PDA

View Full Version : Another virtuamonde



m2family
2008-09-01, 01:49
Hi. I am trying to fix my son's computer that is infected with various malware, especially Virtuamonde. We have been a Spybot user for years and really appreciate your efforts.

Problem #1 is Virtuamonde. Limewire was downloaded at some point which was when the issues started. We have removed limewire and many other apps like MyWay.
Problem #2 is Not able to use Windows Update Service. Indicates there are no devices associated with it so it does not start.

I followed the instructions one this forum and Spybot S&D does not recognize any issues. Teatimer is disabled.

Here is the Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:20 PM, on 8/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\MomDad\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O1 - Hosts: HPEF8C0B HP0019BBEF8C0B
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: Starware Games Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [bcbcef34] rundll32.exe "C:\WINDOWS\system32\huafbcbs.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdefc.exe] C:\WINDOWS\system32\kdefc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BMbf8fdca8] Rundll32.exe "C:\WINDOWS\system32\ymccotbj.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1582] command /c del "C:\WINDOWS\SYSTEM32\ymccotbj.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4542] cmd /c del "C:\WINDOWS\SYSTEM32\ymccotbj.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8528] command /c del "C:\WINDOWS\SYSTEM32\ymccotbj.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD227] cmd /c del "C:\WINDOWS\SYSTEM32\ymccotbj.dll_old"
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZCman000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O22 - SharedTaskScheduler: bebization - {97d2dfac-9acb-4d6f-ac2b-ab6ee090f649} - C:\WINDOWS\system32\ouhzw.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9735 bytes

Thanks!

pskelley
2008-09-01, 16:22
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
LiveShare P2P Server <<< uninstall that item.

HijackThis is not located according to the instructions? Follow these directions to locate it to a safe position.
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Post that new HJT log and all log in Normal mode ( not Boot mode: Safe mode) and I will respond with the first instructions as soon as possible after that.

Thanks...Phil

m2family
2008-09-01, 23:43
Phil,

I completed the following steps per your instructions.

1. Rebooted to normal mode. Spybot S&D launched automatically and detected no problems.

2. Uninstalled all Roxio software using Control Panel, Add Remove Programs.

3. Recopied HiJackThis.exe to desktop and reran. Noticed that LiveShare P2P was still running.

4. Accessed Admin Tools...Component Management...Services...Standard. Double-clicked on LiveShare and disabled the service and disabled its Logon capabilities.

5. Reran HJT.exe and LiveShare service was no longer listed. If there is another way to uninstall this service, please let me know and I will do it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:27:51 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\MomDad\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O1 - Hosts: HPEF8C0B HP0019BBEF8C0B
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: Starware Games Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [bcbcef34] rundll32.exe "C:\WINDOWS\system32\huafbcbs.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdefc.exe] C:\WINDOWS\system32\kdefc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BMbf8fdca8] Rundll32.exe "C:\WINDOWS\system32\ymccotbj.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZCman000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O22 - SharedTaskScheduler: bebization - {97d2dfac-9acb-4d6f-ac2b-ab6ee090f649} - C:\WINDOWS\system32\ouhzw.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9772 bytes

Thanks for the help!

m2family
2008-09-01, 23:50
:oops:

Forgot to run HJTInstall instead of copying HJT.exe from jumpdrive to desktop. Here is the HJTLog after running HJTInstall.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:42 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O1 - Hosts: HPEF8C0B HP0019BBEF8C0B
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
O3 - Toolbar: Starware Games Toolbar - {1962c5bc-e475-465b-823b-133e711bceb9} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [bcbcef34] rundll32.exe "C:\WINDOWS\system32\huafbcbs.dll",b
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdefc.exe] C:\WINDOWS\system32\kdefc.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [BMbf8fdca8] Rundll32.exe "C:\WINDOWS\system32\qukrtdxy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZCman000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O22 - SharedTaskScheduler: bebization - {97d2dfac-9acb-4d6f-ac2b-ab6ee090f649} - C:\WINDOWS\system32\ouhzw.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9865 bytes


Will be more precise in my actions in the future.

pskelley
2008-09-02, 00:12
Thanks for returning your information...bunch of junk on the computer, we will remove Vundo first.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

m2family
2008-09-02, 00:44
Combifix Log
ComboFix 08-09-01.01 - MomDad 2008-09-01 17:21:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479 [GMT -4:00]
Running from: C:\Documents and Settings\MomDad\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\#SharedObjects\BLFQNADD\bin.clearspring.com
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\#SharedObjects\BLFQNADD\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\#SharedObjects\BLFQNADD\interclick.com
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\#SharedObjects\BLFQNADD\interclick.com\ud.sol
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\MomDad\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\MomDad\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\MomDad\Application Data\rhcgqoj0epbv
C:\Documents and Settings\MomDad\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\MomDad\My Documents\My Documents.url
C:\Documents and Settings\MomDad\My Documents\My Music\My Music.url
C:\Documents and Settings\MomDad\My Documents\My Pictures\My Pictures.url
C:\Documents and Settings\MomDad\My Documents\My Videos\My Video.url
C:\Documents and Settings\Thomas\Application Data\ShoppingReport
C:\Documents and Settings\Thomas\Application Data\Starware347
C:\Documents and Settings\Thomas\Application Data\Starware347\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Configurator\Configurator.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Configurator\Configurator.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Games\GamesOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Games\GamesOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Games\images\active\Games0.bmp
C:\Documents and Settings\Thomas\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\JokeSearch\JokeSearchOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Manager\ManagerOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Thomas\Application Data\Starware347\Movies\images\active\Movies0.bmp_new
C:\Documents and Settings\Thomas\Application Data\Starware347\Movies\MoviesOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Pranks\PranksOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Pranks\PranksOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Thomas\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware347\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware381
C:\Documents and Settings\Thomas\Application Data\Starware381\Games\GamesOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware381\Games\GamesOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware381\Games\images\active\Games0.bmp
C:\Documents and Settings\Thomas\Application Data\Starware381\GenericRSSFeed\GenericRSSFeedOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware381\GenericRSSFeed\GenericRSSFeedOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware381\Marketing4\images\active\Marketing40.bmp
C:\Documents and Settings\Thomas\Application Data\Starware381\Marketing4\Marketing4Options.xml
C:\Documents and Settings\Thomas\Application Data\Starware381\Marketing4\Marketing4Options.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware381\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Thomas\Application Data\Starware381\Movies\MoviesOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware381\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware381\MusicSearch\MusicSearchOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware381\MusicSearch\MusicSearchOptions.xml.backup
C:\Documents and Settings\Thomas\Application Data\Starware381\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Thomas\Application Data\Starware381\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Thomas\Application Data\Starware381\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Thomas\Cookies\thomas@2o7[2].txt
C:\Documents and Settings\Thomas\Cookies\thomas@a.hasbro[1].txt
C:\Documents and Settings\Thomas\Cookies\thomas@advertising[2].txt
C:\Documents and Settings\Thomas\Cookies\thomas@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Thomas\Cookies\thomas@gamewinners[1].txt
C:\Documents and Settings\Thomas\Cookies\thomas@insightexpressai[2].txt
C:\Documents and Settings\Thomas\Cookies\thomas@revsci[1].txt
C:\Documents and Settings\Thomas\Cookies\thomas@spamblockerutility[1].txt
C:\Program Files\Applications\myd.ico
C:\Program Files\Applications\mym.ico
C:\Program Files\Applications\myp.ico
C:\Program Files\Applications\myv.ico
C:\Program Files\OneStepSearch
C:\WINDOWS\BMbf8fdca8.txt
C:\WINDOWS\BMbf8fdca8.xml
C:\WINDOWS\jestertb.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\bprnqlkx.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\GfOqrAHk.ini
C:\WINDOWS\SYSTEM32\GfOqrAHk.ini2
C:\WINDOWS\system32\gmetcvky.dll
C:\WINDOWS\system32\gtdbmqpa.exe
C:\WINDOWS\SYSTEM32\hjokdexn.ini
C:\WINDOWS\system32\hrjhpm.dll
C:\WINDOWS\system32\jorqcajk.dll
C:\WINDOWS\system32\kHArqOfG.dll
C:\WINDOWS\system32\ljjhIaxw.dll
C:\WINDOWS\system32\mffcvg.dll
C:\WINDOWS\system32\mmfejqso.dll
C:\WINDOWS\system32\nfgavs.dll
C:\WINDOWS\system32\nxedkojh.dll
C:\WINDOWS\system32\olcabhhn.exe
C:\WINDOWS\SYSTEM32\osqjefmm.ini
C:\WINDOWS\system32\qjykjjjr.ini
C:\WINDOWS\system32\qukrtdxy.dll
C:\WINDOWS\system32\salaoadw.exe
C:\WINDOWS\system32\tkrplxhq.dll
C:\WINDOWS\system32\wav.cpl
C:\WINDOWS\system32\xklqnrpb.dll
C:\WINDOWS\system32\ymjwcbjy.dll
C:\WINDOWS\system32\yplxyq.dll
C:\WINDOWS\system32\ytpcayjd.dll

----- BITS: Possible infected sites -----

http://www.graboid.com
.
((((((((((((((((((((((((( Files Created from 2008-08-01 to 2008-09-01 )))))))))))))))))))))))))))))))
.

2008-09-01 16:46 . 2008-09-01 16:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-31 13:21 . 2008-08-31 13:21 <DIR> d-------- C:\WINDOWS\Logs
2008-08-29 14:35 . 2008-08-29 14:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-29 08:52 . 2008-08-30 16:20 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-29 08:40 . 2008-08-31 13:06 714 --a------ C:\WINDOWS\SYSTEM32\sbcbfauh.ini
2008-08-28 07:59 . 2008-08-28 07:59 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-19 22:21 . 2008-08-19 22:21 <DIR> d-------- C:\Program Files\BitDownload
2008-08-18 22:16 . 2008-08-15 19:31 165,888 --a------ C:\WINDOWS\SYSTEM32\uav.cpl
2008-08-17 21:40 . 2008-08-28 12:42 <DIR> d-------- C:\Program Files\WAV
2008-08-14 22:51 . 2008-08-08 10:44 165,888 --a------ C:\WINDOWS\SYSTEM32\aav.cpl
2008-08-14 22:46 . 2008-09-01 17:21 <DIR> d-------- C:\Program Files\Applications
2008-08-14 21:49 . 2008-05-01 10:33 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-11 23:07 . 2008-08-17 17:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-08-11 23:07 . 2008-08-11 23:07 1,409 --a------ C:\WINDOWS\QTFont.for
2008-08-08 15:36 . 2008-08-08 15:36 <DIR> d-------- C:\Program Files\LEGO Company
2008-08-08 15:36 . 2008-08-08 15:45 <DIR> d-------- C:\Documents and Settings\MomDad\Application Data\LEGO Company
2008-08-04 18:19 . 2008-08-04 18:19 <DIR> d-------- C:\Program Files\Valusoft
2008-08-04 18:18 . 2008-08-29 11:39 <DIR> d-------- C:\Program Files\City Interactive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-01 20:22 --------- d-----w C:\Program Files\Roxio
2008-09-01 20:22 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-09-01 20:20 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-09-01 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-08-31 19:39 --------- d-----w C:\Program Files\VideoLAN
2008-08-31 17:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-30 19:37 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-08-30 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-08-29 17:48 --------- d-----w C:\Program Files\eGames
2008-08-29 15:52 --------- d-----w C:\Program Files\NCH Swift Sound
2008-08-29 15:41 --------- d-----w C:\Program Files\Deep Sea Tycoon
2008-08-29 15:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-29 15:40 --------- d-----w C:\Program Files\CyberLink
2008-08-29 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-28 12:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-27 20:29 --------- d-----w C:\Program Files\MSN Messenger
2008-08-05 21:59 --------- d-----w C:\Program Files\Cheat Engine
2008-07-31 17:25 --------- d-----w C:\Program Files\PartyGaming
2008-07-30 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Graboid Inc
2008-03-18 23:09 120,936 -c--a-w C:\Documents and Settings\Thomas\Application Data\GDIPFONTCACHEV1.DAT
2008-03-04 22:38 120,936 ----a-w C:\Documents and Settings\MomDad\Application Data\GDIPFONTCACHEV1.DAT
2006-11-20 23:45 92,064 ----a-w C:\Documents and Settings\MomDad\mqdmmdm.sys
2006-11-20 23:45 9,232 ----a-w C:\Documents and Settings\MomDad\mqdmmdfl.sys
2006-11-20 23:45 79,328 ----a-w C:\Documents and Settings\MomDad\mqdmserd.sys
2006-11-20 23:45 66,656 ----a-w C:\Documents and Settings\MomDad\mqdmbus.sys
2006-11-20 23:45 6,208 ----a-w C:\Documents and Settings\MomDad\mqdmcmnt.sys
2006-11-20 23:45 5,936 ----a-w C:\Documents and Settings\MomDad\mqdmwhnt.sys
2006-11-20 23:45 4,048 ----a-w C:\Documents and Settings\MomDad\mqdmcr.sys
2006-11-20 23:45 25,600 ----a-w C:\Documents and Settings\MomDad\usbsermptxp.sys
2006-11-20 23:45 22,768 ----a-w C:\Documents and Settings\MomDad\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43 57344]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-03-29 20:39:53 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ASWLNDLL]
2007-05-13 22:45 6656 C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\system32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppMgrGui]
--a------ 2006-09-27 20:49 24064 C:\Program Files\AppStream\WindowsClient\bin\exeForService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-11-16 02:05 127035 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 10:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-10-12 18:54 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\EHOME\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2004-03-23 14:16 135168 C:\Program Files\Intel\Intel Application Accelerator\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-06-16 06:03 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-09-11 05:40 86960 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-15 14:11 267048 C:\Documents and Settings\All Users\Documents\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-01-19 12:06 11776 C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2006-01-19 12:06 110592 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-03-29 20:50 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2001-12-05 12:53 73728 C:\Program Files\NavNT\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2007-11-15 22:51 166304 C:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2004-03-10 21:50 28672 C:\WINDOWS\SYSTEM32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Documents and Settings\\All Users\\Documents\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 APPSTREAM;APPSTREAM;C:\WINDOWS\System32\Drivers\APPSTREAM.SYS [2007-05-13 22:33]
R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-07-08 11:33]
R2 AppMgrService;AWE 5.1.0 Application Manager;C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe [2006-09-27 20:49]
R2 REGHOOK;REGHOOK;C:\WINDOWS\System32\Drivers\REGHOOK.SYS [2006-09-27 20:27]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R2 VSPD;VSPD;C:\WINDOWS\System32\Drivers\VSPD.SYS [2006-09-27 20:27]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 17:12]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]
S4 RoxLiveShare10;LiveShare P2P Server 10;C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe []
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-bcbcef34 - C:\WINDOWS\system32\mmfejqso.dll
HKLM-Run-C:\WINDOWS\system32\kdefc.exe - C:\WINDOWS\system32\kdefc.exe
HKLM-Run-BMbf8fdca8 - C:\WINDOWS\system32\qukrtdxy.dll
HKLM-Explorer_Run-smile - C:\Program Files\Applications\wcs.exe
SharedTaskScheduler-{97d2dfac-9acb-4d6f-ac2b-ab6ee090f649} - C:\WINDOWS\system32\ouhzw.dll
MSConfigStartUp-DMXLauncher - C:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - C:\PROGRA~1\MYWEBS~1\bar\3.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - C:\PROGRA~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL
MSConfigStartUp-RoxWatchTray - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe
MSConfigStartUp-UCam_Menu - C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
O8 -: &Search - ?p=ZCman000
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 -: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
O9 -: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 -: {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0}
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-01 17:34:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\WINDOWS\\system32\\kdefc.exe"="C:\\WINDOWS\\system32\\kdefc.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\EHOME\ehrecvr.exe
C:\WINDOWS\EHOME\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\SYSTEM32\UAService7.exe
C:\WINDOWS\EHOME\mcrdsvc.exe
C:\WINDOWS\SYSTEM32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-09-01 17:40:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-01 21:40:53

Pre-Run: 30,861,967,360 bytes free
Post-Run: 31,218,417,664 bytes free

348 --- E O F --- 2008-08-20 02:01:31

HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:44 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZCman000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O20 - Winlogon Notify: ASWLNDLL - C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9167 bytes


Yes there is junk...12 year olds...

pskelley
2008-09-02, 01:09
Thanks for returning your information, you said:

Yes there is junk...12 year olds...
You may want to block this website:
----- BITS: Possible infected sites -----
http://wXw.graboid.com <<< X added for safety
SpywareBlaster will Block it for you.


1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

2) C:\Program Files\Java\jre1.6.0_03\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(leave this if you want a blank StartPage)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O9 - Extra button: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyGammon.com - {59A861EE-32B3-42cd-8CCA-FC130EDF3A44} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\SYSTEM32\sbcbfauh.ini <<< see if you can delete that file manually, let me know.
You may need to show all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

7) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

How is the computer running?

Thanks...Phil

m2family
2008-09-02, 02:00
Phil,

Only a couple of the JREs had remove or Change/Remove options in Add/remove programs. Any suggestions for uninstalling old versions of Java?

I am assuming this step is mandatory before moving down the list of fixes.

Thanks in advance!

pskelley
2008-09-02, 02:25
I am assuming this step is mandatory before moving down the list of fixes.
You can move past that instruction and return to it if you wish, here is a tool to remove the old Java programs: http://raproducts.org/

Thanks for asking...Phil

m2family
2008-09-02, 03:39
:crowned:

Phil,

All steps successfully completed including Java removal. Here are the Malware and HJT logs.

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 3

8:33:38 PM 9/1/2008
mbam-log-09-01-2008 (20-33-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 172444
Time elapsed: 49 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ab3dfa03-f743-4302-81dd-c370bffeca23} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5b4c3b43-49b6-42a7-a602-f7acdca0d409} (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\UAV (Rogue.UltimateAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Live.com (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Red Kawa\Video Converter\uninstaller.exe (BHO.Baidu) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gtdbmqpa.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\olcabhhn.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\salaoadw.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1012\A0151329.dll (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1012\A0151330.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1012\A0151331.exe (Adware.OneStepSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1012\A0151508.exe (Rogue.VirusHeat) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0155393.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0155402.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0155404.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP1040\A0155809.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WAV\wav.cpl (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\WAV\wav.exe (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uav.cpl (Rogue.UltimateAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\aav.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.


HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:13 PM, on 9/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - ?p=ZCman000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,99/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O20 - Winlogon Notify: ASWLNDLL - C:\WINDOWS\SYSTEM32\ASWLNDLL.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AWE 5.1.0 Application Manager (AppMgrService) - AppStream Inc. - C:\Program Files\AppStream\WindowsClient\bin\AppMgrService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7564 bytes


I have placed the computer back on the internet and it seems to be operating fine.

Will these fixes also resolve my Windows Update issues? Also, should I reenable TeaTimer now?

pskelley
2008-09-02, 11:48
Thanks for returning your infomation and the feedback.

I have placed the computer back on the internet and it seems to be operating fine.
I would restrict internet activity to what is absolutely necessary for a bit longer.

Will these fixes also resolve my Windows Update issues?
If the malware we removed was the cause, it will, let me know if the issues are continue, exactly what they are and about any error message you receive. Do you have this information:

http://v4.windowsupdate.microsoft.com/troubleshoot/
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

Also, should I reenable TeaTimer now?
Leave it off a bit longer, we still have a few changes to make and it will drive you crazy as it tries to do it's job.

This is the next bridge we must cross:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks...Phil

m2family
2008-09-07, 01:01
Phil,

Sorry it took so long to get back to you.

Windows Automatic updates are now available.

I successfully followed the instructions for the Recovery Console and the log is below:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect


What is next?

pskelley
2008-09-07, 01:40
Recovery Console was installed correctly, here is some information:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
Recovery Console is a tool that will allow you to recover from a catastrophic system failure, so let's hope you never need it. Many experts believe Microsoft should have installed it by default.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run MBAM again to make sure we got all of the junk, no need to post a clean scan result.

What are you running for an antivirus program? I see this:
C:\Program Files\NavNT\defwatch.exe
http://www.processlibrary.com/directory/files/defwatch
You want to be sure you have a current, up to date antivirus program. It is cyber-suicide to go online anymore without one. If you need a free program, let me know and I will make one available. Whatever you are running needs to be updated and the system scanned to make sure it is working right and scanning clean. This was a bad infection and they often damage security programs.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

m2family
2008-09-07, 21:23
Phil,

All done. One small process issue. There was not a reboot requested between installation of the Recovery Console and your last instructions. So when I went to My Computer...Properties, there was no System Restore tab. I restarted and it appeared.

As for virus protection, I use Norton Antivirus Corporate as it is provided by my employer. NAV is current failing on load though so I need to get the install disks again from IT.

What next? Teatimer?

pskelley
2008-09-07, 21:52
Please read the information in the links I posted first, then enable TeaTimer.

Safe surfing:bigthumb: