Spybot won't run

Status
Not open for further replies.
O

okrobie

New member
Hello,
Spybot S&D was running fine until I was attacked. I ran it after I was attacked once and it detected 108 entries. The next time I tried to run it, it wouldn't run. All I get after I doubleclick the desktop icon is a flash of the hourglass.

I have already uninstalled and reinstalled it twice following the directions I found in another thread, to no avail.

I have downloaded and installed Hijackthis and it wont run either. Same symptom, just a flash of the hourglass when I doubleclick the desktop icon.

My computer is still infected. I'm running Windows XP and Spybot 1.6

Thanks for any help. Regards, Jim
 
P.S. I have also tried to install RSIT but it won't install. Got an error mesage about it not being a valid win32 application.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Hey Jim, why don't you try the directions? They are also pinned (sticky) to the top of this forum. After you read them, then post the HJT log.
Zenobia provided you a link and you seem to have ignored it?

Thanks
 
Hi pskelley, thanks for your reply. It might not seem so, but I did read (and re-read) the stickey.

You advise that I should post a HJT log. I would love to. The problem at the moment is that I can't create a logfile since I can't get HJT to run in either Safe mode or Windows. It was installed according to directions but when I doubleclick the icon all I get is a flash of the hourglass and then nothing. I also tried to install RSIT, which I understand is another logfile grabber, but without success. As I mentioned above, I aalso can't get Spybot S&D to run in Safe or windows.

I'm wondering where to go from here. Am I missing something?

Best regards, Jim
 
Jim, hackers know the tools we use, amd often block them, try these directions for a self-installer.

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Follow those directions exactly. If that does not work, then when you click the link:
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
and choose "Save this file now" make sure you are saving it to the "Desktop" but change the File name to okrobie.exe before you "Save" now follow the instructions as posted.

Thanks
 
Hi pskelley, Thanks!

I deleted the old copy of HJT and then re-installed it according to your instructions, but it still wouldn't run. I then deleted it all again and re-installed it using the "save as okrobie.exe" option, but it still won't run.

What next?

Regards, Jim
 
Does not sound good, let's give combofix a try and see what happens. Follow the directions carefully and if you can not run combofix from the Desktop in normal mode, then try booting into safe mode and running it there.
http://spyware-free.us/tutorials/safemode/

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log. <<< if possible at that point.

Thanks...Phil

Thanks
 
Hi pskelley, Thanks for the help.

I followed your instructions, read the ComboFix tutorial and installed ComboFix. It installed smoothly. I even did the little trick with the Windows Boot Disk icon. Everything smooth so far... but when I double clicked on the icon, it wouldn't run. I then booted up in safe mode with the same result... nada.

I have been staying off line as as much as possible like you suggested. The only good news is that it is stable and not getting any new symptoms.

Any plan B up your sleeve?

Thanks, Jim
 
If you can not get any program to run, it does not sound good. You may want to think about a reformat. It is unusual when nothing will run? Here is another good malware program you can try.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.


Have you thought about trying a System Restore to an earlier point?
http://support.microsoft.com/kb/306084/


Or trying this:
http://support.microsoft.com/kb/307852
 
Phil, here is the log from Malwarebytes' Anti-malware I'll re-boot now and try to run the other programs. Thanks

Malwarebytes' Anti-Malware 1.28
Database version: 1267
Windows 5.1.2600 Service Pack 2

10/13/2008 11:03:32 PM
mbam-log-2008-10-13 (23-03-32).txt

Scan type: Full Scan (C:\|)
Objects scanned: 119313
Time elapsed: 1 hour(s), 18 minute(s), 32 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 10
Files Infected: 70

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\wbszidij\sjyfefyv.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolbar.tb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54645654-2225-4455-44a1-9f4543d34545} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8fcdf9d9-a28b-480f-8c3d-581f119a8ab8} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a2aa1df5-6e92-4d92-90ea-c8739016e923} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e76bab5-f558-4345-a5fb-43e7028fa258} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b437ae7e-edc1-4a83-825e-e2cad11905e8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\icheck (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xp_antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\getsn32.msiesn (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smwin32.mdr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jbgomfijea (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\getmodule23 (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp antispyware 2009 (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\data (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Start Menu\Programs\XP_AntiSpyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\wbszidij\sjyfefyv.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\GetModule23.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\0486cc67.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\mmmatt.exe (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\n2ewsys.exe (Rogue.Spymonitor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\3nick568.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\44.exe (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\gettpa222.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\gettpa421.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Local Settings\Temp\stf8BC.tmp (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\iCheck.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\AVEngn.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033205.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033206.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032834.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032894.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032895.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP95\A0032909.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032913.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032915.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032916.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP96\A0032918.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP97\A0032938.dll (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\WINDOWS\faceback.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\smwin32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv393.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wpv473.cpx (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uesiuqcr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\crap.1187090851.old (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\iCheck\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\dicik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\GetModule\kwdik.gz (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\comp.dat (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\htmlayout.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\pthreadVC2.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Uninstall.exe (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\wscui.cpl (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\data\daily.cvd (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Program Files\XP_AntiSpyware\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Start Menu\Programs\XP_AntiSpyware\Uninstall.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Start Menu\Programs\XP_AntiSpyware\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\James T. Robson\Desktop\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\Application Data\Microsoft\Internet Explorer\Quick Launch\XP_AntiSpyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
C:\Documents and Settings\robie1\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\okrobie.MUSIC\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\James T. Robson\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
 
Hi Phil, Viola! I can now run HJT and here is the log. Thank you, Jim

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:55 PM, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.turbotax.com
O18 - Filter hijack: text/html - {863eaa62-57ba-4cd6-b38c-d2185624e47a} - C:\WINDOWS\system32\msziptools.dll
O20 - AppInit_DLLs: karna.dat
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 7356 bytes
 
Thanks Jim, MBAM did a fantastic job, what a freeware tool!! Let's see if we can get combofix to run, it may remove malware MBAM does not have in it's databases, I see a little more junk in the HJT log.

1) C:\Program Files\Java\jre1.6.0_02\ <<< update Java, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks...Phil
 
Thanks Phil, Here are the two logs you requested:

ComboFix 08-10-14.03 - James T. Robson 2008-10-14 16:01:45.1 - NTFSx86
Running from: C:\Documents and Settings\James T. Robson\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James T. Robson\Application Data\Install.dat
C:\Program Files\INSTALL.LOG
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll
C:\WINDOWS\Downloaded Program Files\temp
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\start.exe
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-14 01:07 . 2008-10-14 01:07 <DIR> d--hsc--- C:\Documents and Settings\James T. Robson\PrivacIE
2008-10-14 00:53 . 2008-10-14 00:55 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-13 21:01 . 2008-10-13 21:02 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\James T. Robson\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-09-10 00:04 38,528 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-13 21:01 . 2008-09-10 00:03 17,200 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 15:33 . 2008-10-13 15:33 <DIR> d----c--- C:\Program Files\Trend Micro
2008-10-12 19:08 . 2008-10-12 19:08 <DIR> d----c--- C:\rsit
2008-10-12 14:44 . 2008-10-13 23:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-12 10:51 . 2008-10-12 10:51 <DIR> d----c--- C:\Documents and Settings\robie1\Application Data\AT&T
2008-10-12 10:51 . 2008-10-12 10:51 86,016 --a--c--- C:\WINDOWS\system32\cdgjejep.exe
2008-10-12 09:46 . 2008-10-12 11:09 65,428 --a--c--- C:\WINDOWS\system32\wini10451631.exe
2008-10-12 09:18 . 2008-10-12 09:18 86,016 --a--c--- C:\WINDOWS\system32\hudklklw.exe
2008-10-12 04:13 . 2008-10-12 04:13 77,824 --a--c--- C:\WINDOWS\system32\kzwnqxuj.exe
2008-10-12 02:06 . 2008-10-12 02:06 <DIR> d----c--- C:\Documents and Settings\okrobie.MUSIC\Application Data\AT&T
2008-10-12 02:06 . 2008-10-12 02:06 77,824 --a--c--- C:\WINDOWS\system32\czanohgz.exe
2008-10-11 23:16 . 2008-10-11 23:16 77,824 --a--c--- C:\WINDOWS\system32\byxkbkrm.exe
2008-10-11 19:01 . 2008-10-13 23:03 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\wbszidij
2008-10-11 19:01 . 2008-10-11 19:01 77,824 --a--c--- C:\WINDOWS\system32\mbgjcdij.exe
2008-10-11 19:00 . 2008-10-11 19:00 71,715 --a--c--- C:\WINDOWS\system32\syvkqpiicj.exe
2008-10-09 23:44 . 2008-10-09 23:44 <DIR> d----c--- C:\NFRoot
2008-10-09 20:45 . 2008-10-09 20:45 7,704 --a------ C:\WINDOWS\system32\msziptools.dll
2008-10-09 19:51 . 2008-10-09 19:51 357 --a--c--- C:\Shortcut to NFRoot.lnk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 03:32 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-10-12 18:24 --------- dc----w C:\Documents and Settings\James T. Robson\Application Data\Spybot - Search & Destroy
2008-10-10 00:54 --------- dc----w C:\Program Files\VCW VicMan's Photo Editor
2008-10-10 00:28 --------- dc----w C:\Program Files\TurboTax
2008-10-10 00:23 --------- dc----w C:\Program Files\Ahead
2003-04-08 03:50 36,199 -c--a-w C:\Program Files\auctionmagic.exe
2003-03-25 05:16 266 --sh--w C:\Program Files\desktop.ini
2003-03-25 05:16 11,079 -c-ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 1,265,783 2004-02-18 14:51:44 C:\Program Files\Ahead\InCD\bak\InCD.exe

-c--a-w 892,928 2004-03-18 14:33:26 C:\Program Files\Logitech\iTouch\bak\iTouch.exe

-c--a-w 473,928 2005-07-12 20:35:18 C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe

-c--a-w 1,359,872 2006-05-15 02:59:20 C:\Program Files\PC TechZone\AuctionMagic7\bak\Snipe.exe
-c--a-w 1,372,160 2008-05-04 04:06:58 C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe

-c--a-w 77,824 2005-04-02 10:23:49 C:\Program Files\QuickTime\bak\qttask.exe

-c--a-w 1,976,544 2005-12-13 21:13:36 C:\Program Files\Spyware Doctor\bak\swdoctor.exe

-c--a-w 1,860,608 2002-04-22 20:40:12 C:\Program Files\TimeCalendarLE\bak\TCLE.exe
----a-w 1,860,608 2002-04-22 20:40:12 C:\Program Files\TimeCalendarLE\TCLE.exe

-c--a-w 3,896,832 2006-03-27 06:50:10 C:\Program Files\Yagoon\Time\bak\Time.exe

-c--a-r 28,672 2002-10-30 09:40:34 C:\WINDOWS\bak\htpatch.exe

-c--a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

-c--a-r 155,648 2001-07-09 10:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TimeCalendar"="C:\Program Files\TimeCalendarLE\TCLE.exe" [2002-04-22 1860608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MerlinSnipe"="C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe" [2008-05-04 1372160]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 323216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"Cmaudio"="cmicnfg.cpl" [2002-11-01 C:\WINDOWS\system32\CMICNFG.CPL]
"MsmqIntCert"="mqrt.dll" [2004-08-04 C:\WINDOWS\system32\mqrt.dll]
"RegistryMechanic"="" [N/A]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

C:\Documents and Settings\James T. Robson\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2005-03-22 32768]
Launch Outlook Express.lnk - C:\Program Files\Outlook Express\Msimn.exe [2005-02-25 60416]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\Findfast.exe [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\Osa.exe [1996-11-17 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30000:TCP"= 30000:TCP:Web Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James T. Robson\Application Data\Mozilla\Firefox\Profiles\lkvhatoc.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 16:13:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 16384 bytes
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat

scan completed successfully
hidden files: 15

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\WINDOWS\system32\msdtc.exe
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.exe
C:\Program Files\Mail Enable\Bin\MEMTA.exe
C:\Program Files\Mail Enable\Bin\MEPOC.exe
C:\Program Files\Mail Enable\Bin\MEPOPS.exe
C:\Program Files\Mail Enable\Bin\MESMTPC.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-10-14 16:23:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-14 20:23:27

Pre-Run: 62,386,860,032 bytes free
Post-Run: 63,638,523,904 bytes free

184 --- E O F --- 2007-08-27 03:10:48


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:21 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Napster\napster.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223958421265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223958690312
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 7630 bytes
 
Thanks for returning this information, this is indeed a very infected computer. You also have this infection:
http://research.sunbelt-software.co...e=Trojan-Downloader.Agent.AWF&threatid=134083

combofix will usually remove it, if not we have a complex manual removal on our hands. Please read and follow the directions carefully, and in the numbered order.

1) C:\Program Files\Java\jre1.6.0_02\ <<< out of date, see this information.
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open notepad and copy/paste the text in the codebox below into it:

Code: 
AWF::
C:\Program Files\Ahead\InCD\bak\InCD.exe
C:\Program Files\Logitech\iTouch\bak\iTouch.exe
C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe
C:\Program Files\PC TechZone\AuctionMagic7\bak\Snipe.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Spyware Doctor\bak\swdoctor.exe
C:\Program Files\TimeCalendarLE\bak\TCLE.exe
C:\Program Files\Yagoon\Time\bak\Time.exe
C:\WINDOWS\bak\htpatch.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\NeroCheck.exe

File::
C:\WINDOWS\system32\cdgjejep.exe
C:\WINDOWS\system32\wini10451631.exe
C:\WINDOWS\system32\hudklklw.exe
C:\WINDOWS\system32\kzwnqxuj.exe
C:\WINDOWS\system32\czanohgz.exe
C:\WINDOWS\system32\byxkbkrm.exe
C:\WINDOWS\system32\mbgjcdij.exe
C:\WINDOWS\system32\syvkqpiicj.exe
C:\WINDOWS\system32\msziptools.dll
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat

Folder::
C:\Documents and Settings\All Users\Application Data\wbszidij

Save this as CFScript

CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

6) Update MBAM and run another scan.

Post the log from CFScript, the log from MBAM and a new HJT log.

How is the computer running?

Thanks
 
Phil, Item 1: Good catch on the Java thing. That is an old problem which has been present for over a year. It seems that I have been robbed of my administrative privileges so I haven't been able to update anything including Windows and Java for a very long time. I can't install printer drivers or anything. Sorry I forgot to mention it. Should I proceed to the next item or do we need to work on that first? When I go to the control panel and try to change my logon it says that I am an administrator. Its just that my privileges don't work.

Thanks, Jim

P.S. Right now hyper links are not working from web pages but especially this one http://forums.spybot.info/showpost.p...80&postcount=2
looks like too many dots. I have cut and paste it into a browser and it won't work.
 
Last edited:
Hi Phil, Here are the logs you requested:

ComboFix 08-10-14.07 - James T. Robson 2008-10-14 20:03:18.3 - NTFSx86

Running from: C:\Documents and Settings\James T. Robson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James T. Robson\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\byxkbkrm.exe
C:\WINDOWS\system32\cdgjejep.exe
C:\WINDOWS\system32\czanohgz.exe
C:\WINDOWS\system32\hudklklw.exe
C:\WINDOWS\system32\kzwnqxuj.exe
C:\WINDOWS\system32\mbgjcdij.exe
C:\WINDOWS\system32\msziptools.dll
C:\WINDOWS\system32\syvkqpiicj.exe
C:\WINDOWS\system32\wini10451631.exe
C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat
.

((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-14 01:07 . 2008-10-14 01:07 <DIR> d--hsc--- C:\Documents and Settings\James T. Robson\PrivacIE
2008-10-14 00:53 . 2008-10-14 00:55 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-13 21:01 . 2008-10-13 21:02 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\James T. Robson\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-09-10 00:04 38,528 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-13 21:01 . 2008-09-10 00:03 17,200 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 15:33 . 2008-10-13 15:33 <DIR> d----c--- C:\Program Files\Trend Micro
2008-10-12 19:08 . 2008-10-12 19:08 <DIR> d----c--- C:\rsit
2008-10-12 14:44 . 2008-10-13 23:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-12 10:51 . 2008-10-12 10:51 <DIR> d----c--- C:\Documents and Settings\robie1\Application Data\AT&T
2008-10-12 02:06 . 2008-10-12 02:06 <DIR> d----c--- C:\Documents and Settings\okrobie.MUSIC\Application Data\AT&T
2008-10-09 23:44 . 2008-10-09 23:44 <DIR> d----c--- C:\NFRoot
2008-10-09 19:51 . 2008-10-09 19:51 357 --a--c--- C:\Shortcut to NFRoot.lnk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 22:15 --------- dc----w C:\Program Files\TimeCalendarLE
2008-10-14 22:15 --------- dc----w C:\Program Files\Spyware Doctor
2008-10-14 22:15 --------- dc----w C:\Program Files\QuickTime
2008-10-14 22:15 --------- dc----w C:\Program Files\Microsoft AntiSpyware
2008-10-14 03:32 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-10-12 18:24 --------- dc----w C:\Documents and Settings\James T. Robson\Application Data\Spybot - Search & Destroy
2008-10-10 00:54 --------- dc----w C:\Program Files\VCW VicMan's Photo Editor
2008-10-10 00:28 --------- dc----w C:\Program Files\TurboTax
2008-10-10 00:23 --------- dc----w C:\Program Files\Ahead
2008-08-22 07:08 878,592 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 07:08 43,008 -c--a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 07:07 18,944 -c--a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 07:06 72,704 -c--a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 07:06 71,680 -c--a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 07:06 434,176 -c--a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 07:05 48,640 -c----w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 07:05 48,128 -c--a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 07:05 35,840 -c--a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 07:04 45,568 -c--a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 06:57 156,160 -c--a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 21:55 265,720 -c--a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-19 02:08 205,000 -c--a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:07 210,976 -c--a-w C:\WINDOWS\system32\muweb.dll
2003-04-08 03:50 36,199 -c--a-w C:\Program Files\auctionmagic.exe
2003-03-25 05:16 266 --sh--w C:\Program Files\desktop.ini
2003-03-25 05:16 11,079 -c-ha-w C:\Program Files\folder.htt
2001-11-23 18:08 712,704 -c--a-r C:\WINDOWS\inf\Other\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-10-14_16.22.13.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-10-30 09:40:34 28,672 -c--a-w C:\WINDOWS\htpatch.exe
+ 2001-07-09 10:50:42 155,648 -c--a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2008-10-14 23:52:40 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_700.dat
- 2008-10-14 20:19:39 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 00:03:21 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TimeCalendar"="C:\Program Files\TimeCalendarLE\TCLE.exe" [2002-04-22 1860608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MerlinSnipe"="C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe" [2006-05-14 1359872]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 323216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"Cmaudio"="cmicnfg.cpl" [2002-11-01 C:\WINDOWS\system32\CMICNFG.CPL]
"MsmqIntCert"="mqrt.dll" [2004-08-04 C:\WINDOWS\system32\mqrt.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

C:\Documents and Settings\James T. Robson\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2005-03-22 32768]
Launch Outlook Express.lnk - C:\Program Files\Outlook Express\Msimn.exe [2005-02-25 60416]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\Findfast.exe [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\Osa.exe [1996-11-17 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30000:TCP"= 30000:TCP:Web Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 20:07:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 16384 bytes
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat

scan completed successfully
hidden files: 15

**************************************************************************
.
Completion time: 2008-10-14 20:11:11
ComboFix-quarantined-files.txt 2008-10-15 00:10:40
ComboFix2.txt 2008-10-14 22:19:30
ComboFix3.txt 2008-10-14 20:23:35

Pre-Run: 63,623,327,744 bytes free
Post-Run: 63,607,615,488 bytes free

163 --- E O F --- 2007-08-27 03:10:48


Malwarebytes' Anti-Malware 1.28
Database version: 1267
Windows 5.1.2600 Service Pack 2

10/14/2008 9:38:53 PM
mbam-log-2008-10-14 (21-38-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 113781
Time elapsed: 1 hour(s), 17 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033296.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033297.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033298.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033299.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033300.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033301.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033302.exe (Trojan.Matcash) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033303.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033304.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F68C2305-30EE-4DFF-8F57-B648EEA8EC0D}\RP103\A0033353.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:11 PM, on 10/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Mail Enable\Bin\MELSC.EXE
C:\Program Files\Mail Enable\Bin\MEMTA.EXE
C:\Program Files\Mail Enable\Bin\MEPOC.EXE
C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
C:\Program Files\TimeCalendarLE\TCLE.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\V3CallCenter\V3faxecp.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.194.230.197:3128
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [MerlinSnipe] C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe quiet
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe /P HelpCenter4.1
O4 - HKCU\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [TimeCalendar] "C:\Program Files\TimeCalendarLE\TCLE.exe" auto (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1957994488-706699826-725345543-1003\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User '?')
O4 - S-1-5-21-1957994488-706699826-725345543-1003 Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User '?')
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CallCenter Printer Interface.lnk = C:\Program Files\V3CallCenter\V3faxecp.exe
O4 - Global Startup: Launch Outlook Express.lnk = C:\Program Files\Outlook Express\MSIMN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Download using Download &Express - file://C:\Program Files\Download Express\Add_Url.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1223958421265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223958690312
O18 - Filter hijack: text/html - {8c7ead1f-0863-4758-b9a5-07979bb77561} - C:\WINDOWS\system32\msziptools.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\CADopia\INTELL~2\LicenseManager\lmgrd.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MailEnable List Connector (MELCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MELSC.EXE
O23 - Service: MailEnable Mail Transfer Agent (MEMTAS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEMTA.EXE
O23 - Service: MailEnable Postoffice Connector (MEPOCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MEPOC.EXE
O23 - Service: MailEnable POP Service (MEPOPS) - Unknown owner - C:\Program Files\Mail Enable\Bin\MEPOPS.EXE
O23 - Service: MailEnable SMTP Connector (MESMTPCS) - MailEnable Pty Ltd - C:\Program Files\Mail Enable\Bin\MESMTPC.EXE
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - C:\PROGRA~1\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

--
End of file - 7698 bytes
 
How is the computer running?
Click to expand...

See this information:
http://www.prevx.com/filenames/X882145234024887170-0/MSZIPTOOLS2EDLL.html

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O18 - Filter hijack: text/html - {8c7ead1f-0863-4758-b9a5-07979bb77561} - C:\WINDOWS\system32\msziptools.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\msziptools.dll <<< delete that file


This is the next step we must take:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

RC1-4.gif


Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif



Would you also post an uninstall list.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)

Thanks
 
Hi Phil, Thanks for all your help... and your patience.

The computer is running basically pretty good. The only anomalies are the failure of some hyper links to work, especially the truncated ones and my Merlin Snipe program can't logon to eBay. When I go to eBay through the browser I get a warning message about how I am about to view pages over a secure connection... Maybe I have increased my security level on the browser. Other than that it is operating "normally".

I did what you said on HJT with the msziptools.dll but it didn't work. I navigated to it manually and it was still there and I could not delete it manually. I got a message stating that it was in use. I went to the task manager and it was not on the list of active processes.

The recovery console was not installed because I did the drag and drop thing before it was allowed to run it obviously didn't realize this. It is running now and here is the log:

ComboFix 08-10-14.07 - James T. Robson 2008-10-15 9:39:37.4 - NTFSx86

Running from: C:\Documents and Settings\James T. Robson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James T. Robson\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.

2008-10-14 21:26 . 2008-10-14 21:26 7,704 --a--c--- C:\WINDOWS\system32\msziptools.dll
2008-10-14 01:07 . 2008-10-14 01:07 <DIR> d--hsc--- C:\Documents and Settings\James T. Robson\PrivacIE
2008-10-14 00:53 . 2008-10-14 00:55 <DIR> d--h-c--- C:\WINDOWS\ie8
2008-10-13 21:01 . 2008-10-13 21:02 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\James T. Robson\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-10-13 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-13 21:01 . 2008-09-10 00:04 38,528 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-13 21:01 . 2008-09-10 00:03 17,200 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-10-13 15:33 . 2008-10-13 15:33 <DIR> d----c--- C:\Program Files\Trend Micro
2008-10-12 19:08 . 2008-10-12 19:08 <DIR> d----c--- C:\rsit
2008-10-12 14:44 . 2008-10-13 23:32 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-12 10:51 . 2008-10-12 10:51 <DIR> d----c--- C:\Documents and Settings\robie1\Application Data\AT&T
2008-10-12 02:06 . 2008-10-12 02:06 <DIR> d----c--- C:\Documents and Settings\okrobie.MUSIC\Application Data\AT&T
2008-10-09 23:44 . 2008-10-09 23:44 <DIR> d----c--- C:\NFRoot
2008-10-09 19:51 . 2008-10-09 19:51 357 --a--c--- C:\Shortcut to NFRoot.lnk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 22:15 --------- dc----w C:\Program Files\TimeCalendarLE
2008-10-14 22:15 --------- dc----w C:\Program Files\Spyware Doctor
2008-10-14 22:15 --------- dc----w C:\Program Files\QuickTime
2008-10-14 22:15 --------- dc----w C:\Program Files\Microsoft AntiSpyware
2008-10-14 03:32 --------- dc----w C:\Program Files\Spybot - Search & Destroy
2008-10-12 18:24 --------- dc----w C:\Documents and Settings\James T. Robson\Application Data\Spybot - Search & Destroy
2008-10-10 00:54 --------- dc----w C:\Program Files\VCW VicMan's Photo Editor
2008-10-10 00:28 --------- dc----w C:\Program Files\TurboTax
2008-10-10 00:23 --------- dc----w C:\Program Files\Ahead
2008-08-22 07:08 878,592 -c--a-w C:\WINDOWS\system32\wininet.dll
2008-08-22 07:08 43,008 -c--a-w C:\WINDOWS\system32\licmgr10.dll
2008-08-22 07:07 18,944 -c--a-w C:\WINDOWS\system32\corpol.dll
2008-08-22 07:06 72,704 -c--a-w C:\WINDOWS\system32\admparse.dll
2008-08-22 07:06 71,680 -c--a-w C:\WINDOWS\system32\iesetup.dll
2008-08-22 07:06 434,176 -c--a-w C:\WINDOWS\system32\vbscript.dll
2008-08-22 07:05 48,640 -c----w C:\WINDOWS\system32\PrivacIE.dll
2008-08-22 07:05 48,128 -c--a-w C:\WINDOWS\system32\mshtmler.dll
2008-08-22 07:05 35,840 -c--a-w C:\WINDOWS\system32\imgutil.dll
2008-08-22 07:04 45,568 -c--a-w C:\WINDOWS\system32\mshta.exe
2008-08-22 06:57 156,160 -c--a-w C:\WINDOWS\system32\msls31.dll
2008-08-05 21:55 265,720 -c--a-w C:\WINDOWS\system32\msdbg2.dll
2008-07-19 02:08 205,000 -c--a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 02:07 210,976 -c--a-w C:\WINDOWS\system32\muweb.dll
2003-04-08 03:50 36,199 -c--a-w C:\Program Files\auctionmagic.exe
2003-03-25 05:16 266 --sh--w C:\Program Files\desktop.ini
2003-03-25 05:16 11,079 -c-ha-w C:\Program Files\folder.htt
2001-11-23 18:08 712,704 -c--a-r C:\WINDOWS\inf\Other\AUDIO3D.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-10-14_16.22.13.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-10-30 09:40:34 28,672 -c--a-w C:\WINDOWS\htpatch.exe
+ 2001-07-09 10:50:42 155,648 -c--a-w C:\WINDOWS\system32\NeroCheck.exe
+ 2008-10-15 03:33:48 16,384 -c--atw C:\WINDOWS\Temp\Perflib_Perfdata_588.dat
- 2008-10-14 20:19:39 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
+ 2008-10-15 13:39:40 16,171,008 -c--a-w C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TimeCalendar"="C:\Program Files\TimeCalendarLE\TCLE.exe" [2002-04-22 1860608]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2004-11-22 307200]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MerlinSnipe"="C:\Program Files\PC TechZone\AuctionMagic7\Snipe.exe" [2006-05-14 1359872]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2007-01-12 323216]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ISW.exe"="C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="C:\Program Files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe" [2007-06-28 198184]
"Cmaudio"="cmicnfg.cpl" [2002-11-01 C:\WINDOWS\system32\CMICNFG.CPL]
"MsmqIntCert"="mqrt.dll" [2004-08-04 C:\WINDOWS\system32\mqrt.dll]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 C:\WINDOWS\soundman.exe]

C:\Documents and Settings\James T. Robson\Start Menu\Programs\Startup\
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
CallCenter Printer Interface.lnk - C:\Program Files\V3CallCenter\V3faxecp.exe [2005-03-22 32768]
Launch Outlook Express.lnk - C:\Program Files\Outlook Express\Msimn.exe [2005-02-25 60416]
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\Findfast.exe [1996-11-17 111376]
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\Osa.exe [1996-11-17 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"30000:TCP"= 30000:TCP:Web Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James T. Robson\Application Data\Mozilla\Firefox\Profiles\lkvhatoc.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 09:42:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\Perflib_Perfdata_100.dat 16384 bytes
C:\WINDOWS\TEMP\Perflib_Perfdata_104.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_124.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_140.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_174.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_184.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1c4.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1f0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_1fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_318.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5e0.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5f8.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_5fc.dat
C:\WINDOWS\TEMP\Perflib_Perfdata_638.dat

scan completed successfully
hidden files: 15

**************************************************************************
.
Completion time: 2008-10-15 9:46:08
ComboFix-quarantined-files.txt 2008-10-15 13:45:53
ComboFix2.txt 2008-10-15 00:12:29
ComboFix3.txt 2008-10-14 22:19:30
ComboFix4.txt 2008-10-14 20:23:35

Pre-Run: 63,539,408,896 bytes free
Post-Run: 63,553,429,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

152 --- E O F --- 2007-08-27 03:10:48


Here is the uninstall list from HJT:

Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 7.0
AT&T Internet Security Wizard 1.5.11
ATT-NAP
AusLogics Disk Defrag
BellSouth Application Management
CADopia IntelliCAD 5 Standard
C-Media WDM Audio Driver
Cox Online Support Controls
e-AA
EASEUS Partition Manager 1.6.2
Enhancement Browser Tools Bigadnetwork
FastAccess® DSL Help Center 4.1
Fastream IQ Web/FTP Server Engine
Fastream IQ Web/FTP Server GUI
FREE CallCenter
GEAR Replicator
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
HTMLGATE FREE version 12.2.1B
InCD EasyWrite Reader
IntelliCAD 5 Standard v.5.1.5.05 Standard Edition
ItsDeductible Express
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 2
Logitech iTouch Software
MailEnable Messaging Services for Windows NT/2000
Malwarebytes' Anti-Malware
Merlin AuctionMagic
Merlin AuctionMagic

MSIDVD
MSN Music Assistant
Napster
Napster Burn Engine
Nero Media Player
Nero OEM
PHPRunner 2.0
R-Drive Image (remove only)
Realtek AC'97 Audio
Registry Mechanic 5.1
SafeCast Shared Components
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player 10 (KB936782)

SiS 650_650GL_650GX_651
Sony DPP-SV55
Spybot - Search & Destroy
SpywareBlaster v3.5.1
TimeCalendar LE 1.6.3
TurboTax Deluxe Deduction Maximizer 2006

VCW VicMan's Photo Editor 8.1
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8 Beta 2
Windows Media Format Runtime
Windows Media Player 10

Yagoon Time 2.31
Yahoo! Install Manager
Yahoo! Toolbar

Thanks again for everything. I'm 66 years old and a little slow sometimes.

Regards, Jim
 
Status
Not open for further replies.
Back
Top