
Thread: A lot of malware problems

  1. #11 Member (Join Date: Aug 2007, Posts: 58)

    Part 2 of the ComboFix log

    Here is part 2 of ComboFix log:

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-08 21:06 --------- d-------- C:\DOCUME~1\Abba\APPLIC~1\Gtek
    2007-08-07 15:16 932 --a------ C:\WINDOWS\system32\drivers\core.cache(14).dsk
    2007-08-07 15:16 283 --a------ C:\WINDOWS\system32\drivers\x.gif
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(9).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(8).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(7).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(6).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(5).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(4).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(3).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(2).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(13).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(12).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(11).dsk
    2007-08-07 15:16 164787 --a------ C:\WINDOWS\system32\drivers\core.cache(10).dsk
    2007-08-07 15:15 639 --a------ C:\WINDOWS\system32\drivers\star.gif
    2007-08-07 15:15 550 --a------ C:\WINDOWS\system32\drivers\star_small.gif
    2007-08-07 15:15 53 --a------ C:\WINDOWS\system32\drivers\sep_vert.gif
    2007-08-07 15:15 49 --a------ C:\WINDOWS\system32\drivers\spacer.gif
    2007-08-07 15:15 425 --a------ C:\WINDOWS\system32\drivers\star_gray.gif
    2007-08-07 15:15 3877 --a------ C:\WINDOWS\system32\drivers\warning_icon.gif
    2007-08-07 15:15 291 --a------ C:\WINDOWS\system32\drivers\v.gif
    2007-08-07 15:15 223 --a------ C:\WINDOWS\system32\drivers\star_gray_small.gif
    2007-08-07 15:15 2090 --a------ C:\WINDOWS\system32\drivers\shadow.jpg
    2007-08-07 15:15 1791 --a------ C:\WINDOWS\system32\drivers\win_logo.gif
    2007-08-07 15:15 13618 --a------ C:\WINDOWS\system32\drivers\spy_away_box.jpg
    2007-08-07 15:14 979 --a------ C:\WINDOWS\system32\drivers\product_2_name_small.gif
    2007-08-07 15:14 65 --a------ C:\WINDOWS\system32\drivers\sep_hor.gif
    2007-08-07 15:14 3080 --a------ C:\WINDOWS\system32\drivers\product_3_header.gif
    2007-08-07 15:14 2604 --a------ C:\WINDOWS\system32\drivers\product_1_header.gif
    2007-08-07 15:14 2214 --a------ C:\WINDOWS\system32\drivers\product_2_header.gif
    2007-08-07 15:14 215 --a------ C:\WINDOWS\system32\drivers\main_back.gif
    2007-08-07 15:14 1714 --a------ C:\WINDOWS\system32\drivers\product_3_name_small.gif
    2007-08-07 15:14 1330 --a------ C:\WINDOWS\system32\drivers\product_features.gif
    2007-08-07 15:14 1253 --a------ C:\WINDOWS\system32\drivers\product_1_name_small.gif
    2007-08-07 15:14 10260 --a------ C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    2007-08-07 15:13 918 --a------ C:\WINDOWS\system32\drivers\s_detect.htm
    2007-08-07 15:13 837 --a------ C:\WINDOWS\system32\drivers\blank.gif
    2007-08-07 15:13 835 --a------ C:\WINDOWS\system32\drivers\style.css
    2007-08-07 15:13 6575 --a------ C:\WINDOWS\system32\drivers\remove_spyware_button.gif
    2007-08-07 15:13 6373 --a------ C:\WINDOWS\system32\drivers\secuity_center_logo.gif
    2007-08-07 15:13 48933 --a------ C:\WINDOWS\system32\drivers\pt.htm
    2007-08-07 15:13 2922 --a------ C:\WINDOWS\system32\drivers\footer_back.jpg
    2007-08-07 15:13 28459 --a------ C:\WINDOWS\system32\drivers\header_1.gif
    2007-08-07 15:13 2238 --a------ C:\WINDOWS\system32\drivers\download_box.gif
    2007-08-07 15:13 1647 --a------ C:\WINDOWS\system32\drivers\button_freescan.gif
    2007-08-07 15:13 1619 --a------ C:\WINDOWS\system32\drivers\button_buynow.gif
    2007-08-07 15:13 15421 --a------ C:\WINDOWS\system32\drivers\header_2.gif
    2007-08-07 15:13 12326 --a------ C:\WINDOWS\system32\drivers\box_3.gif
    2007-08-07 15:13 12313 --a------ C:\WINDOWS\system32\drivers\box_1.gif
    2007-08-07 15:13 1204 --a------ C:\WINDOWS\system32\drivers\infected.gif
    2007-08-07 15:13 11927 --a------ C:\WINDOWS\system32\drivers\box_2.gif
    2007-08-07 15:13 11077 --a------ C:\WINDOWS\system32\drivers\header_4.gif
    2007-08-07 15:13 10193 --a------ C:\WINDOWS\system32\drivers\header_3.gif
    2007-08-07 15:13 1014 --a------ C:\WINDOWS\system32\drivers\icon_warning.gif
    2007-08-07 15:12 64 --a------ C:\WINDOWS\system32\drivers\close_icon.gif
    2007-08-07 15:12 4723 --a------ C:\WINDOWS\system32\drivers\detect.htm
    2007-08-07 15:12 360 --a------ C:\WINDOWS\system32\drivers\header_bg.gif
    2007-08-07 15:12 2186 --a------ C:\WINDOWS\system32\drivers\alert_icon.gif
    2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
    "XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
    "DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
    "DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
    "mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
    "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
    "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
    "F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
    "Error Nuker"="C:\Program Files\Error Nuker\bin\ErrorNuker.exe" []
    "MediaGateway"="C:\Program Files\MediaGateway\MediaGateway.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
    "HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
    "IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
    "dlgabrkA"="C:\WINDOWS\dlgabrkA.exe" []
    "{96-6F-FB-B6-ZN}"="C:\WINDOWS\SYSTEM32\dwdsregt.exe" []
    "WinCore32.exe"="C:\WINDOWS\system32\WinCore32.exe" []
    "Windows Configure"="c:\windows\system32\syscfg32.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]
    "Magicantispy"="C:\Program Files\Magicantispy\Magicantispy.exe" [2007-08-09 13:45]
    "Kuaiwcl"="C:\WINDOWS\??sks\??erinit.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "Windows Configure"=c:\windows\system32\syscfg32.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

    C:\Documents and Settings\Abba\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 10:00:00]
    eSClean.vbs [2005-09-03 20:41:17]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 10:00:00]
    F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
    Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "tTIaba"= {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljge]
    mljge.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\hrum167.txt

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
    R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
    R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
    R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
    R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
    R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
    S2 aspimgr;Microsoft ASPI Manager;C:\WINDOWS\system32\aspimgr.exe
    S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
    S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-10 04:00:02 C:\WINDOWS\Tasks\Scheduled scanning task.job
    2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-10 14:42:36
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-10 14:45:41 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-10 14:45

    --- E O F ---

  2. #12 Member (Join Date: Aug 2007, Posts: 58)

    And finally, here's the HijackThis log. Thank you so much for your help. So far, the Magicantispy pop-up is the only one there, but I can't seem to get rid of it.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:42:07 PM, on 8/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Magicantispy\Magicantispy.exe
    C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
    C:\Documents and Settings\Abba\Desktop\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
    O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
    O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
    O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Magicantispy] C:\Program Files\Magicantispy\Magicantispy.exe
    O4 - HKCU\..\Run: [Kuaiwcl] C:\WINDOWS\??sks\??erinit.exe
    O4 - Startup: eSClean.vbs
    O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
    O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/R...hotoOnline.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodes...loads/OTAI.CAB
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_my...ra/ieatgpc.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
    O20 - Winlogon Notify: mljge - mljge.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
    O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  3. #13 Member (Join Date: Aug 2007, Posts: 58)

    Shaba, thank you for all your help so far. The computer seems better - there are fewer pop-ups, but the Magicantispy can't be removed, and my Control Panel capability is gone. When I try to activate it, I get a message that my computer has restrictions, and I should contact the system administrator - but my account has administrator privileges. I'm still getting other messages that look like an info message from Windows, saying that my computer is infected and I should download anti-spyware. Also, a message that says that copies of my registry are being made - that message started while I was running ComboFix, and I'm still getting it, even though the computer has been rebooted several times by the fix programs.

    I'll be away tomorrow, so I won't be able to respond quickly if you post before then, but I'm still here. Thank you so much for everything you're doing.

  4. #14 Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi

    Wow, there was a lot of malware lurking, and there still is.

    Do you recognize this folder?

    C:\DOCUME~1\ADMINI~1\WINDOWS

    Open HijackThis, click do a system scan only and checkmark these:

    O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
    O4 - HKLM\..\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
    O4 - HKLM\..\Run: [dlgabrkA] C:\WINDOWS\dlgabrkA.exe
    O4 - HKLM\..\Run: [Windows Configure] c:\windows\system32\syscfg32.exe
    O4 - HKLM\..\RunServices: [Windows Configure] c:\windows\system32\syscfg32.exe
    O4 - HKCU\..\Run: [Magicantispy] C:\Program Files\Magicantispy\Magicantispy.exe
    O4 - HKCU\..\Run: [Kuaiwcl] C:\WINDOWS\??sks\??erinit.exe
    O4 - Startup: eSClean.vbs
    O9 - Extra button: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
    O9 - Extra 'Tools' menuitem: Smiley District - {0418F3E3-C763-4e02-9EC5-F0AE13B54B0F} - C:\Program Files\SmileyDistrict\insmile.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
    O20 - Winlogon Notify: mljge - mljge.dll (file missing)
    O21 - SSODL: tTIaba - {ACA96FB7-0603-C51D-9A17-121E9FEABAAD} - C:\WINDOWS\system32\jty.dll (file missing)


    Close all windows including browser and press fix checked.

    Reboot.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    File::
    C:\WINDOWS\SYSTEM32\vtr167.dll
    C:\WINDOWS\SYSTEM32\rxaavqhh.exe
    C:\WINDOWS\SYSTEM32\kespeulb.exe
    C:\WINDOWS\SYSTEM32\drvjok.dll
    C:\WINDOWS\SYSTEM32\slwkynpj.exe
    C:\WINDOWS\SYSTEM32\user10.exe
    C:\WINDOWS\SYSTEM32\install.exe
    C:\WINDOWS\SYSTEM32\waverevenue.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
    C:\WINDOWS\qsxbj0578.exe
    C:\WINDOWS\SYSTEM32\ldcore(3).dll
    C:\WINDOWS\SYSTEM32\skna455101.exe
    C:\WINDOWS\system32\drivers\core.cache(14).dsk
    C:\WINDOWS\system32\drivers\x.gif
    C:\WINDOWS\system32\drivers\core.cache(9).dsk
    C:\WINDOWS\system32\drivers\core.cache(8).dsk
    C:\WINDOWS\system32\drivers\core.cache(7).dsk
    C:\WINDOWS\system32\drivers\core.cache(6).dsk
    C:\WINDOWS\system32\drivers\core.cache(5).dsk
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(13).dsk
    C:\WINDOWS\system32\drivers\core.cache(12).dsk
    C:\WINDOWS\system32\drivers\core.cache(11).dsk
    C:\WINDOWS\system32\drivers\core.cache(10).dsk
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\v.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\spy_away_box.jpg
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\product_3_header.gif
    C:\WINDOWS\system32\drivers\product_1_header.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\product_3_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\product_1_name_small.gif
    C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    C:\WINDOWS\system32\drivers\s_detect.htm
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\remove_spyware_button.gif
    C:\WINDOWS\system32\drivers\secuity_center_logo.gif
    C:\WINDOWS\system32\drivers\pt.htm
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\download_box.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\box_3.gif
    C:\WINDOWS\system32\drivers\box_1.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\icon_warning.gif
    C:\WINDOWS\system32\drivers\close_icon.gif
    C:\WINDOWS\system32\drivers\detect.htm
    C:\WINDOWS\system32\drivers\header_bg.gif
    C:\WINDOWS\system32\drivers\alert_icon.gif
    C:\WINDOWS\system32\hrum167.txt
    C:\WINDOWS\SYSTEM32\dacca.tmp
    C:\WINDOWS\SYSTEM32\wybeg.tmp
    C:\WINDOWS\SYSTEM32\wybeg.tmp2
    
    Folder::
    C:\Program Files\Magicantispy
    C:\WINDOWS\SYSTEM32\f06WtR
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 
    C:\Program Files\BHO
    C:\WINDOWS\SYSTEM32\Z2
    C:\WINDOWS\SYSTEM32\Z1
    C:\WINDOWS\SYSTEM32\f02WtR
    C:\WINDOWS\SYSTEM32\A1
    C:\Temp
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\?ystem
    C:\Program Files\SmileyDistrict
    Save this as "CFScript"



    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #15
    Member
    Join Date
    Aug 2007
    Posts
    58

    Default

    Shaba, thank you so much for all your help. Here is the ComboFix log. Does it matter which account I run these fixes from? I'm not running them in the account in which I caused the problems, because that had become unusable - with background and color changes. It looks much better now, though.

    Also, I got some error messages when I applied the HijackThis fixes - about "registry edit has been disabled by your administrator". There was an error message from the makers of HijackThis - asking to notify them -

    O20 - AppInit_DLLs: c:\WINDOWS\system32\hrum167.txt

    seems to be the line that caused it.



    ComboFix 07-08-09.3 - "Abba" 2007-08-11 22:55:15.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.198 [GMT -4:00]
    Command switches used :: C:\Documents and Settings\Abba\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\SYSTEM32\vtr167.dll
    C:\WINDOWS\SYSTEM32\rxaavqhh.exe
    C:\WINDOWS\SYSTEM32\kespeulb.exe
    C:\WINDOWS\SYSTEM32\drvjok.dll
    C:\WINDOWS\SYSTEM32\slwkynpj.exe
    C:\WINDOWS\SYSTEM32\user10.exe
    C:\WINDOWS\SYSTEM32\install.exe
    C:\WINDOWS\SYSTEM32\waverevenue.exe
    C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
    C:\WINDOWS\qsxbj0578.exe
    C:\WINDOWS\SYSTEM32\ldcore(3).dll
    C:\WINDOWS\SYSTEM32\skna455101.exe
    C:\WINDOWS\system32\drivers\core.cache(14).dsk
    C:\WINDOWS\system32\drivers\x.gif
    C:\WINDOWS\system32\drivers\core.cache(9).dsk
    C:\WINDOWS\system32\drivers\core.cache(8).dsk
    C:\WINDOWS\system32\drivers\core.cache(7).dsk
    C:\WINDOWS\system32\drivers\core.cache(6).dsk
    C:\WINDOWS\system32\drivers\core.cache(5).dsk
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(13).dsk
    C:\WINDOWS\system32\drivers\core.cache(12).dsk
    C:\WINDOWS\system32\drivers\core.cache(11).dsk
    C:\WINDOWS\system32\drivers\core.cache(10).dsk
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\v.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\spy_away_box.jpg
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\product_3_header.gif
    C:\WINDOWS\system32\drivers\product_1_header.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\product_3_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\product_1_name_small.gif
    C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    C:\WINDOWS\system32\drivers\s_detect.htm
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\remove_spyware_button.gif
    C:\WINDOWS\system32\drivers\secuity_center_logo.gif
    C:\WINDOWS\system32\drivers\pt.htm
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\download_box.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\box_3.gif
    C:\WINDOWS\system32\drivers\box_1.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\icon_warning.gif
    C:\WINDOWS\system32\drivers\close_icon.gif
    C:\WINDOWS\system32\drivers\detect.htm
    C:\WINDOWS\system32\drivers\header_bg.gif
    C:\WINDOWS\system32\drivers\alert_icon.gif
    C:\WINDOWS\system32\hrum167.txt
    C:\WINDOWS\SYSTEM32\dacca.tmp
    C:\WINDOWS\SYSTEM32\wybeg.tmp
    C:\WINDOWS\SYSTEM32\wybeg.tmp2


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\Abba\STARTM~1\Programs\Startup.\system.exe
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\autorun.exe
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
    C:\DOCUME~1\AVIFUS~1\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
    C:\Program Files\BHO
    C:\Program Files\BHO\bho.dat
    C:\Program Files\BHO\er.dat
    C:\Program Files\BHO\plugin.dll
    C:\Program Files\BHO\plugin1.dll
    C:\Program Files\BHO\uninstall.exe
    C:\Program Files\Magicantispy
    C:\Program Files\Magicantispy\Magicantispy.exe
    C:\Program Files\Magicantispy\Magicantispy.lic
    C:\Program Files\Magicantispy\Magicantispy0.dll
    C:\Program Files\Magicantispy\Magicantispy0.my
    C:\Program Files\Magicantispy\Magicantispy1.dll
    C:\Program Files\Magicantispy\Magicantispy1.my
    C:\Program Files\Magicantispy\Magicantispy3.dll
    C:\Program Files\Magicantispy\Uninstall.exe
    C:\Program Files\SmileyDistrict
    C:\Program Files\SmileyDistrict\bf.dat
    C:\Program Files\SmileyDistrict\bm.dat
    C:\Program Files\SmileyDistrict\insmile.dll
    C:\Program Files\SmileyDistrict\OSmile.dll
    C:\Program Files\SmileyDistrict\plugin.dll
    C:\Program Files\SmileyDistrict\plugin.exe
    C:\Program Files\SmileyDistrict\SDHelp.url
    C:\Program Files\SmileyDistrict\SDistr.url
    C:\Program Files\SmileyDistrict\serv.dat
    C:\Program Files\SmileyDistrict\uninstall.exe
    C:\Program Files\SmileyDistrict\ver.dat
    C:\Program Files\SmileyDistrict\WrdSmile.dll
    C:\Temp
    C:\WINDOWS\qsxbj0578.exe
    C:\WINDOWS\SYSTEM32\A1
    C:\WINDOWS\system32\A1\kmhp83122.exe
    C:\WINDOWS\SYSTEM32\A1\kmhp83122.exe
    C:\WINDOWS\SYSTEM32\dacca.tmp
    C:\WINDOWS\system32\drivers\alert_icon.gif
    C:\WINDOWS\SYSTEM32\DRIVERS\Awf59.sys
    C:\WINDOWS\system32\drivers\blank.gif
    C:\WINDOWS\system32\drivers\box_1.gif
    C:\WINDOWS\system32\drivers\box_2.gif
    C:\WINDOWS\system32\drivers\box_3.gif
    C:\WINDOWS\system32\drivers\button_buynow.gif
    C:\WINDOWS\system32\drivers\button_freescan.gif
    C:\WINDOWS\system32\drivers\close_icon.gif
    C:\WINDOWS\system32\drivers\core.cache(10).dsk
    C:\WINDOWS\system32\drivers\core.cache(11).dsk
    C:\WINDOWS\system32\drivers\core.cache(12).dsk
    C:\WINDOWS\system32\drivers\core.cache(13).dsk
    C:\WINDOWS\system32\drivers\core.cache(14).dsk
    C:\WINDOWS\system32\drivers\core.cache(2).dsk
    C:\WINDOWS\system32\drivers\core.cache(3).dsk
    C:\WINDOWS\system32\drivers\core.cache(4).dsk
    C:\WINDOWS\system32\drivers\core.cache(5).dsk
    C:\WINDOWS\system32\drivers\core.cache(6).dsk
    C:\WINDOWS\system32\drivers\core.cache(7).dsk
    C:\WINDOWS\system32\drivers\core.cache(8).dsk
    C:\WINDOWS\system32\drivers\core.cache(9).dsk
    C:\WINDOWS\system32\drivers\detect.htm
    C:\WINDOWS\system32\drivers\download_box.gif
    C:\WINDOWS\system32\drivers\footer_back.jpg
    C:\WINDOWS\system32\drivers\header_1.gif
    C:\WINDOWS\system32\drivers\header_2.gif
    C:\WINDOWS\system32\drivers\header_3.gif
    C:\WINDOWS\system32\drivers\header_4.gif
    C:\WINDOWS\system32\drivers\header_bg.gif
    C:\WINDOWS\system32\drivers\icon_warning.gif
    C:\WINDOWS\system32\drivers\infected.gif
    C:\WINDOWS\system32\drivers\main_back.gif
    C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
    C:\WINDOWS\system32\drivers\product_1_header.gif
    C:\WINDOWS\system32\drivers\product_1_name_small.gif
    C:\WINDOWS\system32\drivers\product_2_header.gif
    C:\WINDOWS\system32\drivers\product_2_name_small.gif
    C:\WINDOWS\system32\drivers\product_3_header.gif
    C:\WINDOWS\system32\drivers\product_3_name_small.gif
    C:\WINDOWS\system32\drivers\product_features.gif
    C:\WINDOWS\system32\drivers\pt.htm
    C:\WINDOWS\system32\drivers\remove_spyware_button.gif
    C:\WINDOWS\system32\drivers\s_detect.htm
    C:\WINDOWS\system32\drivers\secuity_center_logo.gif
    C:\WINDOWS\system32\drivers\sep_hor.gif
    C:\WINDOWS\system32\drivers\sep_vert.gif
    C:\WINDOWS\system32\drivers\shadow.jpg
    C:\WINDOWS\system32\drivers\spacer.gif
    C:\WINDOWS\system32\drivers\spy_away_box.jpg
    C:\WINDOWS\system32\drivers\star.gif
    C:\WINDOWS\system32\drivers\star_gray.gif
    C:\WINDOWS\system32\drivers\star_gray_small.gif
    C:\WINDOWS\system32\drivers\star_small.gif
    C:\WINDOWS\system32\drivers\style.css
    C:\WINDOWS\system32\drivers\v.gif
    C:\WINDOWS\system32\drivers\warning_icon.gif
    C:\WINDOWS\system32\drivers\win_logo.gif
    C:\WINDOWS\system32\drivers\x.gif
    C:\WINDOWS\SYSTEM32\drvjok.dll
    C:\WINDOWS\SYSTEM32\f02WtR
    C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
    C:\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe
    C:\WINDOWS\SYSTEM32\f06WtR
    C:\WINDOWS\system32\f06WtR\f06WtR1083.exe
    C:\WINDOWS\SYSTEM32\f06WtR\f06WtR1083.exe
    C:\WINDOWS\system32\hrum167.txt
    C:\WINDOWS\SYSTEM32\kespeulb.exe
    C:\WINDOWS\SYSTEM32\ldcore(3).dll
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\SYSTEM32\rxaavqhh.exe
    C:\WINDOWS\SYSTEM32\skna455101.exe
    C:\WINDOWS\SYSTEM32\slwkynpj.exe
    C:\WINDOWS\SYSTEM32\user10.exe
    C:\WINDOWS\SYSTEM32\vtr167.dll
    C:\WINDOWS\SYSTEM32\waverevenue.exe
    C:\WINDOWS\system32\WinAvXX.exe
    C:\WINDOWS\SYSTEM32\wybeg.tmp
    C:\WINDOWS\SYSTEM32\wybeg.tmp2
    C:\WINDOWS\SYSTEM32\Z1
    C:\WINDOWS\SYSTEM32\Z2
    C:\WINDOWS\SYSTEM32\Z2\x55.exe
    C:\WINDOWS\system32\Z2\x55.exe


    ((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


    2007-08-10 14:17 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-09 13:59 <DIR> d---s---- C:\DOCUME~1\Tali\UserData
    2007-08-09 13:56 <DIR> d-------- C:\DOCUME~1\Tali\APPLIC~1\Google
    2007-08-09 13:53 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Google
    2007-08-08 22:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
    2007-08-08 21:07 <DIR> d---s---- C:\DOCUME~1\Ima\UserData
    2007-08-08 21:07 <DIR> d-------- C:\VundoFix Backups
    2007-08-08 21:07 <DIR> d-------- C:\Program Files\Lavasoft
    2007-08-08 21:07 <DIR> d-------- C:\Program Files\Dell Support
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Xerox
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Symantec
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Sonic
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Real
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Nikon
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Jasc Software Inc
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Gtek
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\Google
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\F-Secure
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Ima\APPLIC~1\AdobeUM
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Gtek
    2007-08-08 21:07 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\APPLIC~1\Gtek
    2007-08-08 20:40 <DIR> d-------- C:\DOCUME~1\Abba\APPLIC~1\Apple Computer
    2007-08-08 16:49 <DIR> d-------- C:\Program Files\Lavasoft(2)
    2007-08-08 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-08-08 16:35 <DIR> d-------- C:\DOCUME~1\Guest\UserData
    2007-08-08 16:31 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\Lavasoft
    2007-08-08 15:43 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-08-08 15:43 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
    2007-08-08 15:39 <DIR> d-------- C:\DOCUME~1\Guest\APPLIC~1\GTek(2)
    2007-08-07 22:02 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-07 20:11 <DIR> d-------- C:\Program Files\DellSupport
    2007-08-07 14:58 192,582 --a------ C:\WINDOWS\SYSTEM32\swinmmdt.exe
    2007-08-07 14:58 <DIR> d-------- C:\DOCUME~1\AVIFUS~1\APPLIC~1\?ystem


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-08 21:06 --------- d-------- C:\DOCUME~1\Abba\APPLIC~1\Gtek
    2007-07-01 22:31 --------- d-------- C:\Program Files\Winamp
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 13:16]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 23:35]
    "IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 21:12]
    "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 21:15]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 02:04]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-05 21:50]
    "XeroxScannerDaemon"="C:\Program Files\Xerox\NWWia\XrxFTPLt.exe" [2001-08-17 22:37]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
    "DVDTray"="C:\Program Files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 13:42]
    "DVDBitSet"="C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" [2003-12-18 17:37]
    "mmtask"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe" [2005-03-15 08:58]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
    "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49]
    "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55]
    "F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-02 18:37]
    "F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 10:51]
    "F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 09:38]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-23 17:40]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 16:45]
    "HostManager"="C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe" [2006-04-20 13:10]
    "IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 11:38]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "SRUUninstall"="C:\WINDOWS\system32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress

    C:\Documents and Settings\Abba\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 10:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 10:00:00]
    F-Secure Anti-Virus 2006.lnk - C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe [2005-12-14 20:42:44]
    HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52]
    Scan Button.lnk - C:\SCANNER\EXE32\DETECTON.EXE [2004-07-29 23:31:57]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\WINDOWS\system32\hrum167.txt

    R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
    R0 iaStor;Intel AHCI Controller;C:\WINDOWS\system32\drivers\iaStor.sys
    R2 BackWeb Plug-in - 4476822;F-Secure Anti-Virus 2006;C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    R2 DgivEcp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgivEcp.Sys
    R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
    R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
    R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
    R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    R3 StillCam;Still Serial Digital Camera Driver;C:\WINDOWS\system32\DRIVERS\serscan.sys
    S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;C:\WINDOWS\system32\DRIVERS\hpusbwdm.sys
    S3 Jukebox;Jukebox;C:\WINDOWS\system32\DRIVERS\ctpdusb2.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-12 02:24:04 C:\WINDOWS\Tasks\Scheduled scanning task.job
    2004-12-24 18:42:14 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-11 23:01:24
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-08-11 23:03:39 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-11 23:03
    C:\ComboFix2.txt ... 2007-08-10 14:45

    --- E O F ---

  6. #16
    Member
    Join Date
    Aug 2007
    Posts
    58

    Default

    I didn't recognize the folder

    C:\DOCUME~1\ADMINI~1\WINDOWS



    And here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:14:33 PM, on 8/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
    C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
    C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\internet explorer\iexplore.exe
    c:\program files\aol\aol toolbar 3.1\aoltbhelper.exe
    C:\Documents and Settings\Abba\Desktop\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1149391482\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Scan Button.lnk = C:\SCANNER\EXE32\DETECTON.EXE
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.1\resources\en-US\local\search.html
    O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.1\aoltb.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/R...hotoOnline.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - http://trials1.endeavors.com/autodes...loads/OTAI.CAB
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://pc.mywebexpc.com/client/v_my...ra/ieatgpc.cab
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/TrueInstall.exe
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
    O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe (file missing)
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
    O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  7. #17
    Member
    Join Date
    Aug 2007
    Posts
    58

    Default

    Hi Shaba, my Control Panel is back. Under Change/Remove Programs, I can see the entry for MagicantiSpy. Should I try to remove it? Right now I'm afraid to try anything unless you tell me to! Thank you so much for all your help. The computer seems much calmer now.

  8. #18
    Member
    Join Date
    Aug 2007
    Posts
    58

    Default

    Shaba, it looks like I spoke too soon. I logged onto the account where I caused the problems, and the control panel capability is gone, and I get that error message about the capability being restricted and to contact the system administrator. Then I logged back onto the account from which I was doing the fixes, and from where I could see Control Panel a few minutes ago, and now it's gone from that account too.

    I'm still getting some Windows pop-ups about the computer being infected, and asking to download software, but the browser pop-ups seem to have stopped.

  9. #19
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Some baddies gone, but not clean yet.

I already warned you that this cleaning process will take time because your computer was in my papers a candidate for formatting (= in very bad shape).

    "Does it matter which account I run these fixes from?"

You should run it from an account that has admin rights; otherwise it doesn't matter.

"Under Change/Remove Programs, I can see the entry for MagicantiSpy. Should I try to remove it?"

No, it's not possible any more as we removed the folder manually. However, we can later remove the corresponding entry from the add/remove list.

    Open HijackThis, click do a system scan only and checkmark this:

    O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt

    Close all windows including browser and press fix checked.

    Reboot.

    Delete these:

    C:\WINDOWS\SYSTEM32\swinmmdt.exe
C:\Documents and settings\AVIFUS~1\application data\?ystem (should look like "system").
    C:\Documents and settings\Administrator\WINDOWS

    Empty Recycle Bin

    Re-run combofix

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.exe

    Double-click SmitfraudFix.exe
    Select option #1 - Search by typing 1 and press Enter
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Post:

    - a fresh HijackThis log
    - combofix report
    - smitfraudfix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
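
As an added example (not part of the thread, and not code from HijackThis, ComboFix or SmitfraudFix), a small Python triage script that parses HijackThis O20/O23 lines like the ones above and flags the AppInit_DLLs entry for loading a non-DLL file. The sample lines are constructed from the log in this thread; the O23 "unusual location" heuristic is an assumption of this example, not a rule from the thread.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the O20 entry fixed in the thread plus two O23 lines from the log.
SAMPLE_LOG = [
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt",
    r"O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
    r"O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe",
]

class Finding(NamedTuple):
    section: str   # HijackThis section, e.g. "O20" or "O23"
    path: str
    reason: str

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

def split_appinit(value: str) -> List[str]:
    """The AppInit_DLLs registry value is a space- or comma-separated list of paths."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]

def check_appinit_path(path: str) -> Optional[str]:
    """Return a reason if an AppInit_DLLs entry looks abnormal, else None."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext != "dll":
        # AppInit_DLLs is loaded into every process that loads user32.dll; a
        # non-DLL extension (here .txt) is a common way to hide such a DLL.
        return f"AppInit_DLLs loads a '.{ext}' file instead of a .dll"
    return None

def triage(lines: List[str]) -> List[Finding]:
    """Walk HijackThis lines and collect findings for O20 and O23 entries."""
    findings: List[Finding] = []
    for line in lines:
        m = O20_RE.match(line)
        if m:
            for p in split_appinit(m.group(1)):
                reason = check_appinit_path(p)
                if reason:
                    findings.append(Finding("O20", p, reason))
            continue
        m = O23_RE.match(line)
        if m:
            name, _vendor, path = m.groups()
            low = path.lower()
            # Heuristic (assumption): a service binary outside Program Files or
            # the Windows directory deserves a second look.
            if not (low.startswith(r"c:\program files") or low.startswith(r"c:\windows")):
                findings.append(Finding("O23", path, f"service '{name}' runs from an unusual location"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.path} -> {f.reason}")
```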

  10. #20
    Member
    Join Date
    Aug 2007
    Posts
    58

    Default

Hi Shaba, here is the message I got when I tried to delete the hrum167.txt entry from HijackThis. It's the same error I got the last time I tried to remove it. I haven't continued with the rest of your instructions. Should I?
Thanks again.

    An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\hrum167.txt)
    Error #5 - Invalid procedure call or argument

    Please email me at merijn@spywareinfo.com, reporting the following:
    * What you were trying to fix when the error occurred, if applicable
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2900.2180
    HijackThis version: 1.99.1

    This message has been copied to your clipboard.
    Click OK to continue the rest of the scan.
