Smitfraud-C, Virtumonde.generic/.sci, IRC.crt, etc.

[Faemasi]

Kaspersky Online Scanner Report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, January 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 07, 2009 19:52:59
Records in database: 1580002
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 146349
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:55:42


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\hplvocqy.dll.vir Infected: Trojan.Win32.Monder.ajla 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuVMFWQj.dll.vir Infected: Trojan.Win32.Monder.agwe 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wshamrnh.dll.vir Infected: Trojan.Win32.Monder.ahye 1

The selected area was scanned.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:48:04 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.YOUR-190328E63E\Desktop\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5220
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5220
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8046 bytes

ComboFix log:

ComboFix 09-01-07.01 - Owner 2009-01-07 12:30:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.511 [GMT -8:00]
Running from: c:\documents and settings\Owner.YOUR-190328E63E\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-190328E63E\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090107-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\ffkuz.dll
c:\windows\system32\iIBQKdBu.dll
c:\windows\Tasks\nmblgxgd.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ffkuz.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-01 18:33 . 2009-01-01 18:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 18:33 . 2009-01-01 18:33 <DIR> d-------- c:\program files\Lavasoft
2009-01-01 18:33 . 2009-01-02 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 18:33 . 2009-01-01 18:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-29 22:03 . 2008-04-13 10:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-29 22:03 . 2008-04-13 10:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-12-29 21:50 . 2008-07-29 23:25 195,337 --a------ c:\windows\system32\nvapps.nvb
2008-12-29 21:49 . 2008-12-29 21:52 <DIR> d-------- c:\windows\NV24522448.TMP
2008-12-29 21:48 . 2009-01-01 12:59 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-29 21:48 . 2008-12-29 21:48 1,409 --a------ c:\windows\QTFont.for
2008-12-28 20:31 . 2008-12-28 20:31 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-12-28 20:00 . 2008-12-28 20:00 <DIR> d-------- C:\ProgramData
2008-12-28 20:00 . 2008-12-28 20:00 <DIR> d-------- c:\program files\Electronic Arts
2008-12-28 20:00 . 2008-12-28 20:00 6,302 --a------ c:\windows\system32\ealregsnapshot1.reg
2008-12-28 19:11 . 2008-12-28 19:11 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\Hewlett-Packard
2008-12-28 12:58 . 2008-12-28 12:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2008-12-28 12:53 . 2005-08-11 15:29 73,728 --a------ c:\windows\system32\ISUSPM.cpl
2008-12-28 12:45 . 2008-12-28 13:02 <DIR> d-------- c:\program files\The Creative Assembly
2008-12-26 17:59 . 2008-12-28 20:12 <DIR> d-------- c:\program files\EA GAMES
2008-12-26 17:59 . 2007-04-04 14:39 442,368 -ra------ c:\windows\system32\vp6vfw.dll
2008-12-26 17:56 . 2008-12-26 17:56 <DIR> d-------- c:\program files\Common Files\Microsoft Games
2008-12-26 17:46 . 2008-12-26 17:46 <DIR> d-------- c:\windows\Sun
2008-12-26 17:09 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2008-12-26 16:56 . 2008-12-26 16:56 <DIR> d-------- c:\program files\Microsoft Games
2008-12-21 14:00 . 2008-12-21 14:00 <DIR> d-------- c:\windows\system32\scripting
2008-12-21 14:00 . 2008-12-21 14:00 <DIR> d-------- c:\windows\system32\en
2008-12-21 14:00 . 2008-12-21 14:00 <DIR> d-------- c:\windows\system32\bits
2008-12-21 14:00 . 2008-12-21 14:00 <DIR> d-------- c:\windows\l2schemas
2008-12-21 13:57 . 2008-12-21 14:00 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-19 13:03 . 2008-04-13 16:12 1,737,856 --a------ c:\windows\system32\mtxparhd.dll
2008-12-19 13:02 . 2008-04-13 16:11 1,888,992 --a------ c:\windows\system32\ati3duag.dll
2008-12-19 00:07 . 2008-12-19 00:07 <DIR> d-------- c:\program files\MSXML 4.0
2008-12-18 12:47 . 2008-12-18 12:47 <DIR> d---s---- c:\documents and settings\Owner.YOUR-190328E63E\UserData
2008-12-18 12:43 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-18 12:43 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2008-12-18 12:43 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-18 00:58 . 2008-12-18 00:58 268 --ah----- C:\sqmdata00.sqm
2008-12-18 00:58 . 2008-12-18 00:58 244 --ah----- C:\sqmnoopt00.sqm
2008-12-17 23:55 . 2008-12-17 23:55 <DIR> d-------- c:\program files\Alwil Software
2008-12-17 22:32 . 2008-12-18 12:47 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Contacts
2008-12-17 22:29 . 2008-12-17 22:51 <DIR> d-------- c:\program files\Windows Live
2008-12-17 22:29 . 2008-12-17 22:31 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-12-17 22:29 . 2008-12-17 22:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-17 18:25 . 2008-12-29 22:44 523 --a------ C:\hpfr3420.xml
2008-12-17 15:32 . 2008-12-17 15:32 <DIR> d-------- c:\program files\Common Files\Hewlett-Packard
2008-12-17 15:31 . 2008-12-17 15:32 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-17 15:31 . 2008-12-17 15:33 19,558 --a------ c:\windows\hpoins01.dat
2008-12-17 15:31 . 2003-04-22 10:24 16,606 --------- c:\windows\hpomdl01.dat
2008-12-17 15:30 . 2008-12-17 15:31 <DIR> d-------- c:\temp\HP All-in-One Series Web Release
2008-12-17 15:30 . 2008-12-17 15:30 <DIR> d-------- C:\temp
2008-12-17 15:30 . 2008-12-17 15:30 <DIR> d-------- c:\documents and settings\OWNER~1~YOU\LOCALS~1
2008-12-17 15:30 . 2008-12-17 15:30 <DIR> d-------- c:\documents and settings\OWNER~1~YOU
2008-12-17 09:49 . 2008-12-17 09:49 <DIR> d-------- c:\program files\Ventrilo
2008-12-17 09:48 . 2009-01-01 18:33 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-17 09:46 . 2008-12-17 09:46 <DIR> d-------- c:\program files\Common Files\LogiShared
2008-12-17 09:46 . 2008-12-17 09:46 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\Logitech
2008-12-17 09:46 . 2008-12-17 09:46 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\Leadertech
2008-12-17 09:45 . 2008-12-17 09:45 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-12-17 09:45 . 2008-12-17 09:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2008-12-17 09:44 . 2008-12-17 09:49 <DIR> d-------- c:\program files\Logitech
2008-12-17 09:44 . 2008-12-17 09:44 <DIR> d-------- c:\program files\Common Files\Logitech
2008-12-17 09:44 . 2008-12-17 09:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2008-12-17 09:44 . 2007-04-11 15:33 1,419,024 --a------ c:\windows\system32\WdfCoInstaller01005.dll
2008-12-17 09:44 . 2007-04-23 04:00 163,840 --a------ c:\windows\system32\kemutb.dll
2008-12-17 09:44 . 2007-04-23 04:00 135,168 --a------ c:\windows\system32\KemUtil.dll
2008-12-17 09:44 . 2007-04-23 04:00 110,592 --a------ c:\windows\system32\KemWnd.dll
2008-12-17 09:44 . 2007-04-23 04:00 69,632 --a------ c:\windows\system32\KemXML.dll
2008-12-17 09:44 . 2007-04-11 15:32 56,080 --a------ c:\windows\KHALMNPR.Exe
2008-12-17 09:44 . 2007-04-11 15:32 36,112 --a------ c:\windows\system32\drivers\LMouFilt.Sys
2008-12-17 09:44 . 2007-04-11 15:32 34,832 --a------ c:\windows\system32\drivers\LHidFilt.Sys
2008-12-17 09:43 . 2008-12-17 09:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2008-12-17 09:43 . 2008-12-12 09:01 3,067,904 --a--c--- c:\windows\system32\dllcache\mshtml.dll
2008-12-17 09:43 . 2008-10-15 17:00 1,499,136 --a--c--- c:\windows\system32\dllcache\shdocvw.dll
2008-12-17 09:43 . 2008-10-15 17:00 666,112 --a--c--- c:\windows\system32\dllcache\wininet.dll
2008-12-17 09:43 . 2008-10-15 17:00 619,520 --a--c--- c:\windows\system32\dllcache\urlmon.dll
2008-12-17 09:42 . 2008-06-13 03:05 272,128 --a------ c:\windows\system32\drivers\bthport.sys
2008-12-17 09:42 . 2008-06-13 03:05 272,128 --a--c--- c:\windows\system32\dllcache\bthport.sys
2008-12-17 09:41 . 2008-08-14 02:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-17 09:41 . 2008-08-14 02:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-17 09:41 . 2008-08-14 01:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-17 09:41 . 2008-08-14 01:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-17 09:41 . 2008-09-15 04:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
2008-12-17 09:41 . 2008-09-08 02:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-12-17 09:39 . 2008-06-11 02:58 2,330,624 --a--c--- c:\windows\system32\dllcache\WMVCore.dll
2008-12-17 09:39 . 2008-09-04 09:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-17 09:39 . 2008-04-11 11:04 691,712 --a--c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-17 09:39 . 2008-10-24 03:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-17 09:39 . 2008-05-01 06:33 331,776 --a--c--- c:\windows\system32\dllcache\msadce.dll
2008-12-17 09:39 . 2008-05-08 06:02 203,136 --a--c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-17 09:38 . 2008-10-15 08:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-17 09:38 . 2008-10-03 02:02 247,326 --a--c--- c:\windows\system32\dllcache\strmdll.dll
2008-12-17 09:19 . 2008-12-17 22:01 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\U3
2008-12-17 00:19 . 2008-12-17 00:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard
2008-12-16 23:18 . 2008-12-16 23:18 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\AdobeUM
2008-12-16 22:38 . 2008-12-18 16:18 <DIR> d-------- c:\program files\World of Warcraft
2008-12-16 22:38 . 2008-12-16 22:38 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2008-12-16 22:24 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-12-16 22:23 . 2008-12-16 22:23 <DIR> d-------- c:\program files\MSBuild
2008-12-16 22:22 . 2008-12-16 22:22 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-16 22:20 . 2008-12-16 22:20 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-16 22:19 . 2008-12-16 22:22 <DIR> d-------- c:\windows\SHELLNEW
2008-12-16 22:19 . 2008-12-16 22:19 <DIR> dr-h----- C:\MSOCache
2008-12-16 22:19 . 2008-12-19 20:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 21:52 . 2008-12-16 22:17 <DIR> d-------- c:\program files\YPOPs
2008-12-16 21:43 . 2008-12-16 21:43 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\Thunderbird
2008-12-16 21:26 . 2009-01-07 10:39 186,591 --a------ c:\windows\system32\nvapps.xml
2008-12-16 21:25 . 2008-12-29 21:52 <DIR> d-------- c:\windows\nview
2008-12-16 21:25 . 2008-07-26 21:18 446,464 --a------ c:\windows\system32\nvudisp.exe
2008-12-16 21:25 . 2008-07-26 21:18 18,335 --a------ c:\windows\system32\nvdisp.nvu
2008-12-16 20:19 . 2008-12-16 20:19 <DIR> d-------- c:\program files\Dynex G Desktop Card Adapter
2008-12-16 20:19 . 2008-12-16 20:19 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\InstallShield
2008-12-16 20:08 . 2008-12-16 20:08 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\McAfee.com Personal Firewall
2008-12-16 20:07 . 2008-12-16 20:07 2 --a------ c:\windows\msoffice.ini
2008-12-16 20:04 . 2008-12-16 18:56 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\WINDOWS
2008-12-16 20:04 . 2008-12-16 19:35 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\You've Got Pictures Screensaver
2008-12-16 20:04 . 2008-12-16 19:41 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E\Application Data\SampleView
2008-12-16 20:04 . 2008-12-29 21:51 <DIR> d-------- c:\documents and settings\Owner.YOUR-190328E63E
2008-12-16 20:03 . 2008-12-16 18:56 <DIR> d-------- c:\windows\system32\config\systemprofile\WINDOWS
2008-12-16 19:53 . 2008-12-16 19:53 8,192 --a------ c:\windows\REGLOCS.OLD
2008-12-16 19:50 . 2008-12-16 19:50 333 --a------ c:\windows\system32\$ncsp$.inf
2008-12-16 19:50 . 2008-12-16 19:50 0 --a------ c:\windows\system32\Gateway_GT5220__GCN6911008520.MRK
2008-12-16 19:49 . 2009-01-07 10:39 <DIR> d-------- c:\windows\system32\Lang
2008-12-16 19:49 . 2008-12-16 19:49 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2008-12-16 19:49 . 2008-12-16 19:49 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2008-12-16 19:48 . 2008-12-16 20:08 2,752 --a------ c:\windows\system32\Status.MPF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 09:18 413,696 ----a-w c:\windows\system32\wrap_oal.dll
2008-12-28 09:18 110,592 ----a-w c:\windows\system32\OpenAL32.dll
2008-12-17 03:35 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2008-12-17 02:57 --------- d-----w c:\program files\Windows Plus
2008-12-17 02:57 --------- d-----w c:\program files\microsoft frontpage
2008-12-17 02:57 --------- d-----w c:\program files\Common Files\New Boundary
2008-12-17 02:56 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-07_10.46.08.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-07 18:34:26 63,392 ----a-w c:\windows\system32\perfc009.dat
+ 2009-01-07 20:29:21 63,392 ----a-w c:\windows\system32\perfc009.dat
- 2009-01-07 18:34:26 404,298 ----a-w c:\windows\system32\perfh009.dat
+ 2009-01-07 20:29:21 404,298 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-17 2094352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-16 98304]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-09 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2008-07-26 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\Owner.YOUR-190328E63E\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-12-16 2168360]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex G Desktop Card Adapter\DynexWCUI.exe [2008-12-16 1454080]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-12-17 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-17 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-17 20560]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3f14c02-cc5e-11dd-b92d-001cdf0cc913}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-30 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1229567065.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5220
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-190328E63E\Application Data\Mozilla\Firefox\Profiles\ucjpxy6w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 12:33:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-01-07 12:34:54
ComboFix-quarantined-files.txt 2009-01-07 20:34:34
ComboFix2.txt 2009-01-07 18:46:47

Pre-Run: 190,656,172,032 bytes free
Post-Run: 190,639,116,288 bytes free

273 --- E O F --- 2008-12-28 09:20:14

Also, a question...would Avast Anti-Virus be sufficient or should I switch to Kaspersky? I just want to make sure that something like this doesn't happen again.

[Blade81]

Also, a question...would Avast Anti-Virus be sufficient or should I switch to Kaspersky? I just want to make sure that something like this doesn't happen again.

Hi

Avast is good antivirus program. Truth is that there isn't any free or commercial antivirus program that could give you 100% protection. Being careful by avoiding dubious websites and other suspicious items you're already safer.

Anyway, back to the results. Looks like all Kaspersky findings are in quarantine folder. Before we clean those I'd like to know how's your system running. Please post a fresh hjt log too.

[Faemasi]

Hi there!

Everything seems to be running smoother and I'm not terrified to have this machine connected to the internet. I don't have any rogue tabs opening up on firefox nor do I have any of those bogus "You've been infected click here" windows popping up on my screen. I know that at one point, I had check windows security in the contorl panel and it said that it had been disabled and try as I might, I could not enable it. I haven't checked it yet, just been working on my laptop and using the desktop when I have instructions from you. I can't thank you enough for your help thus far and I know we're not done yet!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:02 AM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Owner.YOUR-190328E63E\Desktop\something.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5220
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...s=DTP&M=GT5220
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8126 bytes

[Blade81]

Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis




Now lets uninstall ComboFix:

• Click START then RUN
• Now type Combofix /u in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

• Download SpywareBlaster
  Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
  kill bits
  in the registry, so that certain activex controls can't install.
  If you don't know what activex controls are, see here
  You can download SpywareBlaster here here
  SpywareBlaster tutorial
  
  
• hosts file:
  
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
  
  Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
  If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  
  2. Click the start button (at the lower left hand corner of your screen)
  3. Click run
  4. In the dialog box, type services.msc
  5. hit enter, then locate dns client
  6. Highlight it, then double-click it.
  7. On the dropdown box, change the setting from automatic to manual.
  8. Click ok
  
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
  If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).
  
• recommended Firefox addons
  
  Adblock Plus and NoScript

Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade

[Faemasi]

I'm in the process of completing your instructions posted above but I had a few questions...

Do I need to reinstate TeaTimer or is this already done?

Should I uninstall HiJackThis and it's logs and how would I go about doing that correctly?

I have icons for ATF cleaner, the java update, reset TeaTimer and the windows xp recovery console, how do I go about ridding my desktop of these correctly?

So far everything is running great and I am confident about using my desktop. I can't thank you enough for all your help!

[Blade81]

Do I need to reinstate TeaTimer or is this already done?

Restart? You may do so if you want. I leave that decision for you to make

Should I uninstall HiJackThis and it's logs and how would I go about doing that correctly?

You may uninstall it thru add/remove programs. Find TrendMicro HijackThis entry there.

I have icons for ATF cleaner, the java update, reset TeaTimer and the windows xp recovery console, how do I go about ridding my desktop of these correctly?

Of those I'd leave ATF cleaner there and run it occasionally to get rid of temporary items. Other three you may remove.

[Faemasi]

Blade-

Thank you so much for all of your help over the last few days! You and your fellow volunteers are knights in shining armor for those of us who don't know how to rid our machines of these evil little bugs and bots!

I've downloaded the programs that you suggested and ran them along with spybot and everything has come back clean. I've also downloaded the firefox add ons to my laptop and my husband is in the process of doing the same. The computer is running great and I'm no longer afraid to turn it on and browse safely. I have a good idea of where the infection came from and WILL NOT visit those sites again!

Thank you again for your help! :D

[Blade81]

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.