Trojan Gone?

[VikeBoy]

Had what I think was rootkit trojan... one of the ones that tries to get you to submit credit card info in an 'Advanced Card Verification' popup. I think it's gone now, but I'm no expert. Is there anything alarming in this log? TIA!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:53:13 PM, on 5/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\cisvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\Program Files\Logitech\Video\FxSvr2.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://*.mcafee.com

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A494F27-66F4-4E6F-A414-705A7C473598}: NameServer = 68.87.75.194,68.87.64.146

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--

End of file - 5168 bytes

[negster22]

Hi and Welcome!

Your HJT log is clean but we can run some additional tools to see if you're still infected!

First, please remove this site from the trusted zone of internet explorer.

O15 - Trusted Zone: http://www.amazon.com

It doesn't need to be there.

Next, clean the clutter:

Download ATF Cleaner by Atribune

• Close Internet Explorer and any other open browsers
  
• Double-click ATF-Cleaner.exe to run the program.
  
• Under Main choose: Select All
  
• Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  
• NOTE: If you would like to keep your saved passwords, please click
  
• 
  
• No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
  
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

Uninstall your current copy of Malwarebytes' Anti-Malware (MBAM) - if installed.

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from:

BestTechie.net

http://www.besttechie.net/tools/mbam-setup.exe

or

MajorGeeks.com:

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

Rename the installer as you download it from mbam-setup.exe to aurina-setup.exe.

Double-click aurina-setup.exe and follow the prompts to install the program. At the end of the install, UNcheck the following two options:

• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware
  

• Click Finish.
  
• Close MBAM and rename "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" -> "C:\Program Files\Malwarebytes' Anti-Malware\aurina.exe"
  
• Now relaunch MBAM by double-clicking aurina.exe in the MBAM folder.
  
• Select the Update tab -> Check for Updates
  
• After MBAM updates, select the Scanner tab.
  
• Select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK -> Show Results to view the scan results.
  
• Check all items found, and then choose the 'Remove Selected' option to move the selected items to the quarantine.
  
• When the scan is done, a log will open in Notepad with the scan results. Please post the results in your next reply.
  

NOTE: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Download DDS and save it to your desktop from here or here

Disable any script blocking programs you may have installed such McAfee scriptproxy

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

Then double-click dss.scr to run the tool.

• When done, DDS will open two (2) logs:
  • DDS.txt
    
  • Attach.txt
    

  [*]Save both reports to your desktop

  [*]Please copy and paste both logs into your next reply,

===============================================================

Please post the MBAM log, the DDS scan reports, and a new HJT log in your next reply

[VikeBoy]

Thanks Negster! Okay, I did everything and here are the logs. (The dds attach.txt is zipped and attached as per its instructions. Others are pasted...) Thanks again!!!

MBAM

Malwarebytes' Anti-Malware 1.36

Database version: 2071

Windows 5.1.2600 Service Pack 3

5/3/2009 5:00:51 PM

mbam-log-2009-05-03 (17-00-51).txt

Scan type: Quick Scan

Objects scanned: 100824

Time elapsed: 10 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{bb05bd70-4605-4829-93fc-ad80d8cc5b66} (Rogue.PerformanceCenter) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\SysRestore.dll (Adware.Ascentive) -> Quarantined and deleted successfully.

DDS.TXT

DDS (Ver_09-03-16.01) - NTFSx86

Run by Mick at 17:13:41.95 on Sun 05/03/2009

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.111 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)

FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\Mick\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank

uWindow Title = Microsoft Internet Explorer provided by Comcast

uInternet Settings,ProxyOverride = hxxp://localhost

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim6]

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\mick\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE

StartupFolder: c:\docume~1\mick\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

Trusted Zone: ameritrade.com

Trusted Zone: ameritrade.com\wwws

Trusted Zone: intuit.com

Trusted Zone: mcafee.com

Trusted Zone: tdameritrade.com

Trusted Zone: turbotax.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab

DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: {3A494F27-66F4-4E6F-A414-705A7C473598} = 68.87.75.194,68.87.64.146

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-11-9 214024]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-9 359952]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-11-9 144704]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-11-9 606736]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-11-9 79880]

R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-11-9 35272]

R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-11-9 40552]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-11-9 34216]

S3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2004-7-30 217472]

S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2004-7-30 17277]

S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2004-7-30 86648]

S3 VisorUsb;Handspring USB;c:\windows\system32\drivers\VisorUsb.sys [2003-5-4 19968]

S4 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]

S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-29 24652]

=============== Created Last 30 ================

2009-05-03 16:43 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-05-03 16:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-03 16:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-05-03 16:11 <DIR> --d----- C:\ATF Cleaner

2009-05-02 18:33 <DIR> --d----- c:\program files\Trend Micro

2009-05-02 08:49 <DIR> --d----- c:\docume~1\mick\applic~1\Malwarebytes

2009-05-02 08:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-05-02 06:39 22,345 a------- C:\BitDefendersScanLog.html

2009-05-01 21:00 410,984 a------- c:\windows\system32\deploytk.dll

2009-05-01 21:00 73,728 a------- c:\windows\system32\javacpl.cpl

2009-05-01 20:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ascentive

2009-05-01 20:45 <DIR> --d----- c:\docume~1\mick\applic~1\Ascentive

2009-05-01 18:52 578,560 a------- c:\windows\system32\dllcache\user32.dll

2009-05-01 18:48 <DIR> --d----- c:\windows\ERUNT

2009-05-01 18:39 <DIR> --d----- C:\SDFix

2009-05-01 18:23 <DIR> --d----- C:\SDFix Download

2009-04-28 15:01 223,232 a------- c:\windows\system32\sqlite3.dll

2009-04-28 15:00 36,864 a------- c:\windows\system32\ascbalon.dll

2009-04-28 15:00 217,088 a------- c:\windows\system32\ConTest.dll

2009-04-28 15:00 86,016 a------- c:\windows\system32\SQLiteWrapper.dll

2009-04-28 15:00 <DIR> --d----- c:\program files\Ascentive

2009-04-18 07:58 2,560 -------- c:\windows\system32\xpsp4res.dll

2009-04-18 07:58 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb

2009-04-18 07:58 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-04-18 07:57 284,160 -------- c:\windows\system32\dllcache\pdh.dll

2009-04-18 07:57 35,328 -------- c:\windows\system32\dllcache\sc.exe

2009-04-18 07:57 401,408 -------- c:\windows\system32\dllcache\rpcss.dll

2009-04-18 07:56 110,592 -------- c:\windows\system32\dllcache\services.exe

2009-04-18 07:56 473,600 -------- c:\windows\system32\dllcache\fastprox.dll

2009-04-18 07:56 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe

2009-04-18 07:56 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-18 07:56 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll

2009-04-18 07:56 617,472 -------- c:\windows\system32\dllcache\advapi32.dll

2009-04-18 07:56 714,752 -------- c:\windows\system32\dllcache\ntdll.dll

==================== Find3M ====================

2009-03-25 11:06 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys

2009-03-25 11:06 214,024 a------- c:\windows\system32\drivers\mfehidk.sys

2009-03-25 11:06 79,880 a------- c:\windows\system32\drivers\mfeavfk.sys

2009-03-25 11:06 35,272 a------- c:\windows\system32\drivers\mfebopk.sys

2009-03-25 11:05 34,216 a------- c:\windows\system32\drivers\mferkdk.sys

2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

2009-03-17 12:09 6 a------- c:\windows\fonts\wfonts.key

2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll

2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll

2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll

2009-02-28 12:14 1,409 a------- c:\windows\fonts\HELSS___.FOT

2009-02-28 12:14 1,409 a------- c:\windows\fonts\HELSM___.FOT

2009-02-28 12:14 1,409 a------- c:\windows\fonts\HELSINKI.FOT

2009-02-28 00:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe

2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe

2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe

2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll

2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll

2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll

2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys

2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys

2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe

2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe

2009-02-06 07:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe

2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe

2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe

2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll

2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll

2008-09-29 11:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092920080930\index.dat

============= FINISH: 17:15:22.98 ===============

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:25:02 PM, on 5/3/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\cisvc.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\System32\svchost.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\Office\OSA.EXE

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://*.mcafee.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A494F27-66F4-4E6F-A414-705A7C473598}: NameServer = 68.87.75.194,68.87.64.146

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--

End of file - 4908 bytes

Attach.zip

Attach.zip

[negster22]

Hello

There are just a few more items left to remove.

Please remove the following program in Control Panel Add/Remove programs:

Viewpoint Manager

Exit the Control Panel

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Do NOT run Combofix yet - we are going to launch it using with a script that we will use to manually specify items for deletion .

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.

On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).

Copy/paste the text in the code box below into Notepad.

Save this to your desktop as CFScript.txt by selecting File -> Save as.

KillAll::
Files::c:\windows\system32\ascbalon.dllc:\windows\system32\ConTest.dllc:\windows\system32\SQLiteWrapper.dllc:\windows\system32\sqlite3.dll
Folder::c:\program files\Ascentivec:\program files\viewpoint\
DDS::DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_03-win.cabDPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cabuRun: [Aim6]
Registry::[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]

IMPORTANT!! Disable your McAfee AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Referring to the picture above, drag CFScript.txt into ComboFix.exe

• This will cause ComboFix to run.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HJT log, and a new MBAM quick scan log (don't forget to update first!).

[VikeBoy]

Thanks! Here are the logs... Thanks Again!

COMBOFIX

ComboFix 09-05-03.1 - Mick 05/03/2009 20:36.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.99 [GMT -4:00]

Running from: c:\documents and settings\Mick\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Mick\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated)

FW: McAfee Personal Firewall *enabled*

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Ascentive

c:\program files\Ascentive\Performance Center\APCLang.dll

c:\program files\Ascentive\Performance Center\ApcMain.exe

c:\program files\Ascentive\Performance Center\GUID

c:\program files\Ascentive\Performance Center\SOUND.WAV

c:\windows\IE4 Error Log.txt

c:\windows\Readme.txt

c:\windows\system32\drivers\fad.sys

c:\windows\winhelp.ini

.

((((((((((((((((((((((((( Files Created from 2009-04-04 to 2009-05-04 )))))))))))))))))))))))))))))))

.

2009-05-03 20:43 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-03 20:43 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-03 20:43 . 2009-05-03 20:45 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-03 20:11 . 2009-05-03 20:12 -------- d-----w C:\ATF Cleaner

2009-05-02 22:33 . 2009-05-02 22:33 -------- d-----w c:\program files\Trend Micro

2009-05-02 12:49 . 2009-05-02 12:49 -------- d-----w c:\documents and settings\Mick\Application Data\Malwarebytes

2009-05-02 12:49 . 2009-05-02 12:49 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-02 06:21 . 2009-05-02 08:34 -------- d-----w c:\windows\BDOSCAN8

2009-05-02 01:06 . 2009-05-02 01:06 -------- d-----w c:\windows\Sun

2009-05-02 01:00 . 2009-05-02 00:59 410984 ----a-w c:\windows\system32\deploytk.dll

2009-05-02 00:50 . 2009-05-02 00:50 -------- d-----w c:\documents and settings\All Users\Application Data\Ascentive

2009-05-02 00:45 . 2009-05-02 00:45 -------- d-----w c:\documents and settings\Mick\Application Data\Ascentive

2009-05-01 22:52 . 2009-05-01 22:52 578560 ----a-w c:\windows\system32\dllcache\user32.dll

2009-05-01 22:48 . 2009-05-01 22:49 -------- d-----w c:\windows\ERUNT

2009-05-01 22:39 . 2009-05-02 11:48 -------- d-----w C:\SDFix

2009-05-01 22:23 . 2009-05-01 22:28 -------- d-----w C:\SDFix Download

2009-04-28 19:01 . 2008-11-07 21:58 223232 ----a-w c:\windows\system32\sqlite3.dll

2009-04-28 19:00 . 2008-11-06 20:04 36864 ----a-w c:\windows\system32\ascbalon.dll

2009-04-28 19:00 . 2009-04-02 19:55 217088 ----a-w c:\windows\system32\ConTest.dll

2009-04-28 19:00 . 2008-11-07 21:58 86016 ----a-w c:\windows\system32\SQLiteWrapper.dll

2009-04-18 11:58 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll

2009-04-18 11:58 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-04-18 11:57 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll

2009-04-18 11:57 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-04-18 11:57 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll

2009-04-18 11:56 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe

2009-04-18 11:56 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll

2009-04-18 11:56 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-18 11:56 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-18 11:56 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll

2009-04-18 11:56 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll

2009-04-18 11:56 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-04 00:46 . 2003-04-15 12:49 6 ---ha-w c:\windows\Tasks\SA.DAT

2009-05-03 14:59 . 2003-04-15 12:59 -------- d--h--w c:\program files\InstallShield Installation Information

2009-05-02 22:50 . 2003-08-09 23:58 -------- d-----w c:\program files\Google

2009-05-02 00:59 . 2003-05-10 13:24 -------- d-----w c:\program files\Java

2009-05-01 05:00 . 2007-11-09 18:41 330 ----a-w c:\windows\Tasks\McQcTask.job

2009-04-17 23:23 . 2007-11-09 18:40 -------- d-----w c:\program files\McAfee

2009-04-15 05:00 . 2007-11-09 18:41 338 ----a-w c:\windows\Tasks\McDefragTask.job

2009-03-31 11:53 . 2003-04-20 14:49 68136 ----a-w c:\documents and settings\Mick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-03-31 11:52 . 2009-03-31 11:52 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0

2009-03-31 11:46 . 2004-02-03 15:55 -------- d-----w c:\program files\Common Files\Intuit

2009-03-31 11:41 . 2003-04-20 15:27 -------- d-----w c:\program files\TurboTax

2009-03-25 15:06 . 2007-11-09 18:42 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys

2009-03-25 15:06 . 2007-11-09 18:42 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys

2009-03-25 15:06 . 2007-11-09 18:42 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys

2009-03-25 15:06 . 2007-11-09 18:42 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys

2009-03-25 15:05 . 2007-11-09 18:42 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys

2009-03-17 16:09 . 2009-03-17 16:09 6 ----a-w c:\windows\Fonts\wfonts.key

2009-03-06 14:22 . 2002-08-29 10:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-05 01:37 . 2009-02-28 21:30 -------- d-----w c:\program files\Guitar Speed Trainer

2009-03-03 00:18 . 2004-02-06 22:05 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-28 16:14 . 2006-12-09 14:51 1409 ----a-w c:\windows\Fonts\HELSS___.FOT

2009-02-28 16:14 . 2006-12-09 14:51 1409 ----a-w c:\windows\Fonts\HELSM___.FOT

2009-02-28 16:14 . 2006-12-09 14:51 1409 ----a-w c:\windows\Fonts\HELSINKI.FOT

2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll

2009-02-09 12:10 . 2002-08-29 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 12:10 . 2004-04-17 12:35 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 12:10 . 2002-08-29 10:00 714752 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 12:10 . 2002-08-29 10:00 617472 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 11:13 . 2002-08-29 10:00 1846784 ----a-w c:\windows\system32\win32k.sys

2009-02-07 23:02 . 1980-01-01 05:00 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-06 11:11 . 2002-08-29 10:00 110592 ----a-w c:\windows\system32\services.exe

2009-02-06 11:08 . 1980-01-01 05:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-06 10:39 . 2002-08-29 10:00 35328 ----a-w c:\windows\system32\sc.exe

2009-02-03 19:59 . 2002-08-29 10:00 56832 ----a-w c:\windows\system32\secur32.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-02-25 221184]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Mick\Start Menu\Programs\Startup\

Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-17 111376]

Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\Sherry\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\program files\Handspring\HOTSYNC.EXE [2003-5-4 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Mick^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

path=c:\documents and settings\Mick\Start Menu\Programs\Startup\PowerReg Scheduler.exe

backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ERSvc"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R3 US122;US122 Driver;c:\windows\system32\Drivers\US122.sys [2004-07-30 217472]

R3 US122DL;US122 Firmware Downloader;c:\windows\system32\Drivers\US122DL.sys [2004-07-30 17277]

R3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\Drivers\US122Wdm.sys [2004-07-30 86648]

R3 VisorUsb;Handspring USB;c:\windows\system32\DRIVERS\VisorUsb.sys [2001-08-30 19968]

R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2009-02-25 13088]

.

Contents of the 'Scheduled Tasks' folder

2009-04-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-09 15:53]

2009-05-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-11-09 15:53]

.

- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-DelayShred - c:\program files\mcafee.com\shredder\SHRED32.EXE

.

------- Supplementary Scan -------

.

uStart Page = about:blank

uInternet Settings,ProxyOverride = hxxp://localhost

Trusted Zone: ameritrade.com

Trusted Zone: ameritrade.com\wwws

Trusted Zone: intuit.com

Trusted Zone: mcafee.com

Trusted Zone: tdameritrade.com

Trusted Zone: turbotax.com

TCP: {3A494F27-66F4-4E6F-A414-705A7C473598} = 68.87.75.194,68.87.64.146

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.mcafee.com

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{3A494F27-66F4-4E6F-A414-705A7C473598}: NameServer = 68.87.75.194,68.87.64.146

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

--

End of file - 4650 bytes

MBAM

Malwarebytes' Anti-Malware 1.36

Database version: 2072

Windows 5.1.2600 Service Pack 3

5/3/2009 9:24:51 PM

mbam-log-2009-05-03 (21-24-51).txt

Scan type: Quick Scan

Objects scanned: 100821

Time elapsed: 10 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix.txt

ComboFix.txt

[negster22]

Good job!

Can you please post this file for me:

C:\Qoobox\ComboFix-quarantined-files.txt

Click start -> run

Copy/paste the following in the open box:

C:\Qoobox\ComboFix-quarantined-files.txt

Click OK.

The file should open in Notepad. Please post the contents in your next reply.

[VikeBoy]

I think I see the finish line from here... Here's the combofix quarantine log. Thanks!

2009-05-04 00:57:19 . 2009-05-04 00:57:19 599 ----a-w C:\Qoobox\Quarantine\Registry_backups\HKCU-RunOnce-DelayShred.reg.dat

2009-05-04 00:42:18 . 2009-05-04 00:42:18 5,827 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2009-05-04 00:36:06 . 2009-05-04 00:36:06 0 ----a-w C:\Qoobox\Quarantine\catchme.txt

2009-05-04 00:30:37 . 2009-05-04 00:30:37 58 ----a-w C:\Qoobox\Quarantine\catchme.log

2009-04-28 19:00:37 . 2009-03-06 21:35:20 49,152 ----a-w C:\Qoobox\Quarantine\C\Program Files\Ascentive\Performance Center\APCLang.dll.vir

2009-04-28 19:00:33 . 2009-01-23 14:44:30 3,231,744 ----a-w C:\Qoobox\Quarantine\C\Program Files\Ascentive\Performance Center\ApcMain.exe.vir

2009-04-28 19:00:23 . 2008-11-06 20:03:58 8,932 ----a-w C:\Qoobox\Quarantine\C\Program Files\Ascentive\Performance Center\SOUND.WAV.vir

2009-04-28 19:00:22 . 2009-05-02 18:33:34 637 ----a-w C:\Qoobox\Quarantine\C\Program Files\Ascentive\Performance Center\GUID.vir

2005-12-10 17:31:14 . 2005-12-10 17:31:14 262 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\readme.txt.vir

2004-09-19 16:15:24 . 2004-09-19 16:15:24 1,079 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir

2003-05-06 20:51:40 . 2003-05-06 20:51:40 247 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\WINHELP.INI.vir

2002-02-19 03:22:14 . 2002-02-19 03:22:14 12,008 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\fad.sys.vir

[negster22]

You have a good sense of intuition!

Make files and folders visible:

Click Start > Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

It doesn't look like Combofix removed these adware files - can you check and if found delete?

c:\windows\system32\ascbalon.dll

c:\windows\system32\ConTest.dll

Let's try to capture and submit this malicious file please:

Go to the upload page here:

http://www.bleepingcomputer.com/submit-mal....php?channel=75

Copy and paste the following link to this topic, for the "Link to topic where this file was requested":

http://www.malwarebytes.org/forums/index.php?showtopic=15019&st=0&gopid=78451entry78451

Click Browse

Find this file:

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\fad.sys.vir

Select the file, then click Open

Click Send File

Thanks!

Now, one final scan before I give you the green light:

Please perform a scan with the ESET online virus scanner:

http://www.eset.com/onlinescan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
  
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
  
• Check the "Yes, I accept the terms of use" box.
  
• Click "Start"
  
• Check the boxes the following two boxes:
  • enable "Remove found threats"
    
  • Scan unwanted applications
    

  [*]Click the Scan button to begin scanning.

  [*]When the scan is done the log is automatically saved. To retrieve it

  • Close the ESET scan Window.
    
  • Now open a run line by clicking Start >> Run...
    
  • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:
    
  • The Scan results will now display in Notepad
    

  [*]Please copy and paste the ESET scan report that can be found in this location

  C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

=====================

Please post back the ESET scan report.

[VikeBoy]

Thanks again! Okay...

- Deleted ascbalon.dll and ConTest.dll

- Submitted fad.sys.vir to BleepingCopmuter

- ESET log follows...

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=4052 (20090504)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.066 (20070917)

# EOSSerial=31f2cb1623997b459edb607d2a325f11

# end=finished

# remove_checked=true

# unwanted_checked=true

# utc_time=2009-05-04 11:52:15

# local_time=2009-05-04 07:52:15 (-0500, Eastern Daylight Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 3

# scanned=247917

# found=4

# scan_time=3848

C:\Qoobox\Quarantine\C\Program Files\Ascentive\Performance Center\APCLang.dll.vir Win32/Adware.Ascentive application (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2077\A0276527.dll Win32/Adware.Ascentive application (unable to clean - deleted) 00000000000000000000000000000000

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2081\A0276977.dll Win32/Adware.Ascentive application (unable to clean - deleted) 00000000000000000000000000000000

C:\WINDOWS\pss\PowerReg Scheduler.exeStartup Win32/PowerReg application (unable to clean - deleted) 00000000000000000000000000000000

[negster22]

Delete this startup item using Windows Explorer:

c:\documents and settings\Mick\Start Menu\Programs\Startup\PowerReg Scheduler.exe

Delete this folder:

c:\windows\pss\PowerReg Scheduler

That finishes the cleanup!

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:

Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\combofix.exe" /u

This will do the following:

• Uninstall Combofix and all its associated files and folders.
  
• It will flush your system restore points and create a new restore point.
  
• It will rehide your system files and folders
  
• Reset your system clock
  

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes. Also, keep ATF Cleaner to clean out nonessential accumulated files and disk clutter.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

[VikeBoy]

Thanks. Did all of the above, except for deleting 'PowerReg Scheduler.exe.' No such file in that directory or anywhere else on my hard drive. If you ever find yourself in Sourthcentral PA, I definitely owe you a beer! Thanks again!

[negster22]

You're welcome!

If c:\documents and settings\Mick\Start Menu\Programs\Startup\PowerReg Scheduler.exe is not there, then so much the better.

If you ever find yourself in Sourthcentral PA, I definitely owe you a beer! Thanks again!

I don't know about a beer but I'll take a white Russian. Take care!