Topic: Virus or malware. logs included

blufog (Topic Starter)

    Virus or malware. logs included
    « on: December 14, 2008, 10:36:42 PM »
    I have Avast, but I downloaded a movie or something, saw a quick DOS program load, and now my Security Center says my virus protection is not found.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/14/2008 at 04:24 PM

    Application Version : 4.23.1006

    Core Rules Database Version : 3674
    Trace Rules Database Version: 1653

    Scan type       : Complete Scan
    Total Scan Time : 02:46:03

    Memory items scanned      : 457
    Memory threats detected   : 0
    Registry items scanned    : 6111
    Registry threats detected : 0
    File items scanned        : 87967
    File threats detected     : 0
    Malwarebytes' Anti-Malware 1.31
    Database version: 1499
    Windows 5.1.2600 Service Pack 3

    12/14/2008 10:35:09 PM
    mbam-log-2008-12-14 (22-35-09).txt

    Scan type: Quick Scan
    Objects scanned: 55768
    Time elapsed: 19 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:36:28 PM, on 12/14/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\XSoft\xworking\sysrts.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Adobe\Adobe Flash CS4\Flash.exe
    C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Max\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe

    --
    End of file - 7201 bytes
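The thread turns on reading the HijackThis log by eye: the O23 service reported as "Unknown owner", the O4 Run key under the same XSoft\xworking directory, and a second log posted after the cleanup to compare against the first. The following is an added example, not part of the original post and not code from HijackThis, SDFix or any other tool named in the thread. It parses the R/O-prefixed lines of a HijackThis v2 log, applies a small rule set to the O4/O20/O23 entries, and diffs two logs to show what a cleanup removed or added. The severity labels, the rules and the function names are my own assumptions; the sample lines are a constructed subset of the two logs in this thread, not complete logs.

```python
"""Triage a HijackThis v2 log and diff two logs to see what a cleanup changed.

Added example for this thread; not code from HijackThis or any tool named in it.
Assumptions (not from the page): the severity labels, the rule set and the helper
names are mine; the sample lines are a constructed subset of the thread's logs.
"""
from __future__ import annotations

import ntpath  # Windows path semantics even when this runs on a POSIX host
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log (before SDFix).
LOG_BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Max\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe
"""
# Constructed sample: the same subset of the second log (after SDFix); in the
# thread the Spybot entries are the only lines that differ between the two.
LOG_AFTER = "\n".join(l for l in LOG_BEFORE.splitlines() if "Spybot" not in l)

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First token ending in an executable extension, quoted or not. Unquoted paths
# with spaces (the xld.exe line above) are why we cannot just split on spaces.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|dll|cpl|scr|bat|cmd|pif))"?(?=\s|$)', re.I)


@dataclass(frozen=True, order=True)
class Entry:
    kind: str  # HijackThis section tag, e.g. "O4", "O23"
    body: str  # rest of the line


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "low" | "info" (labels are my own)
    entry: Entry
    reason: str


def parse(log: str) -> list[Entry]:
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def executable_of(cmd: str) -> str:
    m = EXE_RE.match(cmd)
    return m["exe"] if m else cmd.split()[0]


def triage(entries: list[Entry]) -> list[Finding]:
    findings: list[Finding] = []
    # Pass 1: services whose binary carries no vendor name in its version info.
    # HijackThis prints "Unknown owner" in that case; vendor software almost
    # always has one, so this is the strongest single signal in an O23 line.
    unknown_dirs = set()
    for e in entries:
        if e.kind == "O23" and e.body.startswith("Service: "):
            # "Service: NAME - OWNER - PATH"; split at most twice so a path that
            # itself contains " - " stays intact (a NAME containing " - " would not).
            parts = e.body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3 and parts[1].lower() == "unknown owner":
                unknown_dirs.add(ntpath.dirname(parts[2]).lower())
                findings.append(Finding("high", e, f"service binary with no vendor in version info: {parts[2]}"))
    # Pass 2: Run keys, correlated with pass 1 and with where they run from.
    for e in entries:
        if e.kind == "O4":
            m = RUN_RE.match(e.body)
            if not m:
                continue  # "Global Startup:" shortcuts use a different layout
            exe = executable_of(m["cmd"])
            d = ntpath.dirname(exe).lower()
            if d and d in unknown_dirs:
                findings.append(Finding("high", e, f"run entry shares a directory with an unknown-owner service: {exe}"))
            elif not d:
                findings.append(Finding("low", e, f"bare file name resolved through PATH at logon; verify where it lives: {exe}"))
            elif "\\application data\\" in d or "\\local settings\\" in d:
                findings.append(Finding("medium", e, f"autorun from a user-writable profile directory: {exe}"))
        elif e.kind == "O20":
            findings.append(Finding("info", e, "Winlogon Notify DLL loads into winlogon.exe; confirm it belongs to installed software"))
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f.severity])


def diff_logs(before: str, after: str) -> tuple[list[Entry], list[Entry]]:
    """Entries removed by and added since a cleanup (order-insensitive)."""
    b, a = set(parse(before)), set(parse(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for f in triage(parse(LOG_BEFORE)):
        print(f"[{f.severity:6}] {f.entry.kind}: {f.reason}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"removed by cleanup: {len(removed)}, added: {len(added)}")
```

The correlation rule is the useful part: an unknown-owner service on its own is only a lead, but a Run key and a service living in the same directory outside the usual vendor locations is what a helper would normally ask about first. Short 8.3 paths (PROGRA~1) are compared as written, so an entry referencing the same directory under its short name would not correlate; expand them first on a real system.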




    evilfantasy (Malware Removal Specialist, Moderator)

    Re: Virus or malware. logs included
    « Reply #1 on: December 15, 2008, 05:07:14 PM »
    Before you begin the SDFix instructions, you should copy these instructions into a Notepad file and save them to your desktop, or print them for easy reference. Much of SDFix will be done in Safe Mode, and you will be unable to access this web page after booting into Safe Mode.

    Download SDFix by AndyManchesta and save it to your desktop.

    When using this tool, you must use the Administrator's account or an account with administrative rights.

    • Double-click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows directory, typically C:\SDFix).
    • DO NOT use it just yet.

    Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Open the SDFix folder and double-click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan services or registry entries found, then prompt you to press any key to reboot.
    • Press any key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Copy and paste the contents of the results file Report.txt in your next reply, along with a new HijackThis log (from normal boot mode).

    blufog (Topic Starter)

      Re: Virus or malware. logs included
      « Reply #2 on: December 16, 2008, 04:44:07 AM »
      Hey thanks for your help. Here are the new logs:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 4:38:58 AM, on 12/16/2008
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16735)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\system32\nvsvc32.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\XSoft\xworking\sysrts.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\system32\notepad.exe
      C:\WINDOWS\RTHDCPL.EXE
      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
      C:\Program Files\HP\HP Software Update\HPWuSchd.exe
      C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
      C:\WINDOWS\system32\RUNDLL32.EXE
      C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
      C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
      O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
      O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
      O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
      O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [winxld] C:\Program Files\XSoft\xworking\xld.exe a
      O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
      O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Max\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
      O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
      O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
      O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
      O23 - Service: Login Service (SystemLoginService) - Unknown owner - C:\Program Files\XSoft\xworking\sysrts.exe

      --
      End of file - 6617 bytes



      SDFix: Version 1.240
      Run by Max on Mon 12/15/2008 at 09:20 PM

      Microsoft Windows XP [Version 5.1.2600]
      Running From: C:\SDFix

      Checking Services :


      Restoring Default Security Values
      Restoring Default Hosts File

      Rebooting


      Checking Files :

      No Trojan Files Found




      evilfantasy (Malware Removal Specialist, Moderator)

      Re: Virus or malware. logs included
      « Reply #3 on: December 16, 2008, 12:52:55 PM »
      Uninstall XsoftSpy or XpcSpy. This is not a trusted program.

      Download Malwarebytes' Anti-Malware (MBAM)

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

        ----------

        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop

        Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.

        For Windows XP Systems install the Recovery Console:

        - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
        - If for some reason your Internet is not working click No.
        - If you are not using Windows XP, you will not be prompted.
        - When prompted to accept the EULA click OK.
        - Accept Microsoft's EULA (Click Yes).
        - When you are told that the RC is installed correctly click YES to continue scanning for malware.

        When finished ComboFix will produce a log for you.
        Post the ComboFix log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        ----------

        Next post add:
        MBAM log
        ComboFix log

        blufog (Topic Starter)

          Re: Virus or malware. logs included
          « Reply #4 on: December 16, 2008, 06:10:40 PM »
          Thank you. They are:

          Malwarebytes' Anti-Malware 1.31
          Database version: 1499
          Windows 5.1.2600 Service Pack 3

          12/16/2008 5:52:24 PM
          mbam-log-2008-12-16 (17-52-24).txt

          Scan type: Quick Scan
          Objects scanned: 60377
          Time elapsed: 24 minute(s), 5 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 0
          Registry Values Infected: 0
          Registry Data Items Infected: 0
          Folders Infected: 0
          Files Infected: 0

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          (No malicious items detected)

          Registry Values Infected:
          (No malicious items detected)

          Registry Data Items Infected:
          (No malicious items detected)

          Folders Infected:
          (No malicious items detected)

          Files Infected:
          (No malicious items detected)


          blufog (Topic Starter)

            Re: Virus or malware. logs included
            « Reply #5 on: December 16, 2008, 06:14:42 PM »
            It wouldn't fit in one post, so I had to make a few:

            ComboFix 08-12-16.03 - Max 2008-12-16 18:04:58.1 - NTFSx86
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.672 [GMT -7:00]
            Running from: c:\documents and settings\Max\Desktop\ComboFix.exe
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\system32\_004064_.tmp.dll
            c:\windows\system32\_004065_.tmp.dll
            c:\windows\system32\_004066_.tmp.dll
            c:\windows\system32\_004067_.tmp.dll
            c:\windows\system32\_004074_.tmp.dll
            c:\windows\system32\_004075_.tmp.dll
            c:\windows\system32\_004076_.tmp.dll
            c:\windows\system32\_004077_.tmp.dll
            c:\windows\system32\_004079_.tmp.dll
            c:\windows\system32\_004080_.tmp.dll
            c:\windows\system32\_004083_.tmp.dll
            c:\windows\system32\_004084_.tmp.dll
            c:\windows\system32\_004086_.tmp.dll
            c:\windows\system32\_004087_.tmp.dll
            c:\windows\system32\_004088_.tmp.dll
            c:\windows\system32\_004090_.tmp.dll
            c:\windows\system32\_004093_.tmp.dll
            c:\windows\system32\_004094_.tmp.dll
            c:\windows\system32\_004098_.tmp.dll
            c:\windows\system32\_004099_.tmp.dll
            c:\windows\system32\_004101_.tmp.dll
            c:\windows\system32\_004104_.tmp.dll
            c:\windows\system32\_004106_.tmp.dll
            c:\windows\system32\_004107_.tmp.dll
            c:\windows\system32\_004108_.tmp.dll
            c:\windows\system32\_004109_.tmp.dll
            c:\windows\system32\_004110_.tmp.dll
            c:\windows\system32\_004113_.tmp.dll
            c:\windows\system32\_004114_.tmp.dll
            c:\windows\system32\_004115_.tmp.dll
            c:\windows\system32\_004116_.tmp.dll
            c:\windows\system32\_004117_.tmp.dll
            c:\windows\system32\_004122_.tmp.dll
            c:\windows\system32\_004124_.tmp.dll
            c:\windows\system32\hpvaut32.dll
            c:\windows\system32\hpvcp70.dll
            c:\windows\system32\hpvcr70.dll

            blufog (Topic Starter)

              Re: Virus or malware. logs included
              « Reply #6 on: December 16, 2008, 06:15:01 PM »
              .
              (((((((((((((((((((((((((   Files Created from 2008-11-17 to 2008-12-17  )))))))))))))))))))))))))))))))
              .
              2008-12-15 21:18 . 2008-12-15 21:18   577,024   --a--c---   c:\windows\system32\dllcache\user32.dll
              2008-12-15 21:15 . 2008-12-15 21:16   <DIR>   d--------   c:\windows\ERUNT
              2008-12-15 21:12 . 2008-12-15 21:12   <DIR>   d--------   c:\documents and settings\Administrator
              2008-12-15 20:29 . 2008-12-15 22:39   <DIR>   d--------   C:\SDFix
              2008-12-15 07:06 . 2008-12-16 17:21   <DIR>   d--------   c:\documents and settings\Rachel
              2008-12-14 19:34 . 2008-12-14 19:34   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Office Genuine Advantage
              2008-12-14 13:29 . 2008-12-14 13:29   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
              2008-12-14 13:23 . 2008-12-14 13:23   <DIR>   d--------   c:\program files\CCleaner
              2008-12-14 05:58 . 2008-12-14 05:58   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
              2008-12-14 05:57 . 2008-12-14 13:30   <DIR>   d--------   c:\program files\SUPERAntiSpyware
              2008-12-14 05:57 . 2008-12-14 13:30   <DIR>   d--------   c:\documents and settings\Max\Application Data\SUPERAntiSpyware.com
              2008-12-14 05:53 . 2008-12-14 05:53   <DIR>   d--------   c:\program files\Trend Micro
              2008-12-14 05:47 . 2008-12-15 00:16   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
              2008-12-14 05:47 . 2008-12-15 00:16   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
              2008-12-14 05:31 . 2008-12-14 05:31   <DIR>   d--------   c:\documents and settings\Max\Application Data\Malwarebytes
              2008-12-14 05:31 . 2008-12-03 19:52   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
              2008-12-14 05:31 . 2008-12-03 19:52   15,504   --a------   c:\windows\system32\drivers\mbam.sys
              2008-12-14 05:30 . 2008-12-14 05:31   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
              2008-12-14 05:30 . 2008-12-14 05:30   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
              2008-12-13 20:11 . 2008-04-13 17:12   159,232   --a------   c:\windows\system32\ptpusd.dll
              2008-12-13 20:11 . 2001-08-17 22:36   5,632   --a------   c:\windows\system32\ptpusb.dll
              2008-12-13 19:51 . 2008-10-16 14:06   268,648   --a------   c:\windows\system32\mucltui.dll
              2008-12-13 19:51 . 2008-10-16 14:06   208,744   --a------   c:\windows\system32\muweb.dll
              2008-12-13 19:51 . 2008-10-16 14:06   27,496   --a------   c:\windows\system32\mucltui.dll.mui
              2008-12-13 11:36 . 2008-12-15 07:03   69   --a------   c:\windows\NeroDigital.ini
              2008-12-12 18:39 . 2008-12-15 07:01   <DIR>   d--------   c:\documents and settings\Max\Application Data\mjusbsp
              2008-12-12 18:38 . 2008-04-13 11:45   60,032   --a------   c:\windows\system32\drivers\USBAUDIO.sys
              2008-12-12 18:38 . 2008-04-13 11:45   60,032   --a--c---   c:\windows\system32\dllcache\usbaudio.sys
              2008-12-09 20:19 . 2008-12-09 20:47   <DIR>   d--------   c:\documents and settings\Max\Application Data\Download Manager
              2008-12-08 06:30 . 2008-12-16 17:19   3,400   --a------   c:\windows\system32\winxtm.dll
              2008-12-07 15:35 . 2000-05-22 06:00   647,872   --a------   c:\windows\system32\mscomct2.ocx
              2008-12-07 15:35 . 2004-03-09 00:00   224,016   --a------   c:\windows\system32\tabctl32.ocx
              2008-12-07 15:35 . 2004-03-09 16:45   152,848   --a------   c:\windows\system32\Comdlg32.ocx
              2008-12-07 15:34 . 2008-12-07 15:34   <DIR>   d--------   c:\program files\AML Products
              2008-12-06 22:26 . 2008-09-17 23:55   201,050   --a------   c:\windows\system32\nvapps.nvb
              2008-12-06 22:25 . 2008-12-07 02:17   <DIR>   d--------   c:\windows\NV1364152.TMP
              2008-12-06 21:50 . 2008-12-06 21:51   <DIR>   d--------   c:\documents and settings\Guest
              2008-12-06 20:38 . 2008-12-06 20:38   <DIR>   d--------   c:\documents and settings\Max\LocalLow
              2008-12-06 20:38 . 2008-12-06 20:38   <DIR>   d--------   c:\documents and settings\All Users\Application Data\TVU Networks
              2008-12-06 20:17 . 2008-12-06 22:02   <DIR>   d--------   c:\program files\WMCap
              2008-12-06 18:36 . 2008-12-06 19:51   <DIR>   d--------   C:\downloads
              2008-12-06 18:36 . 2008-12-06 20:11   <DIR>   d--------   c:\documents and settings\Max\Application Data\Orbit
              2008-12-06 18:36 . 2008-12-06 18:36   <DIR>   d--------   c:\documents and settings\Max\Application Data\GrabPro
              2008-12-06 14:42 . 2008-12-06 14:42   <DIR>   d--h-----   c:\windows\PIF
              2008-12-06 12:14 . 2008-12-06 12:14   <DIR>   d--------   c:\documents and settings\Max\Application Data\Apple Computer
              2008-12-06 12:10 . 2008-12-06 12:11   <DIR>   d--------   c:\program files\QuickTime
              2008-12-06 12:10 . 2008-12-06 12:13   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
              2008-12-06 12:08 . 2008-12-06 12:09   <DIR>   d--------   c:\program files\Apple Software Update
              2008-12-06 12:08 . 2008-12-06 12:08   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple
              2008-12-06 09:10 . 2004-02-25 23:18   51,056   -ra------   c:\windows\system32\drivers\hpzid412.sys
              2008-12-06 09:10 . 2004-02-25 23:18   16,496   -ra------   c:\windows\system32\drivers\HPZipr12.sys
              2008-12-06 09:09 . 2004-02-25 23:18   21,488   -ra------   c:\windows\system32\drivers\HPZius12.sys
              2008-12-06 09:09 . 2008-04-13 11:45   15,104   --a------   c:\windows\system32\drivers\usbscan.sys
              2008-12-06 09:09 . 2008-04-13 11:45   15,104   --a--c---   c:\windows\system32\dllcache\usbscan.sys
              2008-12-06 09:04 . 2003-12-11 11:15   44,544   -ra------   c:\windows\system32\MSXML4a.dll
              2008-12-06 09:03 . 2008-12-06 09:03   <DIR>   d--------   c:\program files\Common Files\Hewlett-Packard
              2008-12-06 08:56 . 2008-12-06 08:56   <DIR>   d--------   c:\program files\Common Files\HP
              2008-12-06 08:53 . 2008-12-06 08:55   <DIR>   d--------   c:\windows\system32\URTTemp
              2008-12-06 08:47 . 2008-12-06 09:04   <DIR>   d--------   c:\program files\HP
              2008-12-06 08:46 . 2004-02-25 23:17   38,868   ---------   c:\windows\hpomdl03.dat
              2008-12-06 08:46 . 2008-12-06 09:12   29,358   --a------   c:\windows\hpoins03.dat
              2008-12-05 20:10 . 2008-12-14 13:27   <DIR>   d--------   c:\documents and settings\Max\Application Data\U3
              2008-12-05 19:29 . 2008-12-05 19:29   <DIR>   d--------   c:\documents and settings\All Users\Application Data\FLEXnet
              2008-12-05 19:24 . 2008-12-05 19:24   <DIR>   d--------   c:\documents and settings\Max\Application Data\Yahoo!
              2008-12-05 19:24 . 2008-12-06 04:47   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Yahoo! Companion
              2008-12-05 19:23 . 2008-12-05 19:24   <DIR>   d--------   c:\program files\Yahoo!
              2008-12-05 19:23 . 2008-12-05 19:25   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Yahoo!
              2008-12-05 19:21 . 2008-12-05 19:21   <DIR>   d--------   c:\program files\Adobe Media Player
              2008-12-05 19:17 . 2008-12-05 19:17   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
              2008-12-05 19:15 . 2008-12-05 19:15   <DIR>   d--------   c:\program files\Common Files\Macrovision Shared
              2008-12-05 19:11 . 2006-10-26 19:56   32,592   --a------   c:\windows\system32\msonpmon.dll
              2008-12-05 19:09 . 2008-12-05 19:09   <DIR>   d--------   c:\program files\MSBuild
              2008-12-05 19:09 . 2008-12-05 19:09   <DIR>   d--------   c:\program files\Microsoft Works
              2008-12-05 19:06 . 2008-12-05 19:09   <DIR>   d--------   c:\windows\SHELLNEW
              2008-12-05 19:05 . 2008-12-05 19:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Microsoft Help
              2008-12-05 19:03 . 2008-12-05 21:20   <DIR>   d--------   c:\documents and settings\Max\Application Data\Ahead
              2008-12-05 19:02 . 2008-12-05 19:02   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Ahead
              2008-12-05 19:01 . 2008-12-05 19:01   <DIR>   d--------   c:\program files\Nero
              2008-12-05 19:01 . 2008-12-05 19:02   <DIR>   d--------   c:\program files\Common Files\Ahead
              2008-12-05 19:01 . 2008-12-05 19:01   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Nero
              2008-12-05 18:48 . 2008-12-05 18:48   <DIR>   dr-h-----   C:\MSOCache
              2008-12-05 18:38 . 2008-12-05 18:38   <DIR>   d--------   c:\program files\Windows Media Connect 2
              2008-12-05 18:37 . 2008-12-05 18:37   <DIR>   d--------   C:\61bfea5f06dbd9346e53
              2008-12-05 18:36 . 2008-12-05 18:36   <DIR>   d--------   c:\windows\system32\LogFiles
              2008-12-05 18:36 . 2008-12-05 18:37   <DIR>   d--------   c:\windows\system32\drivers\UMDF
              2008-12-05 18:20 . 2008-12-05 18:20   <DIR>   d--------   c:\program files\uTorrent
              2008-12-05 18:20 . 2008-12-16 17:31   <DIR>   d--------   c:\documents and settings\Max\Application Data\uTorrent
              2008-12-05 17:45 . 2008-12-05 17:45   <DIR>   d--------   c:\documents and settings\Max\Application Data\AdobeUM
              2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\system32\scripting
              2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\system32\en
              2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\system32\bits
              2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\l2schemas
              2008-12-05 17:35 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\ServicePackFiles
              2008-12-05 17:30 . 2008-12-05 17:30   <DIR>   d--------   c:\windows\EHome
              2008-12-05 17:26 . 2008-12-05 17:26   13,646   --a------   c:\windows\system32\wpa.bak
              2008-12-05 17:24 . 2008-12-05 17:24   <DIR>   d--------   c:\windows\system32\Lang
              2008-12-05 17:24 . 2008-12-05 17:24   940,794   --a------   c:\windows\system32\LoopyMusic.wav
              2008-12-05 17:24 . 2008-12-05 17:24   146,650   --a------   c:\windows\system32\BuzzingBee.wav
              2008-12-05 10:48 . 2008-10-03 10:41   6,066,176   -----c---   c:\windows\system32\dllcache\ieframe.dll
              2008-12-05 10:48 . 2007-04-17 02:32   2,455,488   -----c---   c:\windows\system32\dllcache\ieapfltr.dat
              2008-12-05 10:48 . 2007-03-07 22:10   991,232   -----c---   c:\windows\system32\dllcache\ieframe.dll.mui
              2008-12-05 10:48 . 2008-08-26 00:24   459,264   -----c---   c:\windows\system32\dllcache\msfeeds.dll
              2008-12-05 10:48 . 2008-08-26 00:24   383,488   -----c---   c:\windows\system32\dllcache\ieapfltr.dll
              2008-12-05 10:48 . 2008-08-26 00:24   267,776   -----c---   c:\windows\system32\dllcache\iertutil.dll
              2008-12-05 10:48 . 2008-08-26 00:24   63,488   -----c---   c:\windows\system32\dllcache\icardie.dll
              2008-12-05 10:48 . 2008-08-26 00:24   52,224   -----c---   c:\windows\system32\dllcache\msfeedsbs.dll
              2008-12-05 10:48 . 2008-08-25 01:38   13,824   -----c---   c:\windows\system32\dllcache\ieudinit.exe
              2008-12-05 10:40 . 2008-12-05 10:40   0   --a------   c:\windows\nsreg.dat
              2008-12-05 10:37 . 2008-12-05 10:37   <DIR>   d--------   c:\program files\Alwil Software
              2008-12-05 10:33 . 2008-12-05 10:33   <DIR>   d--hs----   c:\documents and settings\Max\UserData
              2008-12-05 10:32 . 2008-08-14 03:11   2,189,184   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
              2008-12-05 10:32 . 2008-08-14 03:09   2,145,280   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
              2008-12-05 10:32 . 2008-08-14 02:33   2,066,048   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
              2008-12-05 10:32 . 2008-08-14 02:33   2,023,936   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
              2008-12-05 10:32 . 2008-09-15 05:12   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
              2008-12-05 10:32 . 2008-10-24 04:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
              2008-12-05 10:32 . 2008-09-08 03:41   333,824   -----c---   c:\windows\system32\dllcache\srv.sys
              2008-12-05 10:32 . 2008-06-13 04:05   272,128   ---------   c:\windows\system32\drivers\bthport.sys
              2008-12-05 10:32 . 2008-06-13 04:05   272,128   -----c---   c:\windows\system32\dllcache\bthport.sys
              2008-12-05 10:32 . 2008-05-08 07:02   203,136   -----c---   c:\windows\system32\dllcache\rmcast.sys
              2008-12-05 10:32 . 2008-08-14 03:04   138,496   -----c---   c:\windows\system32\dllcache\afd.sys
              2008-12-05 10:31 . 2008-12-05 10:49   <DIR>   d--h-----   c:\windows\$hf_mig$
              2008-12-05 10:31 . 2008-09-04 10:15   1,106,944   --a------   c:\windows\system32\SET1375.tmp
              2008-12-05 10:31 . 2008-04-11 12:04   691,712   -----c---   c:\windows\system32\dllcache\inetcomm.dll
              2008-12-05 10:31 . 2008-10-15 09:34   337,408   ---------   c:\windows\system32\SET1397.tmp

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2008-12-05 16:59   ---------   d-----w   c:\program files\microsoft frontpage
              2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
              2008-10-16 21:13   202,776   ----a-w   c:\windows\system32\wuweb.dll
              2008-10-16 21:13   1,809,944   ----a-w   c:\windows\system32\wuaueng.dll
              2008-10-16 21:12   561,688   ----a-w   c:\windows\system32\wuapi.dll
              2008-10-16 21:12   323,608   ----a-w   c:\windows\system32\wucltui.dll
              2008-10-16 21:09   92,696   ----a-w   c:\windows\system32\cdm.dll
              2008-10-16 21:09   51,224   ----a-w   c:\windows\system32\wuauclt.exe
              2008-10-16 21:09   43,544   ----a-w   c:\windows\system32\wups2.dll
              2008-10-16 21:08   34,328   ----a-w   c:\windows\system32\wups.dll
              .
              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
              2008-07-28 03:47   160496   --a------   c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
              "cdloader"="c:\documents and settings\Max\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
              "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
              "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
              "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
              "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
              "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
              "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
              "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
              "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
              "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
              "RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
              "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

              c:\documents and settings\All Users\Start Menu\Programs\Startup\
              HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
              "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
              "c:\\Program Files\\uTorrent\\uTorrent.exe"=
              "c:\\Documents and Settings\\Max\\Application Data\\mjusbsp\\magicJack.exe"=

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
              "5353:TCP"= 5353:TCP:Adobe CSI CS4

              R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-05 111184]
              R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
              R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-05 20560]
              S3 RTRSys;RTRSys;\??\c:\program files\XSoft\xworking\rsrsys.sys []

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{100bdf6f-c338-11dd-947f-00508dc3ce1f}]
              \Shell\AutoRun\command - G:\LaunchU3.exe -a

              [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25766375-c2b0-11dd-b39d-806d6172696f}]
              \Shell\AutoRun\command - D:\autorun.exe
              \Shell\phone\command - D:\autorun.exe

              *Newly Created Service* - PROCEXP90
              .
              Contents of the 'Scheduled Tasks' folder
              2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
              - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
              .
              - - - - ORPHANS REMOVED - - - -

              HKLM-Run-winxld - c:\program files\XSoft\xworking\xld.exe
              .
              ------- Supplementary Scan -------
              .
              uStart Page = hxxp://www.yahoo.com/
              mStart Page = hxxp://www.yahoo.com/
              IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

              c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
              O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
              hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
              c:\windows\Downloaded Program Files\DownloadManagerV2.inf
              FF - ProfilePath - c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\
              FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
              FF - plugin: c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\extensions\[email protected]\plugins\npTVUAx.dll
              FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
              .
              **************************************************************************
              catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2008-12-16 18:07:01
              Windows 5.1.2600 Service Pack 3 NTFS

              scanning hidden processes ...
              scanning hidden autostart entries ...
              scanning hidden files ...
              scan completed successfully
              hidden files: 0

              **************************************************************************
              .--------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(740)
              c:\program files\SUPERAntiSpyware\SASWINLO.dll
              .
              Completion time: 2008-12-16 18:08:13
              ComboFix-quarantined-files.txt  2008-12-17 01:08:03

              Pre-Run: 100,729,114,624 bytes free
              Post-Run: 100,737,097,728 bytes free

              WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
              [boot loader]
              timeout=2
              default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
              [operating systems]
              c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
              multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

              279   --- E O F ---   2008-12-06 00:41:27

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Calm like a bomb
              • Thanked: 493
              • Experience: Experienced
              • OS: Windows 11
              Re: Virus or malware. logs included
              « Reply #7 on: December 17, 2008, 03:30:34 PM »
Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
              KillAll::

              Folder::
              c:\program files\XSoft

              File::
              c:\windows\NV1364152.TMP
              c:\windows\system32\SET1375.tmp
              c:\windows\system32\SET1397.tmp

              Registry::
              [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25766375-c2b0-11dd-b39d-806d6172696f}]

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
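
The helper above chose the CFScript targets by reading the ComboFix log by hand: temp-named items under the Windows directories and autostart entries that point somewhere unusual. The following is an added example, not code from this thread, from ComboFix or from the helper, that does that first triage pass over ComboFix-style log text. It parses the "Files Created" rows and the Run-key rows of the "Reg Loading Points" section and returns a list of items to review. The sample log and the two heuristics (temp-named items under c:\windows, autostart targets inside a user profile) are my own constructions; the function names `parse_log` and `flag_suspicious` are not part of any tool.

```python
"""Triage pass over ComboFix-style log text (added example, not part of the
thread or of ComboFix).  Parses the "Files Created" table and the Run-key
lines of "Reg Loading Points", then flags entries a malware-removal helper
would look at first.  A hit is a review item, not a verdict."""
import re

# "Files Created" row:  created . modified   size|<DIR>   attrs   path
CREATED_RE = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+?)\s*$",
    re.IGNORECASE,
)
# Run-key row:  "name"="target" [date size]
RUN_RE = re.compile(r'^\s*"([^"]+)"="([^"]+)"\s*\[[^\]]*\]\s*$')

# Constructed sample in the same layout as the ComboFix output in this thread.
SAMPLE_LOG = r"""
2008-12-06 22:25 . 2008-12-07 02:17   <DIR>   d--------   c:\windows\NV1364152.TMP
2008-12-05 10:37 . 2008-12-05 10:37   <DIR>   d--------   c:\program files\Alwil Software
2008-12-05 10:31 . 2008-09-04 10:15   1,106,944   --a------   c:\windows\system32\SET1375.tmp
2008-12-05 10:31 . 2008-10-15 09:34   337,408   ---------   c:\windows\system32\SET1397.tmp
2008-12-05 17:26 . 2008-12-05 17:26   13,646   --a------   c:\windows\system32\wpa.bak

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Max\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"""

# Heuristics (assumptions of this example, not ComboFix rules).
WINDOWS_DIR = "c:\\windows\\"
TEMP_NAME_RE = re.compile(r"\.tmp$", re.IGNORECASE)
PROFILE_RE = re.compile(r"^c:\\documents and settings\\", re.IGNORECASE)


def parse_log(text):
    """Return (created_entries, run_entries) parsed from ComboFix-style text.

    Rows that match neither layout (section banners, Find3M rows, blanks)
    are ignored, so the whole log can be fed in unchanged."""
    created, runs = [], []
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            created_at, modified_at, size, attrs, path = m.groups()
            created.append({
                "created": created_at,
                "modified": modified_at,
                "is_dir": size == "<DIR>",
                "size": None if size == "<DIR>" else int(size.replace(",", "")),
                "attrs": attrs,
                "path": path,
            })
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append({"name": m.group(1), "target": m.group(2)})
    return created, runs


def flag_suspicious(created, runs):
    """Return (reason, item) pairs worth a second look.

    1. Files or folders with a .tmp/.TMP name anywhere under c:\\windows.
    2. Run-key targets that live inside a user profile instead of
       Program Files or Windows."""
    flagged = []
    for e in created:
        p = e["path"].lower()
        if p.startswith(WINDOWS_DIR) and TEMP_NAME_RE.search(p):
            flagged.append(("temp-named item under c:\\windows", e["path"]))
    for r in runs:
        if PROFILE_RE.match(r["target"]):
            flagged.append(("autostart target inside a user profile",
                            f'{r["name"]} -> {r["target"]}'))
    return flagged


if __name__ == "__main__":
    entries, run_keys = parse_log(SAMPLE_LOG)
    for reason, item in flag_suspicious(entries, run_keys):
        print(f"{reason}: {item}")
```

On the sample it flags the three temp-named items that the helper's CFScript removes and the `cdloader` autostart. The last one illustrates why hits are review items rather than deletions: the `mjusbsp` folder belongs to the magicJack software that also appears in the firewall exception list earlier in the thread, so a helper would clear it after checking, not delete it.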

              blufog

                Topic Starter


                Greenhorn

                Re: Virus or malware. logs included
                « Reply #8 on: December 17, 2008, 06:19:33 PM »
                Thanks again

                ComboFix 08-12-16.03 - Max 2008-12-17 18:02:04.2 - NTFSx86
                Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.212 [GMT -7:00]
                Running from: c:\documents and settings\Max\Desktop\ComboFix.exe
                Command switches used :: c:\documents and settings\Max\Desktop\CFScript.txt

                FILE ::
                c:\windows\NV1364152.TMP
                c:\windows\system32\SET1375.tmp
                c:\windows\system32\SET1397.tmp
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                c:\windows\system32\a.exe
                c:\windows\system32\hpvaut32.dll
                c:\windows\system32\hpvcp70.dll
                c:\windows\system32\hpvcr70.dll
                c:\windows\system32\SET1375.tmp
                c:\windows\system32\SET1397.tmp

                .
                (((((((((((((((((((((((((   Files Created from 2008-11-18 to 2008-12-18  )))))))))))))))))))))))))))))))
                .

                2008-12-17 17:58 . 2008-12-17 17:59   <DIR>   d--------   C:\32788R22FWJFW
                2008-12-17 17:54 . 2008-12-17 17:54   <DIR>   d--------   c:\program files\AC3Filter
                2008-12-17 17:54 . 2008-07-09 01:05   421,888   --a------   c:\windows\system32\ac3filter.acm
                2008-12-17 06:26 . 2008-12-17 06:26   <DIR>   d--------   c:\documents and settings\Rachel\Application Data\Yahoo!
                2008-12-15 21:18 . 2008-12-15 21:18   577,024   --a--c---   c:\windows\system32\dllcache\user32.dll
                2008-12-15 21:15 . 2008-12-15 21:16   <DIR>   d--------   c:\windows\ERUNT
                2008-12-15 21:12 . 2008-12-15 21:12   <DIR>   d--------   c:\documents and settings\Administrator
                2008-12-15 20:29 . 2008-12-15 22:39   <DIR>   d--------   C:\SDFix
                2008-12-15 07:06 . 2008-12-17 06:30   <DIR>   d--------   c:\documents and settings\Rachel
                2008-12-14 19:34 . 2008-12-14 19:34   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Office Genuine Advantage
                2008-12-14 13:29 . 2008-12-14 13:29   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
                2008-12-14 13:23 . 2008-12-14 13:23   <DIR>   d--------   c:\program files\CCleaner
                2008-12-14 05:58 . 2008-12-14 05:58   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                2008-12-14 05:57 . 2008-12-14 13:30   <DIR>   d--------   c:\program files\SUPERAntiSpyware
                2008-12-14 05:57 . 2008-12-14 13:30   <DIR>   d--------   c:\documents and settings\Max\Application Data\SUPERAntiSpyware.com
                2008-12-14 05:53 . 2008-12-14 05:53   <DIR>   d--------   c:\program files\Trend Micro
                2008-12-14 05:47 . 2008-12-15 00:16   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
                2008-12-14 05:47 . 2008-12-15 00:16   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                2008-12-14 05:31 . 2008-12-14 05:31   <DIR>   d--------   c:\documents and settings\Max\Application Data\Malwarebytes
                2008-12-14 05:31 . 2008-12-03 19:52   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
                2008-12-14 05:31 . 2008-12-03 19:52   15,504   --a------   c:\windows\system32\drivers\mbam.sys
                2008-12-14 05:30 . 2008-12-14 05:31   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
                2008-12-14 05:30 . 2008-12-14 05:30   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
                2008-12-13 20:11 . 2008-04-13 17:12   159,232   --a------   c:\windows\system32\ptpusd.dll
                2008-12-13 20:11 . 2001-08-17 22:36   5,632   --a------   c:\windows\system32\ptpusb.dll
                2008-12-13 19:51 . 2008-10-16 14:06   268,648   --a------   c:\windows\system32\mucltui.dll
                2008-12-13 19:51 . 2008-10-16 14:06   208,744   --a------   c:\windows\system32\muweb.dll
                2008-12-13 19:51 . 2008-10-16 14:06   27,496   --a------   c:\windows\system32\mucltui.dll.mui
                2008-12-13 11:36 . 2008-12-17 17:58   69   --a------   c:\windows\NeroDigital.ini
                2008-12-12 18:39 . 2008-12-15 07:01   <DIR>   d--------   c:\documents and settings\Max\Application Data\mjusbsp
                2008-12-12 18:38 . 2008-04-13 11:45   60,032   --a------   c:\windows\system32\drivers\USBAUDIO.sys
                2008-12-12 18:38 . 2008-04-13 11:45   60,032   --a--c---   c:\windows\system32\dllcache\usbaudio.sys
                2008-12-09 20:19 . 2008-12-09 20:47   <DIR>   d--------   c:\documents and settings\Max\Application Data\Download Manager
                2008-12-08 06:30 . 2008-12-16 17:19   3,400   --a------   c:\windows\system32\winxtm.dll
                2008-12-07 15:35 . 2000-05-22 06:00   647,872   --a------   c:\windows\system32\mscomct2.ocx
                2008-12-07 15:35 . 2004-03-09 00:00   224,016   --a------   c:\windows\system32\tabctl32.ocx
                2008-12-07 15:35 . 2004-03-09 16:45   152,848   --a------   c:\windows\system32\Comdlg32.ocx
                2008-12-07 15:34 . 2008-12-07 15:34   <DIR>   d--------   c:\program files\AML Products
                2008-12-06 22:26 . 2008-09-17 23:55   201,050   --a------   c:\windows\system32\nvapps.nvb
                2008-12-06 22:25 . 2008-12-07 02:17   <DIR>   d--------   c:\windows\NV1364152.TMP
                2008-12-06 21:50 . 2008-12-06 21:51   <DIR>   d--------   c:\documents and settings\Guest
                2008-12-06 20:38 . 2008-12-06 20:38   <DIR>   d--------   c:\documents and settings\Max\LocalLow
                2008-12-06 20:38 . 2008-12-06 20:38   <DIR>   d--------   c:\documents and settings\All Users\Application Data\TVU Networks
                2008-12-06 20:17 . 2008-12-06 22:02   <DIR>   d--------   c:\program files\WMCap
                2008-12-06 18:36 . 2008-12-06 19:51   <DIR>   d--------   C:\downloads
                2008-12-06 18:36 . 2008-12-06 20:11   <DIR>   d--------   c:\documents and settings\Max\Application Data\Orbit
                2008-12-06 18:36 . 2008-12-06 18:36   <DIR>   d--------   c:\documents and settings\Max\Application Data\GrabPro
                2008-12-06 14:42 . 2008-12-06 14:42   <DIR>   d--h-----   c:\windows\PIF
                2008-12-06 12:14 . 2008-12-06 12:14   <DIR>   d--------   c:\documents and settings\Max\Application Data\Apple Computer
                2008-12-06 12:10 . 2008-12-06 12:11   <DIR>   d--------   c:\program files\QuickTime
                2008-12-06 12:10 . 2008-12-06 12:13   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple Computer
                2008-12-06 12:08 . 2008-12-06 12:09   <DIR>   d--------   c:\program files\Apple Software Update
                2008-12-06 12:08 . 2008-12-06 12:08   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Apple
                2008-12-06 09:10 . 2004-02-25 23:18   51,056   -ra------   c:\windows\system32\drivers\hpzid412.sys
                2008-12-06 09:10 . 2004-02-25 23:18   16,496   -ra------   c:\windows\system32\drivers\HPZipr12.sys
                2008-12-06 09:09 . 2004-02-25 23:18   21,488   -ra------   c:\windows\system32\drivers\HPZius12.sys
                2008-12-06 09:09 . 2008-04-13 11:45   15,104   --a------   c:\windows\system32\drivers\usbscan.sys
                2008-12-06 09:09 . 2008-04-13 11:45   15,104   --a--c---   c:\windows\system32\dllcache\usbscan.sys
                2008-12-06 09:04 . 2003-12-11 11:15   44,544   -ra------   c:\windows\system32\MSXML4a.dll
                2008-12-06 09:03 . 2008-12-06 09:03   <DIR>   d--------   c:\program files\Common Files\Hewlett-Packard
                2008-12-06 08:56 . 2008-12-06 08:56   <DIR>   d--------   c:\program files\Common Files\HP
                2008-12-06 08:53 . 2008-12-06 08:55   <DIR>   d--------   c:\windows\system32\URTTemp
                2008-12-06 08:47 . 2008-12-06 09:04   <DIR>   d--------   c:\program files\HP
                2008-12-06 08:46 . 2004-02-25 23:17   38,868   ---------   c:\windows\hpomdl03.dat
                2008-12-06 08:46 . 2008-12-06 09:12   29,358   --a------   c:\windows\hpoins03.dat
                2008-12-05 20:10 . 2008-12-14 13:27   <DIR>   d--------   c:\documents and settings\Max\Application Data\U3
                2008-12-05 19:29 . 2008-12-05 19:29   <DIR>   d--------   c:\documents and settings\All Users\Application Data\FLEXnet
                2008-12-05 19:24 . 2008-12-05 19:24   <DIR>   d--------   c:\documents and settings\Max\Application Data\Yahoo!
                2008-12-05 19:24 . 2008-12-06 04:47   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Yahoo! Companion
                2008-12-05 19:23 . 2008-12-05 19:24   <DIR>   d--------   c:\program files\Yahoo!
                2008-12-05 19:23 . 2008-12-05 19:25   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Yahoo!
                2008-12-05 19:21 . 2008-12-05 19:21   <DIR>   d--------   c:\program files\Adobe Media Player
                2008-12-05 19:17 . 2008-12-05 19:17   <DIR>   d--------   c:\program files\Common Files\Adobe AIR
                2008-12-05 19:15 . 2008-12-05 19:15   <DIR>   d--------   c:\program files\Common Files\Macrovision Shared
                2008-12-05 19:11 . 2006-10-26 19:56   32,592   --a------   c:\windows\system32\msonpmon.dll
                2008-12-05 19:09 . 2008-12-05 19:09   <DIR>   d--------   c:\program files\MSBuild
                2008-12-05 19:09 . 2008-12-05 19:09   <DIR>   d--------   c:\program files\Microsoft Works
                2008-12-05 19:06 . 2008-12-05 19:09   <DIR>   d--------   c:\windows\SHELLNEW
                2008-12-05 19:05 . 2008-12-05 19:11   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Microsoft Help
                2008-12-05 19:03 . 2008-12-05 21:20   <DIR>   d--------   c:\documents and settings\Max\Application Data\Ahead
                2008-12-05 19:02 . 2008-12-05 19:02   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Ahead
                2008-12-05 19:01 . 2008-12-05 19:01   <DIR>   d--------   c:\program files\Nero
                2008-12-05 19:01 . 2008-12-05 19:02   <DIR>   d--------   c:\program files\Common Files\Ahead
                2008-12-05 19:01 . 2008-12-05 19:01   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Nero
                2008-12-05 18:48 . 2008-12-05 18:48   <DIR>   dr-h-----   C:\MSOCache
                2008-12-05 18:38 . 2008-12-05 18:38   <DIR>   d--------   c:\program files\Windows Media Connect 2
                2008-12-05 18:37 . 2008-12-05 18:37   <DIR>   d--------   C:\61bfea5f06dbd9346e53
                2008-12-05 18:36 . 2008-12-05 18:36   <DIR>   d--------   c:\windows\system32\LogFiles
                2008-12-05 18:36 . 2008-12-05 18:37   <DIR>   d--------   c:\windows\system32\drivers\UMDF
                2008-12-05 18:20 . 2008-12-05 18:20   <DIR>   d--------   c:\program files\uTorrent
                2008-12-05 18:20 . 2008-12-17 17:54   <DIR>   d--------   c:\documents and settings\Max\Application Data\uTorrent
                2008-12-05 17:45 . 2008-12-05 17:45   <DIR>   d--------   c:\documents and settings\Max\Application Data\AdobeUM
                2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\system32\scripting
                2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\system32\en
                2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\system32\bits
                2008-12-05 17:37 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\l2schemas
                2008-12-05 17:35 . 2008-12-05 17:37   <DIR>   d--------   c:\windows\ServicePackFiles
                2008-12-05 17:30 . 2008-12-05 17:30   <DIR>   d--------   c:\windows\EHome
                2008-12-05 17:26 . 2008-12-05 17:26   13,646   --a------   c:\windows\system32\wpa.bak
                2008-12-05 17:24 . 2008-12-05 17:24   <DIR>   d--------   c:\windows\system32\Lang
                2008-12-05 17:24 . 2008-12-05 17:24   940,794   --a------   c:\windows\system32\LoopyMusic.wav
                2008-12-05 17:24 . 2008-12-05 17:24   146,650   --a------   c:\windows\system32\BuzzingBee.wav
                2008-12-05 10:48 . 2008-10-03 10:41   6,066,176   -----c---   c:\windows\system32\dllcache\ieframe.dll
                2008-12-05 10:48 . 2007-04-17 02:32   2,455,488   -----c---   c:\windows\system32\dllcache\ieapfltr.dat
                2008-12-05 10:48 . 2007-03-07 22:10   991,232   -----c---   c:\windows\system32\dllcache\ieframe.dll.mui
                2008-12-05 10:48 . 2008-08-26 00:24   459,264   -----c---   c:\windows\system32\dllcache\msfeeds.dll
                2008-12-05 10:48 . 2008-08-26 00:24   383,488   -----c---   c:\windows\system32\dllcache\ieapfltr.dll
                2008-12-05 10:48 . 2008-08-26 00:24   267,776   -----c---   c:\windows\system32\dllcache\iertutil.dll
                2008-12-05 10:48 . 2008-08-26 00:24   63,488   -----c---   c:\windows\system32\dllcache\icardie.dll
                2008-12-05 10:48 . 2008-08-26 00:24   52,224   -----c---   c:\windows\system32\dllcache\msfeedsbs.dll
                2008-12-05 10:48 . 2008-08-25 01:38   13,824   -----c---   c:\windows\system32\dllcache\ieudinit.exe
                2008-12-05 10:40 . 2008-12-05 10:40   0   --a------   c:\windows\nsreg.dat
                2008-12-05 10:37 . 2008-12-05 10:37   <DIR>   d--------   c:\program files\Alwil Software
                2008-12-05 10:33 . 2008-12-05 10:33   <DIR>   d--hs----   c:\documents and settings\Max\UserData
                2008-12-05 10:32 . 2008-08-14 03:11   2,189,184   -----c---   c:\windows\system32\dllcache\ntoskrnl.exe
                2008-12-05 10:32 . 2008-08-14 03:09   2,145,280   -----c---   c:\windows\system32\dllcache\ntkrnlmp.exe
                2008-12-05 10:32 . 2008-08-14 02:33   2,066,048   -----c---   c:\windows\system32\dllcache\ntkrnlpa.exe
                2008-12-05 10:32 . 2008-08-14 02:33   2,023,936   -----c---   c:\windows\system32\dllcache\ntkrpamp.exe
                2008-12-05 10:32 . 2008-09-15 05:12   1,846,400   -----c---   c:\windows\system32\dllcache\win32k.sys
                2008-12-05 10:32 . 2008-10-24 04:21   455,296   -----c---   c:\windows\system32\dllcache\mrxsmb.sys
                2008-12-05 10:32 . 2008-09-08 03:41   333,824   -----c---   c:\windows\system32\dllcache\srv.sys
                2008-12-05 10:32 . 2008-06-13 04:05   272,128   ---------   c:\windows\system32\drivers\bthport.sys
                2008-12-05 10:32 . 2008-06-13 04:05   272,128   -----c---   c:\windows\system32\dllcache\bthport.sys
                2008-12-05 10:32 . 2008-05-08 07:02   203,136   -----c---   c:\windows\system32\dllcache\rmcast.sys
                2008-12-05 10:32 . 2008-08-14 03:04   138,496   -----c---   c:\windows\system32\dllcache\afd.sys

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2008-12-05 16:59   ---------   d-----w   c:\program files\microsoft frontpage
                2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
                .

                (((((((((((((((((((((((((((((   snapshot@2008-12-16_18.07.40.07   )))))))))))))))))))))))))))))))))))))))))
                .
                + 2008-12-18 01:09:09   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_5a8.dat
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
                2008-07-28 03:47   160496   --a------   c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
                "cdloader"="c:\documents and settings\Max\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
                "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
                "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
                "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
                "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
                "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
                "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
                "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
                "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
                "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
                "RTHDCPL"="RTHDCPL.EXE" [2006-09-05 c:\windows\RTHDCPL.exe]
                "nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                "msacm.ac3filter"= ac3filter.acm

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
                "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                "c:\\Program Files\\uTorrent\\uTorrent.exe"=
                "c:\\Documents and Settings\\Max\\Application Data\\mjusbsp\\magicJack.exe"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                "5353:TCP"= 5353:TCP:Adobe CSI CS4

                R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-05 111184]
                R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
                R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-05 20560]
                S3 RTRSys;RTRSys;\??\c:\program files\XSoft\xworking\rsrsys.sys []

                [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{100bdf6f-c338-11dd-947f-00508dc3ce1f}]
                \Shell\AutoRun\command - G:\LaunchU3.exe -a
                .
                Contents of the 'Scheduled Tasks' folder

                2008-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
                - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 13:42]
                .
                .
                ------- Supplementary Scan -------
                .
                uStart Page = hxxp://www.yahoo.com/
                mStart Page = hxxp://www.yahoo.com/
                IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

                c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
                O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
                hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
                c:\windows\Downloaded Program Files\DownloadManagerV2.inf
                FF - ProfilePath - c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\
                FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
                FF - plugin: c:\documents and settings\Max\Application Data\Mozilla\Firefox\Profiles\rs7cm6er.default\extensions\[email protected]\plugins\npTVUAx.dll
                FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
                .

                **************************************************************************

                catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2008-12-17 18:09:52
                Windows 5.1.2600 Service Pack 3 NTFS

                scanning hidden processes ...

                scanning hidden autostart entries ...

                scanning hidden files ...


                c:\windows\system32\hpvaut32.dll 626960 bytes executable
                c:\windows\system32\hpvcp70.dll 487424 bytes executable
                c:\windows\system32\hpvcr70.dll 344064 bytes executable

                scan completed successfully
                hidden files: 3

                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(748)
                c:\program files\SUPERAntiSpyware\SASWINLO.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\program files\Alwil Software\Avast4\aswUpdSv.exe
                c:\program files\Alwil Software\Avast4\ashServ.exe
                c:\windows\system32\nvsvc32.exe
                c:\program files\Alwil Software\Avast4\ashMaiSv.exe
                c:\program files\Alwil Software\Avast4\ashWebSv.exe
                c:\windows\system32\wscntfy.exe
                c:\windows\system32\rundll32.exe
                c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
                c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
                .
                **************************************************************************
                .
                Completion time: 2008-12-17 18:15:57 - machine was rebooted
                ComboFix-quarantined-files.txt  2008-12-18 01:15:54
                ComboFix2.txt  2008-12-17 01:08:14

                Pre-Run: 99,536,203,776 bytes free
                Post-Run: 99,528,687,616 bytes free

                258   --- E O F ---   2008-12-06 00:41:27
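The "Reg Loading Points" section of the ComboFix log above (Run keys, services, the firewall policy and the mountpoints2 AutoRun entry) is the part a helper reads first. The script below is an added example, not part of this thread and not ComboFix's own code: it parses those entry formats and applies a few triage heuristics to a sample built from the entries shown in the log. The rules, severities and user-writable path markers are assumptions chosen for illustration; a hit means "a human should look at this", not "malicious". For instance, the cdloader entry is flagged only because it lives under Application Data, and the same mjusbsp folder appears in the firewall exceptions as magicJack.exe.

```python
"""Triage heuristics for the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from the forum post or from ComboFix. The sample
below is constructed from entries shown in the log on this page so the
script runs offline; the heuristics are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the Run keys, firewall policy, services
# and mountpoints2 entry from the posted log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 152872]
"cdloader"="c:\documents and settings\Max\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-05 111184]
S3 RTRSys;RTRSys;\??\c:\program files\XSoft\xworking\rsrsys.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{100bdf6f-c338-11dd-947f-00508dc3ce1f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

# Line shapes used by the log (assumed from the entries above).
SECTION = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?')
SERVICE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<value>\d+)')
AUTORUN = re.compile(r'^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$')

# Assumed markers for locations a non-admin user can write to.
USER_WRITABLE = ("documents and settings\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    kind: str      # "run", "service", "firewall" or "autorun"
    section: str   # registry key the entry was listed under
    name: str      # value name, service name, or a fixed label
    path: str      # binary path or AutoRun command
    meta: str      # bracketed date/size text, or the firewall value


def parse_loading_points(text: str) -> list:
    """Turn the loading-points text into Entry records, in log order."""
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("key")
            continue
        m = FIREWALL.match(line)
        if m:
            entries.append(Entry("firewall", section, "EnableFirewall", "", m.group("value")))
            continue
        m = RUN_VALUE.match(line)
        if m:
            entries.append(Entry("run", section, m.group("name"), m.group("path"), m.group("meta") or ""))
            continue
        m = SERVICE.match(line)
        if m:
            entries.append(Entry("service", section, m.group("name"), m.group("path"), m.group("meta")))
            continue
        m = AUTORUN.match(line)
        if m:
            entries.append(Entry("autorun", section, "AutoRun", m.group("cmd"), ""))
    return entries


def triage(entries: list) -> list:
    """Return (severity, name, reason) tuples for entries worth a manual look."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.kind == "firewall" and e.meta == "0":
            findings.append(("high", e.name, "Windows Firewall disabled for this profile"))
        elif e.kind == "autorun":
            findings.append(("medium", e.name, "removable-drive AutoRun command: " + e.path))
        elif e.kind in ("run", "service"):
            if any(marker in low for marker in USER_WRITABLE):
                findings.append(("medium", e.name, "autostart binary lives in a user-writable profile path"))
            if e.kind == "service" and e.meta == "":
                findings.append(("medium", e.name, "service file has no attributes recorded (likely missing on disk)"))
            if e.kind == "run" and "\\" not in e.path:
                findings.append(("low", e.name, "bare file name, resolved through the search path at logon"))
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"[{severity:6}] {name}: {reason}")
```

Feed it the whole loading-points block from a real log by replacing SAMPLE_LOG; anything the regexes do not recognise (BHOs, ShellExecuteHooks, firewall exception lists) is simply skipped, which is the safe default for a parser that only raises questions.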

                evilfantasy
                • Malware Removal Specialist
                • Moderator
                Re: Virus or malware. logs included
                « Reply #9 on: December 17, 2008, 06:21:06 PM »
                  • Click START then RUN
                  • Now type Combofix /u in the runbox
                  • Make sure there's a space between Combofix and /u
                  • Then hit Enter.
                  The above procedure will:
                    • Delete ComboFix and its associated files and folders.
                    • Reset the clock settings.
                    • Hide file extensions, if required.
                    • Hide System/Hidden files, if required.
                    • Set a new, clean Restore Point.
                  ----------

                Download ATF Cleaner by Atribune to your Desktop.

                Alternate download link

                Note: Vista users must use Run As Administrator
                • Under Main: Select Files to Delete choose: Select All.
                • Click the Empty Selected button.
                • If you use Firefox browser click Firefox at the top and choose: Select All
                • Click the Empty Selected button.
                  If you would like to keep your saved passwords click No at the prompt.
                • If you use Opera browser click Opera at the top and choose: Select All
                • Click the Empty Selected button.
                  If you would like to keep your saved passwords click No at the prompt.
                • Click Exit on the Main menu to close the program.
                Note that your system will run slower for a reboot or two after having used this tool so don't panic.
                ----------

                Download OTCleanIt.exe and save it to your Desktop.
                • Double-click OTCleanIt.exe.
                • Click the CleanUp! button.
                • Select Yes when the "Begin cleanup Process?" prompt appears.
                • If you are prompted to Reboot during the cleanup, select Yes.
                • The tool will delete itself once it finishes, if not delete it yourself.
                Important: Restart the computer before continuing.

                ----------

                How is the computer running now?

                blufog (Topic Starter)
                  Re: Virus or malware. logs included
                  « Reply #10 on: December 17, 2008, 06:45:22 PM »
                  Much, much better.

                  Thank you for all your assistance. I can see the virus is gone because the computer recognizes my avast software now. Thanks again.

                  evilfantasy
                  • Malware Removal Specialist
                  • Moderator
                  Re: Virus or malware. logs included
                  « Reply #11 on: December 17, 2008, 07:04:31 PM »
                  Sounds good.

                  Final suggestions.

                  Use the Secunia Software Inspector to check for out of date software.
                  • Click Start Now
                  • Check the box next to Enable thorough system inspection.
                  • Click Start
                  • Allow the scan to finish and scroll down to see if any updates are needed.
                  • Update anything listed.
                  ----------

                  Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                  Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                  To prevent unknown applications from being installed on your computer install WinPatrol 2008
                  * Using Winpatrol to protect your computer from malicious software

                  I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.