
Infected PC, Can't update Malware bytes


Marcos

Hello

I have an infected PC and was going through the steps. I installed Malwarebytes and am trying to update it before I run it, but the "Updating Malwarebytes Anti-Malware" splash screen shows up and just hangs there at "Connecting to malwarebytes.org", with no progress whatsoever on the progress bar.

Baffled!


OK, I was able to run Malwarebytes, but not my antivirus program, so I'm just going to see if I can run HijackThis. But I already know that it won't let me connect to the internet; I will try my hardest to connect to the site. I'm using a different PC to write this.

thanks for reading.


I'm back

Ok here are my logs

Malwarebytes' Anti-Malware 1.33

Database version: 1675

Windows 5.1.2600 Service Pack 2

1/22/2009 12:09:19 AM

mbam-log-2009-01-22 (00-09-18).txt

Scan type: Quick Scan

Objects scanned: 48925

Time elapsed: 33 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:11:56 AM, on 1/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Mcafee\MWL\MWLGui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Mcafee\MWL\MwlSvc.exe

C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Seekeen\seekeen.exe

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\Program Files\McAfee\MPS\mps.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll

O2 - BHO: Smart-Shopper - {4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\SiteAdv.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

O4 - HKLM\..\Run: [RelevantKnowledge] C:\Program Files\RelevantKnowledge\rlvknlg.exe -boot

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [MWLExe] C:\Program Files\Mcafee\MWL\MWLGui.exe /Start

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Policies\Explorer\Run: [dcomcfg.exe] dcomcfg.exe

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O22 - SharedTaskScheduler: ecosystems - {af3fd9a8-1287-4159-9212-9a5b4494af70} - (no file)

O23 - Service: McAfee Application Installer Cleanup (0211051232597223) (0211051232597223mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\021105~1.EXE

O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\Program Files\McAfee\MPS\mps.exe

O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

O23 - Service: McAfee Wireless Network Security Service (MWLSvc) - McAfee, Inc. - C:\Program Files\Mcafee\MWL\MwlSvc.exe

O23 - Service: Seekeen Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 8315 bytes

Hope you all can help!

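A helper reads a HijackThis log like the one above entry by entry. The script below is an added example (not from this thread, and not part of HijackThis) that parses the prefixed R/O lines and flags the items a helper checks first: dangling references ("(no file)", "(file missing)"), services with no publisher, executables under Application Data or TEMP, and autoruns registered under Policies\Explorer\Run or as a bare filename. The sample lines are constructed from the log posted above; a flag is a lead to check, not a verdict.

```python
"""Triage helper for HijackThis v2 log lines.

Added example, not code from the thread or from HijackThis itself. It parses
the prefixed entries (R0, O2, O4, O9, O22, O23, ...) and flags the ones a
removal helper reads first. A flag is a reason to look, not a verdict: the
McAfee cleanup service in the sample trips the TEMP heuristic and is benign.
"""
import re
from dataclasses import dataclass

# Constructed sample, in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [RelevantKnowledge] C:\Program Files\RelevantKnowledge\rlvknlg.exe -boot
O4 - HKLM\..\Policies\Explorer\Run: [dcomcfg.exe] dcomcfg.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O22 - SharedTaskScheduler: ecosystems - {af3fd9a8-1287-4159-9212-9a5b4494af70} - (no file)
O23 - Service: Seekeen Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Application Installer Cleanup (0211051232597223) (0211051232597223mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\021105~1.EXE
"""

# Reasons an entry gets flagged (also the strings reported to the reader).
DANGLING = "registered object points at a file that is absent"
POLICY_RUN = "autorun registered under Policies\\Explorer\\Run, a key legitimate installers rarely use"
BARE_NAME = "autorun names a bare executable that is resolved through the search path"
NO_OWNER = "service has no publisher (Unknown owner)"
USER_WRITABLE = "executable lives in a user-writable or temp location"

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First path-like token ending in an executable extension; stops at a space, a quote or end of line.
TARGET_RE = re.compile(r'^(.*?\.(?:exe|dll|sys|ocx|scr|cmd|bat))(?:["\s]|$)', re.IGNORECASE)
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Entry:
    kind: str   # e.g. "O4", "O23"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reasons: list


def parse_log(text):
    """Return the R/F/N/O entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(kind=m.group(1), body=m.group(2)))
    return entries


def target_path(entry):
    """Best-effort extraction of the file an entry points at (handles unquoted paths with spaces)."""
    if entry.kind == "O4":
        m = re.search(r"\]\s*(.*)$", entry.body)   # text after the [value name]
        text = m.group(1) if m else ""
    else:
        text = entry.body.rsplit(" - ", 1)[-1]       # last " - " separated field
    text = text.strip().lstrip('"')
    m = TARGET_RE.match(text)
    return m.group(1) if m else text


def assess(entry):
    """Return the list of reasons this entry deserves a second look (empty if none)."""
    reasons = []
    if "(no file)" in entry.body or "(file missing)" in entry.body:
        reasons.append(DANGLING)
        return reasons
    target = target_path(entry)
    if entry.kind == "O4":
        if "Policies\\Explorer\\Run" in entry.body:
            reasons.append(POLICY_RUN)
        if "\\" not in target and ":" not in target:
            reasons.append(BARE_NAME)
    if entry.kind == "O23" and "Unknown owner" in entry.body:
        reasons.append(NO_OWNER)
    if any(marker in target.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append(USER_WRITABLE)
    return reasons


def triage(text):
    """Parse a whole log and return the flagged entries with their reasons, in log order."""
    findings = []
    for entry in parse_log(text):
        reasons = assess(entry)
        if reasons:
            findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.entry.kind} - {f.entry.body}")
        for r in f.reasons:
            print(f"    -> {r}")
```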

  • Root Admin

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member Marcos only. If you are a lurker, do NOT try this on your system!

If you are not Marcos and have a similar problem, do NOT post here; start your own topic.

Do not run or start any other programs while these utilities and tools are in use!


Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

  • Download and install CCleaner.

  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click Finish when done and close ALL PROGRAMS.

  • Start the CCleaner program.

  • Click on Registry and uncheck Registry Integrity so that it does not run.

  • Click on Options - Advanced and uncheck "Only delete files in Windows Temp folders older than 48 hours".

  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files.

  • Click on the Run Cleaner button on the bottom right side of the program.

  • Click OK to any prompts

STEP03

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To disable the Resident Shield, please:

  • open AVG User Interface

  • double-click on the Resident Shield

  • un-tick the option Resident Shield active

  • save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

STEP05

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.

  • Double click on FixPolicies.exe to run it.

  • Click on Install. It will create a folder named FixPolicies on your desktop.

  • Open the FixPolicies folder.

  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

  • Reboot your computer after it runs

  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

  • Note: some malware will block the running of this tool. So if you cannot run FixPolicies, RENAME the EXE file to something like Mytool.exe and then run it.

STEP06

Download this INF repair file by MS-MVP Miekiemoes:
http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder VArestorepolicies, right-click the file inside, VArestorepolicies.INF, and choose Install.

STEP07


If you have a prior copy of Combofix, delete it now!

Download ComboFix from one of these locations, saving to DESKTOP:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • If and only if you are prompted to download a new version of Combofix, reply NO.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

[image: Rookit_found.gif]

then be sure to write it down fully, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

STEP08

IF and only IF Combofix has worked without exceptions, only then do the following. IF it has exceptions, then please provide all details, put that in a reply pronto, STOP, and await my reply.

Only if Combofix has a good finish:

I'm going to have you get and run a special tool. It will hopefully take out most remains of this beast. Keep in mind that not all files I list here will be found on your system; so do not be alarmed. This is a general-type list of typical infectors.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.

  • Double click on avenger.exe to run The Avenger.

  • Click OK.

  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.

  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

    Files to delete:
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\SYSTEM32\TDSSixgp.dll
    C:\WINDOWS\SYSTEM32\TDSSproc.log
    C:\WINDOWS\SYSTEM32\TDSSwkod.log
    C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp
    c:\windows\system32\drivers\msqpdxserv.sys
    C:\resycled
    D:\resycled
    e:\resycled
    f:\resycled
    g:\resycled
    c:\windows\system32\TDSSweat.dat
    C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    C:\windows\system32\drivers\tdssserv.sys
    C:\WINDOWS\system32\drivers\TDSSmact.sys
    C:\WINDOWS\system32\TDSSfpmp.dll
    C:\WINDOWS\system32\TDSSwpyd.dat
    C:\WINDOWS\system32\TDSStkdv.log
    C:\WINDOWS\system32\TDSSotxb.dll
    C:\WINDOWS\system32\TDSScrrn.dll
    C:\WINDOWS\system32\TDSSbvqh.dll
    C:\WINDOWS\system32\TDSSjnmx.dll
    c:\windows\system32\TDSShrxr.dll
    c:\windows\system32\TDSSkkbi.log
    c:\windows\system32\TDSSlrvd.dat
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSrhyp.log
    c:\windows\system32\TDSSrtqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\TDSSmtve.dat
    c:\windows\system32\TDSSnirj.dat

    Drivers to delete:
    tdss
    tdssserv
    TDSSserv.SYS
    Service_TDSSSERV.SYS
    Legacy_TDSSSERV.SYS
    msqpdxserv.sys
    msqpdxserv

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata
    HKEY_LOCAL_MACHINE\SOFTWARE\tdss
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV


  • In the Avenger window, click the Paste Script from Clipboard button.

  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.

  • Click the Execute button.

  • You will be asked: Are you sure you want to execute the current script?

  • Click Yes.

  • You will now be asked: First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?

  • Click Yes.

  • Your PC will now be rebooted.

  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.

  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.

  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

STEP09

Download DDS and save it to your desktop from one of these 3 locations:

1. http://www.techsupportforum.com/sectools/sUBs/dds
2. http://download.bleepingcomputer.com/sUBs/dds.scr
3. http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.

Please include the following logs in your next reply:

DDS.txt

Attach.txt

STEP10

Please download Lop S&D.

Double-click on Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt), typically C:\lopR.txt

Please then reply with a copy of C:\Combofix.txt, C:\Avenger.txt, and a new HijackThis

RE-Enable your AntiVirus and AntiSpyware applications.

Hi

I got all the way to step 7, d/l ComboFix from link 1, and when I ran ComboFix it said that it had expired and asked if I wanted to exit or continue. So I clicked on Continue, and then it said it was going to operate in reduced functionality mode and asked if I wanted to exit or continue, so I continued. It finished and I saved the log to the desktop, and it just hung there with only the Desktop background showing, so I rebooted. I will post the ComboFix and a new HijackThis after I reboot.


Here are the ComboFix and HijackThis logs.

ComboFix 09-01-10.01 - cash america 2009-01-22 11:41:16.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126.25 [GMT -6:00]

Running from: c:\documents and settings\cash america\Desktop\Combo-Fix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\mmediacodec

c:\program files\mmediacodec\ot.ico

c:\program files\mmediacodec\ts.ico

c:\program files\security toolbar

c:\program files\security toolbar\Uninstall.bat

c:\windows\jestertb.dll

.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-22 11:35 . 2009-01-22 11:35 <DIR> d-------- C:\32788R22FWJFW

2009-01-22 10:25 . 2009-01-22 10:26 <DIR> d-------- c:\program files\CCleaner

2009-01-21 22:55 . 2009-01-21 22:55 <DIR> d-------- c:\documents and settings\Administrator

2009-01-21 21:54 . 2009-01-21 21:54 <DIR> d-------- c:\program files\AnalogX

2009-01-21 21:51 . 2009-01-21 21:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-21 21:27 . 2009-01-21 21:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:26 . 2009-01-21 21:38 <DIR> d-------- c:\program files\SpywareBlaster

2009-01-21 21:26 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX

2009-01-21 21:26 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL

2009-01-21 20:15 . 2009-01-21 20:15 <DIR> d-------- c:\documents and settings\cash america\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-21 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 20:14 . 2009-01-21 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 20:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-21 19:29 . 2009-01-21 19:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Smart-Shopper

2009-01-21 18:15 . 2005-04-20 19:22 608,448 --a------ c:\windows\system32\comctl32.ocx

2009-01-21 18:15 . 2006-03-03 11:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-01-13 23:29 . 2009-01-13 23:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seekeen

2009-01-13 08:49 . 2009-01-13 08:49 <DIR> d-------- c:\documents and settings\Documents and Settings

2009-01-08 14:59 . 2009-01-08 14:59 <DIR> d-------- c:\windows\EHome

2009-01-07 16:57 . 2009-01-07 16:57 <DIR> d-------- c:\documents and settings\cash america\Application Data\MSNInstaller

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\program files\NOS

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-01-03 19:51 . 2009-01-03 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winferno

2009-01-03 19:42 . 2009-01-21 17:28 <DIR> d-------- c:\documents and settings\cash america\Application Data\Smart-Shopper

2009-01-03 19:41 . 2009-01-03 19:41 <DIR> d-------- c:\program files\Freeze.com

2009-01-03 19:41 . 2006-10-09 12:28 835,584 --a------ c:\windows\system32\WINCTL4.OCX

2009-01-03 19:41 . 2006-10-09 13:06 495,616 --a------ c:\windows\system32\WINUTIL5.DLL

2009-01-03 19:41 . 2006-05-17 08:40 393,216 --a------ c:\windows\system32\WINLCTL5.DLL

2009-01-03 19:40 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Winferno

2009-01-03 19:40 . 2009-01-03 19:43 <DIR> d-------- c:\program files\Smart-Shopper

2009-01-03 19:40 . 2009-01-15 03:17 <DIR> d-------- c:\program files\Seekeen

2009-01-03 19:39 . 2009-01-21 16:44 <DIR> d-------- c:\program files\My.Freeze.com Toolbar

2009-01-03 19:39 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Free Offers from Freeze.com

2009-01-03 18:19 . 2007-10-31 04:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll

2009-01-03 18:19 . 2007-10-31 04:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll

2009-01-03 18:19 . 2007-01-17 10:31 294,912 -ra------ c:\windows\system32\hpovst11.dll

2009-01-03 18:19 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2009-01-03 18:19 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2009-01-03 17:45 . 2007-01-17 10:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys

2009-01-03 17:45 . 2007-01-17 10:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys

2009-01-03 17:44 . 2009-01-03 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-03 17:43 . 2007-11-06 20:10 271,704 -ra------ c:\windows\system32\hpzids01.dll

2009-01-03 17:43 . 2007-11-05 19:07 118,272 --a------ c:\windows\system32\hpz3l5mu.dll

2009-01-03 17:41 . 2009-01-03 17:42 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-01-03 17:41 . 2007-01-17 10:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll

2009-01-03 17:41 . 2007-01-17 10:37 309,760 -ra------ c:\windows\system32\difxapi.dll

2009-01-03 17:41 . 2007-01-17 10:37 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys

2008-12-24 05:34 . 2008-12-24 07:58 <DIR> d-------- c:\documents and settings\cash america\Application Data\OpenOffice.org2

2008-12-22 15:48 . 2008-12-22 15:48 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-22 15:18 --------- d-----w c:\documents and settings\cash america\Application Data\Yahoo!

2009-01-22 15:15 --------- d-----w c:\program files\Yahoo!

2009-01-22 15:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-21 22:59 --------- d-----w c:\program files\Google

2009-01-21 03:56 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-07 23:07 --------- d-----w c:\program files\OpenOffice.org 2.0

2009-01-07 22:49 --------- d-----w c:\program files\AOD

2008-12-16 01:51 --------- d-----w c:\documents and settings\cash america\Application Data\VCOM

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"HostManager"="c:\program files\Common Files\AOL\1148195820\ee\AOLSoftware.exe" [2006-05-09 50760]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-21 282624]

"Fix-It AV"="c:\progra~1\VCOM\Fix-It\MemCheck.exe" [2006-05-29 32768]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 128648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Internet Explorer\\iexplore.exe"=

R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\DRIVERS\wind502u.sys [2004-03-25 336256]

S2 Seekeen Service;Seekeen Service;c:\documents and settings\All Users\Application Data\Seekeen\seekeen140.exe [2009-01-13 4608]

S2 tmpreflt;tmpreflt;c:\progra~1\VCOM\Fix-It\tmpreflt.sys [2007-03-02 32528]

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD

*Deregistered* - Alerter

*Deregistered* - ALG

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - cdudf_xp

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fastfat

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - Fips

*Deregistered* - Fix-It Task Manager

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - gusvc

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTP

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - mmc_2K

*Deregistered* - mnmdd

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - Seekeen Service

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - tmpreflt

*Deregistered* - tmxpflt

*Deregistered* - TrkWks

*Deregistered* - UdfReadr_xp

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - Vsapint

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - WS2IFSL

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\RegPowerClean.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]

2009-01-18 c:\windows\Tasks\RPCReminder.job

- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2008-10-28 14:34]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

ShellExecuteHooks-{a5780613-492e-4a2a-a7fd-549610edf6cc} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

LSP: c:\program files\VCOM\Fix-It\MxAVLsp.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 11:42:09

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(568)

c:\program files\VCOM\Fix-It\MxAVLsp.dll

c:\program files\VCOM\Fix-It\MXPM.DLL

c:\program files\VCOM\Fix-It\MXR.dll

.

Completion time: 2009-01-22 11:46:17

ComboFix-quarantined-files.txt 2009-01-22 17:46:12

Pre-Run: 25,684,701,184 bytes free

Post-Run: 25,685,233,664 bytes free

257 --- E O F --- 2009-01-21 23:44:10

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:58:44 AM, on 1/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\Program Files\Seekeen\seekeen.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Seekeen Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

--

End of file - 3855 bytes

thanks for reading

Marcos

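The logs in the post above are read by eye by the forum helpers. As an added example, not part of this thread and not code from HijackThis, ComboFix or any other tool named here, the Python script below applies the first checks a helper makes on log lines of these shapes: a service (HijackThis O23 or ComboFix S2/R3) whose binary runs from a user profile, Application Data or Temp directory or from the drive root; a service reported with "Unknown owner"; an unusually small service executable; an orphaned BHO or toolbar button ("(no file)" / "(file missing)"); a Windows Firewall AuthorizedApplications exception for a binary in one of those locations; and an AntiVirusDisableNotify value that silences Security Center antivirus warnings. The directory prefixes, the 16 KB size threshold and the severity labels are assumptions made for this example, not a vendor signature set, and the sample lines are constructed from the log formats pasted above.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for the example: a service or autostart binary under a profile,
# Application Data or Temp directory deserves a look before anything else.
USER_WRITABLE_PREFIXES = (
    "c:\\documents and settings\\",
    "c:\\windows\\temp\\",
)
SMALL_SERVICE_BYTES = 16 * 1024  # heuristic: tiny service EXEs are often loader stubs

# ComboFix service/driver line: "S2 name;display;path [yyyy-mm-dd size]"
COMBOFIX_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?: \[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)
# Firewall AuthorizedApplications export: "c:\\dir\\app.exe"= (backslashes doubled)
FIREWALL_APP = re.compile(r'^"(?P<path>[^"]+)"=$')
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    severity: str  # HIGH / MEDIUM / LOW
    reason: str
    line: str


def _suspicious_location(path: str) -> Optional[str]:
    """Return a reason if the executable lives somewhere a service should not."""
    p = path.strip('"').lower()
    if p.startswith(USER_WRITABLE_PREFIXES):
        return "runs from a user-writable profile/temp directory"
    if re.fullmatch(r"[a-z]:\\?", ntpath.dirname(p)):
        return "runs from the drive root"
    return None


def triage_line(line: str) -> List[Finding]:
    """Classify one log line; returns zero or more findings."""
    line = line.strip()
    out: List[Finding] = []
    if not line:
        return out

    # HijackThis service entry: "O23 - Service: name (short) - owner - path"
    if line.startswith("O23 - Service: "):
        parts = line.split(" - ", 3)
        if len(parts) == 4:
            _, _, owner, path = parts
            if owner.strip().lower() == "unknown owner":
                out.append(Finding("MEDIUM", "service binary carries no file-version owner", line))
            if reason := _suspicious_location(path):
                out.append(Finding("HIGH", f"service {reason}", line))
        return out

    # HijackThis BHO / toolbar entries whose file is already gone
    if line.startswith(("O2 - BHO", "O9 - Extra")) and any(m in line for m in ORPHAN_MARKERS):
        out.append(Finding("LOW", "orphaned browser extension entry; remove to clean up", line))
        return out

    # Security Center suppression: "AntiVirusDisableNotify"=dword:00000001
    if line.startswith('"AntiVirusDisableNotify"=dword:'):
        if int(line.rsplit(":", 1)[1], 16) != 0:
            out.append(Finding("MEDIUM", "Security Center antivirus warnings are disabled", line))
        return out

    # ComboFix service/driver entry
    m = COMBOFIX_SVC.match(line)
    if m:
        if reason := _suspicious_location(m.group("path")):
            out.append(Finding("HIGH", f"{m.group('start')} service {reason}", line))
        if m.group("size") and int(m.group("size")) < SMALL_SERVICE_BYTES:
            out.append(Finding("MEDIUM", f"service binary is only {m.group('size')} bytes (possible loader stub)", line))
        return out

    # Windows Firewall exception list
    m = FIREWALL_APP.match(line)
    if m:
        path = m.group("path").replace("\\\\", "\\")
        if reason := _suspicious_location(path):
            out.append(Finding("MEDIUM", f"firewall exception for a binary that {reason}", line))
    return out


def triage(lines) -> List[Finding]:
    """Run triage_line over an iterable of log lines."""
    return [f for ln in lines for f in triage_line(ln)]


# Constructed sample input, modelled on the log lines in this thread.
SAMPLE_LINES = [
    r"O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
    r"O23 - Service: Seekeen Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe",
    r"O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)",
    r"R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\DRIVERS\wind502u.sys [2004-03-25 336256]",
    r"S2 Seekeen Service;Seekeen Service;c:\documents and settings\All Users\Application Data\Seekeen\seekeen140.exe [2009-01-13 4608]",
    r'"c:\\StubInstaller.exe"=',
    r'"c:\\Program Files\\LimeWire\\LimeWire.exe"=',
    r'"AntiVirusDisableNotify"=dword:00000001',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

To use it on a saved log, pass the file's lines to `triage()`. A HIGH finding is a lead, not a verdict: the helper still identifies the binary (vendor, signature, hash) before writing a removal script, but a service with no owner, a few kilobytes in size, running from All Users\Application Data is exactly the combination this picks out first.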

Hi

Okay, I used Link2 to d/l ComboFix and it worked and was able to finish the rest of the steps. Here are the rest of the Logs.

ComboFix 09-01-21.02 - cash america 2009-01-22 14:00:53.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126.9 [GMT -6:00]

Running from: c:\documents and settings\cash america\Desktop\Combo-Fix.exe

.

((((((((((((((((((((((((( Files Created from 2008-12-22 to 2009-01-22 )))))))))))))))))))))))))))))))

.

2009-01-22 13:26 . 2009-01-22 13:26 104 --a------ c:\windows\wininit.ini

2009-01-22 12:20 . 2009-01-22 13:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-22 12:20 . 2009-01-22 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-22 12:18 . 2009-01-22 12:18 <DIR> d-------- c:\program files\Bazooka Scanner

2009-01-22 10:25 . 2009-01-22 10:26 <DIR> d-------- c:\program files\CCleaner

2009-01-21 22:55 . 2009-01-21 22:55 <DIR> d-------- c:\documents and settings\Administrator

2009-01-21 21:54 . 2009-01-21 21:54 <DIR> d-------- c:\program files\AnalogX

2009-01-21 21:51 . 2009-01-21 21:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-21 21:27 . 2009-01-22 12:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:26 . 2009-01-22 12:17 <DIR> d-------- c:\program files\SpywareBlaster

2009-01-21 21:26 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX

2009-01-21 21:26 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL

2009-01-21 20:15 . 2009-01-21 20:15 <DIR> d-------- c:\documents and settings\cash america\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-21 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 20:14 . 2009-01-21 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 20:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-21 19:29 . 2009-01-21 19:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Smart-Shopper

2009-01-21 18:15 . 2005-04-20 19:22 608,448 --a------ c:\windows\system32\comctl32.ocx

2009-01-21 18:15 . 2006-03-03 11:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-01-13 23:29 . 2009-01-13 23:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seekeen

2009-01-13 08:49 . 2009-01-13 08:49 <DIR> d-------- c:\documents and settings\Documents and Settings

2009-01-08 14:59 . 2009-01-08 14:59 <DIR> d-------- c:\windows\EHome

2009-01-07 16:57 . 2009-01-07 16:57 <DIR> d-------- c:\documents and settings\cash america\Application Data\MSNInstaller

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\program files\NOS

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-01-03 19:51 . 2009-01-03 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winferno

2009-01-03 19:42 . 2009-01-21 17:28 <DIR> d-------- c:\documents and settings\cash america\Application Data\Smart-Shopper

2009-01-03 19:41 . 2009-01-03 19:41 <DIR> d-------- c:\program files\Freeze.com

2009-01-03 19:41 . 2006-10-09 12:28 835,584 --a------ c:\windows\system32\WINCTL4.OCX

2009-01-03 19:41 . 2006-10-09 13:06 495,616 --a------ c:\windows\system32\WINUTIL5.DLL

2009-01-03 19:41 . 2006-05-17 08:40 393,216 --a------ c:\windows\system32\WINLCTL5.DLL

2009-01-03 19:40 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Winferno

2009-01-03 19:40 . 2009-01-03 19:43 <DIR> d-------- c:\program files\Smart-Shopper

2009-01-03 19:40 . 2009-01-15 03:17 <DIR> d-------- c:\program files\Seekeen

2009-01-03 19:39 . 2009-01-21 16:44 <DIR> d-------- c:\program files\My.Freeze.com Toolbar

2009-01-03 19:39 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Free Offers from Freeze.com

2009-01-03 18:19 . 2007-10-31 04:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll

2009-01-03 18:19 . 2007-10-31 04:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll

2009-01-03 18:19 . 2007-01-17 10:31 294,912 -ra------ c:\windows\system32\hpovst11.dll

2009-01-03 18:19 . 2004-08-03 22:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2009-01-03 18:19 . 2004-08-03 22:58 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys

2009-01-03 17:45 . 2007-01-17 10:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys

2009-01-03 17:45 . 2007-01-17 10:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys

2009-01-03 17:44 . 2009-01-03 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-03 17:43 . 2007-11-06 20:10 271,704 -ra------ c:\windows\system32\hpzids01.dll

2009-01-03 17:43 . 2007-11-05 19:07 118,272 --a------ c:\windows\system32\hpz3l5mu.dll

2009-01-03 17:41 . 2009-01-03 17:42 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-01-03 17:41 . 2007-01-17 10:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll

2009-01-03 17:41 . 2007-01-17 10:37 309,760 -ra------ c:\windows\system32\difxapi.dll

2009-01-03 17:41 . 2007-01-17 10:37 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys

2008-12-24 05:34 . 2008-12-24 07:58 <DIR> d-------- c:\documents and settings\cash america\Application Data\OpenOffice.org2

2008-12-22 15:48 . 2008-12-22 15:48 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Yahoo!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-22 15:18 --------- d-----w c:\documents and settings\cash america\Application Data\Yahoo!

2009-01-22 15:15 --------- d-----w c:\program files\Yahoo!

2009-01-22 15:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-22 05:24 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater

2009-01-21 22:59 --------- d-----w c:\program files\Google

2009-01-07 23:07 --------- d-----w c:\program files\OpenOffice.org 2.0

2009-01-07 22:49 --------- d-----w c:\program files\AOD

2008-12-16 01:51 --------- d-----w c:\documents and settings\cash america\Application Data\VCOM

2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]

"HostManager"="c:\program files\Common Files\AOL\1148195820\ee\AOLSoftware.exe" [2006-05-09 50760]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-21 282624]

"Fix-It AV"="c:\progra~1\VCOM\Fix-It\MemCheck.exe" [2006-05-29 32768]

"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 128648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

R3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\DRIVERS\wind502u.sys [2004-03-25 336256]

S2 Seekeen Service;Seekeen Service;c:\documents and settings\All Users\Application Data\Seekeen\seekeen140.exe [2009-01-13 4608]

S2 tmpreflt;tmpreflt;c:\progra~1\VCOM\Fix-It\tmpreflt.sys [2007-03-02 32528]

--- Other Services/Drivers In Memory ---

*Deregistered* - AFD

*Deregistered* - Alerter

*Deregistered* - ALG

*Deregistered* - AudioSrv

*Deregistered* - audstub

*Deregistered* - Beep

*Deregistered* - Browser

*Deregistered* - Cdfs

*Deregistered* - cdudf_xp

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - Fastfat

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - Fips

*Deregistered* - Fix-It Task Manager

*Deregistered* - FltMgr

*Deregistered* - Ftdisk

*Deregistered* - Gpc

*Deregistered* - gusvc

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTP

*Deregistered* - ImapiService

*Deregistered* - IpNat

*Deregistered* - IPSec

*Deregistered* - KSecDD

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LmHosts

*Deregistered* - mmc_2K

*Deregistered* - mnmdd

*Deregistered* - MountMgr

*Deregistered* - MRxDAV

*Deregistered* - MRxSmb

*Deregistered* - Msfs

*Deregistered* - mssmbios

*Deregistered* - Mup

*Deregistered* - NDIS

*Deregistered* - NdisTapi

*Deregistered* - Ndisuio

*Deregistered* - NdisWan

*Deregistered* - NDProxy

*Deregistered* - NetBIOS

*Deregistered* - NetBT

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - Npfs

*Deregistered* - Ntfs

*Deregistered* - Null

*Deregistered* - PartMgr

*Deregistered* - ParVdm

*Deregistered* - PolicyAgent

*Deregistered* - PptpMiniport

*Deregistered* - ProtectedStorage

*Deregistered* - PSched

*Deregistered* - RasAcd

*Deregistered* - Rasl2tp

*Deregistered* - RasMan

*Deregistered* - RasPppoe

*Deregistered* - Raspti

*Deregistered* - Rdbss

*Deregistered* - RDPCDD

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - Seekeen Service

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - tmpreflt

*Deregistered* - tmxpflt

*Deregistered* - TrkWks

*Deregistered* - UdfReadr_xp

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - Vsapint

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - WS2IFSL

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\RegPowerClean.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]

2009-01-18 c:\windows\Tasks\RPCReminder.job

- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2008-10-28 14:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

IE: {{3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

LSP: c:\program files\VCOM\Fix-It\MxAVLsp.dll

FF - ProfilePath - c:\documents and settings\cash america\Application Data\Mozilla\Firefox\Profiles\ol6tp2r3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\Google\Google Updater\2.2.1273.1045\npCIDetect12.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 14:04:17

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(572)

c:\program files\VCOM\Fix-It\MxAVLsp.dll

c:\program files\VCOM\Fix-It\MXPM.DLL

c:\program files\VCOM\Fix-It\MXR.dll

.

Completion time: 2009-01-22 14:11:19

ComboFix-quarantined-files.txt 2009-01-22 20:11:07

ComboFix2.txt 2009-01-22 17:46:20

Pre-Run: 25,512,484,864 bytes free

Post-Run: 25,505,239,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

252 --- E O F --- 2009-01-21 23:44:10

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\brsvc01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brsvc01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\brss01a.exe" not found!

Deletion of file "C:\WINDOWS\system32\brss01a.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSixgp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSproc.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSproc.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" not found!

Deletion of file "C:\WINDOWS\SYSTEM32\TDSSwkod.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp"

Deletion of file "C:\Documents and Settings\Chelsea\Local Settings\Temp\TDSSe8db.tmp" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\drivers\msqpdxserv.sys" not found!

Deletion of file "c:\windows\system32\drivers\msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\resycled" not found!

Deletion of file "C:\resycled" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: could not open file "D:\resycled"

Deletion of file "D:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "e:\resycled"

Deletion of file "e:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "f:\resycled"

Deletion of file "f:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: could not open file "g:\resycled"

Deletion of file "g:\resycled" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Error: file "c:\windows\system32\TDSSweat.dat" not found!

Deletion of file "c:\windows\system32\TDSSweat.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmqlt.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\windows\system32\drivers\tdssserv.sys" not found!

Deletion of file "C:\windows\system32\drivers\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!

Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSfpmp.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSfpmp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSwpyd.dat" not found!

Deletion of file "C:\WINDOWS\system32\TDSSwpyd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSStkdv.log" not found!

Deletion of file "C:\WINDOWS\system32\TDSStkdv.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSotxb.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSotxb.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSScrrn.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSScrrn.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSbvqh.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSbvqh.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSjnmx.dll" not found!

Deletion of file "C:\WINDOWS\system32\TDSSjnmx.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSShrxr.dll" not found!

Deletion of file "c:\windows\system32\TDSShrxr.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSkkbi.log" not found!

Deletion of file "c:\windows\system32\TDSSkkbi.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlrvd.dat" not found!

Deletion of file "c:\windows\system32\TDSSlrvd.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSlxwp.dll" not found!

Deletion of file "c:\windows\system32\TDSSlxwp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnmxh.log" not found!

Deletion of file "c:\windows\system32\TDSSnmxh.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSoiqt.dll" not found!

Deletion of file "c:\windows\system32\TDSSoiqt.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrhyp.log" not found!

Deletion of file "c:\windows\system32\TDSSrhyp.log" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSrtqp.dll" not found!

Deletion of file "c:\windows\system32\TDSSrtqp.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSsihc.dll" not found!

Deletion of file "c:\windows\system32\TDSSsihc.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSxfum.dll" not found!

Deletion of file "c:\windows\system32\TDSSxfum.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSmtve.dat" not found!

Deletion of file "c:\windows\system32\TDSSmtve.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "c:\windows\system32\TDSSnirj.dat" not found!

Deletion of file "c:\windows\system32\TDSSnirj.dat" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdss" not found!

Deletion of driver "tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\tdssserv" not found!

Deletion of driver "tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\TDSSserv.SYS" not found!

Deletion of driver "TDSSserv.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Service_TDSSSERV.SYS" not found!

Deletion of driver "Service_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\Legacy_TDSSSERV.SYS" not found!

Deletion of driver "Legacy_TDSSSERV.SYS" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!

Deletion of driver "msqpdxserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv" not found!

Deletion of driver "msqpdxserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\TDSSserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\tdssserv.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdssserv" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" not found!

Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

DDS (Ver_09-01-19.01) - NTFSx86

Run by cash america at 14:38:17.18 on Thu 01/22/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.126.18 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Seekeen\seekeen.exe

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Documents and Settings\cash america\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: NoExplorer - No File

BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.1.1119.1736\swg.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"

mRun: [HostManager] c:\program files\common files\aol\1148195820\ee\AOLSoftware.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Fix-It AV] c:\progra~1\vcom\fix-it\MemCheck.exe

mRun: [iPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\GetFlash.exe

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {4CF088BD-BE95-40a5-BE9B-677F8683EDEA} - c:\program files\smart-shopper\bin\2.5.1\Smrt-Shpr.dll

LSP: c:\program files\vcom\fix-it\MxAVLsp.dll

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\casham~1\applic~1\mozilla\firefox\profiles\ol6tp2r3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\google\google updater\2.2.1273.1045\npCIDetect12.dll

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-01-22 13:59 <DIR> a-dshr-- C:\cmdcons

2009-01-22 13:54 161,792 a------- c:\windows\SWREG.exe

2009-01-22 13:54 98,816 a------- c:\windows\sed.exe

2009-01-22 13:26 104 a------- c:\windows\wininit.ini

2009-01-22 12:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-01-22 12:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-01-22 12:18 <DIR> --d----- c:\program files\Bazooka Scanner

2009-01-22 10:25 <DIR> --d----- c:\program files\CCleaner

2009-01-21 21:54 <DIR> --d----- c:\program files\AnalogX

2009-01-21 21:51 <DIR> --d----- c:\program files\Trend Micro

2009-01-21 21:26 1,071,088 a------- c:\windows\system32\MSCOMCTL.OCX

2009-01-21 21:26 118,784 a------- c:\windows\system32\MSSTDFMT.DLL

2009-01-21 21:26 <DIR> --d----- c:\program files\SpywareBlaster

2009-01-21 20:15 <DIR> --d----- c:\docume~1\casham~1\applic~1\Malwarebytes

2009-01-21 20:14 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-01-21 20:14 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 20:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-01-21 20:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 18:15 608,448 a------- c:\windows\system32\comctl32.ocx

2009-01-21 18:15 143,360 a------- c:\windows\system32\dunzip32.dll

2009-01-13 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Seekeen

2009-01-08 14:59 <DIR> --d----- c:\windows\EHome

2009-01-07 16:57 <DIR> --d----- c:\docume~1\casham~1\applic~1\MSNInstaller

2009-01-03 19:42 <DIR> --d----- c:\docume~1\casham~1\applic~1\Smart-Shopper

2009-01-03 19:41 495,616 a------- c:\windows\system32\WINUTIL5.DLL

2009-01-03 19:41 393,216 a------- c:\windows\system32\WINLCTL5.DLL

2009-01-03 19:41 835,584 a------- c:\windows\system32\WINCTL4.OCX

2009-01-03 19:41 <DIR> --d----- c:\program files\Freeze.com

2009-01-03 19:40 <DIR> --d----- c:\program files\Smart-Shopper

2009-01-03 19:40 <DIR> --d----- c:\program files\Seekeen

2009-01-03 19:40 <DIR> --d----- c:\program files\Winferno

2009-01-03 19:39 <DIR> --d----- c:\program files\My.Freeze.com Toolbar

2009-01-03 19:39 <DIR> --d----- c:\program files\Free Offers from Freeze.com

2009-01-03 18:19 294,912 a----r-- c:\windows\system32\hpovst11.dll

2009-01-03 18:19 593,920 a----r-- c:\windows\system32\hpwtscl3.dll

2009-01-03 18:19 729,088 a----r-- c:\windows\system32\hpwwiax4.dll

2009-01-03 18:19 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys

2009-01-03 18:19 15,104 a------- c:\windows\system32\drivers\usbscan.sys

2009-01-03 17:45 16,496 a----r-- c:\windows\system32\drivers\HPZipr12.sys

2009-01-03 17:45 49,920 a----r-- c:\windows\system32\drivers\HPZid412.sys

2009-01-03 17:43 118,272 a------- c:\windows\system32\hpz3l5mu.dll

2009-01-03 17:43 271,704 a----r-- c:\windows\system32\hpzids01.dll

2009-01-03 17:41 309,760 a----r-- c:\windows\system32\difxapi.dll

2009-01-03 17:41 364,544 a----r-- c:\windows\system32\hppldcoi.dll

2009-01-03 17:41 21,568 a----r-- c:\windows\system32\drivers\HPZius12.sys

==================== Find3M ====================

2008-12-11 05:57 333,184 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 14:39:34.76 ===============

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2

X86-based PC ( Uniprocessor Free : Intel® Celeron CPU 1200MHz )

BIOS : Version 3.07

USER : cash america ( Administrator )

BOOT : Normal boot

A:\ (USB)

C:\ (Local Disk) - NTFS - Total:27 GB (Free:23 GB)

D:\ (CD or DVD)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Thu 01/22/2009|14:44 )

--------------------\\ Listing folders in APPLIC~1

[01/21/2009|10:55] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[07/09/2008|05:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[07/12/2008|03:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL

[06/30/2007|08:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads

[06/30/2007|08:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP

[05/21/2006|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[01/21/2009|04:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google

[01/21/2009|11:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google Updater

[01/03/2009|05:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Hewlett-Packard

[01/21/2009|08:14] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[05/20/2006|05:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[06/28/2006|04:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NCH Swift Sound

[01/07/2009|05:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NOS

[01/13/2009|11:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Seekeen

[01/22/2009|01:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[01/22/2009|12:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP

[07/09/2008|05:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint

[05/15/2006|02:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[01/03/2009|07:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Winferno

[01/22/2009|09:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!

[12/17/2008|09:26] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Google

[10/06/2008|10:23] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Identities

[12/15/2008|08:10] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Macromedia

[01/21/2009|08:15] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Malwarebytes

[12/19/2008|08:39] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Microsoft

[01/22/2009|12:14] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Mozilla

[01/07/2009|04:57] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> MSNInstaller

[12/24/2008|07:58] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> OpenOffice.org2

[01/21/2009|05:28] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Smart-Shopper

[12/15/2008|07:51] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> VCOM

[01/22/2009|09:18] C:\DOCUME~1\CASHAM~1\APPLIC~1\<DIR> Yahoo!

[05/15/2006|12:20] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[12/29/2008|07:48] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Google

[12/29/2008|07:49] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Macromedia

[05/15/2006|12:45] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[01/22/2009|12:13] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Mozilla

[01/21/2009|07:40] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Smart-Shopper

[05/26/2006|10:00] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> VCOM

[12/22/2008|03:48] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Yahoo!

[05/15/2006|12:28] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[01/18/2009 03:23 PM][--a------] C:\WINDOWS\tasks\RPCReminder.job

[01/22/2009 02:30 PM][--a------] C:\WINDOWS\tasks\RegPowerClean.job

[01/22/2009 02:30 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[08/04/2004 06:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[07/24/2006|06:53] C:\Program Files\<DIR> Admiresoft

[01/21/2009|09:54] C:\Program Files\<DIR> AnalogX

[01/07/2009|04:49] C:\Program Files\<DIR> AOD

[11/08/2006|02:10] C:\Program Files\<DIR> AOL

[01/22/2009|12:18] C:\Program Files\<DIR> Bazooka Scanner

[01/22/2009|10:26] C:\Program Files\<DIR> CCleaner

[01/22/2009|02:02] C:\Program Files\<DIR> Common Files

[05/15/2006|12:14] C:\Program Files\<DIR> ComPlus Applications

[05/29/2006|11:32] C:\Program Files\<DIR> DivX

[01/03/2009|07:40] C:\Program Files\<DIR> Free Offers from Freeze.com

[01/03/2009|07:41] C:\Program Files\<DIR> Freeze.com

[01/21/2009|04:59] C:\Program Files\<DIR> Google

[05/25/2006|12:03] C:\Program Files\<DIR> iMesh Applications

[05/21/2006|02:46] C:\Program Files\<DIR> InstallShield Installation Information

[12/16/2008|03:11] C:\Program Files\<DIR> Internet Explorer

[07/09/2008|05:04] C:\Program Files\<DIR> Java

[05/24/2006|11:47] C:\Program Files\<DIR> LimeWire

[01/21/2009|08:15] C:\Program Files\<DIR> Malwarebytes' Anti-Malware

[12/16/2008|03:21] C:\Program Files\<DIR> Messenger

[05/15/2006|12:21] C:\Program Files\<DIR> microsoft frontpage

[05/15/2006|12:15] C:\Program Files\<DIR> Movie Maker

[01/22/2009|12:16] C:\Program Files\<DIR> Mozilla Firefox

[01/07/2009|04:58] C:\Program Files\<DIR> MSN

[05/15/2006|12:12] C:\Program Files\<DIR> MSN Gaming Zone

[01/21/2009|04:44] C:\Program Files\<DIR> My.Freeze.com Toolbar

[07/09/2008|05:13] C:\Program Files\<DIR> NCH Swift Sound

[05/15/2006|12:15] C:\Program Files\<DIR> NetMeeting

[01/07/2009|05:09] C:\Program Files\<DIR> NOS

[05/15/2006|12:16] C:\Program Files\<DIR> Online Services

[01/07/2009|05:07] C:\Program Files\<DIR> OpenOffice.org 2.0

[06/28/2007|02:11] C:\Program Files\<DIR> Outlook Express

[07/09/2008|05:06] C:\Program Files\<DIR> PartyGaming

[05/21/2006|02:45] C:\Program Files\<DIR> QuickTime

[05/15/2006|02:17] C:\Program Files\<DIR> Roxio

[01/15/2009|03:17] C:\Program Files\<DIR> Seekeen

[01/03/2009|07:43] C:\Program Files\<DIR> Smart-Shopper

[01/22/2009|01:37] C:\Program Files\<DIR> Spybot - Search & Destroy

[01/22/2009|12:17] C:\Program Files\<DIR> SpywareBlaster

[01/21/2009|09:51] C:\Program Files\<DIR> Trend Micro

[05/15/2006|12:49] C:\Program Files\<DIR> Uninstall Information

[07/10/2008|04:50] C:\Program Files\<DIR> VCOM

[07/09/2008|05:13] C:\Program Files\<DIR> Viewpoint

[05/15/2006|02:57] C:\Program Files\<DIR> Windows Media Player

[05/15/2006|12:12] C:\Program Files\<DIR> Windows NT

[05/15/2006|12:16] C:\Program Files\<DIR> WindowsUpdate

[01/03/2009|07:40] C:\Program Files\<DIR> Winferno

[05/15/2006|12:21] C:\Program Files\<DIR> xerox

[01/22/2009|09:15] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[05/15/2006|02:17] C:\Program Files\Common Files\<DIR> Adaptec Shared

[07/09/2008|05:16] C:\Program Files\Common Files\<DIR> Adobe

[07/02/2006|09:27] C:\Program Files\Common Files\<DIR> AOL

[07/02/2006|09:22] C:\Program Files\Common Files\<DIR> aolshare

[05/21/2006|02:24] C:\Program Files\Common Files\<DIR> InstallShield

[05/15/2006|12:50] C:\Program Files\Common Files\<DIR> Microsoft Shared

[05/15/2006|12:15] C:\Program Files\Common Files\<DIR> MSSoap

[05/21/2006|01:17] C:\Program Files\Common Files\<DIR> Nullsoft

[05/17/2006|10:49] C:\Program Files\Common Files\<DIR> ODBC

[05/15/2006|12:15] C:\Program Files\Common Files\<DIR> Services

[05/17/2006|10:49] C:\Program Files\Common Files\<DIR> SpeechEngines

[06/28/2007|02:11] C:\Program Files\Common Files\<DIR> System

--------------------\\ Process

( 31 Processes )

iexplore.exe ~ [PID:2944]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-22 14:46:55

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

No other infections found !

[F:2][D:1]-> C:\DOCUME~1\CASHAM~1\LOCALS~1\Temp

[F:10][D:0]-> C:\DOCUME~1\CASHAM~1\Cookies

[F:115][D:4]-> C:\DOCUME~1\CASHAM~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Thu 01/22/2009|14:48 - Option : [1]

--------------------\\ Scan completed at 14:48:43

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:01:51 PM, on 1/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Seekeen\seekeen.exe

C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\internet explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148195820\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Fix-It Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\VCOM\Fix-It\mxtask.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Seekeen Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe

--

End of file - 3870 bytes

Hope I didn't mess up too badly; don't know if I want to reinstall McAfee or not.

Thanks for all your help, Marcos

Attach.txt


  • Root Admin

Hi Marcos.

I'm going to give you the benefit of the doubt but these logs certainly look like they were edited, which is cause for us to close the post.

Please do not edit logs before posting, as it makes our work harder to do and takes longer.

I would remove the SHOPPING software in Add/Remove.

Update your Anti-Virus and do a FULL SCAN of your system, then let me know what it finds and fixes.

Then run the following again.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot, run HJT, choose Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


Removed the shopper program, ran a full scan with avast, found the same file in 3 instances, moved all 3 to the chest. Rebooted and ran HijackThis.

1/22/2009 9:13:54 PM SYSTEM 1248 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe" file.

1/22/2009 10:13:06 PM cash america 3388 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\Seekeen\seekeen.exe" file.

1/22/2009 10:20:04 PM cash america 3388 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{62ABC0C3-0A21-4D2B-92A3-64956591BC9E}\RP6\A0005255.exe" file.

1/22/2009 10:24:37 PM cash america 3388 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{62ABC0C3-0A21-4D2B-92A3-64956591BC9E}\RP6\A0005374.exe" file.

Malwarebytes' Anti-Malware 1.33

Database version: 1682

Windows 5.1.2600 Service Pack 2

1/22/2009 11:04:23 PM

mbam-log-2009-01-22 (23-04-23).txt

Scan type: Quick Scan

Objects scanned: 46454

Time elapsed: 8 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:20:14 PM, on 1/22/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - S-1-5-18 Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

--

End of file - 4169 bytes


  • Root Admin

STEP01

Please download Avenger 2.0 from here

Open and copy the program file avenger.exe to your Desktop then double click to start it.

Copy and paste the following text from the code box below into the main window of Avenger.

Files to delete:
C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe
C:\Program Files\Seekeen\seekeen.exe

Folders to delete:
C:\Program Files\Seekeen
  • Do not check any other boxes, uncheck Scan for Rootkits if it's checked
  • Close all other running applications
  • After pasting the text into the main window, click on Execute

Once Avenger is done, run MBAM, go to the UPDATE tab, update the program again and do a Quick Scan.

Fix anything found and reboot the computer. Then run a new HJT log and post back all logs.

STEP02

Start HJT and run Do a system scan only and place a check mark on the following items.

  • O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
  • O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
  • O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

The logs show that you still have McAfee Anti-Virus running on this system. Please review this information to fully remove it.

STEP03

Removing McAfee Automatically

Removing incompatible third-party applications (2008)

Summary: Some third-party applications are incompatible with 2008 McAfee software. This article explains how to remove programs using Windows standard program removal tools and provides links to remove specific applications.

McAfee has created an automatic removal program to remove the following software products when the normal removal methods fail. It does not work with Windows 98 or Windows ME. The removal tool deletes all traces of the following products in Windows 2000 Pro, Windows XP Home and Professional, and Windows Vista.

  • McAfee Security Center
  • McAfee VirusScan
  • McAfee Personal Firewall Plus
  • McAfee Privacy Service
  • McAfee SpamKiller
  • McAfee Wireless Network Security
  • McAfee SiteAdvisor
  • McAfee Data Backup
  • McAfee Network Manager
  • McAfee Easy Network
  • McAfee AntiSpyware

Follow these directions to download the McAfee Removal Tool and run it to remove the above programs.

  1. Click on the following link to download the MCPR removal tool
    McAfee MCPR.exe
  2. Click Save and save the file to your desktop
  3. Close all McAfee Application windows you may have open, and double-click on MCPR.exe to start the removal tool. Windows Vista users will have to right-click on the file and select "Run as Administrator"
  4. After the removal tool finishes, you should be prompted to restart your computer.
  5. Once the computer restarts, your McAfee product should be uninstalled.
  6. If for any reason there appears a red X during the uninstall, go to the following location for more advanced uninstall instructions involving the registry.
    McAfee Document ID: TS100507
  7. If you're still having issues removing McAfee software please check out their support forum

Extra Optional Steps

  1. Open My Computer, double-click on Drive C
  2. Double-click on Program Files
  3. Look for any McAfee product folders that remain. Right-click on them and choose Delete
  4. Close My Computer and other folders

STEP04

Disable your Avast Anti-Virus and run this Anti-Virus scanner please.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the check icon next to the files found.
    If so, click it, then click the icon right below it and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.
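STEP02 above ticks only HijackThis entries that end in "(no file)" or "(file missing)", that is, registry registrations whose target binary is already gone, while the Seekeen service (a live binary under All Users\Application Data with no publisher) is routed to Avenger instead. The Python triage below is an added example, not part of this thread and not code from HijackThis, Avenger or Malwarebytes: it applies that distinction to a constructed sample of HJT-style lines copied from the logs posted above. The section regex, the "user-writable directory" heuristic and the function names are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: HijackThis v2-style lines modelled on the logs posted in
# this thread (paths and CLSIDs copied from them). Not a full log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: Seekeen Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

# HJT marks a registration whose target binary is gone with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Directories a non-admin process can write to on XP. A service or autorun
# living there (rather than Program Files / system32) deserves a second look.
# This is my own heuristic, not anything HijackThis itself reports.
USER_WRITABLE_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")

SECTION_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
DRIVE_PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")


@dataclass(frozen=True)
class Finding:
    section: str              # HJT section code, e.g. "O23"
    reasons: Tuple[str, ...]  # why the line was flagged
    line: str                 # the original log line


def extract_path(body: str) -> str | None:
    """Return the first drive-letter path in an entry, minus any orphan marker."""
    m = DRIVE_PATH_RE.search(body)
    if not m:
        return None
    path = m.group(1).strip()
    for marker in ORPHAN_MARKERS:
        if path.endswith(marker):
            path = path[: -len(marker)].strip()
    return path.strip('"')


def triage(log_text: str) -> List[Finding]:
    """Flag HJT lines that are dead registrations or that run from odd places."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue                      # header, process list, blank line
        section, body = m.groups()
        reasons: List[str] = []
        if line.endswith(ORPHAN_MARKERS):
            reasons.append("orphan")      # registry points at a missing file
        else:
            if section == "O23" and "Unknown owner" in body:
                reasons.append("unknown-owner")   # service binary has no publisher
            path = extract_path(body)
            if path and any(d in path.lower() for d in USER_WRITABLE_DIRS):
                reasons.append("user-writable-path")
        if reasons:
            findings.append(Finding(section, tuple(reasons), line))
    return findings


def hjt_fix_candidates(findings: List[Finding]) -> List[str]:
    """Lines safe to tick under 'Fix checked': dead registrations only.

    Anything else still has a live binary on disk and needs an AV scan or a
    targeted deletion (as the Avenger script in this thread does) first.
    """
    return [f.line for f in findings if f.reasons == ("orphan",)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section:<4} {','.join(f.reasons):<32} {f.line}")
```

Run as a script it prints the flagged lines. The admin's STEP02 picks (the O3 toolbar and the two O9 PartyPoker entries) fall inside the hjt_fix_candidates() set; the McAfee O23 entries are orphans too, but STEP03 removes those with the vendor's own tool rather than through HJT, and the Seekeen service is the one line that comes back with a live binary in a user-writable directory and no publisher.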

Here are the Avenger, MBAM and HiJackThis logs. Will continue with step 2 now.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Error: file "C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe" not found!

Deletion of file "C:\Documents and Settings\All Users\Application Data\Seekeen\seekeen140.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Error: file "C:\Program Files\Seekeen\seekeen.exe" not found!

Deletion of file "C:\Program Files\Seekeen\seekeen.exe" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Folder "C:\Program Files\Seekeen" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Malwarebytes' Anti-Malware 1.33

Database version: 1683

Windows 5.1.2600 Service Pack 3

1/23/2009 8:26:14 AM

mbam-log-2009-01-23 (08-26-13).txt

Scan type: Quick Scan

Objects scanned: 46682

Time elapsed: 7 minute(s), 45 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:37:18 AM, on 1/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - c:\program files\common files\mcafee\mna\mcnasvc.exe (file missing)

O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)

O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

--

End of file - 4192 bytes


Disabled Avast, ran Dr.Web CureIt; it did not find anything, so no log. Rebooted, turned Avast back on. Ran HiJackThis, had 2 errors while running, and here is that log. Am going to delete both O2 BHOs with no files too.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:12:16 PM, on 1/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--

End of file - 3098 bytes


Here are my latest MBAM and HiJackThis logs. Had also noticed that my system folders were hidden again, so I unhid them.

Malwarebytes' Anti-Malware 1.33

Database version: 1683

Windows 5.1.2600 Service Pack 3

1/23/2009 2:16:43 PM

mbam-log-2009-01-23 (14-16-43).txt

Scan type: Quick Scan

Objects scanned: 46383

Time elapsed: 9 minute(s), 32 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:29:55 PM, on 1/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--

End of file - 2924 bytes


Am going to run the Kaspersky online scanner and see if it finds anything. If it does, I will post back anything it finds. See if it's close to being done.

Thanks for reading.

Marcos

Never mind, need more memory; 128MB doesn't cut it. Will have to see if I can max this to 512MB.

Then I'll run F-Secure online scan.

I don't believe this! I installed more RAM, installed PageDefrag, and ran it. Then I opened up Firefox and an Add-ons box popped up: 2 add-ons have been installed.

Java Quick Starter 1.0 and Seekeen 1.0 (Search from address bar). The only add-on I did was for IE7 (installed Java) to run Kaspersky and/or Panda, but neither ran because of "not enough memory". Sure glad I didn't tell my friend it was all clean already.

Well, at least now I can run the Kaspersky online scanner.

Thanks for reading, Marcos

Here is my Kaspersky log.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, January 23, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Friday, January 23, 2009 17:01:56

Records in database: 1675780

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

Scan statistics:

Files scanned: 30358

Threat name: 0

Infected objects: 0

Suspicious objects: 0

Duration of the scan: 01:24:34

No malware has been detected. The scan area is clean.

The selected area was scanned.

Am presently running a Panda online scan.

Well, my Panda scan is still running and it says it has found 523 infected files at only 30%; will post more info once it finishes.


ComboFix 09-01-10.01 - cash america 2009-01-23 23:02:00.3 - NTFSx86

Running from: c:\documents and settings\cash america\Desktop\Combo-Fix.exe

.

- REDUCED FUNCTIONALITY MODE -

.

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

2009-01-23 19:43 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2009-01-23 19:42 . 2009-01-23 19:42 <DIR> d-------- c:\program files\Panda Security

2009-01-23 19:00 . 2009-01-23 19:00 <DIR> d-------- c:\windows\LastGood

2009-01-23 18:11 . 2009-01-23 18:11 <DIR> d-------- c:\windows\UltraDefrag

2009-01-23 17:38 . 2009-01-23 17:46 25,992 --a------ c:\windows\system32\pgdfgsvc.exe

2009-01-23 15:03 . 2009-01-23 15:01 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-23 15:03 . 2009-01-23 15:01 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-23 10:28 . 2009-01-23 10:28 <DIR> d-------- c:\documents and settings\cash america\DoctorWeb

2009-01-23 00:40 . 2009-01-23 00:41 <DIR> d-------- c:\windows\system32\scripting

2009-01-23 00:40 . 2009-01-23 00:40 <DIR> d-------- c:\windows\system32\en

2009-01-23 00:40 . 2009-01-23 00:40 <DIR> d-------- c:\windows\system32\bits

2009-01-23 00:40 . 2009-01-23 00:40 <DIR> d-------- c:\windows\l2schemas

2009-01-23 00:34 . 2009-01-23 00:42 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-22 17:34 . 2009-01-22 17:34 <DIR> d-------- c:\program files\Alwil Software

2009-01-22 13:26 . 2009-01-22 13:26 104 --a------ c:\windows\wininit.ini

2009-01-22 12:20 . 2009-01-22 13:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-22 12:20 . 2009-01-22 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-22 12:18 . 2009-01-22 12:18 <DIR> d-------- c:\program files\Bazooka Scanner

2009-01-22 10:25 . 2009-01-22 10:26 <DIR> d-------- c:\program files\CCleaner

2009-01-21 22:55 . 2009-01-21 22:55 <DIR> d-------- c:\documents and settings\Administrator

2009-01-21 21:54 . 2009-01-21 21:54 <DIR> d-------- c:\program files\AnalogX

2009-01-21 21:51 . 2009-01-21 21:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-21 21:27 . 2009-01-22 12:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:26 . 2009-01-22 12:17 <DIR> d-------- c:\program files\SpywareBlaster

2009-01-21 21:26 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX

2009-01-21 21:26 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL

2009-01-21 20:15 . 2009-01-21 20:15 <DIR> d-------- c:\documents and settings\cash america\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-21 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 20:14 . 2009-01-21 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 20:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-21 19:29 . 2009-01-21 19:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Smart-Shopper

2009-01-21 18:15 . 2005-04-20 19:22 608,448 --a------ c:\windows\system32\comctl32.ocx

2009-01-21 18:15 . 2006-03-03 11:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-01-13 23:29 . 2009-01-22 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seekeen

2009-01-13 08:49 . 2009-01-22 17:05 <DIR> d-------- c:\documents and settings\Documents and Settings

2009-01-08 14:59 . 2009-01-23 00:09 <DIR> d-------- c:\windows\EHome

2009-01-07 16:57 . 2009-01-07 16:57 <DIR> d-------- c:\documents and settings\cash america\Application Data\MSNInstaller

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\program files\NOS

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-01-03 19:51 . 2009-01-03 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winferno

2009-01-03 19:41 . 2009-01-03 19:41 <DIR> d-------- c:\program files\Freeze.com

2009-01-03 19:41 . 2006-10-09 12:28 835,584 --a------ c:\windows\system32\WINCTL4.OCX

2009-01-03 19:41 . 2006-10-09 13:06 495,616 --a------ c:\windows\system32\WINUTIL5.DLL

2009-01-03 19:41 . 2006-05-17 08:40 393,216 --a------ c:\windows\system32\WINLCTL5.DLL

2009-01-03 19:40 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Winferno

2009-01-03 19:39 . 2009-01-21 16:44 <DIR> d-------- c:\program files\My.Freeze.com Toolbar

2009-01-03 19:39 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Free Offers from Freeze.com

2009-01-03 18:19 . 2007-10-31 04:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll

2009-01-03 18:19 . 2007-10-31 04:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll

2009-01-03 18:19 . 2007-01-17 10:31 294,912 -ra------ c:\windows\system32\hpovst11.dll

2009-01-03 18:19 . 2008-04-13 12:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2009-01-03 17:45 . 2007-01-17 10:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys

2009-01-03 17:45 . 2007-01-17 10:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys

2009-01-03 17:44 . 2009-01-03 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-03 17:43 . 2007-11-06 20:10 271,704 -ra------ c:\windows\system32\hpzids01.dll

2009-01-03 17:43 . 2007-11-05 19:07 118,272 --a------ c:\windows\system32\hpz3l5mu.dll

2009-01-03 17:41 . 2009-01-03 17:42 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-01-03 17:41 . 2007-01-17 10:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll

2009-01-03 17:41 . 2007-01-17 10:37 309,760 -ra------ c:\windows\system32\difxapi.dll

2009-01-03 17:41 . 2007-01-17 10:37 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys

2008-12-24 05:34 . 2008-12-24 07:58 <DIR> d-------- c:\documents and settings\cash america\Application Data\OpenOffice.org2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-23 21:01 --------- d-----w c:\program files\Java

2009-01-23 16:01 --------- d-----w c:\program files\Google

2009-01-22 15:18 --------- d-----w c:\documents and settings\cash america\Application Data\Yahoo!

2009-01-22 15:15 --------- d-----w c:\program files\Yahoo!

2009-01-22 15:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-07 23:07 --------- d-----w c:\program files\OpenOffice.org 2.0

2009-01-07 22:49 --------- d-----w c:\program files\AOD

2008-12-22 21:48 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!

2008-12-16 01:51 --------- d-----w c:\documents and settings\cash america\Application Data\VCOM

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-13 09:52 91,648 ----a-w c:\windows\system32\lua5.1a.dll

2008-11-13 09:52 9,728 ----a-w c:\windows\system32\udefrag.dll

2008-11-13 09:52 9,728 ----a-w c:\windows\system32\lua5.1a.exe

2008-11-13 09:52 9,728 ----a-w c:\windows\system32\defrag_native.exe

2008-11-13 09:52 86,016 ----a-w c:\windows\system32\ultradefrag.exe

2008-11-13 09:52 7,680 ----a-w c:\windows\system32\udefrag.exe

2008-11-13 09:52 6,656 ----a-w c:\windows\system32\udefrag-gui.exe

2008-11-13 09:52 6,656 ----a-w c:\windows\system32\bootexctrl.exe

2008-11-13 09:52 17,408 ----a-w c:\windows\system32\zenwinx.dll

2008-11-13 09:52 13,824 ----a-w c:\windows\system32\lua5.1a_gui.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 128648]

c:\documents and settings\cash america\Start Menu\Programs\Startup\

MaxMem.lnk - c:\program files\AnalogX\MaxMem\maxmem.exe [2009-01-21 75780]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-05-09 18:24 50760 c:\program files\Common Files\AOL\1148195820\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

--a------ 2006-02-17 10:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-05-21 02:40 282624 c:\program files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-22 111184]

R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-22 20560]

S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2006-05-20 336256]

--- Other Services/Drivers In Memory ---

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - PolicyAgent

*Deregistered* - ProtectedStorage

*Deregistered* - RasMan

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - srservice

*Deregistered* - SSDPSRV

*Deregistered* - stisvc

*Deregistered* - TapiSrv

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - W32Time

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\RegPowerClean.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]

2009-01-23 c:\windows\Tasks\RPCReminder.job

- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2008-10-28 14:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\cash america\Application Data\Mozilla\Firefox\Profiles\ol6tp2r3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-23 23:02:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-01-23 23:06:24

ComboFix-quarantined-files.txt 2009-01-24 05:05:58

Pre-Run: 23,543,439,360 bytes free

Post-Run: 23,602,020,352 bytes free

190 --- E O F --- 2009-01-23 08:36:12


Ran SUPERAntiSpyware, which found 1 trojan; didn't know if it produced a log or not. Here are my latest MBAM and, after reboot, HijackThis logs.

Malwarebytes' Anti-Malware 1.33

Database version: 1683

Windows 5.1.2600 Service Pack 3

1/24/2009 6:12:49 AM

mbam-log-2009-01-24 (06-12-49).txt

Scan type: Quick Scan

Objects scanned: 46188

Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:18:09 AM, on 1/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--

End of file - 4148 bytes

Thanks for reading

Marcos


Ran Ad-Aware and it found 3 instances of trojans; I have a log of that. Rebooted, ran MBAM, rebooted, ran HijackThis, no errors or stops, yay. Here are the 3 logs. And I am definitely going to remove the program Relevant Knowledge with Add/Remove Programs; I knew that program looked fishy.

Logfile created: 1/24/2009 9:34:31

Lavasoft Ad-Aware version: 8.0

Extended engine version: 8.1

User performing scan: cash america

*********************** Definitions database information ***********************

Lavasoft definition file: 146.0

Extended engine definition file: 8.1

******************************** Scan results: *********************************

Scan profile name: Smart Scan (ID: smart)

Objects scanned: 20914

Objects detected: 8

Type Detected

==========================

Processes.......: 0

Registry entries: 5

Hostfile entries: 0

Files...........: 0

Folders.........: 0

LSPs............: 0

Cookies.........: 3

Browser hijacks.: 0

MRU objects.....: 0

Removed items:

Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0

Description: *kontera* Family Name: Cookies Clean status: Success Item ID: 409363 Family ID: 0

Description: *revsci* Family Name: Cookies Clean status: Success Item ID: 409137 Family ID: 0

Quarantined items:

Description: HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}: Family Name: Adware.Relevant Clean status: Success Item ID: 446311 Family ID: 5102

Description: HKU:s-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser:{01e04581-4eee-11d0-bfe9-00aa005b4383} Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39819 Family ID: 1017

Description: HKU:S-1-5-21-1454471165-329068152-1417001333-1005\software\microsoft\windows\currentversion\policies\explorer:nodrives Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39774 Family ID: 1017

Description: HKU:.default\software\microsoft\internet explorer\toolbar:locked Family Name: Win32.TrojanDownloader.NewMedia Clean status: Success Item ID: 39817 Family ID: 1017

Description: HKU:s-1-5-18\software\microsoft\internet explorer\toolbar:locked Family Name: Win32.TrojanDownloader.NewMedia Clean status: Failed Item ID: 39818 Family ID: 1017

Scan and cleaning complete: Finished correctly after 661 seconds

*********************************** Settings ***********************************

Scan profile:

ID: smart, enabled:1, value: Smart Scan

ID: scancriticalareas, enabled:1, value: true

ID: scanrunningapps, enabled:1, value: true

ID: scanregistry, enabled:1, value: true

ID: scanlsp, enabled:1, value: true

ID: scanads, enabled:1, value: false

ID: scanhostsfile, enabled:1, value: false

ID: scanmru, enabled:1, value: false

ID: scanbrowserhijacks, enabled:1, value: true

ID: scantrackingcookies, enabled:1, value: true

ID: closebrowsers, enabled:1, value: false

ID: folderstoscan, enabled:1, value:

ID: scanrootkits, enabled:1, value: true

ID: usespywareheuristics, enabled:1, value: true

ID: extendedengine, enabled:0, value: true

ID: useheuristics, enabled:0, value: true

ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict

ID: filescanningoptions, enabled:1

ID: archives, enabled:1, value: false

ID: onlyexecutables, enabled:1, value: true

ID: skiplargerthan, enabled:1, value: 20480

Scan global:

ID: global, enabled:1

ID: addtocontextmenu, enabled:1, value: true

ID: playsoundoninfection, enabled:1, value: false

ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:

<Empty>

Update settings:

ID: updates, enabled:1

ID: launchthreatworksafterscan, enabled:1, value: silently, domain: normal,off,silently

ID: displaystatus, enabled:1, value: false

ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: autodetectproxy, enabled:1, value: false

ID: useautoconfigscript, enabled:1, value: false

ID: autoconfigurl, enabled:0, value:

ID: useproxy, enabled:1, value: false

ID: proxyserver, enabled:0, value:

ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall

ID: schedules, enabled:1, value: true

ID: updatedaily, enabled:1, value: Daily

ID: time, enabled:1, value: Sat Jan 24 06:30:00 2009

ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: false

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: false

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

ID: updateweekly, enabled:1, value: Weekly

ID: time, enabled:1, value: Sat Jan 24 06:30:00 2009

ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly

ID: weekdays, enabled:1

ID: monday, enabled:1, value: true

ID: tuesday, enabled:1, value: false

ID: wednesday, enabled:1, value: false

ID: thursday, enabled:1, value: false

ID: friday, enabled:1, value: false

ID: saturday, enabled:1, value: true

ID: sunday, enabled:1, value: false

ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31

ID: scanprofile, enabled:1, value:

ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:

ID: appearance, enabled:1

ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource

ID: showtrayicon, enabled:1, value: true

ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:

ID: realtime, enabled:1

ID: processprotection, enabled:1, value: false

ID: registryprotection, enabled:0, value: false

ID: networkprotection, enabled:0, value: false

ID: loadatstartup, enabled:1, value: true

ID: usespywareheuristics, enabled:0, value: false

ID: extendedengine, enabled:0, value: false

ID: useheuristics, enabled:0, value: true

ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict

ID: infomessages, enabled:1, value: animated, domain: animated,display,dontnotify

****************************** System information ******************************

Computer name: ANTU

Processor name: Intel® Celeron CPU 1200MHz

Processor identifier: x86 Family 6 Model 11 Stepping 1

Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 2817, number of processors 1

Physical memory available: 295559168 bytes

Physical memory total: 535281664 bytes

Virtual memory available: 2049368064 bytes

Virtual memory total: 2147352576 bytes

Memory load: 44%

Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Windows startup mode:

Running processes:

PID: 444 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 500 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY

PID: 524 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY

PID: 568 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY

PID: 580 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY

PID: 732 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 780 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 848 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 908 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY

PID: 968 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 1196 name: C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1212 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1292 name: C:\Program Files\Alwil Software\Avast4\ashServ.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1412 name: C:\WINDOWS\Explorer.EXE owner: cash america domain: ANTU

PID: 1556 name: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe owner: cash america domain: ANTU

PID: 1564 name: C:\Program Files\Java\jre6\bin\jusched.exe owner: cash america domain: ANTU

PID: 1624 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: cash america domain: ANTU

PID: 1680 name: C:\WINDOWS\system32\ctfmon.exe owner: cash america domain: ANTU

PID: 1700 name: C:\Program Files\AnalogX\MaxMem\maxmem.exe owner: cash america domain: ANTU

PID: 1852 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 836 name: C:\Program Files\Java\jre6\bin\jqs.exe owner: SYSTEM domain: NT AUTHORITY

PID: 1024 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY

PID: 128 name: C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 204 name: C:\Program Files\Alwil Software\Avast4\ashWebSv.exe owner: SYSTEM domain: NT AUTHORITY

PID: 336 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY

PID: 408 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY

PID: 2144 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY

PID: 3696 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: cash america domain: ANTU

Startup items:

Name: FlashPlayerUpdate

imagepath: C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe

Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}

imagepath: Browseui preloader

Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}

imagepath: Component Categories cache daemon

Name: PostBootReminder

imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}

Name: CDBurn

imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}

Name: WebCheck

imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

Name: SysTray

imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}

Name: avast!

imagepath: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

Name: SunJavaUpdateSched

imagepath: "C:\Program Files\Java\jre6\bin\jusched.exe"

Name: Ad-Watch

imagepath: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

Bootexecute items:

Name:

imagepath: autocheck autochk *

Running services:

Name: ALG

displayname: Application Layer Gateway Service

Name: aswUpdSv

displayname: avast! iAVS4 Control Service

Name: AudioSrv

displayname: Windows Audio

Name: avast! Antivirus

displayname: avast! Antivirus

Name: avast! Mail Scanner

displayname: avast! Mail Scanner

Name: avast! Web Scanner

displayname: avast! Web Scanner

Name: Browser

displayname: Computer Browser

Name: CryptSvc

displayname: Cryptographic Services

Name: DcomLaunch

displayname: DCOM Server Process Launcher

Name: Dhcp

displayname: DHCP Client

Name: Dnscache

displayname: DNS Client

Name: ERSvc

displayname: Error Reporting Service

Name: Eventlog

displayname: Event Log

Name: EventSystem

displayname: COM+ Event System

Name: FastUserSwitchingCompatibility

displayname: Fast User Switching Compatibility

Name: helpsvc

displayname: Help and Support

Name: HidServ

displayname: HID Input Service

Name: JavaQuickStarterService

displayname: Java Quick Starter

Name: lanmanserver

displayname: Server

Name: lanmanworkstation

displayname: Workstation

Name: Lavasoft Ad-Aware Service

displayname: Lavasoft Ad-Aware Service

Name: LmHosts

displayname: TCP/IP NetBIOS Helper

Name: Netman

displayname: Network Connections

Name: Nla

displayname: Network Location Awareness (NLA)

Name: PlugPlay

displayname: Plug and Play

Name: PolicyAgent

displayname: IPSEC Services

Name: ProtectedStorage

displayname: Protected Storage

Name: RasMan

displayname: Remote Access Connection Manager

Name: RpcSs

displayname: Remote Procedure Call (RPC)

Name: SamSs

displayname: Security Accounts Manager

Name: Schedule

displayname: Task Scheduler

Name: seclogon

displayname: Secondary Logon

Name: SENS

displayname: System Event Notification

Name: SharedAccess

displayname: Windows Firewall/Internet Connection Sharing (ICS)

Name: ShellHWDetection

displayname: Shell Hardware Detection

Name: Spooler

displayname: Print Spooler

Name: srservice

displayname: System Restore Service

Name: SSDPSRV

displayname: SSDP Discovery Service

Name: stisvc

displayname: Windows Image Acquisition (WIA)

Name: TapiSrv

displayname: Telephony

Name: TermService

displayname: Terminal Services

Name: Themes

displayname: Themes

Name: TrkWks

displayname: Distributed Link Tracking Client

Name: W32Time

displayname: Windows Time

Name: WebClient

displayname: WebClient

Name: winmgmt

displayname: Windows Management Instrumentation

Name: wscsvc

displayname: Security Center

Name: wuauserv

displayname: Automatic Updates

Name: WZCSVC

displayname: Wireless Zero Configuration

Malwarebytes' Anti-Malware 1.33

Database version: 1683

Windows 5.1.2600 Service Pack 3

1/24/2009 10:11:14 AM

mbam-log-2009-01-24 (10-11-14).txt

Scan type: Quick Scan

Objects scanned: 46389

Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:27:36 AM, on 1/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--

End of file - 4351 bytes

Will do a few more quick scans with Ad-Aware, Spybot, and SUPERAntiSpyware.

Thanks for reading, Marcos

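The HijackThis logs in this thread are read by hand. As an added example (not code from the original posts, from Malwarebytes or from Trend Micro), here is a small Python triage helper that parses the O2/O4/O16/O20/O23 line formats those logs use and flags the entries a responder would check first: autostarts registered in the SYSTEM or Default-user hive, binaries outside the usual install roots, ActiveX (DPF) downloads, DLLs hooked into winlogon.exe, and services with no identified vendor. The sample input is copied from the log above plus one constructed line; the trusted-root list and the flag rules are assumptions for illustration, not a detection standard.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Lines copied from the HijackThis log posted above.
THREAD_LINES = r"""
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"""
# Constructed line (not from the thread) so the untrusted-path rule has something to fire on.
CONSTRUCTED_LINE = r"O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe"
SAMPLE_LOG = THREAD_LINES + CONSTRUCTED_LINE + "\n"

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")
# A Windows path ending in a loadable image; stops at the first matching extension.
PATH_RE = re.compile(r"([A-Za-z]:\\[^()\"']*?\.(?:exe|dll|sys|ocx|cpl|scr))", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
SYSTEM_HIVE_RE = re.compile(r"HKUS\\(S-1-5-18|\.DEFAULT)\\")

# Assumed-benign install roots on a default XP system (assumption for illustration).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_entry(line):
    """Split one HijackThis line into section, body, path and URL; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    path_m = PATH_RE.search(body)
    url_m = URL_RE.search(body)
    return {
        "section": section,
        "body": body,
        "path": path_m.group(1) if path_m else None,
        "url": url_m.group(0) if url_m else None,
    }


def is_trusted_path(path):
    """True when the image lives under one of the assumed install roots."""
    return path is not None and path.lower().startswith(TRUSTED_ROOTS)


def triage(entry):
    """Return the reasons an entry deserves a closer look (empty list = nothing notable)."""
    reasons = []
    sec, body, path = entry["section"], entry["body"], entry["path"]
    if path and not is_trusted_path(path):
        reasons.append(f"binary outside trusted install roots: {path}")
    if sec == "O4" and SYSTEM_HIVE_RE.search(body):
        reasons.append("autostart registered in the SYSTEM or Default-user hive")
    if sec == "O16" and entry["url"]:
        reasons.append(f"ActiveX (DPF) download from {urlparse(entry['url']).hostname}")
    if sec == "O20":
        reasons.append("DLL loaded into winlogon.exe via Winlogon Notify")
    if sec == "O23":
        # O23 format: "Service: Name (ShortName) - Vendor - Path"
        parts = body.split(" - ")
        vendor = parts[1].strip() if len(parts) >= 3 else ""
        if not vendor or vendor.lower() == "unknown owner":
            reasons.append("service with no identified vendor")
    return reasons


def triage_log(text):
    """Parse every entry line in a log and return (entry, reasons) for the flagged ones."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            reasons = triage(entry)
            if reasons:
                flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry["section"], "-", entry["body"])
        for reason in reasons:
            print("   *", reason)
```

Run against the sample, it flags the SYSTEM-hive RunOnce entry, the Panda ActiveScan DPF download, the SUPERAntiSpyware Winlogon Notify DLL and the constructed Temp-folder autostart; the avast!, Java, MaxMem and O23 service lines pass. A flag is a prompt to verify the file (publisher, hash, install date), not a verdict: every flagged entry in this thread's own log turns out to be a security tool the poster installed.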

OK, I was using the links here to download ComboFix; apparently they weren't working for me. Link 1 would say "expired, do you want to continue?" I didn't know not to continue, so I did, in reduced functionality mode, which I knew was wrong. Link 2 would run, but apparently it was not good either. I thought you had to download ComboFix from one of the 2 links here, but I did not know you could download it from other locations; I know now. So I downloaded ComboFix from another location, ran it with no problems whatsoever and rebooted. Then I also noticed that my default browser was no longer Firefox either. Well, here is a GOOD ComboFix log. I will run MBAM, reboot and run HijackThis afterwards, and send in those logs. Then I will shut down this PC and wait for a response. Thanks, Marcos.

Almost forgot: when I noticed that Firefox was no longer the default, I checked my folder view options. "Display the contents of system folders" was unchecked, the "Do not show hidden files and folders" radio button was checked, and the 2 boxes right below it were also checked, so I reversed them all again. I went to remove the program Relevant Knowledge, but I think Ad-Aware took care of that.

ComboFix 09-01-21.04 - cash america 2009-01-24 11:10:05.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.290 [GMT -6:00]

Running from: c:\documents and settings\cash america\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1296 [VPS 090123-0] *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))

.

2009-01-24 10:49 . 2009-01-24 10:50 <DIR> d-------- C:\Combo-Fix

2009-01-24 09:57 . 2009-01-24 06:30 15,688 --a------ c:\windows\system32\lsdelete.exe

2009-01-24 07:08 . 2009-01-24 07:08 20,269 --a------ C:\fraglist.luar

2009-01-24 06:30 . 2009-01-24 06:30 64,160 --a------ c:\windows\system32\drivers\Lbd.sys

2009-01-24 06:29 . 2009-01-24 06:29 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-24 06:28 . 2009-01-24 06:28 <DIR> d-------- c:\program files\Lavasoft

2009-01-24 06:28 . 2009-01-24 06:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-01-24 02:48 . 2009-01-24 02:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-24 02:47 . 2009-01-24 02:47 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-01-24 02:47 . 2009-01-24 02:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-01-24 02:47 . 2009-01-24 02:47 <DIR> d-------- c:\documents and settings\cash america\Application Data\SUPERAntiSpyware.com

2009-01-23 19:43 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2009-01-23 19:42 . 2009-01-23 19:42 <DIR> d-------- c:\program files\Panda Security

2009-01-23 18:11 . 2009-01-23 18:11 <DIR> d-------- c:\windows\UltraDefrag

2009-01-23 17:38 . 2009-01-23 17:46 25,992 --a------ c:\windows\system32\pgdfgsvc.exe

2009-01-23 15:03 . 2009-01-23 15:01 410,984 --a------ c:\windows\system32\deploytk.dll

2009-01-23 15:03 . 2009-01-23 15:01 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-01-23 10:28 . 2009-01-23 10:28 <DIR> d-------- c:\documents and settings\cash america\DoctorWeb

2009-01-23 00:40 . 2009-01-23 00:41 <DIR> d-------- c:\windows\system32\scripting

2009-01-23 00:40 . 2009-01-23 00:40 <DIR> d-------- c:\windows\system32\en

2009-01-23 00:40 . 2009-01-23 00:40 <DIR> d-------- c:\windows\system32\bits

2009-01-23 00:40 . 2009-01-23 00:40 <DIR> d-------- c:\windows\l2schemas

2009-01-23 00:34 . 2009-01-23 00:42 <DIR> d-------- c:\windows\ServicePackFiles

2009-01-22 17:34 . 2009-01-22 17:34 <DIR> d-------- c:\program files\Alwil Software

2009-01-22 13:26 . 2009-01-22 13:26 104 --a------ c:\windows\wininit.ini

2009-01-22 12:20 . 2009-01-22 13:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2009-01-22 12:20 . 2009-01-22 13:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-22 12:18 . 2009-01-22 12:18 <DIR> d-------- c:\program files\Bazooka Scanner

2009-01-22 10:25 . 2009-01-22 10:26 <DIR> d-------- c:\program files\CCleaner

2009-01-21 22:55 . 2009-01-21 22:55 <DIR> d-------- c:\documents and settings\Administrator

2009-01-21 21:54 . 2009-01-21 21:54 <DIR> d-------- c:\program files\AnalogX

2009-01-21 21:51 . 2009-01-21 21:51 <DIR> d-------- c:\program files\Trend Micro

2009-01-21 21:27 . 2009-01-22 12:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP

2009-01-21 21:26 . 2009-01-22 12:17 <DIR> d-------- c:\program files\SpywareBlaster

2009-01-21 21:26 . 2005-04-15 20:58 1,071,088 --a------ c:\windows\system32\MSCOMCTL.OCX

2009-01-21 21:26 . 2005-08-25 19:18 118,784 --a------ c:\windows\system32\MSSTDFMT.DLL

2009-01-21 20:15 . 2009-01-21 20:15 <DIR> d-------- c:\documents and settings\cash america\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-21 20:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-21 20:14 . 2009-01-21 20:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-21 20:14 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-21 20:14 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-21 19:29 . 2009-01-21 19:40 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Smart-Shopper

2009-01-21 18:15 . 2005-04-20 19:22 608,448 --a------ c:\windows\system32\comctl32.ocx

2009-01-21 18:15 . 2006-03-03 11:07 143,360 --a------ c:\windows\system32\dunzip32.dll

2009-01-13 23:29 . 2009-01-22 21:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seekeen

2009-01-13 08:49 . 2009-01-22 17:05 <DIR> d-------- c:\documents and settings\Documents and Settings

2009-01-08 14:59 . 2009-01-23 00:09 <DIR> d-------- c:\windows\EHome

2009-01-07 16:57 . 2009-01-07 16:57 <DIR> d-------- c:\documents and settings\cash america\Application Data\MSNInstaller

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\program files\NOS

2009-01-04 16:54 . 2009-01-07 17:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-01-03 19:51 . 2009-01-03 19:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Winferno

2009-01-03 19:41 . 2009-01-03 19:41 <DIR> d-------- c:\program files\Freeze.com

2009-01-03 19:41 . 2006-10-09 12:28 835,584 --a------ c:\windows\system32\WINCTL4.OCX

2009-01-03 19:41 . 2006-10-09 13:06 495,616 --a------ c:\windows\system32\WINUTIL5.DLL

2009-01-03 19:41 . 2006-05-17 08:40 393,216 --a------ c:\windows\system32\WINLCTL5.DLL

2009-01-03 19:40 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Winferno

2009-01-03 19:39 . 2009-01-21 16:44 <DIR> d-------- c:\program files\My.Freeze.com Toolbar

2009-01-03 19:39 . 2009-01-03 19:40 <DIR> d-------- c:\program files\Free Offers from Freeze.com

2009-01-03 18:19 . 2007-10-31 04:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll

2009-01-03 18:19 . 2007-10-31 04:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll

2009-01-03 18:19 . 2007-01-17 10:31 294,912 -ra------ c:\windows\system32\hpovst11.dll

2009-01-03 18:19 . 2008-04-13 12:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2009-01-03 17:45 . 2007-01-17 10:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys

2009-01-03 17:45 . 2007-01-17 10:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys

2009-01-03 17:44 . 2009-01-03 17:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard

2009-01-03 17:43 . 2007-11-06 20:10 271,704 -ra------ c:\windows\system32\hpzids01.dll

2009-01-03 17:43 . 2007-11-05 19:07 118,272 --a------ c:\windows\system32\hpz3l5mu.dll

2009-01-03 17:41 . 2009-01-24 06:30 <DIR> d----c--- c:\windows\system32\DRVSTORE

2009-01-03 17:41 . 2007-01-17 10:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll

2009-01-03 17:41 . 2007-01-17 10:37 309,760 -ra------ c:\windows\system32\difxapi.dll

2009-01-03 17:41 . 2007-01-17 10:37 21,568 -ra------ c:\windows\system32\drivers\HPZius12.sys

2008-12-24 05:34 . 2008-12-24 07:58 <DIR> d-------- c:\documents and settings\cash america\Application Data\OpenOffice.org2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-23 21:01 --------- d-----w c:\program files\Java

2009-01-23 16:01 --------- d-----w c:\program files\Google

2009-01-22 15:18 --------- d-----w c:\documents and settings\cash america\Application Data\Yahoo!

2009-01-22 15:15 --------- d-----w c:\program files\Yahoo!

2009-01-22 15:15 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-07 23:07 --------- d-----w c:\program files\OpenOffice.org 2.0

2009-01-07 22:49 --------- d-----w c:\program files\AOD

2008-12-22 21:48 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!

2008-12-16 01:51 --------- d-----w c:\documents and settings\cash america\Application Data\VCOM

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-13 09:52 91,648 ----a-w c:\windows\system32\lua5.1a.dll

2008-11-13 09:52 9,728 ----a-w c:\windows\system32\udefrag.dll

2008-11-13 09:52 9,728 ----a-w c:\windows\system32\lua5.1a.exe

2008-11-13 09:52 9,728 ----a-w c:\windows\system32\defrag_native.exe

2008-11-13 09:52 86,016 ----a-w c:\windows\system32\ultradefrag.exe

2008-11-13 09:52 7,680 ----a-w c:\windows\system32\udefrag.exe

2008-11-13 09:52 6,656 ----a-w c:\windows\system32\udefrag-gui.exe

2008-11-13 09:52 6,656 ----a-w c:\windows\system32\bootexctrl.exe

2008-11-13 09:52 17,408 ----a-w c:\windows\system32\zenwinx.dll

2008-11-13 09:52 13,824 ----a-w c:\windows\system32\lua5.1a_gui.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-23 136600]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-24 507224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\GetFlash.exe" [2006-06-22 128648]

c:\documents and settings\cash america\Start Menu\Programs\Startup\

MaxMem.lnk - c:\program files\AnalogX\MaxMem\maxmem.exe [2009-01-21 75780]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0\0\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]

--a------ 2002-12-17 11:28 684032 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

--a------ 2006-05-09 18:24 50760 c:\program files\Common Files\AOL\1148195820\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

--a------ 2006-02-17 10:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-05-21 02:40 282624 c:\program files\QuickTime\qttask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1148195820\\ee\\aim6.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-24 64160]

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-23 28544]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-22 111184]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]

R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-22 20560]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]

S3 ultradfg;ultradfg;c:\windows\system32\drivers\ultradfg.sys [2008-11-13 24576]

S3 wind502u;Motorola Wireless USB Adapter WU830G Windows Driver;c:\windows\system32\drivers\wind502u.sys [2006-05-20 336256]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 942416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PROCEXP113

*Deregistered* - PROCEXP113

.

Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-24 06:30]

2009-01-24 c:\windows\Tasks\RegPowerClean.job

- c:\program files\Winferno\RegistryPowerCleaner\RegPowerClean.exe [2008-10-28 14:48]

2009-01-24 c:\windows\Tasks\RPCReminder.job

- c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe [2008-10-28 14:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

FF - ProfilePath - c:\documents and settings\cash america\Application Data\Mozilla\Firefox\Profiles\ol6tp2r3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-24 11:13:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-01-24 11:16:41

ComboFix-quarantined-files.txt 2009-01-24 17:16:36

ComboFix2.txt 2009-01-24 05:06:26

Pre-Run: 23,711,625,216 bytes free

Post-Run: 23,702,511,616 bytes free

198 --- E O F --- 2009-01-24 05:11:47


Here are my latest MBAM and HijackThis logs.

Malwarebytes' Anti-Malware 1.33

Database version: 1683

Windows 5.1.2600 Service Pack 3

1/24/2009 11:56:58 AM

mbam-log-2009-01-24 (11-56-58).txt

Scan type: Quick Scan

Objects scanned: 46344

Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:05:52 PM, on 1/24/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AnalogX\MaxMem\maxmem.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')

O4 - Startup: MaxMem.lnk = C:\Program Files\AnalogX\MaxMem\maxmem.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--

End of file - 4397 bytes

Thanks for reading, Marcos
