Tech Support Team
#1 - 13th March 2009, 02:01 AM
beelzebubbles (Newcomer, Join Date: Mar 2009, 7 posts)
Help to remove trojan backdoor, fakealert, others

I got some sort of trojan/malware about 2 days ago, and have been trying to get rid of it. I tried running the Malwarebytes Anti-Malware multiple times, and could not get rid of it. It put a fake warning in my tray on the lower right of the screen, that kept opening a balloon telling me to run the antivirus program. Several times it opened my browser to show me some sort of antivirus program for sale. I tried running AVG a few times as well, and it showed a threat a couple times that was "SHeur___" - it was followed by numbers, but it disappeared so quickly after I realized it was there that I didn't get the numbers that followed.

When I attempted to visit web sites, it made them behave strangely, and my mouse pad has been acting strangely, seeming to click on things I didn't intend to click on.

I thought I had this thing removed, but then last night, it started up again - the false warning with the balloon, and the opening browser windows. It also makes the tabs on my browser behave strangely, and some of them become unresponsive.

I spoke to my brother-in-law, who suggested I follow your steps for posting a malware removal problem. I have done so this evening, and the logs for SuperAntiSpyware, Malwarebytes, and HiJackThis are below.

Please let me know if you need anything further to help me get rid of this virus.

SuperAntiSpyware

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

Generated 03/12/2009 at 07:37 PM

Application Version : 4.25.1014

Core Rules Database Version : 3793
Trace Rules Database Version: 1749

Scan type : Complete Scan
Total Scan Time : 01:28:34

Memory items scanned : 827
Memory threats detected : 0
Registry items scanned : 5623
Registry threats detected : 25
File items scanned : 80381
File threats detected : 38

Rogue.Component/Trace
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#Aff
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#Lang
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#AdvancedScanType
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#FirstRunUrl
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#AfterRegisterUrl
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#LabelUrl
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#TermsUrl
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#HelpURL
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#BillingURL
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#BillingUrlApproved
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#TransactionKey
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#BillingRegURL
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#BillingURL2
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#BillingUrlApproved2
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#LastRun
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#InstallDate
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#pPath
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#pName
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#sc
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#zs
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#SecurityVector
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#Scans
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610\Options#LastScan
HKU\S-1-5-21-152286861-1574269104-1087364416-1005\Software\40197302293074254477086400870610

Adware.Tracking Cookie
C:\Documents and Settings\Mike\Cookies\mike@bluestreak[1].txt
C:\Documents and Settings\Mike\Cookies\mike@advertising[3].txt
C:\Documents and Settings\Mike\Cookies\mike@twci.coremetrics[1].txt
C:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt
C:\Documents and Settings\Mike\Cookies\mike@atdmt[2].txt
C:\Documents and Settings\Mike\Cookies\mike@ads.pointroll[1].txt
C:\Documents and Settings\Mike\Cookies\mike@hitbox[2].txt
C:\Documents and Settings\Mike\Cookies\mike@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Mike\Cookies\mike@mediaplex[1].txt
C:\Documents and Settings\Mike\Cookies\mike@hitbox[3].txt
C:\Documents and Settings\Mike\Cookies\mike@ehg-dig.hitbox[2].txt
C:\Documents and Settings\Mike\Cookies\mike@2o7[1].txt
C:\Documents and Settings\Mike\Cookies\mike@tacoda[1].txt
C:\Documents and Settings\Mike\Cookies\mike@advertising[1].txt
.doubleclick.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
sales.liveperson.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.bluestreak.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.twci.coremetrics.com [ C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\ry3hnbj7.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\cookies.txt ]


Malwarebytes:

Malwarebytes' Anti-Malware 1.34
Database version: 1839
Windows 5.1.2600 Service Pack 2

3/12/2009 8:41:43 PM
mbam-log-2009-03-12 (20-41-43).txt

Scan type: Quick Scan
Objects scanned: 80474
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:04 PM, on 3/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\HP\Temp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\hphmon04.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Temp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Temp\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Temp\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Temporary Directory 3 for HiJackThis.zip\HijackThis.exe
C:\Program Files\New Folder\sniper.exe
C:\WINDOWS\system32\HPZinw12.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...date?clid=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [ImageItEncrypt] C:\WINDOWS\system32\ImageItEncrypt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe -hideGUI
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\Temp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Temp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://69.58.13.31/XTSAC.cab
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://vpn.sfpaonline.com/NELX.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://vpn.sfpaonline.com/msrdp.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31F8721B-A9D4-4FE5-BA5B-ED76AD571E60}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{31F8721B-A9D4-4FE5-BA5B-ED76AD571E60}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - Unknown owner - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 16202 bytes


Thanks in advance for your help.
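A small triage helper for the HijackThis log format quoted above, added here as an example (it is not part of HijackThis, ComboFix or this forum's procedure): it parses O4, O16, O20 and O23 lines, pulls out the launched binary or download URL, and attaches review flags (autostart from a profile/temp path, ActiveX download from a bare IP host, Winlogon Notify DLL, service with unknown owner) that are heuristics for an analyst to check by hand, not verdicts. The sample lines are constructed from the kinds of entries in the post; the Temp-directory autostart is made up to exercise the path heuristic.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code).

Recognises the O4 (Run-key autostart), O16 (ActiveX download), O20 (Winlogon
Notify) and O23 (service) line formats and attaches review flags. The flags are
heuristics to point a human analyst at entries worth checking, not verdicts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries modelled on the log posted above, plus one
# made-up autostart under a temp directory to exercise the path heuristic.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://69.58.13.31/XTSAC.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
"""


@dataclass
class Entry:
    kind: str               # HijackThis section code, e.g. "O4"
    name: str               # value name, control description or service name
    target: Optional[str]   # executable/DLL path or download URL, if recognised
    flags: List[str] = field(default_factory=list)


_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# First quoted or unquoted token ending in a binary extension; arguments are dropped.
_BINARY = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|cpl))"?(?:\s|$)', re.IGNORECASE)
# Autostart binaries living under a user profile's temp/app-data tree.
_PROFILE = re.compile(r"(?i)\\(?:docume~1|documents and settings|users)\\.*\\(?:temp|locals~1|application data)\\")
# Download URL whose host is a bare IPv4 address rather than a name.
_BARE_IP = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")


def _extract_binary(command: str) -> Optional[str]:
    """Return the executable/DLL path from a Run command, or None if none is found."""
    m = _BINARY.match(command.strip())
    return m.group("path") if m else None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for sections this helper ignores."""
    line = line.strip()
    if m := _O4.match(line):
        target = _extract_binary(m.group("cmd"))
        entry = Entry("O4", m.group("name"), target)
        if target and _PROFILE.search(target):
            entry.flags.append("profile-or-temp-path")
        return entry
    if m := _O16.match(line):
        entry = Entry("O16", m.group("name"), m.group("url"))
        if _BARE_IP.match(m.group("url")):
            entry.flags.append("bare-ip-host")
        return entry
    if m := _O20.match(line):
        # Winlogon Notify DLLs load into winlogon.exe with SYSTEM rights: always review.
        return Entry("O20", m.group("name"), m.group("path"), ["winlogon-notify"])
    if m := _O23.match(line):
        entry = Entry("O23", m.group("name"), m.group("path"))
        if m.group("vendor").strip().lower() == "unknown owner":
            entry.flags.append("unknown-vendor")
        return entry
    return None


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line of a log and return the entries in log order."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.name:<30} {e.target}  {' '.join(e.flags)}")
```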
#2 - 13th March 2009, 06:37 PM
evilfantasy (Security Team, Join Date: Dec 2007, 2,555 posts, Location: Tulsa, OK)
Welcome to TST.

Download ComboFix© by sUBs from one of the links below. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.
#3 - 13th March 2009, 10:18 PM
beelzebubbles (Newcomer, Join Date: Mar 2009, 7 posts)
ran combofix - here is log

Hello, and thanks for your help!
I ran the ComboFix, and here's the log:

ComboFix 09-03-12.01 - Cheryl 2009-03-13 17:55:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.500 [GMT -4:00]
Running from: c:\documents and settings\Cheryl\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\npf.sys
c:\windows\system32\init32.exe
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\uniq.tll
c:\windows\system32\WanPacket.dll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wpcap.dll

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{7FCE823D-1651-485D-A73E-665487398EF3}\RP200\A0051260.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-12 21:20 . 2009-03-12 21:20 <DIR> d-------- c:\program files\New Folder
2009-03-12 21:06 . 2009-03-12 21:06 <DIR> d-------- c:\program files\Microsoft
2009-03-12 20:56 . 2009-03-12 20:55 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-12 20:56 . 2009-03-12 20:55 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 20:55 . 2009-03-12 20:55 <DIR> d-------- c:\program files\Java
2009-03-12 17:57 . 2009-03-12 17:57 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-12 17:57 . 2009-03-12 17:57 <DIR> d-------- c:\documents and settings\Cheryl\Application Data\SUPERAntiSpyware.com
2009-03-12 17:57 . 2009-03-12 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-10 22:25 . 2009-03-10 22:25 <DIR> d-------- c:\documents and settings\Cheryl\Application Data\Malwarebytes
2009-03-10 22:25 . 2009-03-10 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 13:45 . 2009-03-08 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-08 13:44 . 2009-03-08 13:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:19 1,846,272 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-29 02:24 --------- d-----w c:\documents and settings\Cheryl\Application Data\acccore
2009-01-29 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-01-29 02:21 --------- d-----w c:\program files\AIM6
2009-01-17 01:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 08:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 08:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 04:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 04:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-03-10 11:02 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-10 11:02 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-10 11:02 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-10 11:02 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-10 11:02 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
"updateMgr"="d:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-04 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 471040]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-03-08 590848]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2006-08-01 503808]
"HP Software Update"="c:\program files\HP\Temp\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-11-07 110592]
"Acrobat Assistant 7.0"="d:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 c:\windows\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Temp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-03-23 25214]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-07-20 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-07-20 78208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-27 24652]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2006-05-03 13824]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2157d53a-1638-11dc-bdc8-0016365898be}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447a1d9c-dea1-11dd-be2f-0016365898be}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c457ea4-4ad6-11dd-be12-0016365898be}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-13 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []

2009-03-13 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HPHUPD04 - c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {31F8721B-A9D4-4FE5-BA5B-ED76AD571E60} = 192.168.0.1
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://vpn.sfpaonline.com/NELX.cab
FF - ProfilePath - c:\documents and settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 18:01:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\GRISOFT\AVG7\AVGAMSVR.EXE
c:\program files\GRISOFT\AVG7\AVGUPSVC.EXE
c:\program files\GRISOFT\AVG7\AVGEMC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\SONICWALL\SSL-VPN\NETEXTENDER\NESERVICE.EXE
c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
c:\program files\LAUNCH MANAGER\QTZGACER.EXE
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\windows\system32\igfxext.exe
c:\windows\SYSTEM32\IGFXSRVC.EXE
c:\windows\system32\wbem\unsecapp.exe
d:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Temp\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Temp\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-03-13 18:05:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 22:05:28

Pre-Run: 32,292,995,072 bytes free
Post-Run: 32,550,977,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

246 --- E O F --- 2009-03-12 18:02:00

My machine seems to be running a lot better, but I'm waiting to hear more from you and won't assume things are all hunky dory yet.

Thanks!
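The log above carries the four signals a removal helper reads first: every Security Center notify/override value set to 1, EnableFirewall=0 on the standard profile, AutoRun commands under mountpoints2, and a scheduled task whose target ComboFix printed with an empty stamp. The following checker is an added example written for this page; it is not code from the thread and not ComboFix's own. It parses ComboFix-style log text by its bracketed registry headers and "." section terminators, which is how the posted logs are laid out, and returns each signal as a Finding. The embedded SAMPLE_LOG is constructed from the sections of the log above; the names Finding and scan_combofix_log are this example's own.

```python
"""Flag security-relevant indicators in a ComboFix-style log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the relevant sections of the log posted above, condensed.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2157d53a-1638-11dc-bdc8-0016365898be}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-13 c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
- c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe []
.
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # security-center | firewall | autorun | task
    detail: str


# Values under the Security Center key that, when non-zero, suppress its warnings.
SECURITY_CENTER_KEYS = {
    "AntiVirusDisableNotify", "UpdatesDisableNotify",
    "AntiVirusOverride", "FirewallOverride",
}

HEADER_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\...]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')  # "Name"=dword:00000001
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')       # "EnableFirewall"= 0 (0x0)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (.+\.job)$")         # date  <task>.job
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")                 # - <path> [<stamp>]


def scan_combofix_log(text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry header, and collect findings."""
    findings: List[Finding] = []
    header = ""                       # lower-cased text of the last [..] header seen
    in_tasks = False                  # inside the 'Scheduled Tasks' listing
    pending_job: Optional[str] = None  # .job line waiting for its "- target [stamp]" line

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.group(1).lower()
            in_tasks = False
            continue
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_tasks, header = True, ""
            continue
        if line == ".":               # ComboFix closes a section with a lone dot
            in_tasks, pending_job = False, None
            continue

        if "security center" in header:
            m = DWORD_RE.match(line)
            if m and m.group(1) in SECURITY_CENTER_KEYS and int(m.group(2), 16) != 0:
                findings.append(Finding("security-center",
                                        f"{m.group(1)} set: Security Center will not warn about it"))
        elif header.endswith("firewallpolicy\\standardprofile"):   # not the ...\List subkey
            m = FIREWALL_RE.match(line)
            if m and m.group(1) == "0":
                findings.append(Finding("firewall", "Windows Firewall disabled for the standard profile"))
        elif "mountpoints2" in header:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(Finding("autorun", f"removable-media AutoRun command: {m.group(1)}"))
        elif in_tasks:
            m = JOB_RE.match(line)
            if m:
                pending_job = m.group(1)
                continue
            m = TARGET_RE.match(line)
            if m and pending_job:
                path, stamp = m.groups()
                if not stamp:         # "[]": ComboFix recorded no date/size for the target
                    findings.append(Finding("task", f"{pending_job} runs {path}, for which no file stamp was recorded"))
                pending_job = None
    return findings


if __name__ == "__main__":
    for f in scan_combofix_log(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the sample it reports four suppressed Security Center warnings, the disabled firewall, the F: AutoRun command and the MalwareRemovalBot task, which is the same set of items the helper targets in the replies that follow. Feed it a whole ComboFix.txt and it ignores the file listings and process lists, since those never match a tracked header.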
#4, 13th March 2009, 11:36 PM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Service::
Viewpoint Manager Service

Folder::
c:\program files\MalwareRemovalBot

File::
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2157d53a-1638-11dc-bdc8-0016365898be}]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
#5, 14th March 2009, 12:36 AM
beelzebubbles
Newcomer
Join Date: Mar 2009, 7 posts.
combofix second run

OK, I've run combofix with the codes provided. Here is the log:

ComboFix 09-03-13.01 - Cheryl 2009-03-13 20:19:16.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.388 [GMT -4:00]
Running from: c:\documents and settings\Cheryl\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cheryl\Desktop\CFScript.txt
AV: AVG 7.5.557 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

2009-03-12 21:20 . 2009-03-12 21:20 <DIR> d-------- c:\program files\New Folder
2009-03-12 21:06 . 2009-03-12 21:06 <DIR> d-------- c:\program files\Microsoft
2009-03-12 20:56 . 2009-03-12 20:55 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-12 20:56 . 2009-03-12 20:55 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 20:55 . 2009-03-12 20:55 <DIR> d-------- c:\program files\Java
2009-03-12 17:57 . 2009-03-12 17:57 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-12 17:57 . 2009-03-12 17:57 <DIR> d-------- c:\documents and settings\Cheryl\Application Data\SUPERAntiSpyware.com
2009-03-12 17:57 . 2009-03-12 17:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-10 22:25 . 2009-03-10 22:25 <DIR> d-------- c:\documents and settings\Cheryl\Application Data\Malwarebytes
2009-03-10 22:25 . 2009-03-10 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-08 13:45 . 2009-03-08 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-08 13:44 . 2009-03-08 13:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:19 1,846,272 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-29 02:24 --------- d-----w c:\documents and settings\Cheryl\Application Data\acccore
2009-01-29 02:22 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-01-29 02:21 --------- d-----w c:\program files\AIM6
2009-01-17 01:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 08:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 08:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 04:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 04:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-03-10 11:02 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-03-10 11:02 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-10 11:02 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-03-10 11:02 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-03-10 11:02 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-13_18.03.58.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-14 00:22:30 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_708.dat
+ 2009-03-14 00:23:16 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_9c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 692224]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 68856]
"updateMgr"="d:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-25 53248]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-01-08 102491]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-01-08 692315]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-03-17 345088]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2006-03-31 204800]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-04-04 421888]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-03-30 471040]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-04-28 401408]
"ImageItEncrypt"="c:\windows\system32\ImageItEncrypt.exe" [2005-12-30 40960]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-03-08 590848]
"SonicWALLNetExtender"="c:\program files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe" [2006-08-01 503808]
"HP Software Update"="c:\program files\HP\Temp\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-11-07 110592]
"Acrobat Assistant 7.0"="d:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2006-01-06 188416]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2006-01-06 348160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-02 267048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 148888]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-16 c:\windows\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-02-27 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-03 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2006-03-27 45056]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Temp\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-03-23 25214]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-10-03 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Temp\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-07-20 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-07-20 78208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-27 24652]
R3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2006-05-03 13824]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2157d53a-1638-11dc-bdc8-0016365898be}]
\Shell\AutoRun\command - f:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447a1d9c-dea1-11dd-be2f-0016365898be}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c457ea4-4ad6-11dd-be12-0016365898be}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {31F8721B-A9D4-4FE5-BA5B-ED76AD571E60} = 192.168.0.1
DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} - hxxps://vpn.sfpaonline.com/NELX.cab
FF - ProfilePath - c:\documents and settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 20:23:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\INTEL\WIRELESS\BIN\EVTENG.EXE
c:\program files\INTEL\WIRELESS\BIN\S24EVMON.EXE
c:\acer\EMPOWERING TECHNOLOGY\EPERFORMANCE\MEMCHECK.EXE
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\GRISOFT\AVG7\AVGAMSVR.EXE
c:\program files\GRISOFT\AVG7\AVGUPSVC.EXE
c:\program files\GRISOFT\AVG7\AVGEMC.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\program files\EWIDO ANTI-SPYWARE 4.0\GUARD.EXE
c:\program files\COMMON FILES\LIGHTSCRIBE\LSSRVC.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
c:\program files\INTEL\WIRELESS\BIN\REGSRVC.EXE
c:\program files\SONICWALL\SSL-VPN\NETEXTENDER\NESERVICE.EXE
c:\windows\SYSTEM32\WBEM\WMIAPSRV.EXE
c:\program files\LAUNCH MANAGER\QTZGACER.EXE
c:\progra~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dwwin.exe
c:\windows\system32\igfxext.exe
c:\windows\SYSTEM32\IGFXSRVC.EXE
d:\program files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Temp\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\MUSICM~1\COMMON\COMPON~1\MMCOMP~1.EXE
c:\program files\HP\Temp\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-03-13 20:26:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-14 00:26:52
ComboFix2.txt 2009-03-13 22:05:34

Pre-Run: 32,506,544,128 bytes free
Post-Run: 32,492,126,208 bytes free

232 --- E O F --- 2009-03-12 18:02:00
#6, 14th March 2009, 03:30 AM
evilfantasy
Security Team
Join Date: Dec 2007, 2,555 posts.
Location: Tulsa, OK
Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2157d53a-1638-11dc-bdc8-0016365898be}]

:files
c:\program files\Viewpoint\Common\ViewpointService.exe

:Commands
[purity]
[emptytemp]
[start explorer]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.

Also let me know how the computer is running now.
#7, 14th March 2009, 02:22 PM
beelzebubbles
Newcomer
Join Date: Mar 2009, 7 posts.
OTMoveIt3 has been run

I ran OTMoveIt3, and it apparently couldn't move/delete some files.
My computer seems to be running pretty well, with a couple of strange things here and there, but it's definitely not as slow as it was.
Here's the log:

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2157d53a-1638-11dc-bdc8-0016365898be}\\ deleted successfully.
========== FILES ==========
c:\program files\Viewpoint\Common\ViewpointService.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~DF9785.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Perflib_Perfdata_288.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\JET3C44.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~ROMFN_00000F88 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\etilqs_AZxVpi4Xe5KdZg5pJIwU scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_708.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_9c0.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03142009_100943

Files moved on Reboot...
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~DF9785.tmp moved successfully.
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Perflib_Perfdata_288.dat not found!
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\JET3C44.tmp not found!
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~ROMFN_00000F88 not found!
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\etilqs_AZxVpi4Xe5KdZg5pJIwU not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_708.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_9c0.dat moved successfully.
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Mozilla\Firefox\Profiles\zbh85lyq.default\urlclassifier3.sqlite moved successfully.
#8
14th March 2009, 04:07 PM
evilfantasy (Security Team, Tulsa, OK)
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


----------

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.


When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
#9
15th March 2009, 01:03 PM
beelzebubbles (Newcomer)
Kaspersky scan run - items found!

I ran the Kaspersky scan, and it found several items. So am I still infected? In general, my system is running much better, though I had some issues with my internet connection while the scan was running. Here is the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 15, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 15, 2009 08:33:27
Records in database: 1907675
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 76760
Threat name: 4
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 03:16:01


File name / Threat name / Threats count
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.Mydoom.m.log 1
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Usbankfraud.p 2
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 2
C:\clk\backup.pst Infected: Email-Worm.Win32.Mydoom.m.log 1
C:\clk\backup.pst Infected: Trojan-Spy.HTML.Usbankfraud.p 2
C:\clk\backup.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2
C:\clk\backup.pst Infected: Trojan-Spy.HTML.Citifraud.ai 2

The selected area was scanned.
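The report above lists one line per container file and threat name, with a per-line count, and separately prints totals in its statistics block. As an added example for this thread (not code from the post or from Kaspersky), the following Python parses that layout, checks that the listed lines add up to the header's "Infected objects: 14" and "Threat name: 4", groups the hits by container, and notes that both containers are Outlook mail stores, which the scanner opened because "Scan mail databases: yes". The `MAIL_STORE_EXT` list and the helper names are my own assumptions; the `:files` output matches the OTMoveIt3 block format used elsewhere in this thread, with each container listed once.

```python
"""Parse and sanity-check a Kaspersky Online Scanner 7 text report.

Added example for this thread (not code from the post or from Kaspersky).
SAMPLE_REPORT is the report posted above, minus a few informational lines.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = r"""
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 15, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Scan settings:
Scan archives: yes
Scan mail databases: yes

Scan statistics:
Files scanned: 76760
Threat name: 4
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 03:16:01

File name / Threat name / Threats count
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.Mydoom.m.log 1
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Usbankfraud.p 2
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.HTML.Citifraud.ai 2
C:\clk\backup.pst Infected: Email-Worm.Win32.Mydoom.m.log 1
C:\clk\backup.pst Infected: Trojan-Spy.HTML.Usbankfraud.p 2
C:\clk\backup.pst Infected: Trojan-Spy.HTML.Citifraud.ae 2
C:\clk\backup.pst Infected: Trojan-Spy.HTML.Citifraud.ai 2

The selected area was scanned.
"""

# "Threat name: N" in the statistics block is the number of distinct threat names.
STAT_RE = re.compile(r"^(Files scanned|Threat name|Infected objects|Suspicious objects): (\d+)$")
SETTING_RE = re.compile(r"^(Scan archives|Scan mail databases): (yes|no)$")
ENTRY_RE = re.compile(r"^(.+?) Infected: (\S+) (\d+)$")   # <container> Infected: <threat> <count>

def parse_report(text):
    """Pull the statistics, the archive/mail settings and the detection lines out of a report."""
    stats, settings, entries = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = STAT_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = (m.group(2) == "yes")
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), int(m.group(3))))
    return {"stats": stats, "settings": settings, "entries": entries}

def check_totals(report):
    """Compare the header totals with what the detection lines actually add up to."""
    entries = report["entries"]
    counted = sum(count for _, _, count in entries)
    distinct = len({threat for _, threat, _ in entries})
    stats = report["stats"]
    consistent = (counted == stats.get("Infected objects")
                  and distinct == stats.get("Threat name"))
    return {"infected_objects": counted, "threat_names": distinct, "consistent": consistent}

def group_by_container(report):
    """Collapse the per-threat lines into one entry per scanned container file."""
    by_file = defaultdict(dict)
    for path, threat, count in report["entries"]:
        by_file[path][threat] = by_file[path].get(threat, 0) + count
    return dict(by_file)

MAIL_STORE_EXT = (".pst", ".ost", ".dbx")   # assumed list; only .pst occurs in this report

def mail_store_containers(by_file):
    """Containers that are mailbox files: the hits are objects inside the mail store."""
    return [path for path in by_file if path.lower().endswith(MAIL_STORE_EXT)]

def otmoveit_files_section(by_file):
    """':files' block for an OTMoveIt3 script, each container listed exactly once."""
    return [":files"] + list(by_file)

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(check_totals(rep))
    for path, threats in group_by_container(rep).items():
        print(path, threats)
```

A consistency pass like this is mainly useful for catching a report that was cut off while being copied into a reply: if the last lines are missing, the listed counts no longer match the header totals.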
#10
15th March 2009, 06:50 PM
beelzebubbles (Newcomer)
additional information

I thought I would add that, though my computer seems to be working better, the desktop keeps getting hijacked, and the image listed as being displayed is an Internet Explorer symbol and the name 'ahtn' - which disappears when I apply another desktop image.
I am also having trouble with Firefox, to the point that I was told it needs to be reinstalled to work. Any further information/assistance you can provide would be very much appreciated...
#11
15th March 2009, 06:51 PM
evilfantasy (Security Team, Tulsa, OK)
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:files
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst
C:\clk\backup.pst
C:\clk\backup.pst
C:\clk\backup.pst
C:\clk\backup.pst

:Commands
[purity]
[emptytemp]
[start explorer]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
#12
16th March 2009, 01:12 PM
beelzebubbles (Newcomer)
OTMoveIt3 2nd Run

I ran OTMoveIt3.exe again, pasting the information from the code box into the window as directed. I was unable to connect to techsupportteam.org through the link from yesterday afternoon until now. Below is the result of the OTMoveIt3 run that I did...

Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst not found.
File/Folder C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst not found.
File/Folder C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst not found.
File/Folder C:\Documents and Settings\Cheryl\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst not found.
File/Folder C:\clk\backup.pst not found.
File/Folder C:\clk\backup.pst not found.
File/Folder C:\clk\backup.pst not found.
File/Folder C:\clk\backup.pst not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Perflib_Perfdata_864.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~DF3A95.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\JET944D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~ROMFN_00000D28 scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_768.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_874.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03152009_170835
Files moved on Reboot...
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Perflib_Perfdata_864.dat not found!
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~DF3A95.tmp moved successfully.
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\JET944D.tmp not found!
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~ROMFN_00000D28 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_768.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_874.dat moved successfully.
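Both OTMoveIt3 logs in this thread have the same two-part shape: the first pass prints "File delete failed. ... scheduled to be deleted on reboot." for each item it could not remove while the system was running, and the "Files moved on Reboot..." section later reports what happened to each of them. Reading the two halves by eye is error-prone, so here is an added example (not OTMoveIt3's code and not from either post) that pairs them up and says which deferred items were moved, which were already gone, and which failed again and are still pending. `SAMPLE_LOG` is the second log above with the forum's line-wrap spaces inside file names removed and the unrelated "emptied" lines trimmed; the function names are mine.

```python
"""Reconcile an OTMoveIt3 log: did everything deferred to reboot actually go?

Added example for this thread, not part of OTMoveIt3 or of the posts above.
SAMPLE_LOG is the second log posted in this thread, lightly trimmed.
"""
import re

SAMPLE_LOG = r"""
Process explorer.exe killed successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Perflib_Perfdata_864.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~DF3A95.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\JET944D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~ROMFN_00000D28 scheduled to be deleted on reboot.
User's Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_768.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_874.dat scheduled to be deleted on reboot.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03152009_170835
Files moved on Reboot...
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\hpodvd09.log moved successfully.
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\Perflib_Perfdata_864.dat not found!
C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~DF3A95.tmp moved successfully.
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\JET944D.tmp not found!
File C:\DOCUME~1\Cheryl\LOCALS~1\Temp\~ROMFN_00000D28 not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_768.dat moved successfully.
C:\WINDOWS\temp\Perflib_Perfdata_874.dat moved successfully.
"""

# First-pass line for an item that could not be removed immediately.
SCHEDULED_RE = re.compile(r"^File delete failed\. (.+) scheduled to be deleted on reboot\.$")
# Reboot-section outcomes, checked most specific first.
FAILED_AGAIN_RE = re.compile(r"^File move failed\. (.+) scheduled to be moved on reboot\.$")
NOT_FOUND_RE = re.compile(r"^File (.+) not found!$")
MOVED_RE = re.compile(r"^(.+) moved successfully\.$")
REBOOT_MARKER = "Files moved on Reboot..."

def reconcile(log_text):
    """Map every item deferred to reboot onto what the reboot pass reported for it."""
    scheduled, outcomes = [], {}
    in_reboot_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == REBOOT_MARKER:
            in_reboot_section = True
            continue
        if not in_reboot_section:
            m = SCHEDULED_RE.match(line)
            if m:
                scheduled.append(m.group(1))
            continue
        for status, pattern in (("still_pending", FAILED_AGAIN_RE),
                                ("not_found", NOT_FOUND_RE),
                                ("moved", MOVED_RE)):
            m = pattern.match(line)
            if m:
                outcomes[m.group(1)] = status
                break
    result = {"moved": [], "not_found": [], "still_pending": [], "unreported": []}
    for path in scheduled:                       # keep the log's own order
        result[outcomes.get(path, "unreported")].append(path)
    return result

def needs_attention(result):
    """Paths worth a second look: failed again on reboot, or never reported on at all."""
    return result["still_pending"] + result["unreported"]

if __name__ == "__main__":
    summary = reconcile(SAMPLE_LOG)
    for status, paths in summary.items():
        print(f"{status}: {len(paths)}")
    print("needs attention:", needs_attention(summary))
```

"not found" at reboot time means the item was already gone when the retry ran, so there is nothing left to do for it; "still pending" is the category to read before declaring a cleanup finished, and "unreported" catches a log that was pasted without its reboot section.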
#13
16th March 2009, 04:43 PM
evilfantasy (Security Team, Tulsa, OK)
1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt3

----------

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

Go to Microsoft Windows Update and get all critical security updates. (you will need to use Internet Explorer to do this)

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources, so they won't slow down your PC.

I suggest using WOT - Web of Trust. WOT is a free Internet security add-on for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Use only trusted security software like the programs listed on this page. Trusted security tools & resources

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!