
Thread: virtumonde infection HELP PLEASE!

  1. #1
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    virtumonde infection HELP PLEASE!

    Hi, I've tried many times to delete this but it always comes back at startup. I have a lot of blocked registry changes after startup using Spybot and a number of command prompt windows open after startup that have no path. Everything seems to be working in spite of this and virtumonde appears eventually each time (as well as another malware that opens a window in explorer). It also seems to change my explorer security settings (it changes to allow all cookies, which I have to fix each time I use explorer after startup). There is also an error message when I shut down, but in spite of all these "errors" and blocked registry changes my computer seems to be operating OK. My anti-virus just keeps finding and deleting virtumonde viruses. I also already tried the "combofix" software recommended on this messageboard with no change.

    Here is my HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:45:04 PM, on 24/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Bell\Security Manager\Fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
    C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
    C:\Program Files\Bell\Security Manager\Rps.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\lcntklwb.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\windows\system32\rwwnw64d.exe
    C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/default.aspx?lang=en-CA
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
    O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
    O4 - HKLM\..\Run: [pmnmlkjjgd] Rundll32.exe "C:\WINDOWS\system32\ddaywwur.dll",s
    O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
    O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [{E5-5B-B9-94-DW}] C:\windows\system32\kjwnw64l.exe DWram
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [bc3e5b3b] rundll32.exe "C:\WINDOWS\system32\ehrxqdqq.dll",b
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\lcntklwb.exe DWram
    O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8952] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_21 PM_052.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4750] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_21 PM_052.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2474] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_31 PM_302.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC819] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_31 PM_302.log"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2233] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC3576] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA4258] command /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC4162] cmd /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7090] command /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5658] cmd /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
    O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [SpybotDeletingD4256] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Log\2008 Feb 21 - 10_41_31 PM_302.log"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9245] command /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD784] cmd /c del "C:\Documents and Settings\Jim\Application Data\AdwareAlert\Settings\ScanResults.pie"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9136] command /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD8493] cmd /c del "C:\Program Files\AntiSpywareApp\AntiSpyware.url"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB20] command /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD983] cmd /c del "C:\Program Files\AntiSpywareApp\vistaCPtasks.xml"
    O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\lcntklwb.exe
    O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
    O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
    O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

    --
    End of file - 11148 bytes


    Thanks for your help and advice.

    Jim
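A small triage script, added here as an illustration and not part of the thread, of HijackThis or of any tool named in it. It parses the O3/O4 autostart lines in the log above (several are copied into the sample below, together with the clean QuickTime, ctfmon and Ad-Ware Pro entries from the same log for contrast) and flags the signals a helper reads by eye: a target file that no longer exists, a system-binary name such as svchost.exe loaded from outside System32, rundll32 calling a DLL through a single-letter export, and random-looking file or value names. The heuristics, the vowel-ratio threshold and the function names are my own assumptions, not rules from HijackThis.

```python
"""Triage HijackThis-style O3/O4 autostart lines for entries worth a closer look.

Example code added for illustration; it is not part of HijackThis or of this
thread. The heuristics and thresholds below are assumptions of the author of
this example, not rules from the tool.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lines copied from the HijackThis log above, including clean QuickTime, ctfmon
# and Ad-Ware Pro entries from the same log so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pmnmlkjjgd] Rundll32.exe "C:\WINDOWS\system32\ddaywwur.dll",s
O4 - HKLM\..\Run: [{E5-5B-B9-94-DW}] C:\windows\system32\kjwnw64l.exe DWram
O4 - HKLM\..\Run: [bc3e5b3b] rundll32.exe "C:\WINDOWS\system32\ehrxqdqq.dll",b
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
"""

O4_REG = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O3_TOOLBAR = re.compile(r"^O3 - Toolbar: (?P<name>.+?) - \{[^}]*\} - (?P<cmd>.*)$")
RUNDLL32 = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<rest>.*)$', re.IGNORECASE)
FILE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|ax))"?', re.IGNORECASE)
# Names malware likes to borrow; all of them live in System32 on XP.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}


@dataclass
class Entry:
    raw: str
    name: str            # value name, .lnk name or toolbar name
    target: str          # file actually loaded (the DLL when launched via rundll32)
    entry_point: str     # rundll32 export name, '' otherwise
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (file loaded, rundll32 export or '') for an autostart command."""
    cmd = cmd.strip()
    if cmd.lower() == "(no file)":
        return "", ""
    entry = ""
    m = RUNDLL32.match(cmd)
    if m:  # rundll32 is only the loader; its syntax is <dll>,<export> [args]
        dll, _, tail = m.group("rest").partition(",")
        entry = tail.split()[0] if tail.split() else ""
        cmd = dll
    m = FILE_PATH.match(cmd)
    if m:
        return m.group("path"), entry
    return (cmd.split()[0].strip('"') if cmd.split() else ""), entry


def looks_random(token: str) -> bool:
    """Crude name check: 8 hex chars, or 8+ lowercase alphanumerics with under 25% vowels."""
    t = token.lower()
    if re.fullmatch(r"[0-9a-f]{8}", t):
        return True
    if not re.fullmatch(r"[a-z0-9]{8,}", t):
        return False
    return sum(c in "aeiou" for c in t) / len(t) < 0.25


def system_binary_outside_system32(path: str) -> bool:
    """True when a well-known system binary name is loaded from any other directory."""
    parent, _, base = path.rpartition("\\")
    return base.lower() in SYSTEM_BINARIES and not parent.lower().endswith("\\system32")


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    for rx in (O4_REG, O4_STARTUP, O3_TOOLBAR):
        m = rx.match(line)
        if m:
            target, entry = split_command(m.group("cmd"))
            return Entry(line, m.group("name"), target, entry)
    return None


def assess(e: Entry) -> Entry:
    """Attach every heuristic that fires; an entry with no reasons is left alone."""
    if not e.target:
        e.reasons.append("target file missing")
        return e
    stem = e.target.rpartition("\\")[2].rpartition(".")[0]
    if system_binary_outside_system32(e.target):
        e.reasons.append("system binary name outside system32")
    if looks_random(stem):
        e.reasons.append("random-looking file name")
    if looks_random(e.name):
        e.reasons.append("random-looking value name")
    if len(e.entry_point) == 1:
        e.reasons.append("rundll32 with single-letter export")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse every O3/O4 line in the log and return those with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None and assess(e).reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.name}] {e.target or '(no file)'}: {', '.join(e.reasons)}")
```

The vowel-ratio check is kept conservative so that Intel's igfxpers and igfxtray entries are not flagged; the cost is that ddaywwur.dll passes it and is caught only through its value name and the `,s` export, which is why the script stacks several weak signals instead of trusting one. Entries with plausible product names are invisible to name heuristics and still have to be checked against what the user actually installed, and a flag here is a reason to look at the file, not a verdict.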

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425


    Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

    If you think you have similar problems, please post a log in the HJT forum and wait for help.


    Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

    Hello and welcome to the forums

    My name is Katana and I will be helping you to remove any infection(s) that you may have.

    Please observe these rules while we work:
    1. If you don't know, stop and ask! Don't keep going on.
    2. Please reply to this thread. Do not start a new topic.
    3. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

    If you can do those three things, everything should go smoothly :D

    ----------------------------------------------------------------------------------------
    SD Fix

    Please download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.


    Installed Programs

    Please could you give me a list of the programs that are installed.
    • Start HijackThis
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.

    You will see a list with the programs installed in your computer.
    Click on save list button and specify where you would like to save this file.
    When you press Save button a notepad will open with the contents of that file.
    Simply copy and paste the contents of that notepad into your next post.
    Microsoft MVP Consumer Security 2009 -2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  3. #3
    Junior Member
    Join Date
    Feb 2008
    Posts
    23


    Thank you for all your help so far. I ran SDFix and here is the log (sorry, I forgot to run HijackThis before I ran ComboFix):

    SDFix: Version 1.146

    Run by Jim on 24/02/2008 at 09:45 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\PROGRA~1\MSN\LAVUGAS - Deleted
    C:\WINDOWS\Fonts\Setup.exe - Deleted
    C:\WINDOWS\system32\msnav32.ax - Deleted
    C:\WINDOWS\system32\zxdnt3d.cfg - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-24 21:53:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Fri 21 Jul 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sat 8 Jul 2006 39,424 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0001.tmp"
    Mon 26 Jun 2006 35,328 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0002.tmp"
    Tue 27 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0003.tmp"
    Tue 27 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0004.tmp"
    Wed 28 Jun 2006 37,888 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0005.tmp"
    Sat 8 Jul 2006 20,992 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0006.tmp"
    Sun 11 Mar 2007 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0007.tmp"
    Fri 1 Sep 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0032.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0058.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0502.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0806.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0818.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL0838.tmp"
    Fri 1 Sep 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1083.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1160.tmp"
    Mon 10 Jul 2006 38,912 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1755.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1774.tmp"
    Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1859.tmp"
    Wed 14 Mar 2007 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1863.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1908.tmp"
    Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL1960.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2005.tmp"
    Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2128.tmp"
    Fri 1 Sep 2006 34,816 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2372.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2427.tmp"
    Mon 10 Jul 2006 39,936 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2514.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2650.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL2913.tmp"
    Wed 28 Jun 2006 37,376 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3014.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3181.tmp"
    Wed 28 Jun 2006 36,864 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3207.tmp"
    Wed 28 Jun 2006 36,352 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3639.tmp"
    Fri 1 Sep 2006 34,304 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3894.tmp"
    Wed 28 Jun 2006 35,840 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3897.tmp"
    Wed 14 Mar 2007 37,376 ...H. --- "C:\Documents and Settings\Stephanie\My Documents\~WRL3915.tmp"
    Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
    Thu 14 Dec 2006 19,456 ...H. --- "C:\Documents and Settings\Jim\Application Data\Microsoft\Word\~WRL0003.tmp"
    Thu 16 Feb 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
    Fri 22 Feb 2008 8 A..H. --- "C:\Documents and Settings\Jim\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
    Fri 22 Feb 2008 8 A..H. --- "C:\Documents and Settings\Jim\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
    Fri 22 Feb 2008 8 A..H. --- "C:\Documents and Settings\Jim\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"

    Finished!



    Here is the combofix log:


    ComboFix 08-02-25.2 - Jim 2008-02-24 22:45:13.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -5:00]
    Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Deewoo.lnk
    C:\Documents and Settings\Jim\Start Menu\Programs\Startup\DW_Start.lnk
    C:\WINDOWS\system32\awvvt.dll
    C:\WINDOWS\system32\bsdmaxmi.dll
    C:\WINDOWS\system32\dphohxhh.dll
    C:\WINDOWS\system32\imxamdsb.ini
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\tvvwa.ini
    C:\WINDOWS\system32\tvvwa.ini2
    C:\WINDOWS\system32\winpfz37.sys
    C:\WINDOWS\system32\zxdnt3d.cfg

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
    .

    2008-02-24 21:41 . 2008-02-24 21:41 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-02-24 21:33 . 2008-02-24 21:33 <DIR> d-------- C:\SDFix
    2008-02-24 12:44 . 2008-02-24 12:44 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-24 00:55 . 2008-02-24 00:55 <DIR> d-------- C:\ComboFix[1]
    2008-02-24 00:06 . 2008-02-24 00:58 1,356,210 --ahs---- C:\WINDOWS\system32\eaaskjao.ini
    2008-02-23 21:28 . 2008-02-23 21:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-23 21:28 . 2008-02-23 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-23 15:38 . 2008-02-23 15:38 200,774 --a------ C:\WINDOWS\system32\lcntklwb.exe
    2008-02-23 11:57 . 2008-02-23 11:57 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-23 11:57 . 2008-02-23 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-23 11:53 . 2008-02-23 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-23 11:35 . 2008-02-23 11:35 <DIR> d-------- C:\WINDOWS\Ad-Ware Pro
    2008-02-23 10:40 . 2008-02-23 10:40 49,171 --a------ C:\WINDOWS\system32\kjwnw64l.exe
    2008-02-23 10:20 . 2008-02-23 12:03 <DIR> d--hs---- C:\WINDOWS\Smlt
    2008-02-23 10:20 . 2008-02-23 10:20 49,157 --a------ C:\WINDOWS\system32\rwwnw64d.exe
    2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\xo4
    2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\ap8
    2008-02-22 23:03 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
    2008-02-22 23:02 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
    2008-02-22 22:59 . 2008-02-22 22:59 <DIR> d-------- C:\Program Files\Common Files\Authentium
    2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Program Files\Raxco
    2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
    2008-02-22 22:52 . 2008-02-22 22:52 <DIR> d-------- C:\Program Files\CA
    2008-02-22 22:50 . 2008-02-23 01:05 <DIR> d-------- C:\Program Files\Common Files\Scanner
    2008-02-22 22:34 . 2008-02-22 22:35 <DIR> d-------- C:\Program Files\DellSupport
    2008-02-22 22:21 . 2008-02-22 22:21 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\InstallShield
    2008-02-21 23:35 . 2008-02-21 23:35 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-02-21 22:55 . 2008-02-23 23:16 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Antispyware
    2008-02-21 07:38 . 2008-02-24 11:20 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\AppDate
    2008-02-21 07:38 . 2008-02-21 07:38 34,304 --a------ C:\WINDOWS\system32\ddaywwur.dll
    2008-02-21 07:38 . 2008-02-21 07:38 34,304 --a------ C:\WINDOWS\ddabaaxu.dll
    2008-02-21 07:38 . 2008-02-21 07:38 34,304 --a------ C:\Documents and Settings\Jim\Application Data\awvtttro.dll
    2008-02-21 07:38 . 2008-02-24 22:52 340 --a------ C:\WINDOWS\system32\sstsqpoo
    2008-02-19 21:05 . 2008-02-19 21:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2008-02-19 20:41 . 2008-02-20 22:22 <DIR> d-------- C:\DVDMovie
    2008-02-19 20:39 . 2008-02-19 20:39 <DIR> d-------- C:\Program Files\Xvid
    2008-02-19 20:39 . 2008-02-19 20:42 <DIR> d-------- C:\Program Files\AoA DVD Ripper
    2008-02-19 20:39 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
    2008-02-19 20:39 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2008-02-19 20:39 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
    2008-02-19 20:39 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
    2008-02-19 20:39 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
    2008-02-19 20:39 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
    2008-02-19 20:39 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
    2008-02-19 20:39 . 2008-02-20 22:16 67 --a------ C:\WINDOWS\AoADVDRipper.INI
    2008-02-16 13:32 . 2008-02-16 13:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infob.dat
    2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infoa.dat
    2008-02-15 21:49 . 2008-02-15 21:49 305 --a------ C:\WINDOWS\system32\treeinfo.dat
    2008-02-15 21:22 . 2008-02-15 21:22 <DIR> d-------- C:\MyAudio
    2008-02-15 21:21 . 2008-02-15 21:22 <DIR> d-------- C:\Program Files\AoA Audio Extractor
    2008-02-15 21:21 . 2008-02-20 22:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 21:17 . 2008-02-15 21:48 <DIR> d-------- C:\Program Files\YouTube Downloader

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-23 15:36 --------- d-----w C:\Program Files\Bonjour
    2008-02-23 06:05 --------- d-----w C:\Program Files\LimeWire
    2008-02-23 04:08 --------- d-----w C:\Documents and Settings\Jim\Application Data\Bell
    2008-02-23 03:55 --------- d--h--w C:\Documents and Settings\Jim\Application Data\Gtek
    2008-02-23 03:43 --------- d-----w C:\Program Files\Bell
    2008-02-23 03:41 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Bell
    2008-02-23 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
    2008-02-23 03:35 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Gtek
    2008-02-23 03:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 05:14 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-15 04:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2008-01-15 04:18 --------- d-----w C:\Program Files\NetAssistant
    2008-01-15 04:12 --------- d-----w C:\Program Files\Jasc Software Inc
    2008-01-15 04:08 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2008-01-15 04:06 --------- d-----w C:\Program Files\WordPerfect Office 12
    2008-01-15 04:06 --------- d-----w C:\Program Files\QuickTime
    2008-01-15 04:06 --------- d-----w C:\Program Files\Intel
    2008-01-15 04:06 --------- d-----w C:\Program Files\EPSON
    2008-01-15 04:06 --------- d-----w C:\Program Files\Common Files\AOL
    2008-01-15 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    2005-07-29 21:24 472 --sha-r C:\WINDOWS\Smlt\mA5Q.vbs
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B21B437-7E93-4BD1-9E0B-B23D58B34A4D}]
    2008-02-21 07:38 34304 --a------ C:\WINDOWS\ddabaaxu.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4FEC76A-BFE1-4A37-1783-7AF51D875EDC}]
    C:\Program Files\MSN\lavugas.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdwareProMFC"="C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-17 20:17 180269]
    "StandardInstall"="" []
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-24 19:47 155648]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
    "EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [2004-01-13 03:00 99840]
    "EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 03:00 98304]
    "pmnmlkjjgd"="C:\WINDOWS\system32\ddaywwur.dll" [2008-02-21 07:38 34304]
    "SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 10:33 2061816]
    "Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 16:57 310000]
    "-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 16:57 13552]
    "{E5-5B-B9-94-DW}"="C:\windows\system32\kjwnw64l.exe" [2008-02-23 10:40 49171]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]
    "bc3e5b3b"="C:\WINDOWS\system32\ehrxqdqq.dll" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
    NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-10-04 18:35:39 217088]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a------ 2004-10-22 15:13 393216 C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R2 ScFBPNT;CanoScan FBP Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT.SYS [2000-02-08 10:33]
    S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-23 08:00:01 C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job"
    - C:\Program Files\AntiSpywareApp\AntiSpyware.ex
    - C:\Program Files\AntiSpywareApp
    "2005-09-21 01:01:04 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
    - C:\WINDOWS\system32\OOBE\oobebaln.exe
    .
    **************************************************************************

  4. #4
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default

    Sorry, the message was too long for one post...

    Here is the new hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:15 PM, on 24/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Bell\Security Manager\Fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Bell\Security Manager\RPS.exe
    C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
    C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/default.aspx?lang=en-CA
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Security Manager\pkR.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {6B21B437-7E93-4BD1-9E0B-B23D58B34A4D} - C:\WINDOWS\ddabaaxu.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: 0 - {F4FEC76A-BFE1-4A37-1783-7AF51D875EDC} - C:\Program Files\MSN\lavugas.dll (file missing)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB001" /M "Stylus C66"
    O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
    O4 - HKLM\..\Run: [pmnmlkjjgd] Rundll32.exe "C:\WINDOWS\system32\ddaywwur.dll",s
    O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" /AUTORUN
    O4 - HKLM\..\Run: [Sympatico Security Manager] "C:\Program Files\Bell\Security Manager\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [{E5-5B-B9-94-DW}] C:\windows\system32\kjwnw64l.exe DWram
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [bc3e5b3b] rundll32.exe "C:\WINDOWS\system32\ehrxqdqq.dll",b
    O4 - HKCU\..\Run: [AdwareProMFC] C:\Program Files\Ad-Ware Pro\Ad-Ware Pro.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.photolab.ca/Upload/ImageUploader4.cab
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
    O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...pv2.0.0.9.cab?
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Sympatico Security Manager Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
    O23 - Service: Sympatico Security Manager Firewall (RP_FWS) - Bell Sympatico - C:\Program Files\Bell\Security Manager\Fws.exe

    --
    End of file - 8812 bytes

    Finally, here is the uninstall list from hijackthis:

    Ad-Aware 2007
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe Download Manager 2.0 (Remove Only)
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Photoshop CS3
    Adobe Reader 7.0.7
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    AoA Audio Extractor 1.0
    AoA DVD Ripper
    Audacity 1.2.6
    Authentium AntiVirus SDK - 2
    CodeBaby Player (Remove Only) 1.0.2.15
    Deewoo Network Manager removal
    Dell Driver Reset Tool
    DellSupport
    EPSON Printer Software
    FreeRIP v2.942
    Google Earth
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    ISEngineUpdate
    iTunes
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Learn2 Player (Uninstall Only)
    Macromedia Shockwave Player
    MGI VideoWave III (Remove Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 Professional
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MyWay Search Assistant
    NetAssistant
    PDF Settings
    PerfectDisk
    Photo Click
    PowerDVD 5.5
    PPSDKRedistributables
    QuickTax 2005
    QuickTax 2006
    QuickTime
    Radialpoint Security Services
    RealPlayer
    RPS Ad Blocker
    RPS AntiFraud
    RPS AntiSpyware
    RPS AntiVirus
    RPS App Detector
    RPS AsRealtime
    RPS Backup
    RPS Burn
    RPS Diagnostic Utility
    RPS Firewall
    RPS ParentalControl
    RPS Performance Tool
    RPS PopupBlocker
    RPS Privacy Manager
    RPS RpsCore
    RPS Security Cleanup
    RPS Zip
    ScanCraft CS-P
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB946026)
    Sonic DLA
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Spybot - Search & Destroy
    Staples Copy & Print 1.7
    Sympatico Security Advisor 1.5.11
    Sympatico Security Manager
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    WebCyberCoach 3.2 Dell
    Windows Installer 3.1 (KB893803)
    Windows Installer Clean Up
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 10
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB893086
    WordPerfect Office 12
    Xvid 1.1.3 final uninstall

    Thanks.
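The HijackThis O2/O4 lines and the ComboFix "Reg Loading Points" and LSA lines in the two posts above are what a removal helper reads by eye to pick out the Virtumonde pieces: eight-character DLLs loaded by rundll32 through a one-letter export, a BHO whose file is missing, a DLL sitting in C:\WINDOWS rather than system32, a Run value named like a hex blob or a malformed GUID, and a DLL in the LSA Notification Packages list, which lsass.exe loads at boot. The Python script below is an added example, not code from this thread, from HijackThis or from ComboFix; it scores log lines with those same cues. The sample lines are copied from the logs above; the weights, the threshold and the name heuristics are my own assumptions.

```python
"""Score HijackThis O2/O4 lines and the ComboFix 'Notification Packages' line
with the cues a removal helper applies by eye.  Weights, threshold and the
name heuristics are my own assumptions, not anything the tools implement."""
import ntpath
import re
from dataclasses import dataclass, field

FLAG_AT = 2          # assumption: report anything scoring 2 or more
VOWELS = set("aeiou")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[^}]+\}) - (.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)
LSA_RE = re.compile(r"Notification Packages\s+REG_MULTI_SZ\s+(.*)$")
WINPATH_RE = re.compile(r"[A-Za-z]:\\.*?\.dll", re.I)

# Sample input copied from the HijackThis and ComboFix logs in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [pmnmlkjjgd] Rundll32.exe "C:\WINDOWS\system32\ddaywwur.dll",s',
    r'O4 - HKLM\..\Run: [{E5-5B-B9-94-DW}] C:\windows\system32\kjwnw64l.exe DWram',
    r'O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe',
    r'O4 - HKLM\..\Run: [bc3e5b3b] rundll32.exe "C:\WINDOWS\system32\ehrxqdqq.dll",b',
    r'O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll',
    r'O2 - BHO: (no name) - {6B21B437-7E93-4BD1-9E0B-B23D58B34A4D} - C:\WINDOWS\ddabaaxu.dll',
    r'O2 - BHO: 0 - {F4FEC76A-BFE1-4A37-1783-7AF51D875EDC} - C:\Program Files\MSN\lavugas.dll (file missing)',
    r'Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Jim\Application Data\awvtttro.dll C:\Documents and Settings\Jim\Application Data\awvtttro.dll',
]

@dataclass
class Finding:
    name: str          # Run value name, BHO CLSID or "Notification Packages"
    path: str
    reasons: list = field(default_factory=list)   # (points, why) pairs

    @property
    def score(self) -> int:
        return sum(points for points, _ in self.reasons)

def score_common(f: Finding) -> None:
    """Cues that apply to every entry type: where the file sits and how its name looks."""
    base, _ = ntpath.splitext(ntpath.basename(f.path))
    if re.fullmatch(r"[a-z]:\\windows", ntpath.dirname(f.path).lower()) and f.path.lower().endswith(".dll"):
        f.reasons.append((2, "DLL directly in the Windows root, not system32"))
    # Weak cue: 8-char lowercase name with digits wedged between letters or
    # almost no vowels.  tfswctrl trips it too, so it cannot flag on its own.
    if re.fullmatch(r"[a-z0-9]{8}", base) and (
            re.search(r"[a-z][0-9]+[a-z]", base) or sum(c in VOWELS for c in base) < 2):
        f.reasons.append((1, "random-looking 8-character file name"))

def score_run_name(f: Finding) -> None:
    """Generated-looking Run value names: hex blob, malformed GUID, no vowels."""
    n = f.name
    if re.fullmatch(r"[0-9a-f]{8}", n):
        f.reasons.append((2, "Run value named like a hex blob"))
    elif n.startswith("{") and not GUID_RE.fullmatch(n):
        f.reasons.append((2, "Run value named like a malformed GUID"))
    elif re.fullmatch(r"[a-z]{8,}", n) and not set(n) & VOWELS:
        f.reasons.append((2, "vowel-less Run value name"))

def parse_line(line: str) -> list:
    """Findings for one HijackThis O2/O4 line or ComboFix LSA line; [] for anything else."""
    line, found = line.strip(), []
    if m := O4_RE.match(line):
        _, name, cmd = m.groups()
        if r := RUNDLL_RE.search(cmd):          # rundll32 "x.dll",s as seen in the log above
            f = Finding(name, r.group(1))
            if len(r.group(2)) == 1:
                f.reasons.append((3, "rundll32 loading a DLL through a one-letter export"))
        else:                                    # first token, quoted or not, is the image path
            q = re.match(r'"([^"]+)"|(\S+)', cmd)
            f = Finding(name, (q.group(1) or q.group(2)) if q else cmd)
        score_run_name(f)
        found.append(f)
    elif m := O2_RE.match(line):
        _, clsid, path = m.groups()
        f = Finding(clsid, path.replace("(file missing)", "").strip())
        if "(file missing)" in path:
            f.reasons.append((2, "BHO registered but its DLL is missing"))
        found.append(f)
    elif m := LSA_RE.search(line):
        for p in dict.fromkeys(WINPATH_RE.findall(m.group(1))):   # dedupe, keep order
            f = Finding("Notification Packages", p)
            if "\\system32\\" not in p.lower():
                f.reasons.append((3, "LSA notification package outside system32 (lsass.exe loads it)"))
            found.append(f)
    for f in found:
        score_common(f)
    return found

def triage(lines) -> list:
    """Flagged Findings across all lines, highest score first."""
    found = [f for line in lines for f in parse_line(line)]
    return sorted((f for f in found if f.score >= FLAG_AT), key=lambda f: -f.score)

def flagged_files(lines) -> dict:
    """{file name: score} view of triage() for quick checks."""
    return {ntpath.basename(f.path).lower(): f.score for f in triage(lines)}

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.score}  {f.path}  <- {'; '.join(why for _, why in f.reasons)}")
```

Run it as a script and it prints the six entries the helper's CFScript goes on to remove. Scoring rather than a single rule matters here: tfswctrl.exe (Sonic DLA) trips the weak vowel-less-name cue and stops at 1, below the threshold, while ddabaaxu.dll and lavugas.dll reach 2 only because of where the file sits or because it is gone. Entries with ordinary-looking names that the helper still chose to remove (AdwareProMFC, the ISUS updater values) score 0 and need a person who knows the product. The Notification Packages entry deserves the most attention: a DLL listed there is loaded into lsass.exe, running as SYSTEM before any user logs on, which is one reason such infections survive cleanups that only strip the Run entries.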

  5. #5
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default

    Sorry, one thing I forgot was that I had trouble installing the XP Recovery Console. I couldn't find my XP disk and I tried to follow the directions on the site you provided to download it, but I couldn't find it. Hopefully that is okay. If you have a suggestion on where to find this program, please let me know.

    Thank you again.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Manchester UK
    Posts
    3,425

    Default

    Disable Teatimer
    First step:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    Second step, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    • Reboot your machine for the changes to take effect.



    SmitFraud Look
    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm



    Custom CFScript
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      DirLook::
      C:\WINDOWS\system32\xo4
      C:\WINDOWS\system32\ap8
      C:\Documents and Settings\Jim\Application Data\Antispyware
      
      
      File::
      C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job
      C:\WINDOWS\Tasks\ISP signup reminder 1.job
      C:\WINDOWS\system32\eaaskjao.ini
      C:\WINDOWS\system32\lcntklwb.exe
      C:\WINDOWS\system32\kjwnw64l.exe
      C:\WINDOWS\system32\rwwnw64d.exe
      C:\WINDOWS\system32\ddaywwur.dll
      C:\WINDOWS\ddabaaxu.dll
      C:\Documents and Settings\Jim\Application Data\awvtttro.dll
      C:\WINDOWS\system32\sstsqpoo
      Folder::
      C:\WINDOWS\system32\sstsqpoo
      C:\WINDOWS\Smlt
      
      Registry::
      [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B21B437-7E93-4BD1-9E0B-B23D58B34A4D}]
      
      [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4FEC76A-BFE1-4A37-1783-7AF51D875EDC}]
      
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "AdwareProMFC"=-
      
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "StandardInstall"=-
      "ISUSScheduler"=-
      "ISUSPM Startup"=-
      "pmnmlkjjgd"=-
      "{E5-5B-B9-94-DW}"=-
      "bc3e5b3b"=-
    • Save this as CFScript.txt and place it on your desktop.

    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please copy and paste the log into your next reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt



    Recovery Console
    Go to Microsoft's website => http://support.microsoft.com/kb/310994
    Select the download that's appropriate for your Operating System

    Download the file & save it as its originally named, next to ComboFix.exe.

    Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

    Please do not reboot your machine until we have reviewed the log.
    Microsoft MVP Consumer Security 2009-2010
    If we have helped, please consider a donation
    THESE INSTRUCTIONS ARE FOR THIS USER ONLY

  7. #7
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default

    smitfraud report


    SmitFraudFix v2.296

    Scan done at 21:22:09.21, 25/02/2008
    Run from C:\Documents and Settings\Jim\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Bell\Security Manager\Fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
    C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe
    C:\windows\system32\kjwnw64l.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
    C:\WINDOWS\system32\lcntklwb.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jim\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jim\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.2.1
    DNS Server Search Order: 192.168.2.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{E23A1D00-1A73-4B80-BFCC-AFDA693581C0}: DhcpNameServer=192.168.2.1 192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{E23A1D00-1A73-4B80-BFCC-AFDA693581C0}: DhcpNameServer=192.168.2.1 192.168.2.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{E23A1D00-1A73-4B80-BFCC-AFDA693581C0}: DhcpNameServer=192.168.2.1 192.168.2.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 192.168.2.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  8. #8
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default

ComboFix log

    ComboFix 08-02-25.2 - Jim 2008-02-25 21:28:32.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.183 [GMT -5:00]
    Running from: C:\Documents and Settings\Jim\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jim\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\Documents and Settings\Jim\Application Data\awvtttro.dll
    C:\WINDOWS\ddabaaxu.dll
    C:\WINDOWS\system32\ddaywwur.dll
    C:\WINDOWS\system32\eaaskjao.ini
    C:\WINDOWS\system32\kjwnw64l.exe
    C:\WINDOWS\system32\lcntklwb.exe
    C:\WINDOWS\system32\rwwnw64d.exe
    C:\WINDOWS\system32\sstsqpoo
    C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job
    C:\WINDOWS\Tasks\ISP signup reminder 1.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Jim\Application Data\awvtttro.dll
    C:\Documents and Settings\Jim\Start Menu\Programs\Startup\Deewoo.lnk
    C:\Documents and Settings\Jim\Start Menu\Programs\Startup\DW_Start.lnk
    C:\WINDOWS\ddabaaxu.dll
    C:\WINDOWS\Smlt
    C:\WINDOWS\Smlt\mA5Q.vbs
    C:\WINDOWS\system32\awtqp.dll
    C:\WINDOWS\system32\btkcsxml.dll
    C:\WINDOWS\system32\ddaywwur.dll
    C:\WINDOWS\system32\eaaskjao.ini
    C:\WINDOWS\system32\hqucdcem.dll
    C:\WINDOWS\system32\kjwnw64l.exe
    C:\WINDOWS\system32\lcntklwb.exe
    C:\WINDOWS\system32\lmxscktb.ini
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\pqtwa.ini
    C:\WINDOWS\system32\pqtwa.ini2
    C:\WINDOWS\system32\rwwnw64d.exe
    C:\WINDOWS\system32\sstsqpoo
    C:\WINDOWS\system32\sstsqpoo\
    C:\WINDOWS\system32\urbcobbu.dll
    C:\WINDOWS\system32\winpfz37.sys
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job
    C:\WINDOWS\Tasks\ISP signup reminder 1.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
    .

    2008-02-25 21:22 . 2008-02-25 21:22 4,770 --a------ C:\WINDOWS\system32\tmp.reg
    2008-02-25 21:20 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-02-25 21:20 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-02-25 21:20 . 2008-02-22 18:44 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-02-25 21:20 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-02-25 21:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-02-25 21:20 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-02-25 21:20 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-02-25 20:31 . 2008-02-25 21:24 68,402 --a------ C:\WINDOWS\BMbf0d68a7.xml
    2008-02-25 20:31 . 2008-02-25 21:28 21 --a------ C:\WINDOWS\pskt.ini
    2008-02-24 21:41 . 2008-02-24 21:41 <DIR> d-------- C:\WINDOWS\ERUNT
    2008-02-24 21:33 . 2008-02-24 21:33 <DIR> d-------- C:\SDFix
    2008-02-24 12:44 . 2008-02-24 12:44 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-24 00:55 . 2008-02-24 22:57 <DIR> d-------- C:\ComboFix[1]
    2008-02-23 21:28 . 2008-02-23 21:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-23 21:28 . 2008-02-23 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-23 11:57 . 2008-02-23 11:57 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-23 11:57 . 2008-02-23 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-23 11:53 . 2008-02-23 11:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-23 11:35 . 2008-02-23 11:35 <DIR> d-------- C:\WINDOWS\Ad-Ware Pro
    2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\xo4
    2008-02-23 10:19 . 2008-02-23 10:19 <DIR> d-------- C:\WINDOWS\system32\ap8
    2008-02-22 23:03 . 2007-03-06 13:24 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
    2008-02-22 23:02 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
    2008-02-22 22:59 . 2008-02-22 22:59 <DIR> d-------- C:\Program Files\Common Files\Authentium
    2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Program Files\Raxco
    2008-02-22 22:53 . 2008-02-22 22:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
    2008-02-22 22:52 . 2008-02-22 22:52 <DIR> d-------- C:\Program Files\CA
    2008-02-22 22:50 . 2008-02-23 01:05 <DIR> d-------- C:\Program Files\Common Files\Scanner
    2008-02-22 22:34 . 2008-02-22 22:35 <DIR> d-------- C:\Program Files\DellSupport
    2008-02-22 22:21 . 2008-02-22 22:21 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\InstallShield
    2008-02-21 23:35 . 2008-02-21 23:35 <DIR> d-------- C:\Program Files\Enigma Software Group
    2008-02-21 22:55 . 2008-02-23 23:16 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\Antispyware
    2008-02-21 07:38 . 2008-02-25 20:29 <DIR> d-------- C:\Documents and Settings\Jim\Application Data\AppDate
    2008-02-19 21:05 . 2008-02-19 21:05 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2008-02-19 20:41 . 2008-02-20 22:22 <DIR> d-------- C:\DVDMovie
    2008-02-19 20:39 . 2008-02-19 20:39 <DIR> d-------- C:\Program Files\Xvid
    2008-02-19 20:39 . 2008-02-19 20:42 <DIR> d-------- C:\Program Files\AoA DVD Ripper
    2008-02-19 20:39 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
    2008-02-19 20:39 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2008-02-19 20:39 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
    2008-02-19 20:39 . 2002-07-17 09:20 45,056 --a------ C:\WINDOWS\system32\Wnaspi32.dll
    2008-02-19 20:39 . 2002-07-17 08:53 16,877 --a------ C:\WINDOWS\system32\drivers\Aspi32.sys
    2008-02-19 20:39 . 2002-07-17 16:22 4,455 --a------ C:\WINDOWS\system\Winaspi.dll
    2008-02-19 20:39 . 2002-07-17 16:22 3,535 --a------ C:\WINDOWS\system\Wowpost.exe
    2008-02-19 20:39 . 2008-02-20 22:16 67 --a------ C:\WINDOWS\AoADVDRipper.INI
    2008-02-16 13:32 . 2008-02-16 13:32 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infob.dat
    2008-02-15 21:51 . 2008-02-15 21:51 0 --a------ C:\WINDOWS\system32\Infoa.dat
    2008-02-15 21:49 . 2008-02-15 21:49 305 --a------ C:\WINDOWS\system32\treeinfo.dat
    2008-02-15 21:22 . 2008-02-15 21:22 <DIR> d-------- C:\MyAudio
    2008-02-15 21:21 . 2008-02-15 21:22 <DIR> d-------- C:\Program Files\AoA Audio Extractor
    2008-02-15 21:21 . 2008-02-20 22:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-15 21:17 . 2008-02-15 21:48 <DIR> d-------- C:\Program Files\YouTube Downloader

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-23 15:36 --------- d-----w C:\Program Files\Bonjour
    2008-02-23 06:05 --------- d-----w C:\Program Files\LimeWire
    2008-02-23 04:08 --------- d-----w C:\Documents and Settings\Jim\Application Data\Bell
    2008-02-23 03:55 --------- d--h--w C:\Documents and Settings\Jim\Application Data\Gtek
    2008-02-23 03:43 --------- d-----w C:\Program Files\Bell
    2008-02-23 03:41 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Bell
    2008-02-23 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bell
    2008-02-23 03:35 --------- d-----w C:\Documents and Settings\Stephanie\Application Data\Gtek
    2008-02-23 03:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-15 05:14 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-15 04:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
    2008-01-15 04:18 --------- d-----w C:\Program Files\NetAssistant
    2008-01-15 04:12 --------- d-----w C:\Program Files\Jasc Software Inc
    2008-01-15 04:08 --------- d-----w C:\Program Files\Common Files\Sonic Shared
    2008-01-15 04:06 --------- d-----w C:\Program Files\WordPerfect Office 12
    2008-01-15 04:06 --------- d-----w C:\Program Files\QuickTime
    2008-01-15 04:06 --------- d-----w C:\Program Files\Intel
    2008-01-15 04:06 --------- d-----w C:\Program Files\EPSON
    2008-01-15 04:06 --------- d-----w C:\Program Files\Common Files\AOL
    2008-01-15 02:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\Documents and Settings\Jim\Application Data\Antispyware ----

    2008-02-21 23:27 643 --a------ C:\Documents and Settings\Jim\Application Data\Antispyware\rs.dat

    ---- Directory of C:\WINDOWS\system32\ap8 ----

    2008-01-30 16:19 183216 --a------ C:\WINDOWS\system32\ap8\yula4403.exe

    ---- Directory of C:\WINDOWS\system32\xo4 ----

    2008-02-14 10:42 49152 --a------ C:\WINDOWS\system32\xo4\dameco3305.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-17 20:17 180269]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-24 19:47 155648]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-12-20 20:54 278528]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
    "EPSON Stylus C66 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.exe" [2004-01-13 03:00 99840]
    "EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 03:00 98304]
    "SSA.exe"="C:\Program Files\Bell\Sympatico Security Advisor\SSA.exe" [2007-03-27 10:33 2061816]
    "Sympatico Security Manager"="C:\Program Files\Bell\Security Manager\Rps.exe" [2007-08-27 16:57 310000]
    "-FreedomNeedsReboot"="C:\Program Files\Bell\Security Manager\ZkRunOnceR.exe" [2007-08-27 16:57 13552]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10 49263]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]
    NetAssistant.lnk - C:\Program Files\NetAssistant\bin\matcli.exe [2005-10-04 18:35:39 217088]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a------ 2004-10-22 15:13 393216 C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R2 ScFBPNT;CanoScan FBP Port Driver;C:\WINDOWS\system32\drivers\ScFBPNT.SYS [2000-02-08 10:33]
    S3 Radialpoint Security Services;Sympatico Security Manager;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-25 21:35:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Bell\Security Manager\Fws.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Bell\Sympatico Security Advisor\SSAComHandler.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\Bell\Security Manager\rpsupdaterR.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-25 21:39:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-26 02:39:37
    ComboFix2.txt 2008-02-25 03:56:25
    ComboFix3.txt 2008-02-24 06:35:07
    .
    2008-02-13 04:08:45 --- E O F ---

  9. #9
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default

MBAM log

    Malwarebytes' Anti-Malware 1.05
    Database version: 405

    Scan type: Full Scan (C:\|)
    Objects scanned: 96043
    Time elapsed: 42 minute(s), 17 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 10
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 16

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Quarantined and deleted successfully.
    C:\QooBox\Quarantine\C\Program Files\Movie Maker\gajulaq89104.dll.vir (Adware.TTC) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055187.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055188.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055190.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056227.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056229.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056767.exe (Adware.TTC) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056785.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056804.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP845\A0058993.vbs (Malware.Trace) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059087.dll (Adware.TTC) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ap8\yula4403.exe (Adware.RABCO) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xo4\dameco3305.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
    C:\WINDOWS\Ad-Ware Pro Setup Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
    C:\WINDOWS\Ad-Ware Pro Uninstall Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
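
A small triage script for the MBAM log above, added here as an example (it is not part of the original post and not Malwarebytes' own code). It parses the `<item> (<Family>) -> <action>.` detection lines and splits the hits into registry keys, live files, copies inside System Restore snapshots (`System Volume Information\_restore...`) and files already sitting in ComboFix's `QooBox` quarantine. The sample input is the log as posted; the location labels and the `Detection` record are this example's own naming, not MBAM's.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread (not the poster's or Malwarebytes' code).
Hits inside System Restore snapshots or ComboFix's QooBox quarantine are
copies of already-removed files, not an active infection, so they are
reported separately from detections on live paths.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# One MBAM 1.x detection line: "<item> (<Family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
REG_HIVES = ("HKEY_", "HKLM", "HKCU", "HKCR", "HKU")


@dataclass(frozen=True)
class Detection:
    item: str
    family: str
    action: str
    location: str  # "registry", "live", "restore_point" or "quarantine" (labels chosen here)


def classify(item: str) -> str:
    """Map a detected item to one of the location labels above."""
    if item.upper().startswith(REG_HIVES):
        return "registry"
    low = item.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"          # copy held in a System Restore point
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"             # already quarantined by ComboFix
    return "live"


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line in the log; summary/header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["item"], m["family"], m["action"], classify(m["item"])))
    return found


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts per location and per family, plus the live items to look at first."""
    return {
        "by_location": Counter(d.location for d in dets),
        "by_family": Counter(d.family for d in dets),
        "live_items": [d.item for d in dets if d.location == "live"],
    }


# Sample input: the detection section of the MBAM log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d25f921-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d25f924-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (Adware.MyWay) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Movie Maker\gajulaq89104.dll.vir (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055187.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055188.rbf (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP841\A0055190.exe (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056227.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP842\A0056229.sys (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056767.exe (Adware.TTC) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056785.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP844\A0056804.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP845\A0058993.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP846\A0059087.dll (Adware.TTC) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ap8\yula4403.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xo4\dameco3305.exe (Adware.ZenoSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\Ad-Ware Pro Setup Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
C:\WINDOWS\Ad-Ware Pro Uninstall Log.txt (Rogue.Ad-WarePro) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(dict(report["by_location"]))
    print(dict(report["by_family"]))
    for item in report["live_items"]:
        print("live:", item)
```

Run against the posted log, the split is 10 registry keys, 5 live files, 10 restore-point copies and 1 file already in ComboFix's quarantine. Only the five live items (the MyWay BHO DLL, the two executables under `system32\ap8` and `system32\xo4`, and the two Ad-Ware Pro log files) say anything about what was still on the disk when MBAM ran; the restore-point hits are the reason helpers usually have a user flush System Restore once the machine is clean.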

  10. #10
    Junior Member
    Join Date
    Feb 2008
    Posts
    23

    Default

Finally... ComboFix log showing that the Recovery Console has been installed

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


    Thanks
