Warning: Spyware threat has been detected on you PC

[ME2008]

Hi. I've been having this problem with the blue desktop that says Warning: Spyware threat has been detected on you PC. If anyone can help, that would be great. Thanks.

 

[kritius]

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please Attach the log into your next reply.
• If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Download and Run ComboFix

• Download this file to your desktop from either of the two below listed places :
  
  HERE or HERE
  
• Then double click combofix.exe & follow the prompts.
• When finished, it shall produce a log for you. Attach that log in your next reply

WARNING: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

HighjackThis Instructions

• Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
• Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
• After installing, the program launches automatically, select Scan now and save a log
• After the scan is complete attach the log into your reply.

Do not attempt to fix any item yet.
Do not add anything to the ignore list.
Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.

 

[ME2008]

This is the Malwarebytes' Anti-Malware Log (Part 1):

Malwarebytes' Anti-Malware 1.11
Database version: 666

Scan type: Full Scan (C:\|)
Objects scanned: 107868
Time elapsed: 1 hour(s), 12 minute(s), 30 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 2
Registry Keys Infected: 36
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 81

Memory Processes Infected:
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> Unloaded process successfully.
C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> Unloaded process successfully.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Unloaded module successfully.
C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15651c7c-e812-44a2-a9ac-b467a2233e7d} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622cc208-b014-4fe0-801b-874a5e5e403a} (Adware.123Mania) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c5b2f29-1f46-4639-a6b4-828942301d3e} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ffff0001-0002-101a-a3c9-08002b2f49fb} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c} (Fake.Dropped.Malware.Renos) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{1212bcb8-67dd-475e-8025-9d2198fb8f61} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8334a30c-49e5-489a-b63d-5b927c1ef46e} (Adware.AdBand) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ism (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MsSecurity1.209.4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BATCO (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgmon (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\PerfInfo (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\Bat (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\ISM (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Start Menu\Programs\Internet Speed Monitor (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\Bat\X_Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Common\ruranadq.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Bat\Bat.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temp\BatSetup.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temp\fibuzobu.exe.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temp\syswcc32.exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\PNNFT50E\syswcc32[1].exe (Adware.Webhancer) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\ULDABITG\BatSetup[1].exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temporary Internet Files\Content.IE5\ULDABITG\msiexec[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.exe (Adware.Rabio) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089030.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089040.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089045.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089052.dll (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089057.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089069.exe (Adware.Batco) -> Quarantined and deleted successfully.

 

[ME2008]

This is the Malwarebytes' Anti-Malware Log (Part 2):

C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089096.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0090347.exe (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\QdrDrive15.dll (Adware.AdBand) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089070.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{176631CA-1F51-4A69-8B5F-0EC5EA005914}\RP138\A0089089.exe (Adware.WebHancer) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive\qdrloader.exe (Adware.AdBand) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.dll.intermediate.manifest (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.info (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Bat.original (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\Info.dll (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\un_BatSetup_15041.txt (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\Bat\X_Bat.log (Adware.Batco) -> Quarantined and deleted successfully.
C:\Program Files\ISM\ism.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\ISM\Uninstall.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\dicy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\kwdy.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\pckr.dat (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrModule\QdrModule15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\dicts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\QdrPack15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Program Files\QdrPack\trgts.gz (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk (Adware.AdSponsor) -> Quarantined and deleted successfully.
C:\WINDOWS\winself.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kavo0.dll (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\000060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\mssvr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\stcloader.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\2020search2.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\apphelp32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Local Settings\Temp\ismtpa15.exe (Adware.ISM) -> Quarantined and deleted successfully.
C:\Documents and Settings\m\Start Menu\Programs\Startup\Bat - Auto Update.lnk (Adware.Batco) -> Quarantined and deleted successfully.

 

[ME2008]

This is the ComboFix Log (Part 1):

ComboFix 08-04-20.5 - m 2008-04-21 17:02:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.153 [GMT -5:00]
Running from: C:\Documents and Settings\m\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\default.htm
C:\WINDOWS\Downloaded Program Files\setup.inf

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 14:43 . 2008-04-21 14:43 <DIR> d-------- C:\Documents and Settings\m\Application Data\Malwarebytes
2008-04-21 14:42 . 2008-04-21 15:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 14:42 . 2008-04-21 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 14:34 . 2008-04-21 16:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-21 14:34 . 2008-04-21 14:34 <DIR> d-------- C:\Documents and Settings\m\Application Data\SUPERAntiSpyware.com
2008-04-21 14:34 . 2008-04-21 14:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-21 13:23 . 2008-04-21 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Common
2008-04-21 13:07 . 2008-04-21 13:07 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-21 13:07 . 2008-04-21 13:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-21 13:06 . 2008-04-21 14:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 11:34 . 2008-04-21 15:53 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-21 11:32 . 2008-04-21 11:35 <DIR> d-------- C:\Documents and Settings\m\Application Data\AVG7
2008-04-21 11:32 . 2008-04-21 11:32 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-21 11:30 . 2008-04-21 11:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-20 23:12 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-20 23:12 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-20 23:12 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-20 23:12 . 2008-04-20 00:38 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-20 23:12 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-20 23:12 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-20 23:12 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-20 23:12 . 2008-04-20 23:13 1,298 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-20 23:09 . 2008-04-20 23:09 174 --a------ C:\WINDOWS\wininit.ini
2008-04-20 22:39 . 2008-04-20 22:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-20 22:39 . 2008-04-20 23:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-20 22:33 . 2008-04-21 11:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-20 22:33 . 2008-04-21 17:02 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-04-19 22:29 . 2008-04-19 22:29 <DIR> d-------- C:\Documents and Settings\m\Application Data\Grisoft
2008-04-19 22:29 . 2007-05-30 07:10 10,872 --a------

 

[ME2008]

This is the ComboFix Log (Part 2):

C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-04-19 22:04 . 2008-04-19 22:04 <DIR> d-------- C:\WINDOWS\mgwwgmke
2008-04-19 22:04 . 2008-04-21 16:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\otizadkp
2008-04-19 22:03 . 2008-04-19 22:03 192,512 --a------ C:\WINDOWS\vufcbedi.dll
2008-04-19 22:03 . 2008-04-19 22:03 65,024 --a------ C:\WINDOWS\bajonglo.dll
2008-04-19 22:03 . 2008-04-19 22:03 65,024 --a------ C:\Documents and Settings\All Users\Application Data\sxidyjen.dll
2008-04-19 22:02 . 2008-04-20 22:22 138 -r-hs---- C:\WINDOWS\mainms.vpi
2008-04-19 22:02 . 2008-04-21 11:23 33 -r-hs---- C:\WINDOWS\muotr.so
2008-04-19 22:02 . 2008-04-20 23:27 4 --------- C:\WINDOWS\megavid.cdt
2008-04-19 22:01 . 2008-04-19 22:01 6,656 --a------ C:\WINDOWS\ons.dll
2008-04-11 11:27 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-04-11 11:27 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-09 09:55 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-04-09 09:55 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-04-09 09:54 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-04-09 09:54 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-04-07 11:36 . 2008-04-07 11:36 244 --ah----- C:\sqmnoopt19.sqm
2008-04-07 11:36 . 2008-04-07 11:36 232 --ah----- C:\sqmdata19.sqm
2008-04-07 11:34 . 2008-04-07 11:34 244 --ah----- C:\sqmnoopt18.sqm
2008-04-07 11:34 . 2008-04-07 11:34 232 --ah----- C:\sqmdata18.sqm
2008-04-05 10:36 . 2008-04-07 13:07 <DIR> d-------- C:\Documents and Settings\m\Application Data\SecondLife

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 16:32 --------- d-----w C:\Program Files\BitComet
2008-04-21 16:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-18 23:11 --------- d-----w C:\Documents and Settings\m\Application Data\LimeWire
2008-04-18 21:24 --------- d-----w C:\Program Files\Viewpoint
2008-04-18 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-17 13:19 --------- d-----w C:\Documents and Settings\m\Application Data\U3
2008-03-11 20:43 --------- d-----w C:\Documents and Settings\m\Application Data\dvdcss
2008-03-08 21:38 --------- d-----w C:\Program Files\Photo Recovery
2008-03-08 21:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-08 21:37 --------- d-----w C:\Program Files\FreeUndelete
2008-03-08 18:50 --------- d-----w C:\Program Files\DiskInternals
2008-03-08 18:28 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-03-08 18:28 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-24 01:24 8 ----a-w C:\Documents and Settings\m\Application Data\usb.dat.bin
.

------- Sigcheck -------

2002-08-29 03:41 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-03 23:56 1134080 0657a5b234a9abb3f0b63e2f422220b5 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2004-08-03 23:56 1134080 0657a5b234a9abb3f0b63e2f422220b5 C:\WINDOWS\system32\wininet.dll

2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-12-21 12:33 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\dllcache\tcpip.sys
2007-12-21 12:33 359040 c81d6a930a7805f6daa0c7902b99037e C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 23:56 3194368 5ef48912206ff9225ba9cb3d26917db1 C:\WINDOWS\explorer.exe
2002-08-29 03:41 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 3194368 5ef48912206ff9225ba9cb3d26917db1 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe" [2006-05-14 15:47 344064]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:56 1667584]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34 3084288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2007-01-13 08:47 131072]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2007-01-13 08:47 163840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 11:31 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-21 11:31 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-03 23:56 48128 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\m\Start Menu\Programs\Startup\
RocketDock.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe [2006-05-14 15:47:48 344064]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe [2006-02-05 07:20:14 180224]
Y'z Shadow.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe [2002-09-30 14:09:06 131072]
Y'z Toolbar.lnk - C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe [2002-09-29 07:41:10 90112]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMPro]
C:\Program Files\AIM\AIM Pro\aimpro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-26 23:47 31016 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kava]
C:\WINDOWS\system32\kavo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-01-13 08:46 135168 C:\WINDOWS\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Runonce]
C:\WINDOWS\smss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-19 18:34 3084288 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AddFiltr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19794:TCP"= 19794:TCP:BitComet 19794 TCP
"19794:UDP"= 19794:UDP:BitComet 19794 UDP

 

[ME2008]

This is the ComboFix Log (Part 2):


R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S3 PentaxUsb;PENTAX Optio E10 on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-11-24 14:34]
S3 PentaxVc;PENTAX Optio E10 Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2004-11-24 14:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d3b0d2e-a41f-11dc-b60e-001a730fbf3a}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d3b0d2f-a41f-11dc-b60e-001a730fbf3a}]
\Shell\Auto\command - G:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{166594d7-68af-11dc-b5c2-001a730fbf3a}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a909ce2-0c08-11dd-b71b-001a730fbf3a}]
\Shell\AutoRun\command - E:\2y8la.exe
\Shell\explore\Command - E:\2y8la.exe
\Shell\open\Command - E:\2y8la.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31f979c6-ed23-11dc-b6da-001a730fbf3a}]
\Shell\AutoRun\command - F:\m6dqm2vd.exe
\Shell\explore\Command - F:\m6dqm2vd.exe
\Shell\open\Command - F:\m6dqm2vd.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361a856c-db27-11dc-b69d-001a730fbf3a}]
\Shell\AutoRun\command - E:\p3r1ud.exe
\Shell\explore\Command - E:\p3r1ud.exe
\Shell\open\Command - E:\p3r1ud.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397b992c-f9d0-11dc-b6f3-001a730fbf3a}]
\Shell\AutoRun\command - E:\u3dsc.com
\Shell\explore\Command - E:\u3dsc.com
\Shell\open\Command - E:\u3dsc.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3da8288e-8b12-11dc-b5fa-001a730fbf3a}]
\Shell\Auto\command - F:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d9f4f66-6bb4-11dc-b5d4-001a730fbf3a}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e02a518-96b7-11dc-b5ff-001a730fbf3a}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4e02a51a-96b7-11dc-b5ff-001a730fbf3a}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bb6a51f-da5b-11dc-b69b-001a730fbf3a}]
\Shell\AutoRun\command - E:\p3r1ud.exe
\Shell\explore\Command - E:\p3r1ud.exe
\Shell\open\Command - E:\p3r1ud.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{892e865c-72a6-11dc-b5df-001a730fbf3a}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91777ed1-6c85-11dc-b5d7-001a730fbf3a}]
\Shell\AutoRun\command - E:\c.com
\Shell\explore\Command - E:\c.com
\Shell\open\Command - E:\c.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9f6e86-00f8-11dd-b703-001a730fbf3a}]
\Shell\AutoRun\command - E:\30ed3.exe
\Shell\explore\Command - E:\30ed3.exe
\Shell\open\Command - E:\30ed3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a78b04bb-6eb6-11dc-b5da-001a730fbf3a}]
\Shell\Auto\command - F:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b55d257e-2f38-11dd-b700-001a730fbf3a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b92485b6-7033-11dc-b5db-001a730fbf3a}]
\Shell\Auto\command - F:\Cn911.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Cn911.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2010c4a-707d-11dc-b5dd-001a730fbf3a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c4e5f5aa-68aa-11dc-b5be-0016d4a6bd85}]
\Shell\Auto\command - G:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d16abb0c-ce7e-11dc-b664-001a730fbf3a}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d16abb0d-ce7e-11dc-b664-001a730fbf3a}]
\Shell\Autoplay\Command - F:\smss.exe
\Shell\AutoRun\command - F:\smss.exe
\Shell\Explore\Command - F:\smss.exe
\Shell\Open\Command - F:\smss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1d7460d-07cc-11dd-b712-001a730fbf3a}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL NETSVCS.EXE
\Shell\é_†™\command - E:\NETSVCS.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8ba89cc-af4a-11dc-b61f-001a730fbf3a}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8ba89cd-af4a-11dc-b61f-001a730fbf3a}]
\Shell\Auto\command - G:\sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd270dc-a2a7-11dc-b60c-001a730fbf3a}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fdd270de-a2a7-11dc-b60c-001a730fbf3a}]
\Shell\Auto\command - H:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-09 16:26:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 17:06:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-21 17:08:50
ComboFix-quarantined-files.txt 2008-04-21 22:08:43

Pre-Run: 46,294,294,528 bytes free
Post-Run: 47,423,827,968 bytes free

287

 

[ME2008]

This is the HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:02 PM, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
C:\Documents and Settings\m\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [RocketDock] "C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\UberIcon\UberIcon Manager.exe
O4 - Startup: Y'z Shadow.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzShadow\YzShadow.exe
O4 - Startup: Y'z Toolbar.lnk = C:\WINDOWS\BricoPacks\Crystal Clear\YzToolbar\YzToolBar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7456 bytes

 

[kritius]

Ill go over your logs later and post a fix sometime tomorrow. Quite tired now.

 

[barelylegalrcc]

I am having the exact same problem and need help as well, it seems to be a common problem right now, i have done the same steps mentioned but i know it would only create confusion to post my logs here.. i have very minimal knowledge of computers, but can navigate through the basics.. where do i need to post my logs so that i can be helped as well?

 

[kritius]

@ barelylegalrcc

Go HERE and look at the top of the page you'll see a button called new thread, start a new thread and post the logs as attachments.

 

[kritius]

This next step is purely optional however viewpoint is considered foistware and is not needed on your computer,

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'

Go to Start > Run and copy/paste or type: taskmgr

• Under the Processes tab find the following tasks or processes:
  ViewpointService.exe
  ViewMgr.exe
• Highlight and click "End Process".
• Exit Task Manager.

Click on Start > Run and type: services.msc

• Press "OK".
• Click the "Extended tab".
• Scroll down the list and find the service called "Viewpoint Manager Service"
• When you find the service, double-click on it.
• In the Properties Window > General Tab that opens, click the "Stop" button.
• From the drop-down menu next to "Startup Type", click on "Disabled".
• Now click "Apply", then "OK" and close any open windows.

Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder

COMBOFIX-Script

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  C:\Documents and Settings\All Users\Application Data\sxidyjen.dll
  
  Folder::
  C:\Documents and Settings\All Users\Application Data\otizadkp

• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
  
  
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Fix entries using HiJackThis

• Launch HiJackThis
• Click the Do a system scan only button
• Put a check next to the entries listed below

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1a8523dc-1dd2-11b2-8f50-a0f5b7cb9b7f} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

• IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
• Click the Fix checked button and close HiJackThis
• Reboot HijackThis if necessary

P2P Warning!

• IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
  
  LimeWire and BitComet
  
  Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
  Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation
  
  I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.
  
  References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
  http://www.techweb.com/wire/160500554
  http://www.internetworldstats.com/articles/art053.htm
  See Clean/Infected P2P Programs here
  
  I would recommend that you uninstall LimeWire and BitComet, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
  
  If you wish to keep it, please do not use it until your computer is cleaned.

You should get a firewall as well, either,

• Comodo
• Kerio
• Online Armor
• Zonealarm

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update TAb at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

• Click the following link
  Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder