ah----- C:\sqmdata03.sqm
2008-05-05 14:43 . 2008-05-05 14:43 244 --ah----- C:\sqmnoopt02.sqm
2008-05-05 14:43 . 2008-05-05 14:43 232 --ah----- C:\sqmdata02.sqm
2008-05-05 14:10 . 2008-05-05 14:10 244 --ah----- C:\sqmnoopt01.sqm
2008-05-05 14:10 . 2008-05-05 14:10 232 --ah----- C:\sqmdata01.sqm
2008-05-05 13:03 . 2008-05-05 13:03 244 --ah----- C:\sqmnoopt00.sqm
2008-05-05 13:03 . 2008-05-05 13:03 232 --ah----- C:\sqmdata00.sqm
2008-05-04 13:36 . 2008-05-04 13:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PopCap
2008-05-03 19:09 . 2008-05-03 19:10 <DIR> d-------- C:\Documents and Settings\Ahmad\Application Data\Move Networks
2008-05-02 16:42 . 2008-05-02 16:55 <DIR> d-------- C:\ETS
2008-04-29 11:20 . 2008-04-29 11:20 15,648 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 11:19 . 2008-04-29 11:19 15,648 --a------ C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 11:19 . 2008-04-29 11:19 12,960 --a------ C:\WINDOWS\system32\drivers\Awrtpd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 23:58 --------- d-----w C:\Program Files\Trend Micro
2008-05-23 21:38 --------- d-----w C:\Program Files\Google
2008-05-07 01:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 17:23 12,319 ----a-w C:\WINDOWS\system32\drivers\tmfilter.cat
2008-05-02 21:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-02 20:22 3,444 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.inf
2008-05-02 20:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 20:22 2,583 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.inf
2008-05-02 20:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 20:21 265,304 ----a-w C:\WINDOWS\system32\drivers\Tmfilter.sys
2008-05-02 20:17 2,544 ----a-w C:\WINDOWS\system32\drivers\vsapint.inf
2008-05-02 20:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-26 21:27 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Apple Computer
2008-04-26 15:44 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Leadertech
2008-04-25 22:39 --------- d-----w C:\Program Files\Warcraft III
2008-04-22 22:18 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-04-22 22:18 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-04-22 20:21 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-22 20:20 --------- d-----w C:\Program Files\Windows Live Favorites
2008-04-22 20:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-22 20:10 --------- d-----w C:\Program Files\Windows Live
2008-04-22 01:22 --------- d-----w C:\Documents and Settings\Ahmad\Application Data\Windows Live Writer
2008-04-21 23:40 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-20 13:50 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-05-25 01:51 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-05-25 01:51 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-05-25 01:51 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-10 08:02 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 15:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-09-18 10:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-10 15:00 33280 C:\WINDOWS\system32\rundll32.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe]
"Trend Micro AntiVirus 2007"="C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe" [2007-07-05 20:09 4609288]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 03:00:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-27 02:25:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 23:21:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\components\TmProxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-05-26 23:24:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 03:24:28

Pre-Run: 292,125,945,856 bytes free
Post-Run: 292,316,839,936 bytes free

179 --- E O F --- 2008-05-16 07:01:50

shelf life
2008-05-28, 03:21
hi yfarah,

thanks for the info. all looks ok. hows it looking now on your end?

yfarah
2008-05-29, 00:23
Hi shelf life,

Everything looks good! Words can't express how thankful I am.....you really saved the day. I really appreciate all your help on this.

Thank you!!

shelf life
2008-05-29, 01:47
hi yfarah,

good. you are welcome. you can remove combofix like this;

start>run and type in combofix /u
click ok
note: there is a space after the x and before the /

system restore:
One of the features of Windows ME,XP and Vista is the System Restore option, however if malware infects a computer it is possible that the malware could be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
-------------------------------
My Top Ten
The Short Version:

1) Keep your OS, browser and software up to date.
2) Know what you are installing to your computer. Do you trust the source?
3) Install, keep updated: antivirus and one or two anti-malware applications.
4) Dont click on adds/pop ups or offers from websites to install software.
5) Dont click on offers to "scan" your computer.
6) Dont click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting. Do you trust the source?
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include warez, cracks/keygens, P2P or visiting adult sites you are much more likely to encounter malicious code. Do you trust the source?

long version in link below--
happy safe surfing.