Lots found by Spybot

B

bucksandy34

New member
Hello,
Since yesterday, my computer has been acting funny. The wall paper will not show up on the desktop, and no images show up online. They only show up as little boxes that say the picture title. Quite a few things showed up when I ran Spybot. I fixed all but one, but now they are all back. Here is what it said I had:

AdRevolver
DeepDive
MediaPlex
Microsoft.Windows.Explorer
Microsoft.WindowsSecurityCenter.RegistryTools
PWS.LDPinchIE
Right Media
Smitfraud-C.gp
Virtumonde
Virtumonde.dll
Win32.Agent.gvu
Win32.Agent.icb
Win32.Tiny.abk
Zedo


If I could get some help, that would be great! Thanks!

P.S. Is it okay for me to backup my files (Word docs, etc.) right now onto a flash drive or something like that, or might that be too dangerous? Thanks!
 
I kept running Spybot and fixing everything, but Smitfaud and/or Virtumonde kept showing up, and now the computer only works in safe mode (I'm in safemode with networking right now), so I thought I should just post the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:51 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drivers\services.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {0f8f84cf-dcba-4426-ac18-30a8ab00c526} - C:\WINDOWS\system32\ddcDtTnL.dll
O2 - BHO: (no name) - {39e9ee12-07c9-4922-9228-eb2a428c133f} - C:\WINDOWS\system32\advpac.dll
O2 - BHO: (no name) - {5104FAD1-347A-4CBC-9D64-BCD52C8CC457} - C:\WINDOWS\system32\awtrPfcA.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {977e31d4-196a-e76a-a804-2fc5b3f18cee} - {eec81f3b-5cf2-408a-a67e-a6914d13e779} - C:\WINDOWS\system32\ixacvmgx.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BM47975980] Rundll32.exe "C:\WINDOWS\system32\kaypbhce.dll",s
O4 - HKLM\..\Run: [44a46a1c] rundll32.exe "C:\WINDOWS\system32\mmmbmspn.dll",b
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [winlogon] C:\Documents and Settings\Kathy McDonald\svchost.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA785] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1488] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5032] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6713] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [winlogon] C:\Documents and Settings\Kathy McDonald\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB884] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2130] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7799] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5352] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1824] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7679] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7639] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3998] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1549] command /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4952] cmd /c del "C:\WINDOWS\SYSTEM32\awtrPfcA.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Startup: userinit.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O20 - Winlogon Notify: ddcDtTnL - C:\WINDOWS\SYSTEM32\ddcDtTnL.dll
O20 - Winlogon Notify: usbmon - C:\WINDOWS\system32\usbmons.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 7533 bytes


Thanks!
 
Hi

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post
 
The computer is just a computer at our house, and I'm almost positive there is no sensitive information stored on it (financial info, SSN, etc.). Since getting infected, no one typed in any sensitive info online, although before the infection I had done some online banking and shopping with a credit card. Is there much risk for identity theft even if I haven't done anything sensitive since getting infected? I wouldn't be opposed to a reformat and reinstall from what I know of it. Would that then make the computer 100% safe again? Lastly, I haven't finished putting my files on a flash drive, is it still safe to do so as long as I stay off the internet?

Thanks!
 
Hi

Then not.

It depends on files. Pictures and documents are pretty safe to transfer.

Let's start cleanup then:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:33 AM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5104FAD1-347A-4CBC-9D64-BCD52C8CC457} - C:\WINDOWS\system32\awtrPfcA.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {977e31d4-196a-e76a-a804-2fc5b3f18cee} - {eec81f3b-5cf2-408a-a67e-a6914d13e779} - C:\WINDOWS\system32\ixacvmgx.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [44a46a1c] rundll32.exe "C:\WINDOWS\system32\mmmbmspn.dll",b
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [BM47975980] Rundll32.exe "C:\WINDOWS\system32\kaypbhce.dll",s
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Startup: userinit.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O20 - Winlogon Notify: usbmon - C:\WINDOWS\system32\usbmons.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 5862 bytes



ComboFix Report:

ComboFix 08-06-20.4 - Kathy McDonald 2008-06-25 10:29:43.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.98 [GMT -6:00]
Running from: C:\Documents and Settings\Kathy McDonald\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM47975980.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\AcfPrtwa.ini
C:\WINDOWS\SYSTEM32\AcfPrtwa.ini2
C:\WINDOWS\system32\advpac.dll
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\ddcDtTnL.dll
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\SYSTEM32\FLlUuBeg.ini2
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\npsmbmmm.ini
C:\WINDOWS\system32\nvrsma.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-24 16:54 . 2008-06-21 14:29 13,824 --a------ C:\Documents and Settings\Kathy McDonald\svchost.exe
2008-06-24 11:53 . 2008-06-24 12:02 1,584,898,827 --a------ C:\Documents and Settings\Kathy McDonald\My Documents.zip
2008-06-22 19:07 . 2008-06-22 19:07 86,528 --a------ C:\WINDOWS\SYSTEM32\mmmbmspn.dll
2008-06-22 19:04 . 2008-06-22 19:04 101,888 --a------ C:\WINDOWS\SYSTEM32\ixacvmgx.dll
2008-06-22 19:02 . 2008-06-22 19:02 95,232 --a------ C:\WINDOWS\SYSTEM32\kaypbhce.dll
2008-06-22 14:08 . 2008-06-21 14:29 13,824 --a------ C:\userinit.exe
2008-06-21 20:59 . 2008-06-22 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 20:59 . 2008-06-22 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 16:16 . 2008-06-21 16:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-21 16:16 . 2008-06-21 16:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-21 14:31 . 2008-06-22 13:35 13,824 --a------ C:\WINDOWS\SYSTEM32\idef.dll
2008-06-21 14:30 . 2008-06-21 14:30 0 --a------ C:\1151625907
2008-06-21 14:29 . 2008-06-21 14:29 66,048 --a------ C:\mxuxc.exe
2008-06-21 14:29 . 2008-06-25 10:38 62,384 --a------ C:\WINDOWS\SYSTEM32\pqasghjd.sys
2008-06-21 14:29 . 2008-06-21 14:29 13,824 --a------ C:\vwhfxvxv.exe
2008-06-21 14:29 . 2008-06-21 17:07 10,000 --a------ C:\WINDOWS\SYSTEM32\jfiehayd.dll
2008-06-21 14:29 . 2008-06-21 18:14 7,680 --a------ C:\kbvxxo.exe
2008-06-21 14:28 . 2008-06-21 17:07 41,984 --a------ C:\WINDOWS\mrofinu1535.exe
2008-06-10 19:09 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 20:05 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 23:22 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\MSN6
2008-05-21 01:47 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\Uniblue
2008-05-21 01:42 --------- d-----w C:\Program Files\AIM Toolbar
2008-05-21 01:40 --------- d-----w C:\Program Files\Viewpoint
2008-05-21 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 16:49 --------- d-----w C:\Program Files\Project64 1.6
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
560,128 2004-06-17 17:58:35 C:\WINDOWS\$NtServicePackUninstall$\user32.dll
528,896 2002-11-01 22:26:46 C:\WINDOWS\$NtUninstallKB840987$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,024 2004-08-04 07:56:46 C:\WINDOWS\ServicePackFiles\i386\user32.dll
577,536 2008-06-21 20:29:49 C:\WINDOWS\SYSTEM32\user32.DLL
577,536 2008-06-21 20:29:49 C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll


------- Sigcheck -------

2005-03-02 12:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 09:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-06-17 11:58 560128 31fb2d788a9aa618452c02e8375b6dcd C:\WINDOWS\$NtServicePackUninstall$\user32.dll
2002-11-01 16:26 528896 68e1f4ef02df52ca9c5e157045d23582 C:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-08-04 01:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 12:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2004-08-04 01:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\ServicePackFiles\i386\user32.dll
2008-06-21 14:29 577536 2384d63d6a86a75eb55d1a87f60e86c6 C:\WINDOWS\SYSTEM32\user32.DLL
2008-06-21 14:29 577536 2384d63d6a86a75eb55d1a87f60e86c6 C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5104FAD1-347A-4CBC-9D64-BCD52C8CC457}]
C:\WINDOWS\system32\awtrPfcA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eec81f3b-5cf2-408a-a67e-a6914d13e779}]
2008-06-22 19:04 101888 --a------ C:\WINDOWS\system32\ixacvmgx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"winlogon"="C:\Documents and Settings\Kathy McDonald\svchost.exe" [2008-06-21 14:29 13824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44a46a1c"="C:\WINDOWS\system32\mmmbmspn.dll" [2008-06-22 19:07 86528]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"BM47975980"="C:\WINDOWS\system32\kaypbhce.dll" [2008-06-22 19:02 95232]
"winlogon"="C:\Documents and Settings\Kathy McDonald\svchost.exe" [2008-06-21 14:29 13824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [ ]

C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2007-11-25 19:48:20 983040]
userinit.exe [2008-06-21 14:29:59 13824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
My Essentials Wireless USB Utility.lnk - C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 20:02:00 1568768]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 09:15:04 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usbmon]
C:\WINDOWS\system32\usbmons.dll 2008-05-21 21:49 0 C:\WINDOWS\SYSTEM32\usbmons.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=C:\WINDOWS\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 10:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 13:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 13:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-07-14 09:19 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-07-14 09:19 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlbccoms.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\nestc042\\NESTCL95.EXE"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\Nestopia137bin\\nestopia.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\gameboy\\VisualBoyAdvance\\VisualBoyAdvance [linker].exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27886:TCP"= 27886:TCP:Nestopia
"27886:UDP"= 27886:UDP:Nestopia

R2 dlbc_device;dlbc_device;C:\WINDOWS\system32\dlbccoms.exe [2007-02-07 16:26]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);C:\WINDOWS\system32\DRIVERS\OMAWGU.sys [2006-08-04 01:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 10:36:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe
.
**************************************************************************
.
Completion time: 2008-06-25 10:45:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 16:45:00

Pre-Run: 27,598,761,984 bytes free
Post-Run: 27,409,592,320 bytes free

172 --- E O F --- 2008-06-20 15:31:37


Thanks!
 
Hi

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System


KB310994.gif



Download the file & save it as it's originally named, next to ComboFix.exe.



rc1.gif



Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

    RC_whatnext.gif


  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
 
Combo Fix Log:

ComboFix 08-06-20.4 - Kathy McDonald 2008-06-25 12:21:31.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.96 [GMT -6:00]
Running from: C:\Documents and Settings\Kathy McDonald\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kathy McDonald\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\services.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 12:25 . 2008-06-21 14:29 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\services.exe
2008-06-25 10:45 . 2008-06-25 12:25 414 ---hs---- C:\WINDOWS\SYSTEM32\npsmbmmm.ini
2008-06-25 10:45 . 2008-06-25 10:45 0 --a------ C:\WINDOWS\BM47975980.xml
2008-06-24 16:54 . 2008-06-21 14:29 13,824 --a------ C:\Documents and Settings\Kathy McDonald\svchost.exe
2008-06-24 11:53 . 2008-06-24 12:02 1,584,898,827 --a------ C:\Documents and Settings\Kathy McDonald\My Documents.zip
2008-06-22 19:07 . 2008-06-22 19:07 86,528 --a------ C:\WINDOWS\SYSTEM32\mmmbmspn.dll
2008-06-22 19:04 . 2008-06-22 19:04 101,888 --a------ C:\WINDOWS\SYSTEM32\ixacvmgx.dll
2008-06-22 19:02 . 2008-06-22 19:02 95,232 --a------ C:\WINDOWS\SYSTEM32\kaypbhce.dll
2008-06-22 14:08 . 2008-06-21 14:29 13,824 --a------ C:\userinit.exe
2008-06-21 20:59 . 2008-06-22 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 20:59 . 2008-06-22 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 16:16 . 2008-06-21 16:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-21 16:16 . 2008-06-21 16:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-21 14:31 . 2008-06-22 13:35 13,824 --a------ C:\WINDOWS\SYSTEM32\idef.dll
2008-06-21 14:30 . 2008-06-21 14:30 0 --a------ C:\1151625907
2008-06-21 14:29 . 2008-06-21 14:29 66,048 --a------ C:\mxuxc.exe
2008-06-21 14:29 . 2008-06-25 12:27 62,384 --a------ C:\WINDOWS\SYSTEM32\pqasghjd.sys
2008-06-21 14:29 . 2008-06-21 14:29 13,824 --a------ C:\vwhfxvxv.exe
2008-06-21 14:29 . 2008-06-21 17:07 10,000 --a------ C:\WINDOWS\SYSTEM32\jfiehayd.dll
2008-06-21 14:29 . 2008-06-21 18:14 7,680 --a------ C:\kbvxxo.exe
2008-06-21 14:28 . 2008-06-21 17:07 41,984 --a------ C:\WINDOWS\mrofinu1535.exe
2008-06-10 19:09 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 20:05 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 23:22 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\MSN6
2008-05-21 01:47 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\Uniblue
2008-05-21 01:42 --------- d-----w C:\Program Files\AIM Toolbar
2008-05-21 01:40 --------- d-----w C:\Program Files\Viewpoint
2008-05-21 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 16:49 --------- d-----w C:\Program Files\Project64 1.6
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((( snapshot@2008-06-25_10.44.37.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 16:35:41 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-25 18:24:41 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5104FAD1-347A-4CBC-9D64-BCD52C8CC457}]
C:\WINDOWS\system32\awtrPfcA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eec81f3b-5cf2-408a-a67e-a6914d13e779}]
2008-06-22 19:04 101888 --a------ C:\WINDOWS\system32\ixacvmgx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [2008-06-21 14:29 13824]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"winlogon"="C:\Documents and Settings\Kathy McDonald\svchost.exe" [2008-06-21 14:29 13824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44a46a1c"="C:\WINDOWS\system32\mmmbmspn.dll" [2008-06-22 19:07 86528]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [2008-06-21 14:29 13824]
"BM47975980"="C:\WINDOWS\system32\kaypbhce.dll" [2008-06-22 19:02 95232]
"winlogon"="C:\Documents and Settings\Kathy McDonald\svchost.exe" [2008-06-21 14:29 13824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [2008-06-21 14:29 13824]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [ ]

C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2007-11-25 19:48:20 983040]
userinit.exe [2008-06-21 14:29:59 13824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
My Essentials Wireless USB Utility.lnk - C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 20:02:00 1568768]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 09:15:04 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usbmon]
C:\WINDOWS\system32\usbmons.dll 2008-05-21 21:49 0 C:\WINDOWS\SYSTEM32\usbmons.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=C:\WINDOWS\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 10:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 13:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 13:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-07-14 09:19 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-07-14 09:19 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlbccoms.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\nestc042\\NESTCL95.EXE"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\Nestopia137bin\\nestopia.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\gameboy\\VisualBoyAdvance\\VisualBoyAdvance [linker].exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27886:TCP"= 27886:TCP:Nestopia
"27886:UDP"= 27886:UDP:Nestopia

R2 dlbc_device;dlbc_device;C:\WINDOWS\system32\dlbccoms.exe [2007-02-07 16:26]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);C:\WINDOWS\system32\DRIVERS\OMAWGU.sys [2006-08-04 01:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 12:25:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\services.exe 13824 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\mmmbmspn.dll
-> C:\WINDOWS\system32\kaypbhce.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe
.
**************************************************************************
.
Completion time: 2008-06-25 12:31:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 18:31:25
ComboFix2.txt 2008-06-25 16:45:09

Pre-Run: 27,648,589,824 bytes free
Post-Run: 27,383,627,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

160 --- E O F --- 2008-06-20 15:31:37


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:31 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5104FAD1-347A-4CBC-9D64-BCD52C8CC457} - C:\WINDOWS\system32\awtrPfcA.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {977e31d4-196a-e76a-a804-2fc5b3f18cee} - {eec81f3b-5cf2-408a-a67e-a6914d13e779} - C:\WINDOWS\system32\ixacvmgx.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [44a46a1c] rundll32.exe "C:\WINDOWS\system32\mmmbmspn.dll",b
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [BM47975980] Rundll32.exe "C:\WINDOWS\system32\kaypbhce.dll",s
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Startup: userinit.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O20 - Winlogon Notify: usbmon - C:\WINDOWS\system32\usbmons.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 5895 bytes
 
Hi

Open notepad and copy/paste the text in the codebox below into it:

Code: 
Rootkit::
C:\WINDOWS\system32\drivers\services.exe

File::
C:\WINDOWS\SYSTEM32\npsmbmmm.ini
C:\WINDOWS\BM47975980.xml
C:\Documents and Settings\Kathy McDonald\svchost.exe
C:\WINDOWS\SYSTEM32\mmmbmspn.dll
C:\WINDOWS\SYSTEM32\ixacvmgx.dll
C:\WINDOWS\SYSTEM32\kaypbhce.dll
C:\WINDOWS\SYSTEM32\idef.dll
C:\1151625907
C:\mxuxc.exe
C:\WINDOWS\SYSTEM32\pqasghjd.sys
C:\vwhfxvxv.exe
C:\WINDOWS\SYSTEM32\jfiehayd.dll
C:\kbvxxo.exe
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\usbmons.dll
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe 

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5104FAD1-347A-4CBC-9D64-BCD52C8CC457}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eec81f3b-5cf2-408a-a67e-a6914d13e779}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
"winlogon"="-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44a46a1c"=-
"[system]"=-
"BM47975980"=-
"winlogon"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"=-
"winlogon"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usbmon]

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
Hello,

Combo Fix Log:

ComboFix 08-06-20.4 - Kathy McDonald 2008-06-25 13:51:23.3 - NTFSx86
Running from: C:\Documents and Settings\Kathy McDonald\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kathy McDonald\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\services.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 10:45 . 2008-06-25 13:51 594 ---hs---- C:\WINDOWS\SYSTEM32\npsmbmmm.ini
2008-06-25 10:45 . 2008-06-25 10:45 0 --a------ C:\WINDOWS\BM47975980.xml
2008-06-24 16:54 . 2008-06-21 14:29 13,824 --a------ C:\Documents and Settings\Kathy McDonald\svchost.exe
2008-06-24 11:53 . 2008-06-24 12:02 1,584,898,827 --a------ C:\Documents and Settings\Kathy McDonald\My Documents.zip
2008-06-22 19:07 . 2008-06-22 19:07 86,528 --a------ C:\WINDOWS\SYSTEM32\mmmbmspn.dll
2008-06-22 19:04 . 2008-06-22 19:04 101,888 --a------ C:\WINDOWS\SYSTEM32\ixacvmgx.dll
2008-06-22 19:02 . 2008-06-22 19:02 95,232 --a------ C:\WINDOWS\SYSTEM32\kaypbhce.dll
2008-06-22 14:08 . 2008-06-21 14:29 13,824 --a------ C:\userinit.exe
2008-06-21 20:59 . 2008-06-22 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 20:59 . 2008-06-22 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 16:16 . 2008-06-21 16:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-21 16:16 . 2008-06-21 16:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-21 14:31 . 2008-06-22 13:35 13,824 --a------ C:\WINDOWS\SYSTEM32\idef.dll
2008-06-21 14:30 . 2008-06-21 14:30 0 --a------ C:\1151625907
2008-06-21 14:29 . 2008-06-21 14:29 66,048 --a------ C:\mxuxc.exe
2008-06-21 14:29 . 2008-06-25 13:54 62,384 --a------ C:\WINDOWS\SYSTEM32\pqasghjd.sys
2008-06-21 14:29 . 2008-06-21 14:29 13,824 --a------ C:\vwhfxvxv.exe
2008-06-21 14:29 . 2008-06-21 17:07 10,000 --a------ C:\WINDOWS\SYSTEM32\jfiehayd.dll
2008-06-21 14:29 . 2008-06-21 18:14 7,680 --a------ C:\kbvxxo.exe
2008-06-21 14:28 . 2008-06-21 17:07 41,984 --a------ C:\WINDOWS\mrofinu1535.exe
2008-06-10 19:09 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 20:05 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-21 23:07 20,992 --sha-r C:\WINDOWS\SYSTEM32\usbmons.exe
2008-06-21 23:07 1,665 ----a-w C:\WINDOWS\SYSTEM32\kb2006a.exe
2008-06-21 20:29 577,536 ----a-w C:\WINDOWS\SYSTEM32\user32.DLL
2008-06-21 20:29 577,536 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 23:22 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\MSN6
2008-05-21 01:47 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\Uniblue
2008-05-21 01:42 --------- d-----w C:\Program Files\AIM Toolbar
2008-05-21 01:40 --------- d-----w C:\Program Files\Viewpoint
2008-05-21 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:18 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-05-03 16:49 --------- d-----w C:\Program Files\Project64 1.6
2008-04-24 04:16 3,591,680 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-04-22 07:40 625,664 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2008-04-22 07:39 70,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-04-20 05:07 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
.

((((((((((((((((((((((((((((( snapshot@2008-06-25_10.44.37.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 16:35:41 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-25 19:43:04 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5104FAD1-347A-4CBC-9D64-BCD52C8CC457}]
C:\WINDOWS\system32\awtrPfcA.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eec81f3b-5cf2-408a-a67e-a6914d13e779}]
2008-06-22 19:04 101888 --a------ C:\WINDOWS\system32\ixacvmgx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"44a46a1c"="C:\WINDOWS\system32\mmmbmspn.dll" [2008-06-22 19:07 86528]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"BM47975980"="C:\WINDOWS\system32\kaypbhce.dll" [2008-06-22 19:02 95232]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"[system]"="C:\WINDOWS\system32\drivers\services.exe" [ ]
"winlogon"="C:\Documents and Settings\LocalService\svchost.exe" [ ]

C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2007-11-25 19:48:20 983040]
userinit.exe [2008-06-21 14:29:59 13824]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
My Essentials Wireless USB Utility.lnk - C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 20:02:00 1568768]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 09:15:04 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\usbmon]
C:\WINDOWS\system32\usbmons.dll 2008-05-21 21:49 0 C:\WINDOWS\SYSTEM32\usbmons.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=C:\WINDOWS\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 10:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 13:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 13:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-07-14 09:19 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-07-14 09:19 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlbccoms.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\nestc042\\NESTCL95.EXE"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\Nestopia137bin\\nestopia.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\gameboy\\VisualBoyAdvance\\VisualBoyAdvance [linker].exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27886:TCP"= 27886:TCP:Nestopia
"27886:UDP"= 27886:UDP:Nestopia


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 13:54:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 13:58:15
ComboFix-quarantined-files.txt 2008-06-25 19:57:39
ComboFix2.txt 2008-06-25 18:31:38
ComboFix3.txt 2008-06-25 16:45:09

Pre-Run: 27,384,233,984 bytes free
Post-Run: 27,370,627,072 bytes free

149 --- E O F --- 2008-06-20 15:31:37


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:26 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: (no name) - {5104FAD1-347A-4CBC-9D64-BCD52C8CC457} - C:\WINDOWS\system32\awtrPfcA.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {977e31d4-196a-e76a-a804-2fc5b3f18cee} - {eec81f3b-5cf2-408a-a67e-a6914d13e779} - C:\WINDOWS\system32\ixacvmgx.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [44a46a1c] rundll32.exe "C:\WINDOWS\system32\mmmbmspn.dll",b
O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKLM\..\Run: [BM47975980] Rundll32.exe "C:\WINDOWS\system32\kaypbhce.dll",s
O4 - HKCU\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Startup: userinit.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O20 - Winlogon Notify: usbmon - C:\WINDOWS\system32\usbmons.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 5767 bytes
 
Hello,

I just checked the CFScript file against what you have typed in the code box (using two different laptops). It looked like I had everything in there. Should I try CFScript again?
 
Redid CFScript.

Combo Fix

ComboFix 08-06-20.4 - Kathy McDonald 2008-06-25 14:44:47.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.104 [GMT -6:00]
Running from: C:\Documents and Settings\Kathy McDonald\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kathy McDonald\Desktop\CFScript.txt

FILE ::
C:\1151625907
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Kathy McDonald\svchost.exe
C:\kbvxxo.exe
C:\mxuxc.exe
C:\vwhfxvxv.exe
C:\WINDOWS\BM47975980.xml
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\SYSTEM32\idef.dll
C:\WINDOWS\SYSTEM32\ixacvmgx.dll
C:\WINDOWS\SYSTEM32\jfiehayd.dll
C:\WINDOWS\SYSTEM32\kaypbhce.dll
C:\WINDOWS\SYSTEM32\mmmbmspn.dll
C:\WINDOWS\SYSTEM32\npsmbmmm.ini
C:\WINDOWS\SYSTEM32\pqasghjd.sys
C:\WINDOWS\system32\usbmons.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1151625907
C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe
C:\Documents and Settings\Kathy McDonald\svchost.exe
C:\kbvxxo.exe
C:\mxuxc.exe
C:\vwhfxvxv.exe
C:\WINDOWS\BM47975980.xml
C:\WINDOWS\mrofinu1535.exe
C:\WINDOWS\system32\drivers\services.exe
C:\WINDOWS\SYSTEM32\idef.dll
C:\WINDOWS\SYSTEM32\ixacvmgx.dll
C:\WINDOWS\SYSTEM32\jfiehayd.dll
C:\WINDOWS\SYSTEM32\kaypbhce.dll
C:\WINDOWS\SYSTEM32\mmmbmspn.dll
C:\WINDOWS\SYSTEM32\npsmbmmm.ini
C:\WINDOWS\SYSTEM32\pqasghjd.sys
C:\WINDOWS\system32\usbmons.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_pqasghjd


((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-24 11:53 . 2008-06-24 12:02 1,584,898,827 --a------ C:\Documents and Settings\Kathy McDonald\My Documents.zip
2008-06-22 14:08 . 2008-06-21 14:29 13,824 --a------ C:\userinit.exe
2008-06-21 20:59 . 2008-06-22 19:13 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-21 20:59 . 2008-06-22 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-21 16:16 . 2008-06-21 16:16 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-21 16:16 . 2008-06-21 16:16 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-10 19:09 . 2008-06-13 07:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-22 20:05 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-08 23:22 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\MSN6
2008-05-21 01:47 --------- d-----w C:\Documents and Settings\Kathy McDonald\Application Data\Uniblue
2008-05-21 01:42 --------- d-----w C:\Program Files\AIM Toolbar
2008-05-21 01:40 --------- d-----w C:\Program Files\Viewpoint
2008-05-21 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-21 01:33 --------- d-----w C:\Program Files\Trend Micro
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 16:49 --------- d-----w C:\Program Files\Project64 1.6
.

((((((((((((((((((((((((((((( snapshot@2008-06-25_10.44.37.61 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 16:35:41 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-25 20:48:12 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

C:\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Sprint music manager\MEMonitor.exe [2007-11-25 19:48:20 983040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
My Essentials Wireless USB Utility.lnk - C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe [2006-09-11 20:02:00 1568768]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2004-07-14 09:15:04 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=C:\WINDOWS\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-04-11 10:43 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-04-19 13:45 53248 c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-04-19 13:45 131072 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-07-14 09:19 77824 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2004-07-14 09:19 26112 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\SYSTEM32\\dlbccoms.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\nestc042\\NESTCL95.EXE"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\Nintendo\\Nestopia137bin\\nestopia.exe"=
"C:\\Documents and Settings\\Kathy McDonald\\My Documents\\Matt\\Games\\gameboy\\VisualBoyAdvance\\VisualBoyAdvance [linker].exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27886:TCP"= 27886:TCP:Nestopia
"27886:UDP"= 27886:UDP:Nestopia

R2 dlbc_device;dlbc_device;C:\WINDOWS\system32\dlbccoms.exe [2007-02-07 16:26]
S3 OMAWGU(Belkin Corporation);My Essential G USB Adapter(Belkin Corporation);C:\WINDOWS\system32\DRIVERS\OMAWGU.sys [2006-08-04 01:55]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 14:48:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-25 14:56:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 20:56:09
ComboFix2.txt 2008-06-25 19:58:16
ComboFix3.txt 2008-06-25 18:31:38
ComboFix4.txt 2008-06-25 16:45:09

Pre-Run: 27,617,202,176 bytes free
Post-Run: 27,368,648,704 bytes free

143 --- E O F --- 2008-06-20 15:31:37


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:57:37 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 4804 bytes
 
Hi

Now it looks better :bigthumb:

Please click this link-->Jotti

Copy/paste the file below into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\userinit.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please do also this:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

Post:

- a fresh HijackThis log
- jotti/virustotal results
 
Hello,

I think I did have an antivirus program on here before the infection, but it's obviously not there anymore so I downloaded a new one. Anyway, here are the scan results:

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:40 AM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 5397 bytes


Jotti:

Scanner results
Scan taken on 26 Jun 2008 16:13:54 (GMT)
A-Squared Found nothing
AntiVir Found WORM/Socks.AE.15
ArcaVir Found Trojan.Psw.Qqshou.Gw
Avast Found Win32:Socks-AX
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found P2P-Worm.Win32.Socks.ae
Fortinet Found nothing
Ikarus Found Virus.P2P.Worm.Win32.Socks.ae
Kaspersky Anti-Virus Found P2P-Worm.Win32.Socks.ae
NOD32 Found nothing
Norman Virus Control Found W32/Malware.CZMC
Panda Antivirus Found W32/Socks.E.worm
Sophos Antivirus Found Mal/EncPk-DB
VirusBuster Found nothing
VBA32 Found P2P-Worm.Win32.Socks.ae


Thanks!
 
Hi

Open HijackThis, click do a system scan only and checkmark these:

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - (no file)

Close all windows including browser and press fix checked.

Reboot.

Delete this file:

C:\userinit.exe

Empty Recycle Bin

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
 
Hello,

Kaspersky Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 26, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 26, 2008 16:45:34
Records in database: 884878
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 52761
Threat name: 11
Infected objects: 72
Suspicious objects: 0
Duration of the scan: 02:31:10


File name / Threat name / Threats count
C:\Documents and Settings\Kathy McDonald\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-524f34ba Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Kathy McDonald\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-4f130336.zip Infected: Exploit.Java.Gimsh.a 1
C:\QooBox\Quarantine\C\Documents and Settings\Kathy McDonald\Start Menu\Programs\Startup\userinit.exe.vir Infected: P2P-Worm.Win32.Socks.ae 1
C:\QooBox\Quarantine\C\Documents and Settings\Kathy McDonald\svchost.exe.vir Infected: P2P-Worm.Win32.Socks.ae 1
C:\QooBox\Quarantine\C\vwhfxvxv.exe.vir Infected: P2P-Worm.Win32.Socks.ae 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\advpac.dll.vir Infected: Rootkit.Win32.Podnuha.gg 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\services.exe.vir Infected: P2P-Worm.Win32.Socks.ae 1
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\user32.dll.vir.vir Infected: Trojan.Win32.Patched.bb 1
C:\QooBox\Quarantine\catchme2008-06-25_103351.86.zip Infected: Trojan.Win32.Monder.zd 1
C:\QooBox\Quarantine\catchme2008-06-25_122315.44.zip Infected: Trojan.Win32.Patched.bb 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050352.bat Infected: Trojan-Downloader.Win32.Small.xpe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050353.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.yxg 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050353.exe Infected: Trojan-Downloader.Win32.Small.ury 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050353.exe Infected: Trojan-Downloader.Win32.Small.xhc 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050353.exe Infected: Trojan-Downloader.Win32.Small.xpe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050360.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050371.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050372.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP695\A0050373.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP696\A0050383.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP696\A0050394.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0050397.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0050398.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0050399.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0050406.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051404.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051406.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051415.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051423.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051425.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051432.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP697\A0051442.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP698\A0051446.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0051456.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0051471.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0051475.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0051476.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0051529.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP699\A0051532.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051545.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051550.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051553.bat Infected: Trojan-Downloader.Win32.Small.xpe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051554.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.yxg 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051554.exe Infected: Trojan-Downloader.Win32.Small.ury 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051554.exe Infected: Trojan-Downloader.Win32.Small.xhc 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051554.exe Infected: Trojan-Downloader.Win32.Small.xpe 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051564.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051572.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051574.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051577.exe Infected: Rootkit.Win32.Podnuha.eg 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051582.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051584.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051593.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051595.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051596.dll Infected: Trojan.Win32.Monder.gen 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051603.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051613.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051615.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051622.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051627.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051635.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051645.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051651.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051655.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051660.dll Infected: Rootkit.Win32.Podnuha.gg 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051945.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP700\A0051954.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP701\A0052020.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP701\A0052064.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP701\A0052065.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP701\A0052068.exe Infected: P2P-Worm.Win32.Socks.ae 1
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP702\A0052139.exe Infected: P2P-Worm.Win32.Socks.ae 1

The selected area was scanned.


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:58 PM, on 6/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Sprint music manager\MEMonitor.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\dlbccoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Sprint music manager\MEMonitor.exe
O4 - Global Startup: My Essentials Wireless USB Utility.lnk = C:\Program Files\My Essentials\USB ME1001-USB\Wireless Utility\O-Maxwcui.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD42/J...bd/&filename=jinstall-6u6-windows-i586-jc.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://husqvarnaviking.webex.com/client/T23L/event/ieatgpc.cab
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: dlbc_device - - C:\WINDOWS\system32\dlbccoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - http://blstj.msn.com/br/voodoo/js/6/core.js

--
End of file - 5638 bytes
 
Hi

Empty these folders:

C:\Documents and Settings\Kathy McDonald\Application Data\Sun\Java\Deployment\cache
C:\QooBox\Quarantine

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
 
You must log in or register to reply here.
Back
Top