
View Full Version : Vario Antivirus



tanusgreystar
2009-01-08, 02:59
Hi. I'm working on someone's PC and it was very infected. They look at a lot of dangerous sites and download free screen savers, etc. The woman who owns it got rid of most of it, and I thought it was clean until I ran Spybot, which picked up almost 200 instances of spyware and trojans. I was able to get most of it except for VarioAntivirus, FunWebProducts, and Myway.MywebSearch. I looked in your archives for a fix and I ran HijackThis, Malwarebytes, and ATF Cleaner. The logs are below. I was wondering if someone could look at them and let me know what else I need to do. There are a million antispyware programs running, which I believe slow down the computer, as well as remnants of Norton antivirus, which was uninstalled before the woman got the PC. Thanks.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:01 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CyberDefender\AntiSpyware\cdase1c.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Shopping Advisor - {A057A204-BACC-4D26-C7D7-6BAD84E32FCB} - C:\PROGRA~1\BUYSAF~1\BUYSAF~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Shopping Advisor - {A057A204-BACC-4D26-C7D7-6BAD84E32FCB} - C:\PROGRA~1\BUYSAF~1\BUYSAF~1.DLL
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [SiSPower] "Rundll32.exe" SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdase1c.exe" /minimize
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKfox000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 5582 bytes

Malwarebytes:

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 3

1/7/2009 8:16:20 PM
mbam-log-2009-01-07 (20-16-20).txt

Scan type: Quick Scan
Objects scanned: 56251
Time elapsed: 3 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\WinSecureAv\AVQuar (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zachary\Application Data\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\Zachary\Application Data\WinSecureAv\Logs (Rogue.WinSecureAv) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)


ComboFix 09-01-07.01 - Kimberly 2009-01-07 20:28:49.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.735.404 [GMT -5:00]
Running from: c:\documents and settings\Kimberly\Desktop\ComboFix.exe
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kimberly\Application Data\FunWebProducts
c:\documents and settings\Zachary\ResErrors.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP
-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2008-12-08 to 2009-01-08 )))))))))))))))))))))))))))))))
.

2009-01-07 19:36 . 2009-01-07 19:36 <DIR> d-------- c:\documents and settings\Kimberly\Application Data\Malwarebytes
2009-01-07 19:35 . 2009-01-07 19:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-07 19:35 . 2009-01-07 19:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-07 19:35 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 19:35 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 19:14 . 2009-01-07 19:14 <DIR> d-------- c:\program files\Highjackthis
2009-01-07 17:57 . 2009-01-07 17:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 00:31 . 2009-01-07 00:31 0 --a------ c:\windows\vpc32.INI
2009-01-06 20:44 . 2009-01-06 20:44 <DIR> d-------- c:\documents and settings\Kimberly\Application Data\IObit
2009-01-06 20:09 . 2009-01-06 20:09 <DIR> d-------- c:\program files\IObit
2009-01-06 20:08 . 2009-01-06 20:08 <DIR> d-------- c:\program files\CCleaner
2009-01-06 19:59 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX
2009-01-06 19:59 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL
2009-01-06 19:55 . 2009-01-06 19:55 <DIR> d-------- c:\program files\Windows Defender
2009-01-06 19:41 . 2009-01-06 19:41 4,212 --ah----- c:\windows\system32\zllictbl.dat
2009-01-06 19:40 . 2009-01-06 19:40 <DIR> d-------- c:\windows\system32\ZoneLabs
2009-01-06 19:40 . 2009-01-06 19:40 <DIR> d-------- c:\program files\Zone Labs
2009-01-06 19:40 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll
2009-01-06 19:39 . 2009-01-07 20:34 348,371 --a------ c:\windows\system32\vsconfig.xml
2009-01-06 19:36 . 2009-01-06 19:36 <DIR> d-------- c:\windows\Internet Logs
2009-01-06 19:10 . 2009-01-06 19:10 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 19:10 . 2009-01-06 19:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-06 16:45 . 2009-01-06 16:45 <DIR> d-------- c:\documents and settings\Zachary\Application Data\BUYSAFESHOPPINGADVISOR
2009-01-04 16:54 . 2009-01-04 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trymedia
2009-01-02 21:09 . 2009-01-02 21:09 187 --a------ C:\Shortcut to ACER (C).lnk
2009-01-01 15:58 . 2009-01-01 15:58 <DIR> d-------- c:\program files\RegCure
2009-01-01 14:59 . 2009-01-01 14:59 <DIR> d-------- c:\program files\Common Files\Adobe
2009-01-01 13:52 . 2009-01-01 14:37 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-01 13:52 . 2009-01-01 14:37 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-01 13:52 . 2009-01-01 14:37 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-01 13:52 . 2008-06-02 15:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-01 13:51 . 2009-01-01 13:51 <DIR> d-------- c:\program files\Spyware Doctor
2009-01-01 13:51 . 2009-01-01 13:52 <DIR> d-------- c:\documents and settings\Kimberly\Application Data\PC Tools
2009-01-01 13:50 . 2009-01-01 13:50 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-01-01 13:49 . 2009-01-01 13:49 <DIR> d-------- c:\program files\Norton Security Scan
2009-01-01 13:48 . 2009-01-01 13:48 <DIR> d-------- c:\windows\system32\runtime
2009-01-01 13:45 . 2009-01-01 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-01-01 11:52 . 2009-01-01 11:52 <DIR> d-------- c:\windows\system32\NtmsData
2008-12-28 10:18 . 2008-12-29 19:15 73 --a------ c:\windows\st_affiliate.ini
2008-12-28 09:23 . 2008-12-28 09:23 <DIR> d-------- c:\program files\WebEx
2008-12-28 08:56 . 2008-12-28 08:56 <DIR> d-------- c:\documents and settings\Kimberly\Application Data\BUYSAFESHOPPINGADVISOR
2008-12-28 08:56 . 2008-12-28 09:36 63 --a------ c:\windows\av_affiliate.ini
2008-12-28 08:56 . 2008-12-28 09:36 63 --a------ c:\windows\as_affiliate.ini
2008-12-28 08:54 . 2008-12-28 08:54 <DIR> d-------- c:\program files\CyberDefender
2008-12-28 08:54 . 2008-12-28 08:53 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2008-12-28 08:18 . 2008-12-28 08:18 <DIR> d-------- c:\program files\buySAFEShoppingAdvisor
2008-12-20 08:45 . 2008-12-20 08:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-11 12:34 . 2008-12-11 12:34 <DIR> d-------- c:\program files\FreeShield Toolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 21:47 2,864 ----a-w c:\windows\system32\winsock.dll
2009-01-01 21:47 2,864 ----a-w c:\windows\system32\dllcache\winsock.dll
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-07 23:19 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-06 15:47 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-10-16 01:00 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-10-16 01:00 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-10-16 01:00 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2008-10-15 17:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-04-06 16:59 0 ----a-w c:\program files\temp01
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberDefender Early Detection Center"="c:\program files\CyberDefender\AntiSpyware\cdase1c.exe" [2008-12-28 664904]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-12-21 2250256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2005-03-18 106496]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"CyberDefender Early Detection Center"="c:\program files\CyberDefender\AntiSpyware\ISSIntro.exe" [2008-12-28 570696]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"SiSPower"="SiSPower.dll" [2005-03-03 c:\windows\system32\SiSPower.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CyberDefender\\AntiSpyware\\cdase1c.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27299:TCP"= 27299:TCP:BitComet 27299 TCP
"27299:UDP"= 27299:UDP:BitComet 27299 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-08-01 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-08-01 20560]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 CDAVFS;CDAVFS;c:\windows\system32\drivers\CDAVFS.sys [2008-12-28 67424]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-04 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-01 356920]
.
Contents of the 'Scheduled Tasks' folder

2008-11-03 c:\windows\Tasks\wrSpySweeperTrialSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-11-03 c:\windows\Tasks\wrSpySweeperTrialSweep.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-11-03 c:\windows\Tasks\wrSpySweeperTrialSweep.job
- c:\","d:\" []

2009-01-07 c:\windows\Tasks\wrSpySweeper_L2242B180E06E4FCB998ECC46AD283123.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2009-01-07 c:\windows\Tasks\wrSpySweeper_L2242B180E06E4FCB998ECC46AD283123.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2009-01-07 c:\windows\Tasks\wrSpySweeper_L2242B180E06E4FCB998ECC46AD283123.job
- c:\","d:\" []

2009-01-07 c:\windows\Tasks\wrSpySweeper_LFA859013DD8941DD80533DFE03AC72C3.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2009-01-07 c:\windows\Tasks\wrSpySweeper_LFA859013DD8941DD80533DFE03AC72C3.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2009-01-07 c:\windows\Tasks\wrSpySweeper_LFA859013DD8941DD80533DFE03AC72C3.job
- c:\","d:\" []

2008-07-02 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

2008-12-28 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 09:50]

2008-12-11 c:\windows\Tasks\rpc.job
- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe []

2008-12-21 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 09:50]

2008-11-27 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-04-02 09:50]

2009-01-01 c:\windows\Tasks\Norton Security Scan for Kimberly.job
- c:\program files\Norton Security Scan\Nss.exe [2008-12-11 17:49]

2009-01-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 13:55]

2009-01-08 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-11-27 13:55]

2009-01-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search - ?p=ZKfox000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\program files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll
FF - ProfilePath - c:\documents and settings\Kimberly\Application Data\Mozilla\Firefox\Profiles\wslccsno.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1439.6872\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 20:36:57
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZONELABS\vsmon.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Webroot\Spy Sweeper\SSU.EXE
.
**************************************************************************
.
Completion time: 2009-01-07 20:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-08 01:40:50

Pre-Run: 56,436,523,008 bytes free
Post-Run: 56,305,188,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
239 --- E O F --- 2008-12-18 20:11:44



Thanks!

tanusgreystar
2009-01-09, 04:14
Hi. Could someone please look at my log so I can get this PC back to the owners? According to my last Spybot scan, the computer's clean, but I need to make sure. Thanks!

tanusgreystar
2009-01-10, 18:22
I assume I'm all set then. Thanks. :eek: