Virus du jour, apparently - Virtumonde victim

Status
Not open for further replies.
L

loopdiloop

New member
Hello

We just scanned this computer tonite with Spybot S&D after it was painfully slow and unresponsive (did a CCleaner first just to make it semi-operable) and came up with Virtumonde twice.

Can you please help me finish my thesis by fixing my computer?:euro:

HJT log below:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:28:44 PM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Erinmartin\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ERINMARTIN\Application Data\Mozilla\Profiles\default\w85s1rzk.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [SpybotDeletingA3416] command /c del "C:\WINDOWS\SYSTEM32\~.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3079] cmd /c del "C:\WINDOWS\SYSTEM32\~.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6769] command /c del "C:\WINDOWS\SYSTEM32\~.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4490] cmd /c del "C:\WINDOWS\SYSTEM32\~.exe"
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6583 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.

1) You need to read the "Before you post" directions again, HJT is not located according to the directions, please do this to correct that:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until I ask for a log later.

2) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
 
Thank you for your very explicit directions PS Kelley.
Following is the: 1) Combo fix log 2) HJT log and 3) Uninstall log.


ComboFix 09-01-02.01 - Erinmartin 2009-01-03 14:31:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.97 [GMT -8:00]
Running from: c:\documents and settings\Erinmartin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-03 14:18 . 2009-01-03 14:18 <DIR> d-------- c:\program files\Trend Micro
2009-01-01 10:44 . 2005-09-10 09:34 102,520 --a------ c:\windows\TrueInstall.exe
2008-12-29 18:44 . 2008-12-29 18:49 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 18:44 . 2009-01-03 14:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 08:38 . 2008-12-23 08:38 <DIR> d-------- c:\windows\SYSTEM32\scripting
2008-12-23 08:38 . 2008-12-23 08:38 <DIR> d-------- c:\windows\SYSTEM32\en
2008-12-23 08:38 . 2008-12-23 08:38 <DIR> d-------- c:\windows\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 18:36 --------- d-----w c:\program files\Yahoo!
2009-01-01 18:33 --------- d-----w c:\program files\Common Files\Scanner
2008-12-31 04:44 --------- d-----w c:\program files\CCleaner
2008-11-04 03:07 --------- d-----w c:\documents and settings\Erinmartin\Application Data\Image Zone Express
2005-09-14 03:10 63,192 ----a-w c:\documents and settings\Erinmartin\Application Data\GDIPFONTCACHEV1.DAT
2004-05-31 01:45 15,183 ----a-w c:\program files\uninstal.log
2007-03-12 09:01 66,672 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-03-12 09:01 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-03-12 09:01 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-03-12 09:01 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-03-12 09:01 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyStartUp10.0"="c:\program files\Microsoft Money\System\Activation.exe" [2001-07-25 241714]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"MCAgentExe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2002-09-06 192512]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2002-09-04 151552]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2006-01-17 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-22 77824]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-12 180269]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.exe [2005-09-07 335979]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Erinmartin^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=c:\documents and settings\Erinmartin\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=c:\windows\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-12-17 09:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-10-19 07:59 126976 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-10-19 07:59 155648 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 15:45 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
--a------ 2004-04-13 19:45 290905 c:\windows\SYSTEM32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-22 21:39 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-09-12 08:06 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 03:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YPCService"=3 (0x3)
"VETMSGNT"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"CAISafe"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"35190:TCP"= 35190:TCP:PORT_35190
"5246:TCP"= 5246:TCP:PORT_5246
"14031:TCP"= 14031:TCP:PORT_14031
"40434:TCP"= 40434:TCP:PORT_40434
"6211:TCP"= 6211:TCP:PORT_6211
"8614:TCP"= 8614:TCP:PORT_8614
"57586:TCP"= 57586:TCP:PORT_57586
"56121:TCP"= 56121:TCP:PORT_56121
"22008:TCP"= 22008:TCP:PORT_22008
"58184:TCP"= 58184:TCP:PORT_58184
"61805:TCP"= 61805:TCP:PORT_61805
"51348:TCP"= 51348:TCP:PORT_51348
"10790:TCP"= 10790:TCP:PORT_10790
"49918:TCP"= 49918:TCP:PORT_49918
"54114:TCP"= 54114:TCP:PORT_54114
"52098:TCP"= 52098:TCP:PORT_52098
"63935:TCP"= 63935:TCP:PORT_63935
"59117:TCP"= 59117:TCP:PORT_59117
"57629:TCP"= 57629:TCP:PORT_57629
"53941:TCP"= 53941:TCP:PORT_53941
"60223:TCP"= 60223:TCP:PORT_60223
"40036:TCP"= 40036:TCP:PORT_40036
"15520:TCP"= 15520:TCP:PORT_15520
"33066:TCP"= 33066:TCP:PORT_33066
"45832:TCP"= 45832:TCP:PORT_45832
"43629:TCP"= 43629:TCP:PORT_43629
"21297:TCP"= 21297:TCP:PORT_21297
"32981:TCP"= 32981:TCP:PORT_32981
"23118:TCP"= 23118:TCP:PORT_23118
"17126:TCP"= 17126:TCP:PORT_17126
"23973:TCP"= 23973:TCP:PORT_23973
"34504:TCP"= 34504:TCP:PORT_34504
"8246:TCP"= 8246:TCP:PORT_8246
"43981:TCP"= 43981:TCP:PORT_43981
"31954:TCP"= 31954:TCP:PORT_31954
"43376:TCP"= 43376:TCP:PORT_43376
"13711:TCP"= 13711:TCP:PORT_13711
"28086:TCP"= 28086:TCP:PORT_28086
"24910:TCP"= 24910:TCP:PORT_24910
"43129:TCP"= 43129:TCP:PORT_43129
"61395:TCP"= 61395:TCP:PORT_61395
"61423:TCP"= 61423:TCP:PORT_61423
"56293:TCP"= 56293:TCP:PORT_56293
"48213:TCP"= 48213:TCP:PORT_48213
"41407:TCP"= 41407:TCP:PORT_41407
"61664:TCP"= 61664:TCP:PORT_61664
"46943:TCP"= 46943:TCP:PORT_46943
"7453:TCP"= 7453:TCP:PORT_7453
"11676:TCP"= 11676:TCP:PORT_11676
"41228:TCP"= 41228:TCP:PORT_41228
"22976:TCP"= 22976:TCP:PORT_22976
"22708:TCP"= 22708:TCP:PORT_22708
"49473:TCP"= 49473:TCP:PORT_49473
"41465:TCP"= 41465:TCP:PORT_41465
"19790:TCP"= 19790:TCP:PORT_19790
"36810:TCP"= 36810:TCP:PORT_36810
"58543:TCP"= 58543:TCP:PORT_58543
"47969:TCP"= 47969:TCP:PORT_47969
"17868:TCP"= 17868:TCP:PORT_17868
"40415:TCP"= 40415:TCP:PORT_40415
"42676:TCP"= 42676:TCP:PORT_42676
"29591:TCP"= 29591:TCP:PORT_29591
"20840:TCP"= 20840:TCP:PORT_20840
"7625:TCP"= 7625:TCP:PORT_7625
"33845:TCP"= 33845:TCP:PORT_33845
"43172:TCP"= 43172:TCP:PORT_43172
"28832:TCP"= 28832:TCP:PORT_28832
"59098:TCP"= 59098:TCP:PORT_59098
"37851:TCP"= 37851:TCP:PORT_37851
"63169:TCP"= 63169:TCP:PORT_63169
"52035:TCP"= 52035:TCP:PORT_52035
"64203:TCP"= 64203:TCP:PORT_64203
"25360:TCP"= 25360:TCP:PORT_25360
"23800:TCP"= 23800:TCP:PORT_23800
"7423:TCP"= 7423:TCP:PORT_7423
"51180:TCP"= 51180:TCP:PORT_51180
"61180:TCP"= 61180:TCP:PORT_61180
"14360:TCP"= 14360:TCP:PORT_14360
"41072:TCP"= 41072:TCP:PORT_41072
"5337:TCP"= 5337:TCP:PORT_5337
"28854:TCP"= 28854:TCP:PORT_28854
"11122:TCP"= 11122:TCP:PORT_11122
"37653:TCP"= 37653:TCP:PORT_37653
"40282:TCP"= 40282:TCP:PORT_40282
"22723:TCP"= 22723:TCP:PORT_22723
"60891:TCP"= 60891:TCP:PORT_60891
"51165:TCP"= 51165:TCP:PORT_51165
"41720:TCP"= 41720:TCP:PORT_41720
"52376:TCP"= 52376:TCP:PORT_52376
"10969:TCP"= 10969:TCP:PORT_10969
"9379:TCP"= 9379:TCP:PORT_9379
"54298:TCP"= 54298:TCP:PORT_54298
"47035:TCP"= 47035:TCP:PORT_47035
"42988:TCP"= 42988:TCP:PORT_42988
"11251:TCP"= 11251:TCP:PORT_11251
"54391:TCP"= 54391:TCP:PORT_54391
"32430:TCP"= 32430:TCP:PORT_32430
"20223:TCP"= 20223:TCP:PORT_20223
"13613:TCP"= 13613:TCP:PORT_13613
"45885:TCP"= 45885:TCP:PORT_45885
"16750:TCP"= 16750:TCP:PORT_16750
"18775:TCP"= 18775:TCP:PORT_18775
"23685:TCP"= 23685:TCP:PORT_23685
"38036:TCP"= 38036:TCP:PORT_38036
"57738:TCP"= 57738:TCP:PORT_57738
"32477:TCP"= 32477:TCP:PORT_32477
"38513:TCP"= 38513:TCP:PORT_38513
"36828:TCP"= 36828:TCP:PORT_36828
"33166:TCP"= 33166:TCP:PORT_33166
"38379:TCP"= 38379:TCP:PORT_38379
"27388:TCP"= 27388:TCP:PORT_27388
"23310:TCP"= 23310:TCP:PORT_23310
"38161:TCP"= 38161:TCP:PORT_38161
"61138:TCP"= 61138:TCP:PORT_61138
"13880:TCP"= 13880:TCP:PORT_13880
"38766:TCP"= 38766:TCP:PORT_38766
"23431:TCP"= 23431:TCP:PORT_23431
"11183:TCP"= 11183:TCP:PORT_11183
"24606:TCP"= 24606:TCP:PORT_24606
"24840:TCP"= 24840:TCP:PORT_24840
"34832:TCP"= 34832:TCP:PORT_34832
"15473:TCP"= 15473:TCP:PORT_15473
"22411:TCP"= 22411:TCP:PORT_22411
"43328:TCP"= 43328:TCP:PORT_43328
"50770:TCP"= 50770:TCP:PORT_50770
"6953:TCP"= 6953:TCP:PORT_6953
"5231:TCP"= 5231:TCP:PORT_5231
"6086:TCP"= 6086:TCP:PORT_6086
"24285:TCP"= 24285:TCP:PORT_24285
"46645:TCP"= 46645:TCP:PORT_46645
"37889:TCP"= 37889:TCP:PORT_37889
"40325:TCP"= 40325:TCP:PORT_40325
"27989:TCP"= 27989:TCP:PORT_27989
"63363:TCP"= 63363:TCP:PORT_63363
"10188:TCP"= 10188:TCP:PORT_10188
"64869:TCP"= 64869:TCP:PORT_64869
"50005:TCP"= 50005:TCP:PORT_50005
"56946:TCP"= 56946:TCP:PORT_56946
"46375:TCP"= 46375:TCP:PORT_46375
"51223:TCP"= 51223:TCP:PORT_51223
"54489:TCP"= 54489:TCP:PORT_54489
"51879:TCP"= 51879:TCP:PORT_51879
"30453:TCP"= 30453:TCP:PORT_30453
"58637:TCP"= 58637:TCP:PORT_58637
"20508:TCP"= 20508:TCP:PORT_20508
"9377:TCP"= 9377:TCP:PORT_9377
"52434:TCP"= 52434:TCP:PORT_52434
"53808:TCP"= 53808:TCP:PORT_53808
"23304:TCP"= 23304:TCP:PORT_23304
"8645:TCP"= 8645:TCP:PORT_8645
"16626:TCP"= 16626:TCP:PORT_16626
"52911:TCP"= 52911:TCP:PORT_52911
"41036:TCP"= 41036:TCP:PORT_41036
"63600:TCP"= 63600:TCP:PORT_63600
"15289:TCP"= 15289:TCP:PORT_15289
"7406:TCP"= 7406:TCP:PORT_7406
"40246:TCP"= 40246:TCP:PORT_40246
"5428:TCP"= 5428:TCP:PORT_5428
"12321:TCP"= 12321:TCP:PORT_12321
"31300:TCP"= 31300:TCP:PORT_31300
"18238:TCP"= 18238:TCP:PORT_18238
"61669:TCP"= 61669:TCP:PORT_61669
"38598:TCP"= 38598:TCP:PORT_38598
"48960:TCP"= 48960:TCP:PORT_48960
"59185:TCP"= 59185:TCP:PORT_59185
"14012:TCP"= 14012:TCP:PORT_14012
"36278:TCP"= 36278:TCP:PORT_36278
"24106:TCP"= 24106:TCP:PORT_24106
"29989:TCP"= 29989:TCP:PORT_29989
"28735:TCP"= 28735:TCP:PORT_28735
"22360:TCP"= 22360:TCP:PORT_22360
"37038:TCP"= 37038:TCP:PORT_37038
"31368:TCP"= 31368:TCP:PORT_31368
"21759:TCP"= 21759:TCP:PORT_21759
"8055:TCP"= 8055:TCP:PORT_8055
"29781:TCP"= 29781:TCP:PORT_29781
"45258:TCP"= 45258:TCP:PORT_45258
"35818:TCP"= 35818:TCP:PORT_35818
"10047:TCP"= 10047:TCP:PORT_10047
"27594:TCP"= 27594:TCP:PORT_27594
"12273:TCP"= 12273:TCP:PORT_12273
"59223:TCP"= 59223:TCP:PORT_59223
"25685:TCP"= 25685:TCP:PORT_25685
"27063:TCP"= 27063:TCP:PORT_27063
"37973:TCP"= 37973:TCP:PORT_37973
"26688:TCP"= 26688:TCP:PORT_26688
"9345:TCP"= 9345:TCP:PORT_9345
"41157:TCP"= 41157:TCP:PORT_41157
"6555:TCP"= 6555:TCP:PORT_6555
"18770:TCP"= 18770:TCP:PORT_18770
"64325:TCP"= 64325:TCP:PORT_64325
"8459:TCP"= 8459:TCP:PORT_8459
"49426:TCP"= 49426:TCP:PORT_49426
"39680:TCP"= 39680:TCP:PORT_39680
"19246:TCP"= 19246:TCP:PORT_19246
"38551:TCP"= 38551:TCP:PORT_38551
"18856:TCP"= 18856:TCP:PORT_18856
"16988:TCP"= 16988:TCP:PORT_16988
"5406:TCP"= 5406:TCP:PORT_5406
"38176:TCP"= 38176:TCP:PORT_38176
"42645:TCP"= 42645:TCP:PORT_42645
"57871:TCP"= 57871:TCP:PORT_57871
"25969:TCP"= 25969:TCP:PORT_25969
"24626:TCP"= 24626:TCP:PORT_24626
"18590:TCP"= 18590:TCP:PORT_18590
"16441:TCP"= 16441:TCP:PORT_16441
"12813:TCP"= 12813:TCP:PORT_12813
"46573:TCP"= 46573:TCP:PORT_46573
"12645:TCP"= 12645:TCP:PORT_12645
"60188:TCP"= 60188:TCP:PORT_60188
"43536:TCP"= 43536:TCP:PORT_43536
"15957:TCP"= 15957:TCP:PORT_15957
"24481:TCP"= 24481:TCP:PORT_24481
"9965:TCP"= 9965:TCP:PORT_9965
"38150:TCP"= 38150:TCP:PORT_38150
"35813:TCP"= 35813:TCP:PORT_35813
"34266:TCP"= 34266:TCP:PORT_34266
"33629:TCP"= 33629:TCP:PORT_33629
"44223:TCP"= 44223:TCP:PORT_44223
"24149:TCP"= 24149:TCP:PORT_24149
"62387:TCP"= 62387:TCP:PORT_62387
"12860:TCP"= 12860:TCP:PORT_12860
"40166:TCP"= 40166:TCP:PORT_40166
"59922:TCP"= 59922:TCP:PORT_59922
"30059:TCP"= 30059:TCP:PORT_30059
"23026:TCP"= 23026:TCP:PORT_23026
"59462:TCP"= 59462:TCP:PORT_59462
"7228:TCP"= 7228:TCP:PORT_7228
"6750:TCP"= 6750:TCP:PORT_6750
"63863:TCP"= 63863:TCP:PORT_63863
"55938:TCP"= 55938:TCP:PORT_55938
"13825:TCP"= 13825:TCP:PORT_13825
"20400:TCP"= 20400:TCP:PORT_20400
"10586:TCP"= 10586:TCP:PORT_10586
"41613:TCP"= 41613:TCP:PORT_41613
"62654:TCP"= 62654:TCP:PORT_62654
"46672:TCP"= 46672:TCP:PORT_46672
"24485:TCP"= 24485:TCP:PORT_24485
"40016:TCP"= 40016:TCP:PORT_40016
"40173:TCP"= 40173:TCP:PORT_40173
"27441:TCP"= 27441:TCP:PORT_27441
"44658:TCP"= 44658:TCP:PORT_44658
"39040:TCP"= 39040:TCP:PORT_39040
"8368:TCP"= 8368:TCP:PORT_8368
"15203:TCP"= 15203:TCP:PORT_15203
"22970:TCP"= 22970:TCP:PORT_22970
"53656:TCP"= 53656:TCP:PORT_53656
"28902:TCP"= 28902:TCP:PORT_28902
"51922:TCP"= 51922:TCP:PORT_51922
"45970:TCP"= 45970:TCP:PORT_45970
"30653:TCP"= 30653:TCP:PORT_30653
"17698:TCP"= 17698:TCP:PORT_17698
"65106:TCP"= 65106:TCP:PORT_65106
"40239:TCP"= 40239:TCP:PORT_40239
"13355:TCP"= 13355:TCP:PORT_13355
"58848:TCP"= 58848:TCP:PORT_58848
"63813:TCP"= 63813:TCP:PORT_63813
"32343:TCP"= 32343:TCP:PORT_32343
"19207:TCP"= 19207:TCP:PORT_19207
"7197:TCP"= 7197:TCP:PORT_7197
"10681:TCP"= 10681:TCP:PORT_10681
"39993:TCP"= 39993:TCP:PORT_39993
"56406:TCP"= 56406:TCP:PORT_56406
"11603:TCP"= 11603:TCP:PORT_11603
"22598:TCP"= 22598:TCP:PORT_22598
"62682:TCP"= 62682:TCP:PORT_62682
"15356:TCP"= 15356:TCP:PORT_15356
"21586:TCP"= 21586:TCP:PORT_21586
"9156:TCP"= 9156:TCP:PORT_9156
"39306:TCP"= 39306:TCP:PORT_39306
"63751:TCP"= 63751:TCP:PORT_63751
"36440:TCP"= 36440:TCP:PORT_36440
"7728:TCP"= 7728:TCP:PORT_7728
"22238:TCP"= 22238:TCP:PORT_22238
"48715:TCP"= 48715:TCP:PORT_48715
"39360:TCP"= 39360:TCP:PORT_39360
"26028:TCP"= 26028:TCP:PORT_26028
"37993:TCP"= 37993:TCP:PORT_37993
"53922:TCP"= 53922:TCP:PORT_53922
"49368:TCP"= 49368:TCP:PORT_49368
"49153:TCP"= 49153:TCP:PORT_49153
"45129:TCP"= 45129:TCP:PORT_45129
"17469:TCP"= 17469:TCP:PORT_17469
"57270:TCP"= 57270:TCP:PORT_57270
"62500:TCP"= 62500:TCP:PORT_62500
"47953:TCP"= 47953:TCP:PORT_47953
"54325:TCP"= 54325:TCP:PORT_54325
"29168:TCP"= 29168:TCP:PORT_29168
"52321:TCP"= 52321:TCP:PORT_52321
"35125:TCP"= 35125:TCP:PORT_35125
"12246:TCP"= 12246:TCP:PORT_12246
"25610:TCP"= 25610:TCP:PORT_25610
"6845:TCP"= 6845:TCP:PORT_6845
"10418:TCP"= 10418:TCP:PORT_10418
"61191:TCP"= 61191:TCP:PORT_61191
"55629:TCP"= 55629:TCP:PORT_55629
"19746:TCP"= 19746:TCP:PORT_19746
"47025:TCP"= 47025:TCP:PORT_47025
"8568:TCP"= 8568:TCP:PORT_8568
"31434:TCP"= 31434:TCP:PORT_31434
"52235:TCP"= 52235:TCP:PORT_52235
"22371:TCP"= 22371:TCP:PORT_22371
"14340:TCP"= 14340:TCP:PORT_14340
"50291:TCP"= 50291:TCP:PORT_50291
"42235:TCP"= 42235:TCP:PORT_42235
"52344:TCP"= 52344:TCP:PORT_52344
"22715:TCP"= 22715:TCP:PORT_22715
"33485:TCP"= 33485:TCP:PORT_33485
"31816:TCP"= 31816:TCP:PORT_31816
"17825:TCP"= 17825:TCP:PORT_17825
"44505:TCP"= 44505:TCP:PORT_44505
"28165:TCP"= 28165:TCP:PORT_28165
"28071:TCP"= 28071:TCP:PORT_28071
"64969:TCP"= 64969:TCP:PORT_64969
"30080:TCP"= 30080:TCP:PORT_30080
"53066:TCP"= 53066:TCP:PORT_53066
"55473:TCP"= 55473:TCP:PORT_55473
"57340:TCP"= 57340:TCP:PORT_57340
"46781:TCP"= 46781:TCP:PORT_46781
"28418:TCP"= 28418:TCP:PORT_28418
"13500:TCP"= 13500:TCP:PORT_13500
"32066:TCP"= 32066:TCP:PORT_32066
"60457:TCP"= 60457:TCP:PORT_60457
"58270:TCP"= 58270:TCP:PORT_58270
"16680:TCP"= 16680:TCP:PORT_16680
"29200:TCP"= 29200:TCP:PORT_29200
"55440:TCP"= 55440:TCP:PORT_55440
"55375:TCP"= 55375:TCP:PORT_55375
"6173:TCP"= 6173:TCP:PORT_6173
"40441:TCP"= 40441:TCP:PORT_40441
"56641:TCP"= 56641:TCP:PORT_56641
"34453:TCP"= 34453:TCP:PORT_34453
"7860:TCP"= 7860:TCP:PORT_7860
"28352:TCP"= 28352:TCP:PORT_28352
"32637:TCP"= 32637:TCP:PORT_32637
"17243:TCP"= 17243:TCP:PORT_17243
"31020:TCP"= 31020:TCP:PORT_31020
"16977:TCP"= 16977:TCP:PORT_16977
"36059:TCP"= 36059:TCP:PORT_36059
"23316:TCP"= 23316:TCP:PORT_23316
"53281:TCP"= 53281:TCP:PORT_53281
"8950:TCP"= 8950:TCP:PORT_8950
"49950:TCP"= 49950:TCP:PORT_49950
"52043:TCP"= 52043:TCP:PORT_52043
"40719:TCP"= 40719:TCP:PORT_40719
"52051:TCP"= 52051:TCP:PORT_52051
"47977:TCP"= 47977:TCP:PORT_47977
"28173:TCP"= 28173:TCP:PORT_28173
"53555:TCP"= 53555:TCP:PORT_53555
"35606:TCP"= 35606:TCP:PORT_35606
"8571:TCP"= 8571:TCP:PORT_8571
"30419:TCP"= 30419:TCP:PORT_30419
"57110:TCP"= 57110:TCP:PORT_57110
"30426:TCP"= 30426:TCP:PORT_30426
"54188:TCP"= 54188:TCP:PORT_54188
"52778:TCP"= 52778:TCP:PORT_52778
"53348:TCP"= 53348:TCP:PORT_53348
"57106:TCP"= 57106:TCP:PORT_57106
"24641:TCP"= 24641:TCP:PORT_24641
"53551:TCP"= 53551:TCP:PORT_53551

R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\SYSTEM32\DRIVERS\WlanUIG.sys [2005-09-07 347648]
S3 ALABULKO;OLYMPUS USB Media Adapter device driver;c:\windows\SYSTEM32\DRIVERS\ALABLK2O.SYS [2002-11-09 34914]

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\McAfee.com Update Check (D7JX8P21-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 07:28]

2009-01-03 c:\windows\Tasks\McAfee.com Update Check (D7JX8P21-Owner).job
- c:\progra~1\McAfee.com\Agent [2008-12-29 21:42]

2009-01-03 c:\windows\Tasks\McAfee.com Update Check (ERIN-Erinmartin).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 07:28]

2009-01-03 c:\windows\Tasks\McAfee.com Update Check (ERIN-Erinmartin).job
- c:\progra~1\McAfee.com\Agent [2008-12-29 21:42]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-CaAvTray - c:\program files\Yahoo!\Antivirus\CAVTray.exe
MSConfigStartUp-CAVRID - c:\program files\Yahoo!\Antivirus\CAVRID.exe
MSConfigStartUp-Mozilla Quick Launch - c:\program files\Netscape\Netscape\Netscp.exe
MSConfigStartUp-YBrowser - c:\progra~1\Yahoo!\browser\ybrwicon.exe
MSConfigStartUp-YOP - c:\progra~1\Yahoo!\YOP\yop.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Erinmartin\Application Data\Mozilla\Firefox\Profiles\rtupph7m.default\
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 14:35:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-03 14:42:12
ComboFix-quarantined-files.txt 2009-01-03 22:41:28

Pre-Run: 40,174,379,008 bytes free
Post-Run: 40,234,807,296 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

521 --- E O F --- 2008-12-23 19:43:26



HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:53 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4609 bytes



UNINSTALL LIST:


2Wire Wireless Client
Adobe Acrobat 5.0
Adobe Download Manager (Remove Only)
Adobe Flash Player ActiveX
BCM V.92 56K Modem
Broadcom Advanced Control Suite
Broderbund Home Design 5.1
CCleaner (remove only)
DAO
Dell Digital Jukebox Driver
Dell File Manager
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DellConnect
DellSupport
Digital Line Detect
Easy CD Creator 5 Basic
Exploring Child Development Siegler
GdiplusUpgrade
Google Earth
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Intel(R) Extreme Graphics Driver
iPod for Windows 2006-01-10
iTunes
Learn2 Player (Uninstall Only)
McAfee.com SecurityCenter
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Small Business
Modem Helper
Mozilla Firefox (2.0.0.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch® Jukebox
OLYMPUS CAMEDIA Master 4.2
OLYMPUS USB Reader/Writer
Paint Shop Pro 7
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
SPSS 11.0.1 for Windows
Spybot - Search & Destroy
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Viewpoint Media Player
Windows Media Format Runtime
Windows XP Service Pack 3
WinZip Self-Extractor

Standing by for your further instructions, thanks again.

Loopy
 
You have any idea why all of these:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
why you have those TCP:PORTs? Maybe it has to do with your wireless connection?
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe

c:\windows\system32\drivers\fad.sys <<< combofix removed this:
http://www.bleepingcomputer.com/startups/FAD-15557.html
We will see what MBAM finds, but I see no sign of Virtumonde on this computer?

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

4) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

How is the computer running now.

Thanks

This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Mozilla Firefox (2.0.0.3) <<< I suggest you run the newest, safest version if you are going to run the program:
http://www.mozilla.com/en-US/firefox/

Viewpoint Media Player
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm
 
PSKelley, a lot to absorb here, but I appreciate it.

To answer your questions first:

I don't know what this is specifically: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

because I am not comp savvy enough; However, I do know that:

C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe

is the 2wire thingy that is definitely related to our wireless connection so probably need to keep that, but again, don't know what the first entry above is.

I suppose that combofix cleaned Virtumonde then because it was coming up repeatedly in Spybot.

I ran ATF cleaner, fixed the HJT you suggested and ran malewarebytes (log is below) but it showed no baddies.

The computer is definitely running better right now (but we still don't have any antivirus running).

I don't even know why my wife has Mozilla on her system. I'm not even really sure what it is....isn't it like internet explorer but just a different application? If she uses IE exclusively, can we get rid of Mozilla?

I dumped viewpoint media from the install list as you suggested.

Finally, attached are the new Malewarebytes and HJT logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1608
Windows 5.1.2600 Service Pack 3

1/3/2009 10:32:57 PM
mbam-log-2009-01-03 (22-32-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107227
Time elapsed: 55 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:11 PM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4162 bytes


Please advise what next steps are, if any. Thank you so much.
 
Thanks for the feedback, let's take care of the important issues, then I will try to answer your questions, you said:

The computer is definitely running better right now (but we still don't have any antivirus running).
Click to expand...
I see this: McAfee.com SecurityCenter
C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

Is this program obsolete or something, if you are talking about it being turned off while combofix ran, you should have activated it as soon as combofix was finished. You will need to explain in detail before I proceed.

If you no longer wish to use McAfee and need links to a good freeware program, you need to let me know that also.
 
PS-

Sorry about that, yes, that McAfee is old and not doing a thing (It does not have realtime activated). It came with her Dell system; it ran for 6-12 months and then we didn't renew the subscription. Everytime we start up the computer it puts an icon in the system tray and reminds you that "your computer may be at risk" and if you click on it (I opened McAfee app to check for her) and it pretty much looks like no protection is in place any longer.

So the long answer is we can probably get rid of it if we can get a good free virus protection off the web.

Finally, on another note, we have Verizon DSL and they have a pop-up from time to time that offers their proprietary antivirus/antispyware software - I have never installed this being dubious of its quality. I wonder what you think as to whether we go with something like that or something you might suggest off the web.

Thanks
 
Do what you want, but I just moved from Verizon DSL to Verizon FIOS and I do not use their security programs. I personally use AVG 8 free from Grisoft.

Uninstall McAfee in Add Remove programs, if you have any problems getting it off the system, use this tool:
McAfee Consumer Products Removal tool
http://www.majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

Here are three good freeware antivirus programs, install only one.
http://free.grisoft.com/ww.download-avg-anti-virus-free-edition
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm

http://www.avast.com/eng/avast_4_home.html

http://www.free-av.com/

Once installed, update and scan the system, post the results of the scan and a new HJT log so I can wrap this up.

Thanks
 
We are talking about antivirus programs, I can not say which antivirus scan not knowing the one you would choose. I never mentioned
Malwarebytes once in that post?
 
Sorry this is taking so long. I'm trying to download AVG 8 w/o the link searcher thingy and I'm not so adept at working in the files and this is getting frustrating....because now as i try to load it there is a potential conflict with Roxio CD platyer and it wants me to upgrade the software but I can't find any upgrades/updates for this particuliar product...

I don't know maybe I just have to delete it
 
PSKelley

First off, thanks for your patience. This has been a a little tough today due to my lack of computer experience.

Ok, so I installed updates to Roxio but AVG still detected issues so I scrapped that program and went to plan B: I downloaded AVAST and ran it...it fournd 24 bugs which I deleted (why didn't spyware blaster see these?)

So here is the log from AVAST and a new HJT log:


AVAST:

01/04/2009 15:36
Scan of all local drives

File C:\Program Files\Common Files\stsfbefs\smdbecbmat\aqaruupeu.exe is infected by Win32:Trojano-324 [Trj], Deleted
File C:\Program Files\Common Files\stsfbefs\ulrbcptu\nfaaupnn.exe is infected by Win32:Trojano-324 [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1293\A0105870.exe is infected by Win32:Trojan-gen {Other}, Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1293\A0105871.exe is infected by Win32:Agent-ABYG [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106983.exe is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106991.exe is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106992.dll is infected by Win32:Gator-I [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106994.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106995.dll is infected by Win32:Gator-K [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106996.dll is infected by Win32:Gator-J [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0106997.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107000.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107001.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107002.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107089.dll is infected by Win32:Gator-H [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107090.dll is infected by Win32:Gator-H [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107091.dll is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107092.dll is infected by Win32:Gator-H [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107094.exe is infected by Win32:Adware-gen [Adw], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107095.exe is infected by Win32:Gator-H [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107097.exe is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1295\A0107100.exe is infected by Win32:Spyware-gen [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1299\A0108306.exe is infected by Win32:Trojano-324 [Trj], Deleted
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1299\A0108307.exe is infected by Win32:Trojano-324 [Trj], Deleted
Number of searched folders: 5178
Number of tested files: 70955
Number of infected files: 24


Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:37 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: 2Wire Wireless Client.lnk = C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4848 bytes


Follow up questions:

1) What is mozilla? and do we need it if there is IE installed? (especially if getting rid of it helps with security)

2) the "your computer may be at risk" dialogue is from Windows Security Center and not McAfee, but you probably already knew that.

Thanks again for your help and please advise as to the next steps

Loopy
 
1) What is mozilla? and do we need it if there is IE installed? (especially if getting rid of it helps with security)
Click to expand...
Mozilla is the Firefox browser, I personally maintain two browsers in the event one goes down, You may do as you wish, but if you keep it I suggest you update as I said.
2) the "your computer may be at risk" dialogue is from Windows Security Center and not McAfee, but you probably already knew that.
Click to expand...
It is possible you are right, but keep this in mind. Malware will produce that message because they want you to purchase rouge software that is worthless (fraud)

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

CF_Cleanup.png


Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update Avast 4 and scan the system, to be sure it is running right and scanning clean.

If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
 
Hi PS

So I deleted combofix and unchecked system restore, but on reboot, I got a desktop that is about 3/4 black screen (icons still appear though) and about 1/4 of the photo that was the previously the desktop picture......
I thought I would check with you before I do anything else?

what do you suggest?
 
PS

Ok, corrected the above problem.

I ran malwarebytes and the log was clean. Just for the hell of it, I ran spybotS&D and it picked up a tracking cookie, which I deleted.

The burning question is, how is it that avast identifies 24 infected files, but Spybot didn't show anything before? It all seems so random, no?

Should re-enable spybot S&D teatimer at this time, to run concurrent with Avast?

Can I leave ATF cleaner on the desktop, for occasional cleaning?

Is there anything else you recommend or suggest I do at this time?
 
The burning question is, how is it that avast identifies 24 infected files, but Spybot didn't show anything before? It all seems so random, no?
Click to expand...
No...all but one files which Avast deleted:
File C:\Program Files\Common Files\stsfbefs\smdbecbmat\aqaruupeu.exe is infected by Win32:Trojano-324 [Trj], Deleted
were is infected System Restore files which we cleaned here:
Clean the System Restore files like this:
Click to expand...
Microsoft protects those files (the good and the bad) and no program can delete them though they try. The one file Avast did find looks random and old and programs can only find what is in their databases most times.
Should re-enable spybot S&D teatimer at this time, to run concurrent with Avast?
Click to expand...
Yes
Can I leave ATF cleaner on the desktop, for occasional cleaning?
Click to expand...
Yes
Is there anything else you recommend or suggest I do at this time?
Click to expand...
Yes...read the information in the links I posted.

Thanks
 
Sounds like it's all clean then. I will read those links.

Thank you very much for your help PS; I can't say what I would have done without this site and your assistance.

All the best

L
 
Status
Not open for further replies.
Back
Top