Possible Trojan Adware.MyWebSearch?

Ok

OK, got it. I found a reference to someone that tried using SuperAntiSpyware Free Edition prior to running ComboFix and that did the trick. Apparently the virus was not allowing ComboFix to run. I removed a bunch more infections (19) and it ran. Here is the HJT log followed by the ComboFix log. Let me know what is next. I really appreciate your help on this. I am in uncharted waters here...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:20 PM, on 11/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Secunia\PSI (RC4)\psi.exe
C:\PROGRA~1\SQUEEZ~1\server\squeezecenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [desajewitu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [desajewitu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Secunia PSI (RC4).lnk = C:\Program Files\Secunia\PSI (RC4)\psi.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SqueezeCenter Tray Tool.lnk = C:\Program Files\SqueezeCenter\SqueezeTray.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1193592129828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 10089 bytes




ComboFix 08-11-07.01 - David 2008-11-07 15:37:26.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2294 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\Combo--Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log

.
((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\program files\iTunes
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\iPod
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\Bonjour
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-07 08:23 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\David\Application Data\acccore
2008-11-07 08:22 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-07 08:22 . 2008-11-07 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-07 08:21 . 2008-11-07 08:21 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-07 08:18 . 2008-11-07 08:18 <DIR> d-------- c:\program files\Apple Software Update
2008-11-07 08:11 . 2008-11-07 08:11 <DIR> d-------- c:\program files\ACW
2008-11-07 07:33 . 2008-11-07 07:33 <DIR> d-------- c:\program files\Secunia
2008-11-07 01:36 . 2008-11-07 01:36 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-05 21:24 . 2008-11-05 21:26 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-05 19:00 . 2008-11-05 19:00 <DIR> d-------- c:\documents and settings\Diane.BEAR\Application Data\Malwarebytes
2008-11-05 18:47 . 2008-11-05 18:47 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 18:44 . 2008-11-06 07:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 18:44 . 2008-11-04 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Lavasoft
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-03 22:37 . 2008-11-03 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\David\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 22:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 03:04 . 2008-10-27 03:04 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-10-24 06:57 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:20 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:20 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:20 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:19 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 14:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-07 14:02 --------- d-----w c:\program files\NCH Swift Sound
2008-11-07 14:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 13:59 --------- d-----w c:\program files\calendarmakereval
2008-11-07 13:31 --------- d-----w c:\program files\Java
2008-11-07 13:28 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 13:22 --------- d-----w c:\program files\AIM6
2008-11-07 13:19 --------- d-----w c:\program files\QuickTime
2008-11-07 13:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-07 12:58 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 15:30 --------- d-----w c:\program files\Glary Utilities
2008-11-02 12:51 --------- d-----w c:\program files\SpeedFan
2008-10-31 17:24 --------- d-----w c:\program files\SqueezeCenter
2008-10-17 11:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-04 15:15 --------- d-----w c:\documents and settings\David\Application Data\GlarySoft
2008-09-29 11:12 --------- d-----w c:\program files\Paint.NET
2008-09-23 00:51 95,960 ----a-w c:\documents and settings\Rebecca.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-20 10:44 99,648 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2008-09-19 20:46 --------- d-----w c:\program files\IObit
2008-09-19 00:32 --------- d-----w c:\program files\Avidemux 2.4
2008-09-14 03:00 95,960 ----a-w c:\documents and settings\Diane.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-20 2177984]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-26 2209224]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-10-23 1968880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\David\Start Menu\Programs\Startup\
Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-10-29 695656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2008-06-28 1728601]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Linksys Wireless-G Wireless Network Monitor\\WMP54GS.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2008-10-21 4149248]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-01-13 18864]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a853402-2383-11dd-9258-000ea63f77b8}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-07 c:\windows\Tasks\At1.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At10.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At11.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At12.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At13.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At14.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At15.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At16.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-05 c:\windows\Tasks\At17.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At18.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At19.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At2.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At20.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At21.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At22.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At23.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At24.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At25.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At26.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At27.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At28.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At29.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At3.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At30.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At31.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At32.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At33.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At34.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At35.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At36.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At37.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At38.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At39.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At4.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-04 c:\windows\Tasks\At40.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-05 c:\windows\Tasks\At41.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-04 c:\windows\Tasks\At42.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-04 c:\windows\Tasks\At43.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At44.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At45.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At46.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At47.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At48.job
- c:\windows\system32\lR2dfi7G.exe []

2008-11-07 c:\windows\Tasks\At49.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At5.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At50.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At51.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At52.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At53.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At54.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At55.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At56.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At57.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At58.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At59.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At6.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At60.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At61.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At62.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At63.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-04 c:\windows\Tasks\At64.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-05 c:\windows\Tasks\At65.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-04 c:\windows\Tasks\At66.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-04 c:\windows\Tasks\At67.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At68.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At69.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At7.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At70.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At71.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At72.job
- c:\windows\system32\36EG4DJf.exe []

2008-11-07 c:\windows\Tasks\At8.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\At9.job
- c:\windows\system32\88Aoc21U.exe []

2008-11-07 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2008-10-29 17:58]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-MXOBG - c:\documents and settings\David\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
HKLM-Run-CPMd379e946 - c:\windows\system32\piseraho.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\lqqjx91w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://nytimes.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 15:41:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\hphipm09.exe
c:\progra~1\SQUEEZ~1\server\squeezecenter.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-07 15:45:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 20:45:37

Pre-Run: 250,804,277,248 bytes free
Post-Run: 250,828,390,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

348 --- E O F --- 2008-10-25 04:27:02
 
Let's hope the infections SAS removed were what was causing the problem; ComboFix is not showing much. It may have removed what SAS did, but we will never know. Do you have the log from SAS? If so, I would like to see it.

Let's start here: Contents of the 'Scheduled Tasks' folder

The first one is 2008-11-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] <<< which is likely something you set.

But look at the others; I believe they were set by the infection. If you do not know what they are, then let's remove them. You can look here:
Go to the Scheduled Tasks applet in Control Panel, right-click the task you want to delete, and select Delete from the displayed context menu. Click Yes to confirm the deletion. Be aware that you can't delete tasks you've created with the Task Scheduler Wizard from the command line using the AT command. http://support.microsoft.com/kb/308671

This is running in the HJT log:
O4 - HKUS\S-1-5-19\..\Run: [desajewitu] Rundll32.exe "C:\WINDOWS\system32\miwefoda.dll",s (User 'LOCAL SERVICE')
Do you know what this is? If not, remove it with CFScript. Here is the Google search:
http://www.google.com/search?hl=en&q=miwefoda.dll&btnG=Search

Have a look down that HJT log for anything you do not know; the above item is the only one I can not identify. If you wish to scan it before removing it, show all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

and scan with one or more of these free online scans:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
C:\WINDOWS\system32\miwefoda.dll <<< scan this file


Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
C:\WINDOWS\system32\miwefoda.dll
c:\windows\system32\88Aoc21U.exe 
c:\windows\system32\lR2dfi7G.exe
c:\windows\system32\36EG4DJf.exe

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let me know how things are running now and post the SAS log if you have it so I can see what it removed.

Thanks
 
near the end?

Sorry, but I cannot find the SAS logfile. It found about 15 infections that were very similar to the infections found by Malwarebytes - they were all Trojans with different extensions.

Here is the ComboFix Log:

ComboFix 08-11-07.01 - David 2008-11-07 17:08:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2129 [GMT -5:00]
Running from: c:\documents and settings\David\Desktop\Combo--Fix.exe
Command switches used :: c:\documents and settings\David\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\36EG4DJf.exe
c:\windows\system32\88Aoc21U.exe
c:\windows\system32\lR2dfi7G.exe
c:\windows\system32\miwefoda.dll
.

((((((((((((((((((((((((( Files Created from 2008-10-07 to 2008-11-07 )))))))))))))))))))))))))))))))
.

2008-11-07 16:58 . 2008-11-07 15:25 13,646 --a------ c:\windows\system32\wpa.dbl BACKUP
2008-11-07 16:28 . 2008-11-07 16:28 <DIR> d-------- c:\documents and settings\David\Application Data\TrueCrypt
2008-11-07 15:34 . 2008-11-07 17:08 <DIR> d-------- C:\ComboFix
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2008-11-07 15:27 . 2008-11-07 15:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\program files\iTunes
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\iPod
2008-11-07 08:36 . 2008-11-07 08:36 <DIR> d-------- c:\program files\Bonjour
2008-11-07 08:36 . 2008-11-07 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-07 08:23 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\David\Application Data\acccore
2008-11-07 08:22 . 2008-11-07 08:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-07 08:22 . 2008-11-07 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL OCP
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\AOL
2008-11-07 08:22 . 2008-11-07 08:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-11-07 08:21 . 2008-11-07 08:21 <DIR> d-------- c:\program files\Common Files\AOL
2008-11-07 08:18 . 2008-11-07 08:18 <DIR> d-------- c:\program files\Apple Software Update
2008-11-07 08:11 . 2008-11-07 08:11 <DIR> d-------- c:\program files\ACW
2008-11-07 07:33 . 2008-11-07 07:33 <DIR> d-------- c:\program files\Secunia
2008-11-07 01:36 . 2008-11-07 01:36 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\AdobeUM
2008-11-05 21:24 . 2008-11-05 21:26 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-05 19:00 . 2008-11-05 19:00 <DIR> d-------- c:\documents and settings\Diane.BEAR\Application Data\Malwarebytes
2008-11-05 18:47 . 2008-11-05 18:47 <DIR> d-------- c:\program files\Trend Micro
2008-11-04 18:44 . 2008-11-06 07:00 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-04 18:44 . 2008-11-04 18:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Lavasoft
2008-11-03 22:37 . 2008-11-03 22:37 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-03 22:37 . 2008-11-03 22:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\David\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-11-03 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-03 22:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-03 22:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-27 03:04 . 2008-10-27 03:04 7,808 --a------ c:\windows\system32\drivers\psi_mf.sys
2008-10-24 06:57 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 08:20 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 08:20 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 08:20 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 08:19 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 08:19 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 21:24 --------- d-----w c:\program files\SpeedFan
2008-11-07 14:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-07 14:02 --------- d-----w c:\program files\NCH Swift Sound
2008-11-07 14:01 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 13:59 --------- d-----w c:\program files\calendarmakereval
2008-11-07 13:31 --------- d-----w c:\program files\Java
2008-11-07 13:28 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-07 13:22 --------- d-----w c:\program files\AIM6
2008-11-07 13:19 --------- d-----w c:\program files\QuickTime
2008-11-07 13:18 --------- d-----w c:\program files\Common Files\Apple
2008-11-07 12:58 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 15:30 --------- d-----w c:\program files\Glary Utilities
2008-10-31 17:24 --------- d-----w c:\program files\SqueezeCenter
2008-10-17 11:52 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-10-04 15:15 --------- d-----w c:\documents and settings\David\Application Data\GlarySoft
2008-09-29 11:12 --------- d-----w c:\program files\Paint.NET
2008-09-23 00:51 95,960 ----a-w c:\documents and settings\Rebecca.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-20 10:44 99,648 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2008-09-19 20:46 --------- d-----w c:\program files\IObit
2008-09-19 00:32 --------- d-----w c:\program files\Avidemux 2.4
2008-09-14 03:00 95,960 ----a-w c:\documents and settings\Diane.BEAR\Application Data\GDIPFONTCACHEV1.DAT
2008-09-08 10:41 333,824 ------w c:\windows\system32\drivers\srv.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-07_15.45.13.90 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-19 02:10:48 94,920 ----a-w c:\windows\system32\cdm.dll
+ 2008-10-16 19:09:44 92,696 ----a-w c:\windows\system32\cdm.dll
- 2008-07-19 02:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 19:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-07-19 02:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 19:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-19 02:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-19 02:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 19:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-19 02:10:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 19:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-19 02:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 19:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
- 2008-11-07 19:55:38 294,864 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-11-07 22:11:33 294,864 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-07-19 02:07:34 270,880 ----a-w c:\windows\system32\mucltui.dll
+ 2008-10-16 19:06:48 268,648 ----a-w c:\windows\system32\mucltui.dll
- 2008-07-19 02:07:32 210,976 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 19:06:48 208,744 ----a-w c:\windows\system32\muweb.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2008-07-19 02:09:44 563,912 ----a-w c:\windows\system32\wuapi.dll
+ 2008-10-16 19:12:20 561,688 ----a-w c:\windows\system32\wuapi.dll
- 2008-07-19 02:10:42 53,448 ----a-w c:\windows\system32\wuauclt.exe
+ 2008-10-16 19:09:44 51,224 ----a-w c:\windows\system32\wuauclt.exe
- 2008-07-19 02:09:42 1,811,656 ----a-w c:\windows\system32\wuaueng.dll
+ 2008-10-16 19:13:40 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
- 2008-07-19 02:09:46 325,832 ----a-w c:\windows\system32\wucltui.dll
+ 2008-10-16 19:12:22 323,608 ----a-w c:\windows\system32\wucltui.dll
- 2008-07-19 02:10:20 36,552 ----a-w c:\windows\system32\wups.dll
+ 2008-10-16 19:08:58 34,328 ----a-w c:\windows\system32\wups.dll
- 2008-07-19 02:10:40 45,768 ----a-w c:\windows\system32\wups2.dll
+ 2008-10-16 19:09:44 43,544 ----a-w c:\windows\system32\wups2.dll
- 2008-07-19 02:09:44 205,000 ----a-w c:\windows\system32\wuweb.dll
+ 2008-10-16 19:13:40 202,776 ----a-w c:\windows\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-09-20 2177984]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 87584]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-26 2209224]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2006-01-13 196608]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2006-01-13 311296]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2008-10-23 1968880]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-28 160592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-08-26 c:\windows\system32\advpack.dll]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\David\Start Menu\Programs\Startup\
Secunia PSI (RC4).lnk - c:\program files\Secunia\PSI (RC4)\psi.exe [2008-10-29 695656]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
SqueezeCenter Tray Tool.lnk - c:\program files\SqueezeCenter\SqueezeTray.exe [2008-06-28 1728601]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Linksys Wireless-G Wireless Network Monitor\\WMP54GS.exe"=
"c:\\WINDOWS\\system32\\logonui.exe"=
"c:\\WINDOWS\\system32\\winlogon.exe"=
"c:\\WINDOWS\\system32\\lsass.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe [2008-10-21 4149248]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2006-01-13 18864]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2008-10-27 7808]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;c:\windows\system32\NSNDIS5.SYS [2004-03-23 17280]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a853402-2383-11dd-9258-000ea63f77b8}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2909a84-ad12-11dd-80a1-000ea63f77b8}]
\Shell\AutoRun\command - f:\truecrypt\TrueCrypt.exe
\Shell\dismount\command - f:\truecrypt\TrueCrypt.exe /q /d
\Shell\start\command - f:\truecrypt\TrueCrypt.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-07 17:12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\hphipm09.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\SQUEEZ~1\server\squeezecenter.exe
.
**************************************************************************
.
Completion time: 2008-11-07 17:16:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-07 22:16:16
ComboFix2.txt 2008-11-07 20:45:42

Pre-Run: 255,631,368,192 bytes free
Post-Run: 255,622,107,136 bytes free

230 --- E O F --- 2008-10-25 04:27:02
 
So far so good

Things appear to be OK now. I removed all items in the scheduler. I would not have thought to look there. Hoping that this is licked I'll leave the machine running overnight to see what happens. Thanks for all your help on this one.
 
Success?

It has been several hours and I think we have it licked. No errant popups. Computer is calm. Thank you for all your help pskelly. I couldn't have navigated this one without your capable assistance. Let me know if you still need anything from me. I will be very careful from here on out.
 
Thanks for taking the time to provide that feedback. Safe surfing.

Phil
 