
ihatemalwaretrace
Members
Posts: 11
Reputation: 0 Neutral
  1. Hi Maurice, first, thank you for all your help. I've been on Firefox for the past hour or so, and it looks good so far. How do the logs look? Am I clean?
  2. OTMoveIt Log
     ========== REGISTRY ==========
     Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}\\ deleted successfully.
     Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}\\ deleted successfully.
     ========== FILES ==========
     File/Folder D:\sxs2.exe not found.
     File/Folder C:\sxs2.exe not found.
     File/Folder c:\windows\system32\sxs2.exe not found.
     File/Folder c:\windows\sxs2.exe not found.
     ========== COMMANDS ==========
     File delete failed. C:\DOCUME~1\Jeremy\LOCALS~1\Temp\~DF7222.tmp scheduled to be deleted on reboot.
     User's Temp folder emptied.
     User's Temporary Internet Files folder emptied.
     User's Internet Explorer cache folder emptied.
     Local Service Temp folder emptied.
     File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
     Local Service Temporary Internet Files folder emptied.
     File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2c0.dat scheduled to be deleted on reboot.
     File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat scheduled to be deleted on reboot.
     Windows Temp folder emptied.
     Java cache emptied.
     FireFox cache emptied.
     Temp folders emptied.

     OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12242008_151842

     Files moved on Reboot...
     C:\DOCUME~1\Jeremy\LOCALS~1\Temp\~DF7222.tmp moved successfully.
     C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
     File C:\WINDOWS\temp\Perflib_Perfdata_2c0.dat not found!
     File C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat not found!

     ---
     HijackThis
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 3:30:52 PM, on 12/24/2008
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\System32\WLTRYSVC.EXE
     C:\WINDOWS\System32\bcmwltry.exe
     C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     C:\WINDOWS\system32\WLTRAY.exe
     C:\Program Files\Dell\QuickSet\quickset.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\WINDOWS\stsystra.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\MSN Messenger\msnmsgr.exe
     C:\Program Files\Rainlendar2\Rainlendar2.exe
     C:\Program Files\Sophos\AutoUpdate\ALMon.exe
     C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
     C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
     C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     C:\Program Files\Sophos\Remote Management System\RouterNT.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\mozilla.org\Mozilla\mozilla.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\explorer.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://muss.cis.mcmaster.ca/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
     O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
     O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
     O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
     O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
     O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
     O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
     O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
     O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
     O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
     O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
     O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
     O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
     O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
     O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
     O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
     O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
     O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
     O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
     O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
     O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
     O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

     -- End of file - 7299 bytes

     ---
     When I got infected, my Firefox was compromised, and since then I have used the Mozilla browser to avoid pop-ups and all that. So I'm going to restart my computer and then use Firefox, and I'll reply back soon to tell you if I've noticed anything.
  3. C:\Combofix.txt
     ComboFix 08-12-23.01 - Jeremy 2008-12-24 1:06:26.1 - NTFSx86
     Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.488 [GMT -5:00]
     Running from: c:\documents and settings\Jeremy\Desktop\ComboFix.exe
     * Created a new restore point
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\Jeremy\Local Settings\Temporary Internet Files\fbk.sts
     c:\windows\IE4 Error Log.txt
     c:\windows\system32\autoexec.bat
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_FCI

     ((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
     .
     2008-12-24 00:59 . 2008-12-24 00:59 <DIR> d-------- c:\program files\Java
     2008-12-24 00:59 . 2008-12-24 00:59 410,984 --a------ c:\windows\system32\deploytk.dll
     2008-12-24 00:59 . 2008-12-24 00:59 73,728 --a------ c:\windows\system32\javacpl.cpl
     2008-12-05 20:53 . 2008-12-05 20:53 <DIR> d-------- c:\program files\Trend Micro
     2008-12-05 18:37 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
     2008-12-05 18:36 . 2008-12-05 18:36 <DIR> d-------- c:\program files\Panda Security
     2008-12-05 18:35 . 2008-12-22 23:40 <DIR> d-------- c:\program files\EsetOnlineScanner
     2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
     2008-12-05 17:19 . 2008-12-05 17:19 <DIR> d-------- c:\documents and settings\Administrator
     2008-12-05 15:00 . 2008-12-05 15:00 <DIR> d-------- c:\documents and settings\Jeremy\Application Data\Malwarebytes
     2008-12-05 14:59 . 2008-12-05 15:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
     2008-12-05 14:59 . 2008-12-05 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
     2008-12-05 14:59 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
     2008-12-05 14:59 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
     2008-12-05 14:51 . 2008-12-05 14:51 <DIR> d--hs---- C:\found.000
     2008-12-05 13:45 . 2008-12-05 13:45 <DIR> d-------- c:\program files\Lavasoft
     2008-12-05 13:45 . 2008-12-05 13:45 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
     2008-12-05 13:45 . 2008-12-05 13:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
     2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
     2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
     2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
     2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)
     2008-12-05 12:13 . 2008-12-05 14:52 <DIR> d--hs---- c:\windows\SmVyZW15IFRhbmc
     2008-11-27 01:16 . 2008-11-27 01:16 244 --ah----- C:\sqmnoopt11.sqm
     2008-11-27 01:16 . 2008-11-27 01:16 232 --ah----- C:\sqmdata11.sqm
     2008-11-27 01:11 . 2008-11-27 01:11 244 --ah----- C:\sqmnoopt10.sqm
     2008-11-27 01:11 . 2008-11-27 01:11 232 --ah----- C:\sqmdata10.sqm
     2008-11-26 14:46 . 2008-11-26 15:05 <DIR> d-------- c:\program files\Full Tilt Poker
     2008-11-25 12:43 . 2008-11-25 12:43 244 --ah----- C:\sqmnoopt09.sqm
     2008-11-25 12:43 . 2008-11-25 12:43 232 --ah----- C:\sqmdata09.sqm
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2008-12-16 16:03 --------- d-----w c:\documents and settings\Jeremy\Application Data\uTorrent
     2008-12-05 17:59 --------- d-----w c:\program files\Spybot - Search & Destroy
     2008-12-05 16:48 --------- d-----w c:\documents and settings\Jeremy\Application Data\mIRC
     2008-12-05 16:35 --------- d-----w c:\program files\mIRC
     2008-11-26 20:11 --------- d-----w c:\program files\Steam
     2008-11-26 20:05 --------- d--h--w c:\program files\InstallShield Installation Information
     2008-11-20 02:52 --------- d-----w c:\documents and settings\Jeremy\Application Data\RCP 5
     2008-11-20 02:37 --------- d-----w c:\program files\ReaConverter 5.5 Pro
     2008-10-15 01:28 25,448 ----a-w c:\documents and settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT
     2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
     2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
     2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
     2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
     2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
     "Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-07-24 1298432]
     "scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
     "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
     "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
     "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
     "SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 c:\windows\stsystra.exe]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-23 113664]
     AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-09-24 245760]
     Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]
     Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
     "vidc.ffds"= ffdshow.ax
     "msacm.ac3filter"= ac3filter.acm

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0vcxx.sys]
     @="Driver"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jpxx.sys]
     @="Driver"

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
     @="service"

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk
     backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

     [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
     path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
     backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
     --a------ 2007-05-11 02:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
     --a------ 2005-06-08 13:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
     --a------ 2005-06-08 14:24 458752 c:\program files\Logitech\Video\ISStart.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
     --a------ 2005-06-08 14:14 217088 c:\program files\Logitech\Video\LogiTray.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
     --a------ 2005-07-19 16:32 221184 c:\windows\system32\LVCOMSX.EXE

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
     --------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
     --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]
     --------- 2005-07-03 02:20 372736 c:\windows\Samsung\ComSMMgr\SSMMgr.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
     --a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
     "DisableMonitoring"=dword:00000001

     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
     "DisableMonitoring"=dword:00000001

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Documents and Settings\\Jeremy\\Start Menu\\Programs\\DC++\\DCPlusPlus.exe"=
     "c:\\Program Files\\uTorrent\\uTorrent.exe"=
     "c:\\Program Files\\Steam\\SteamApps\\ihatestupid@hotmail.com\\counter-strike\\hl.exe"=
     "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
     "c:\\Program Files\\SopCast\\SopCast.exe"=
     "c:\\Program Files\\SopCast\\sopvod.exe"=
     "c:\\Program Files\\mIRC\\mirc.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\Starcraft\\StarCraft.exe"=
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\MSN Messenger\\livecall.exe"=

     R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-05 28544]
     R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2007-09-24 104704]
     R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2007-09-24 35584]
     R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [2008-10-23 69632]
     R2 SAVService;Sophos Anti-Virus;"c:\program files\Sophos\Sophos Anti-Virus\SavService.exe" [2008-09-30 98304]
     S0 ati0vcxx;ati0vcxx;c:\windows\system32\Drivers\ati0vcxx.sys []
     S0 ati6jpxx;ati6jpxx;c:\windows\system32\Drivers\ati6jpxx.sys []
     S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []
     S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]
     S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}]
     \Shell\Auto\command - sxs2.exe
     \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

     [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}]
     \Shell\Auto\command - D:\sxs2.exe
     \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe
     .
     Contents of the 'Scheduled Tasks' folder

     2008-12-23 c:\windows\Tasks\McMaster Scan.job
     - c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-09-30 05:24]
     .
     - - - - ORPHANS REMOVED - - - -

     MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
     .
     ------- Supplementary Scan -------
     .
     uStart Page = https://muss.cis.mcmaster.ca/
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\og03m7l0.default\
     FF - prefs.js: browser.startup.homepage - hxxp://www.homeword.com/DailyDevotional/DevotionalDetail.aspx
     .
     **************************************************************************

     catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2008-12-24 01:21:07
     Windows 5.1.2600 Service Pack 3 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************

     [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]
     "ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(824)
     c:\windows\system32\Ati2evxx.dll
     c:\windows\System32\BCMLogon.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\ati2evxx.exe
     c:\windows\system32\WLTRYSVC.EXE
     c:\windows\system32\BCMWLTRY.EXE
     c:\program files\Lavasoft\Ad-Aware\aawservice.exe
     c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
     c:\program files\Bonjour\mDNSResponder.exe
     c:\program files\Java\jre6\bin\jqs.exe
     c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
     c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
     c:\program files\Sophos\AutoUpdate\ALsvc.exe
     c:\program files\Sophos\Remote Management System\RouterNT.exe
     c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe
     .
     **************************************************************************
     .
     Completion time: 2008-12-24 1:25:01 - machine was rebooted
     ComboFix-quarantined-files.txt 2008-12-24 06:24:58

     Pre-Run: 1,959,370,752 bytes free
     Post-Run: 1,828,921,344 bytes free

     WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
     [boot loader]
     timeout=2
     default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
     [operating systems]
     c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
     multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

     220 --- E O F --- 2008-09-02 05:48:37

     Hijackthis Log
     Logfile of Trend Micro HijackThis v2.0.2
     Scan saved at 1:26:46 AM, on 12/24/2008
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\Ati2evxx.exe
     C:\WINDOWS\System32\WLTRYSVC.EXE
     C:\WINDOWS\System32\bcmwltry.exe
     C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\WLTRAY.exe
     C:\Program Files\Dell\QuickSet\quickset.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\WINDOWS\stsystra.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\Rainlendar2\Rainlendar2.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Sophos\AutoUpdate\ALMon.exe
     C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
     C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
     C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
     C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     C:\Program Files\Sophos\Remote Management System\RouterNT.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\explorer.exe
     C:\WINDOWS\system32\NOTEPAD.EXE
     C:\Program Files\mozilla.org\Mozilla\mozilla.exe
     C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

     R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://muss.cis.mcmaster.ca/
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
     O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
     O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
     O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
     O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
     O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
     O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
     O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
     O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
     O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe
     O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
     O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
     O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
     O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
     O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab
     O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
     O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
     O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
     O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
     O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
     O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
     O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
     O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
     O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
     O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
     O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
     O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
     O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe
     O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

     -- End of file - 7321 bytes
  4. DDS.txt
DDS (Version 1.1.0) - NTFSx86
Run by Jeremy at 1:45:49.23 on Tue 12/23/2008
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.362 [GMT -5:00]
AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeremy\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://muss.cis.mcmaster.ca/
uInternet Settings,ProxyOverride = *.local
BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe
uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe
mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [startCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL jacmms.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy\applic~1\mozilla\firefox\profiles\og03m7l0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.homeword.com/DailyDevotional/DevotionalDetail.aspx

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-5 28544]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-24 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-9-24 35584]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\sophos\sophos anti-virus\SAVAdminService.exe" [2008-10-23 69632]
R2 SAVService;Sophos Anti-Virus;"c:\program files\sophos\sophos anti-virus\SavService.exe" [2008-9-30 98304]
R2 Sophos Agent;Sophos Agent;"c:\program files\sophos\remote management system\ManagementAgentNT.exe" -service -name Agent [2008-10-23 266240]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;"c:\program files\sophos\autoupdate\ALsvc.exe" [2008-9-30 172032]
R2 Sophos Message Router;Sophos Message Router;"c:\program files\sophos\remote management system\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [2008-10-23 794624]
S0 ati0vcxx;ati0vcxx;c:\windows\system32\drivers\ati0vcxx.sys []
S0 ati6jpxx;ati6jpxx;c:\windows\system32\drivers\ati6jpxx.sys []
S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []
S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2008-12-05 20:53 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 18:37 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-12-05 18:36 <DIR> --d----- c:\program files\Panda Security
2008-12-05 18:35 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-12-05 15:00 <DIR> --d----- c:\docume~1\jeremy\applic~1\Malwarebytes
2008-12-05 14:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-05 14:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 14:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-05 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-05 14:51 <DIR> --dsh--- C:\found.000
2008-12-05 13:45 <DIR> --d----- c:\program files\Lavasoft
2008-12-05 13:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-05 12:18 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-05 12:18 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-05 12:18 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-05 12:18 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-05 12:13 <DIR> --dsh--- c:\windows\SmVyZW15IFRhbmc
2008-12-05 12:12 47,598 a------- c:\windows\system32\iawuqolblmdzne.exe
2008-11-27 01:16 244 a---h--- C:\sqmnoopt11.sqm
2008-11-27 01:16 232 a---h--- C:\sqmdata11.sqm
2008-11-27 01:11 232 a---h--- C:\sqmdata10.sqm
2008-11-27 01:11 244 a---h--- C:\sqmnoopt10.sqm
2008-11-26 14:46 <DIR> --d----- c:\program files\Full Tilt Poker
2008-11-25 12:43 244 a---h--- C:\sqmnoopt09.sqm
2008-11-25 12:43 232 a---h--- C:\sqmdata09.sqm

==================== Find3M ====================

2008-12-05 12:27 14,336 a------- c:\windows\system32\svchost.exe
2008-10-14 20:28 25,448 a------- c:\docume~1\jeremy\applic~1\GDIPFONTCACHEV1.DAT
2008-10-14 19:52 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-09-30 05:29 130,104 a------- c:\windows\system32\sdccoinstaller.dll
2008-09-30 05:28 23,552 a------- c:\windows\system32\sophosboottasks.exe

============= FINISH: 1:46:19.26 ===============

-- ATTACH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/10/2007 2:52:34 AM
System Uptime: 12/22/2008 11:02:46 PM (2 hours ago)

Motherboard: Dell Inc. | | 0UW744
Processor: AMD Athlon 64 X2 Dual-Core Processor TK-53 | Socket M2/S1G1 | 1695/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 1.785 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================
  5. ESET Log.txt
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3712 (20081222)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ab2dc541ee72f042bd0838405cb0eb01
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-12-23 06:34:02
# local_time=2008-12-23 01:34:02 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=372048
# found=0
# scan_time=6768

While running this, my Sophos Anti-Virus popped up (I don't know how to disable this thing... it was necessary in order to log in wirelessly to my university's campus). Anyway, it popped up and said:
"File C:\Documents and Settings\...\Temp\NOD62C7.tmp belongs to virus/spyware Mal/Behav-181."
"File C:\Documents and Settings\...\Temp\NOD30A7.tmp belongs to virus/spyware Mal/Behav-181."
"File C:\Documents and Settings\...\Temp\NOD31F7.tmp belongs to virus/spyware Mal/Behav-181."
"File C:\Documents and Settings\...\Temp\NOD64CF.tmp belongs to virus/spyware Mal/Behav-181."
  6. I don't mean to sound pushy, but can a moderator please take a look at this? This is the only computer I've access to, and it's slow and I can't reformat it..
  7. I've used Spybot, Ad-Aware and MBAM and have not had any luck getting rid of these darn viruses, if that helps at all.
  8. 1. MBAM Log
Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 5.1.2600 Service Pack 3

12/5/2008 7:37:18 PM
mbam-log-2008-12-05 (19-37-18).txt

Scan type: Quick Scan
Objects scanned: 52660
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. Panda
;*******************************************************************************
ANALYSIS: 2008-12-05 20:48:20
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 11
;*******************************************************************************

PROTECTIONS
Description  Version  Active  Updated
;===============================================================================
Sophos Antivirus  7.6.0  No  No
;===============================================================================

MALWARE
Id  Description  Type  Active  Severity  Disinfectable  Disinfected  Location
;===============================================================================
00139061  Cookie/Doubleclick  TrackingCookie  No  0  Yes  No  C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[1].txt
00139064  Cookie/Atlas DMT  TrackingCookie  No  0  Yes  No  C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt
00139064  Cookie/Atlas DMT  TrackingCookie  No  0  Yes  No  C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[3].txt
00168056  Cookie/YieldManager  TrackingCookie  No  0  Yes  No  C:\Documents and Settings\Jeremy\Cookies\jeremy@ad.yieldmanager[2].txt
00168090  Cookie/Serving-sys  TrackingCookie  No  0  Yes  No  C:\Documents and Settings\Jeremy\Cookies\jeremy@serving-sys[1].txt
00429208  Adware/FBrowsingAdvisor  Adware  No  0  Yes  No  C:\Program Files\mozilla.org\Mozilla\regxpcom.exe
01606636  Cookie/Adserver  TrackingCookie  No  0  Yes  No  C:\Documents and Settings\Jeremy\Cookies\jeremy@adserver.easyad[1].txt
04247549  Trj/Zlob.KH  Virus/Trojan  No  1  Yes  No  C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O9QVWDE7\nww32[1].exe
04277170  Generic Trojan  Virus/Trojan  No  0  Yes  No  C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Patch.exe.GE2EGQCSXUITG5TYARUIYIXD6R2C4W4SFFOJAMI.dctmp.000
04277170  Generic Trojan  Virus/Trojan  No  0  Yes  No  C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Patch.exe.GE2EGQCSXUITG5TYARUIYIXD6R2C4W4SFFOJAMI.dctmp.antifrag.000
;===============================================================================

SUSPECTS
Sent  Location  P
;===============================================================================
Yes  C:\WINDOWS\System32\jacmms.dll  P
Yes  C:\WINDOWS\system32\jacmms.dll  P
Yes  C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\eco98IV.exe.000
Yes  C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\eco98IV.exe.1.000
Yes  C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RM63TDG.exe.000
Yes  C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RM63TDG.exe.1.000
Yes  C:\Documents and Settings\Jeremy\Local Settings\Temp\vrmB09.tmp[NN_Bar77_876984.dll]  P
Yes  C:\Documents and Settings\Jeremy\My Documents\mirc631.exe[