Virus redirecting Google



BR34095
2008-06-15, 20:19
Hi All, I know you have sorted this out before so it's a case of "Here we go again!!"

I am helping a friend out here as I know more than she does, but not as much as you good people.

Her comp has caught a cold, and Google keeps going where it shouldn't, and she gets related-type ads when she clicks on Google results, instead of going to the sites she should be going to.

Here is her HJT log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08:28, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
C:\Downloaded EXE files\Stoic Joker's T-Clock\Win32\Clock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\GMR\GMRMan.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
c:\windows\system32\pmropn.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {1092c757-0b32-5ddd-77f6-f003763ce911} - C:\WINDOWS\system32\dnnckzjurlfuefxm.dll
O2 - BHO: adzgalore - {16554321-1aab-075e-a259-f4ccfb89858b} - C:\WINDOWS\system32\nsb41.dll
O2 - BHO: cpmsky browser optimizer - {336e159d-f841-3eae-b4a3-c381669d05c0} - C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CF9F2982-1865-49E4-9E5E-11E89FFA2E64} - C:\WINDOWS\system32\basesr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NielsenOnline] C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [{30f4fb36-71ae-8e9f-4e6f-a6670b75a29d}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll" DllInit
O4 - HKLM\..\Run: [PremierOpinion] c:\windows\system32\pmropn.exe -boot
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe
O4 - Startup: Stoic Joker's T-Clock 32.lnk = C:\Downloaded EXE files\Stoic Joker's T-Clock\Win32\Clock.exe
O4 - Global Startup: CONNECTAUTrayApp.lnk = C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202912379779
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202945878656
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210444011_24480574e054b49bd2cbef6a240c9021&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.grab.com//media/6512bd/games/files/1115/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: PremierOpinion - C:\WINDOWS\system32\pmls.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 11037 bytes

Your help please......

Thanks,

Phill

BR34095
2008-06-15, 20:47
I think I see some of the probs, am I right?

O2 - BHO: adzgalore - {16554321-1aab-075e-a259-f4ccfb89858b} - C:\WINDOWS\system32\nsb41.dll
is defo part of the problem

and

O2 - BHO: cpmsky browser optimizer - {336e159d-f841-3eae-b4a3-c381669d05c0} - C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll (file missing)
looks a bit suspect

Am I half way there?

Phill
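As an added example (my own code, written for this thread; it is not part of HijackThis or of anything posted above), here is a small Python triage script that applies, mechanically, the checks Phill is doing by eye on the HijackThis O-lines: entries marked "(file missing)" or "(no file)", modules whose file name is a bare GUID, random-looking lowercase DLL names, Run values named by a GUID, and any O20 AppInit_DLLs / Winlogon Notify hook. The sample input is a handful of lines copied from the log above (constructed input, not the full log); the vowel-ratio threshold in looks_random is my own assumption, not a published rule. Note what it does not catch: basesr.dll, which Malwarebytes flags later in the thread, has an ordinary-looking name, so name heuristics only narrow the list for a human or a scanner, they do not replace one.

```python
import re

# Constructed sample: a few O2/O4/O20/O23 lines copied from the HijackThis
# log posted in the thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {1092c757-0b32-5ddd-77f6-f003763ce911} - C:\WINDOWS\system32\dnnckzjurlfuefxm.dll
O2 - BHO: cpmsky browser optimizer - {336e159d-f841-3eae-b4a3-c381669d05c0} - C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CF9F2982-1865-49E4-9E5E-11E89FFA2E64} - C:\WINDOWS\system32\basesr.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [{30f4fb36-71ae-8e9f-4e6f-a6670b75a29d}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll" DllInit
O20 - AppInit_DLLs: C:\WINDOWS\system32\pmai.dll
O20 - Winlogon Notify: PremierOpinion - C:\WINDOWS\system32\pmls.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
"""

# "O2 - BHO: ..." -> section "O2", remainder "BHO: ..."
LINE = re.compile(r"^([RO]\d+) - (.*)$")
# A Windows path up to its first module extension (non-greedy, so the path
# may contain spaces such as "Program Files").
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|cpl|ocx)\b", re.I)
GUID = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I
)


def looks_random(stem: str) -> bool:
    """Heuristic (my assumption): a long, all-lowercase, all-letter name with
    very few vowels is more likely generated than chosen by a developer."""
    if len(stem) < 12 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.25


def triage(log_text: str) -> list[dict]:
    """Return the HijackThis entries that deserve a closer look, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        reasons = []

        # Registry entry whose target no longer exists: either a leftover
        # from a removal or a loader that was deleted and will be re-dropped.
        if "(file missing)" in rest or "(no file)" in rest:
            reasons.append("registry entry points at a missing file")

        # AppInit_DLLs loads into every user32-linked process, Winlogon Notify
        # into winlogon itself: always worth a manual check.
        if section == "O20":
            reasons.append("global DLL injection / logon hook (always review)")

        for path in PATH.findall(rest):
            name = path.rsplit("\\", 1)[-1]
            stem = name.rsplit(".", 1)[0]
            if GUID.fullmatch(stem):
                reasons.append(f"GUID-named module {name}")
            elif looks_random(stem):
                reasons.append(f"random-looking module name {name}")

        # O4 Run values are normally named after the product, not a GUID.
        if section == "O4":
            vm = re.search(r"\[([^\]]+)\]", rest)
            if vm and GUID.fullmatch(vm.group(1)):
                reasons.append("Run value named with a GUID")

        if reasons:
            findings.append({"section": section, "entry": rest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run on the sample it reports six entries: the two odd BHOs, the two orphaned ones, the GUID-named Run value, and both O20 hooks; the Adobe, Java and Apple lines pass clean, as they should.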

Blade81
2008-06-17, 10:19
Hi


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

_____

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

BR34095
2008-06-17, 22:49
Malwarebytes' Anti-Malware Log

Malwarebytes' Anti-Malware 1.17
Database version: 864

20:13:02 17/06/2008
mbam-log-6-17-2008 (20-13-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 120450
Time elapsed: 44 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 30
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\silc_dll.dll (Spyware.Marketscore) -> Unloaded module successfully.
C:\WINDOWS\system32\basesr.dll (Spyware.OnlineGames) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{cf9f2982-1865-49e4-9e5e-11e89ffa2e64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf9f2982-1865-49e4-9e5e-11e89ffa2e64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.amo (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5015bf9d-173c-474b-9af3-77d4d23a4135} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5ed7d3de-6dbe-4516-8712-01b1b64b7057} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ed7d3de-6dbe-4516-8712-01b1b64b7057} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{92c3f342-45da-4511-853a-b3836aaff5f5} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.amo.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.ohb (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.ohb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348d7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.momo (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fis.momo.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1037b06c-84b7-4240-8d80-485810a0497d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{54b287f9-fd90-4457-b65e-cb91560c021d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\upmedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\silc_dll.dll (Spyware.Marketscore) -> Delete on reboot.
C:\WINDOWS\system32\basesr.dll (Spyware.OnlineGames) -> Delete on reboot.
C:\WINDOWS\system32\UpMedia\ContentTool.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia\SearchTool.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia\uninstallSE.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\model.dat (Spyware.MarketScore) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\LDPackage.dll (Spyware.MarketScore) -> Quarantined and deleted successfully.

ComboFix Log

ComboFix 08-06-16.5 - Kate's Desktop 2008-06-17 20:27:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT 1:00]
Running from: C:\Documents and Settings\Kate's Desktop\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\nsb41.dll
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 19:26 . 2008-06-17 19:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 19:26 . 2008-06-17 19:26 <DIR> d-------- C:\Documents and Settings\Kate's Desktop\Application Data\Malwarebytes
2008-06-17 19:26 . 2008-06-17 19:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 19:26 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 19:26 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 09:57 . 2008-06-17 09:57 139,264 --a------ C:\WINDOWS\MirarDownloader_876260.exe
2008-06-17 09:57 . 2008-06-17 19:25 18,432 --a------ C:\Documents and Settings\Kate's Desktop\Application Data\internaldb41.dat
2008-06-17 09:57 . 2008-06-17 19:24 555 --a------ C:\Documents and Settings\Kate's Desktop\Application Data\internaldb8467.dat
2008-06-17 09:57 . 2008-06-17 19:56 374 --a------ C:\Documents and Settings\Kate's Desktop\Application Data\internaldb6334.dat
2008-06-17 09:57 . 2008-06-17 09:57 189 --a------ C:\WINDOWS\wininit.ini
2008-06-15 20:01 . 2008-06-15 20:02 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 16:25 . 2008-06-15 16:30 <DIR> d-------- C:\fixwareout
2008-06-14 05:39 . 2008-06-14 05:39 286,720 --a------ C:\WINDOWS\system32\pmxf.dll
2008-06-13 10:35 . 2008-06-13 10:35 712,704 --a------ C:\WINDOWS\system32\pmph.dll
2008-06-12 20:16 . 2008-06-12 20:16 118,784 --a------ C:\WINDOWS\system32\pmai.dll
2008-06-12 17:57 . 2008-06-12 20:15 1,609,728 --a------ C:\WINDOWS\system32\pmropn.exe
2008-06-12 17:57 . 2008-06-13 04:17 368,640 --a------ C:\WINDOWS\system32\pmls.dll
2008-06-12 17:57 . 2007-10-13 18:34 86,016 --a------ C:\WINDOWS\system32\pmservice.exe
2008-06-12 17:56 . 2008-06-12 17:56 90,923 --a------ C:\WINDOWS\system32\dnnckzjurlfuefxm.dll-uninst.exe
2008-06-11 14:11 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 08:51 . 2008-06-07 08:51 444,416 --a------ C:\WINDOWS\system32\dnnckzjurlfuefxm.dll
2008-06-06 20:05 . 2008-06-06 20:08 1,440 --a------ C:\Documents and Settings\Kate's Desktop\Application Data\filterclsid.dat
2008-06-06 00:32 . 2008-06-06 00:32 33 --a------ C:\WINDOWS\Multimedia manager.INI
2008-06-04 18:55 . 2008-06-04 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
2008-06-04 18:53 . 2008-06-04 20:03 <DIR> d-------- C:\Program Files\Virgin Media Games
2008-06-04 18:53 . 2008-06-04 18:53 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
2008-06-04 16:41 . 1997-07-19 17:00 227,600 --a------ C:\WINDOWS\system32\Msflxgrd.ocx
2008-06-04 16:41 . 1996-06-06 22:06 189,952 --a------ C:\WINDOWS\Qcard32.dll
2008-06-04 15:12 . 1995-02-28 04:51 155,712 --a------ C:\WINDOWS\system32\Bwcc.dll
2008-06-04 15:12 . 2008-06-04 15:17 351 --a------ C:\WINDOWS\mahjongg.cfg
2008-06-04 15:11 . 2008-06-04 17:46 <DIR> d-------- C:\Program Files\eGames
2008-06-04 15:11 . 2008-06-04 15:11 <DIR> d-------- C:\Program Files\Common Files\gst
2008-06-02 21:25 . 2008-06-02 21:25 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-06-02 21:24 . 2008-06-03 20:41 <DIR> d-------- C:\Program Files\HideandSecret_at
2008-06-02 21:24 . 2008-06-04 19:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-24 22:02 . 2008-05-24 22:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-05-24 22:01 . 2008-05-24 22:02 <DIR> d-------- C:\Program Files\Sony
2008-05-24 22:01 . 2008-05-24 22:02 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2008-05-23 08:30 . 2008-05-23 08:30 <DIR> d-------- C:\Documents and Settings\Kate's Desktop\Application Data\Samsung
2008-05-23 07:59 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-05-23 07:58 . 2008-06-17 06:07 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-05-23 06:32 . 2004-08-04 07:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-23 06:32 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-23 06:30 . 2008-05-23 06:30 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-05-23 06:30 . 2008-05-23 06:30 <DIR> d-------- C:\Program Files\Samsung
2008-05-23 06:30 . 2005-08-30 17:59 94,000 --a------ C:\WINDOWS\system32\drivers\ss_mdm.sys
2008-05-23 06:30 . 2005-08-30 17:57 58,320 --a------ C:\WINDOWS\system32\drivers\ss_bus.sys
2008-05-23 06:30 . 2005-08-30 17:58 8,304 --a------ C:\WINDOWS\system32\drivers\ss_mdfl.sys
2008-05-23 06:30 . 2005-08-30 17:58 6,144 --a------ C:\WINDOWS\system32\drivers\ss_cmnt.sys
2008-05-23 06:30 . 2005-08-30 17:58 6,144 --a------ C:\WINDOWS\system32\drivers\ss_cm.sys
2008-05-23 06:30 . 2005-08-30 17:57 5,808 --a------ C:\WINDOWS\system32\drivers\ss_whnt.sys
2008-05-23 06:30 . 2005-08-30 17:57 5,808 --a------ C:\WINDOWS\system32\drivers\ss_wh.sys
2008-05-23 06:30 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-05-20 16:44 . 2004-08-04 07:56 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2008-05-20 16:44 . 2004-08-04 07:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2008-05-20 16:44 . 2004-08-04 07:56 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2008-05-20 16:44 . 2004-08-04 07:56 27,136 --a--c--- C:\WINDOWS\system32\dllcache\irmon.dll
2008-05-20 16:44 . 2004-08-04 07:56 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2008-05-20 16:44 . 2004-08-04 07:56 8,192 --a--c--- C:\WINDOWS\system32\dllcache\wshirda.dll
2008-05-17 12:28 . 2008-05-17 12:28 268 --ah----- C:\sqmdata02.sqm
2008-05-17 12:28 . 2008-05-17 12:28 244 --ah----- C:\sqmnoopt02.sqm
2008-05-17 07:51 . 2008-05-17 07:51 268 --ah----- C:\sqmdata01.sqm
2008-05-17 07:51 . 2008-05-17 07:51 244 --ah----- C:\sqmnoopt01.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 18:57 --------- d-----w C:\Documents and Settings\Kate's Desktop\Application Data\LimeWire
2008-06-14 22:21 --------- d-----w C:\Documents and Settings\Kate's Desktop\Application Data\uTorrent
2008-06-10 09:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-04 19:01 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-06-04 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 20:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-23 05:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 19:37 --------- d-----w C:\Program Files\Visioneer OneTouch
2008-05-12 19:34 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-05-12 12:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-12 06:29 --------- d-----w C:\Program Files\GatInst
2008-05-10 18:26 --------- d-----w C:\Program Files\Java
2008-05-10 17:00 --------- d-----w C:\Documents and Settings\Kate's Desktop\Application Data\Apple Computer
2008-05-10 16:59 --------- d-----w C:\Program Files\QuickTime
2008-05-10 16:57 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-10 16:54 --------- d-----w C:\Program Files\Apple Software Update
2008-05-10 16:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 18:44 --------- d-----w C:\Program Files\NetRatingsNetSight
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 18:32 --------- d-----w C:\Program Files\Dopewars
2008-04-30 17:52 --------- d-----w C:\Program Files\Paint.NET
2008-04-30 07:27 --------- d-----w C:\Program Files\Microsoft Works
2008-04-30 07:26 --------- d-----w C:\Program Files\MSBuild
2008-04-30 07:23 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-30 07:18 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-04-24 16:44 42,176 ----a-w C:\Documents and Settings\Kate's Desktop\Application Data\GDIPFONTCACHEV1.DAT
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2001-09-10 08:00 139,264 ----a-w C:\WINDOWS\inf\i386\Rtscan.dll
2001-09-10 07:10 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2001-08-17 17:43 32,768 ----a-w C:\WINDOWS\inf\i386\Wiamicro.dll
2001-08-03 17:29 13,824 ----a-w C:\WINDOWS\inf\i386\usbscan.sys
2001-06-29 07:10 163,840 ----a-w C:\WINDOWS\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1092c757-0b32-5ddd-77f6-f003763ce911}]
2008-06-07 08:51 444416 --a------ C:\WINDOWS\system32\dnnckzjurlfuefxm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{336e159d-f841-3eae-b4a3-c381669d05c0}]
C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-04 20:01 1506544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"PPWebCap"="C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 10:50 40960]
"MCW Startup"="C:\Program Files\Monitor Calibration Wizard\MCW.exe" [2002-12-20 18:06 321024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-19 18:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"NielsenOnline"="C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2007-06-08 10:55 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"OneTouch Monitor"="C:\Program Files\Visioneer OneTouch\OneTouchMon.exe" [2001-09-10 08:08 86016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2006-03-23 02:00 75336]
"{30f4fb36-71ae-8e9f-4e6f-a6670b75a29d}"="C:\WINDOWS\system32\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll" [ ]
"PremierOpinion"="c:\windows\system32\pmropn.exe" [2008-06-12 20:15 1609728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\Kate's Desktop\Start Menu\Programs\Startup\
Check For Dope Wars Updates.lnk - C:\Program Files\Dopewars\WiseUpdt.exe [2008-05-06 19:32:42 166518]
Stoic Joker's T-Clock 32.lnk - C:\Downloaded EXE files\Stoic Joker's T-Clock\Win32\Clock.exe [2006-12-24 14:16:42 131584]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
CONNECTAUTrayApp.lnk - C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTAUTrayApp.exe [2006-03-30 06:33:38 124488]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-20 21:18 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PremierOpinion]
C:\WINDOWS\system32\pmls.dll 2008-06-13 04:17 368640 C:\WINDOWS\system32\pmls.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\pmai.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Documents and Settings\\Kate's Desktop\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\windows\\system32\\pmropn.exe"=

R1 nnrnstdi;nnrnstdi;C:\WINDOWS\system32\drivers\nnrnstdi.sys [2007-06-08 09:47]
R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-06-30 02:49]
R3 km_filter;km_filter;C:\WINDOWS\system32\drivers\km_filter.sys [2007-06-08 09:47]
S3 pmxscan;USB USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 06:58]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-10 20:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 20:31:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-17 20:35:56
ComboFix-quarantined-files.txt 2008-06-17 19:34:49

Pre-Run: 42,107,080,704 bytes free
Post-Run: 42,095,902,720 bytes free

211 --- E O F --- 2008-06-12 02:05:22


This seems to have done the trick, Thanks Mucho

Regards,
Phill

Blade81
2008-06-17, 23:45
Hi Phil

Do you recognize the following file? If not, upload it to http://virusscan.jotti.org and post back the results:
C:\Downloaded EXE files\Stoic Joker's T-Clock\Win32\Clock.exe
Start hjt, do a system scan, check:
O4 - Startup: Check For Dope Wars Updates.lnk = C:\Program Files\Dopewars\WiseUpdt.exe

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\pmxf.dll
C:\WINDOWS\system32\pmph.dll
C:\WINDOWS\system32\pmai.dll
C:\WINDOWS\system32\pmropn.exe
C:\WINDOWS\system32\pmls.dll
C:\WINDOWS\system32\pmservice.exe
C:\WINDOWS\system32\dnnckzjurlfuefxm.dll-uninst.exe
C:\WINDOWS\system32\dnnckzjurlfuefxm.dll

Folder::
C:\Program Files\Dopewars

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1092c757-0b32-5ddd-77f6-f003763ce911}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{336e159d-f841-3eae-b4a3-c381669d05c0}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{30f4fb36-71ae-8e9f-4e6f-a6670b75a29d}"=-
"PremierOpinion"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PremierOpinion]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\windows\\system32\\pmropn.exe"=-

Save this as CFScript

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log & a fresh hjt log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
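The loading points the CFScript above removes can also be spotted mechanically. As an added example, not part of this thread or of ComboFix itself, here is a small Python checker that scans the "Reg Loading Points" section of a ComboFix log for the same kind of indicators: a GUID-named Run value or target, a populated AppInit_DLLs, Security Center monitoring switched off, and a BHO whose DLL name looks random. The log excerpt and the vowel-ratio heuristic in `looks_random` are constructed assumptions, not anything the thread states.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread (sample input).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{1092c757-0b32-5ddd-77f6-f003763ce911}]
2008-06-07 08:51 444416 --a------ C:\\WINDOWS\\system32\\dnnckzjurlfuefxm.dll

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-09-19 18:54 65536 C:\\WINDOWS\\SOUNDMAN.EXE]
"{30f4fb36-71ae-8e9f-4e6f-a6670b75a29d}"="C:\\WINDOWS\\system32\\{d1d58797-83e1-6b15-89ee-553b1dfa9925}.dll" [ ]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=C:\\WINDOWS\\system32\\pmai.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=("?)([^"\[]*)\2')  # "name"=data  or  "name"="data" [...]

def looks_random(stem):
    """Heuristic (assumption): a long, vowel-poor file stem such as dnnckzjurlfuefxm."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 10 and sum(c in "aeiou" for c in letters) / len(letters) < 0.3

def find_indicators(log_text):
    """Return (key, reason) pairs for the loading points the cleanup script targets."""
    findings, key = [], None
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # new registry key header
            continue
        if not key or not line:
            continue
        lkey, m = key.lower(), VALUE_RE.match(line)
        if "browser helper objects" in lkey and line.lower().endswith(".dll"):
            stem = line.rsplit("\\", 1)[-1][:-4]  # file stem of the BHO DLL
            if GUID_RE.match(stem) or looks_random(stem):
                findings.append((key, "BHO DLL with random/GUID name: " + stem))
        elif m:
            name, data = m.group(1), m.group(3).strip()
            target = data.rsplit("\\", 1)[-1][:-4]  # stem of the file the value points at
            if lkey.endswith("\\run") and (GUID_RE.match(name) or GUID_RE.match(target)):
                findings.append((key, "Run value with GUID name or target: " + name))
            elif name.lower() == "appinit_dlls" and data:
                findings.append((key, "AppInit_DLLs loads " + data))
            elif "security center" in lkey and name.lower() == "disablemonitoring" and data.endswith("1"):
                findings.append((key, "Security Center monitoring disabled"))
    return findings
```

Run `find_indicators(SAMPLE_LOG)` to get four findings for the excerpt; the legitimate SoundMan entry is left alone.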

Blade81
2008-06-24, 08:59
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.