AOL email sending out spam from address book

Clark95 · July 8, 2010

Hello- I got an email last night that said mailer-demeon but it said I sent it. I checked my sent emails and there it was. It had a hotlink in the email and that was all. It was also sent to me. This is the first time this has happened. I have a HP laptop running XP. I have the paid version of Malwarebytes as well as Avast Home 5 installed. I have run scans with both and neither have detected anything. I also ran Spybot as well and it was clean. But I obviously have something because the email was sent using my address book and I did not sent it. Please help! Thanks in advance.

Clark95 · July 9, 2010

Here is a copy of my logfile...

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 8:14:42 PM, on 7/8/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\logonui.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Tall Emu\Online Armor\OAui.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Van Halen\Start Menu\Programs\Startup\ehtray.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/

O2 - BHO: KeyScramblerBHO Class - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect

O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Pthosttr] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\OAui.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')

O4 - Startup: ehtray.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra 'Tools' menuitem: &KeyScrambler Options - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204604116367

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1224913255875

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll

O20 - AppInit_DLLs: APSHook.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O20 - Winlogon Notify: DeviceNP - DeviceNP.dll (file missing)

O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: HP ProtectTools Device Locking / Auditing (FLCDLOCK) - Hewlett-Packard Ltd - C:\WINDOWS\system32\flcdlock.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oacat.exe

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--

End of file - 12130 bytes

Clark95 · July 9, 2010

Here is a copy of the mbam log.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4294

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

7/9/2010 12:55:12 AM

mbam-log-2010-07-09 (00-55-12).txt

Scan type: Quick scan

Objects scanned: 144023

Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Clark95 · July 9, 2010

Looking back at the time the email was sent my laptop was started but not fully logged on. I had started it but it only got as far as the log on screen because I did not enter my password at that point. I got doing something else so it was about an hour or two before I logged on. My Avast anti-virus is set up to scan both outgoing and incoming email. But the laptop had not fully started when this email went out. The link in the email was for a pharmacutucal company and it appears to be a virus. Just trying to provide as much info as possible. Thanks again in advance for any help you can give me.

Clark95 · July 9, 2010

Just noticed a strange bookmark in my favorites for a URLOpener Productivity Tool. It says you can "Open a whole list of URLs at the same time!" with this tool.

Clark95 · July 9, 2010

This was AOL webmail accessed through IE7. I had the password saved in the browser which I realize now was not a good idea. I have since changed the password. Please advise as to what I need to do at this point. Thanks!

AdvancedSetup · July 13, 2010

It's quite possible that its just bogus, spam email and not really sent by you. They make it look like it was sent by you but if you read all the headers you may see that it was not really you.

Regardless, please run the following and we'll see if we can find anything lurking on your system.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from below:
Combofix download
* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
You can get help on disabling your protection programs here
Double click on combofix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------

Clark95 · July 14, 2010

Hello and thank you for responding. I downloaded combo fix to desktop. I tried to run it but it said Windows could not access the specified device path or file. And that I may not have appropriate permissions to access the item. I am administrator. What do I do now? Thanks in advance.

AdvancedSetup · July 14, 2010

Do you have another account you can logon with to try to download it again and run it, or try creating another account with Admin rights.

There are some other tools we could run to check that error but if you were getting it due to the infection then it would not have let you run the other programs you've run either so I don't think it's one of the old infections I'm thinking of.

Try removing the file, disable AV or other security software and try again.

Clark95 · July 15, 2010

Ok I re-started the computer and found that even though I stopped the Online-Armour firewall it flagged the combo fix. So I when in and allowed it to run. Next I turned off Avast 5 on the toolbar but Combo-Fix says an Avast scanner is still running in the background. I did not continue because of the warnings of possible damage to my machine. Will I just have to uninstall Avast 5 to run this scan? Thanks!

AdvancedSetup · July 15, 2010

Well again, It may not even be Malware on your system and it could simply be that someone forged information that made it look like you'd sent it and is quite common.

If you cannot stop Avast then maybe visit their support forum and see if you can find out how to properly disable Avast while your run Combofix.

http://www.avast.com/community-and-support

Clark95 · July 16, 2010

When someone forge's information can they make emails appear in your sent folder? Also the email was sent out using half the people in my address book. But if you think the threat is bogus I won't run the Combo-Fix. Thanks for your help AS.

AdvancedSetup · July 16, 2010

No they can't forge it being in your Sent items folder. If the message is there in your sent items then someone sent it from that account.

I'm not saying your system is clean but it is also not a typical scenario for Malware to do such an act. Perhaps a friend or relative that might know or have seen you type in your password is playing a joke on you? Maybe you were on another computer and you were checking your mail and that other computer was running a keylogger on purpose and got your password?

We can run some other tests and scanners and see what we can find, all I'm saying is that it's quite possible that this came about from another method maybe. For now please disable your current AV and run this and let me know what if anything it finds and we'll go from there.

********************************************

It can take several hours, so please be patient and allow it to run it's full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Clark95 · July 17, 2010

Here is results of the Kaspersky Scan. Says I have 3 Trojan.Win32.Monderb.amux.

Report.html

Clark95 · July 17, 2010

Avast 5 did not flag those files as trojans. Could these be FP's? Also can't I just go in delete these files as they are in Documents and settings. I can navigate to the one in Program file. Its an .exe. Please advise thanks AS!

Clark95 · July 18, 2010

I navigated to all 3 locations and deleted . Was able to delete the .exe and the other 2 Winrar folders. I will run the Kaspersky scan again soon.

AdvancedSetup · July 18, 2010

Yes deleting them is good. They are infected keygen type programs and can easily get you infected.

I would download a new fresh copy of ComboFix and then temporarily fully remove Avast if you can't get it stopped. Then run Combfix as requested and post back the log. Don't go surfing other sites while Avast is not onboard as you can again get infected. If need temporarily install Aviara AV free while we do this testing as it can easily be disabled.

Clark95 · July 18, 2010

Ok I ran a fresh copy of Combo-Fix. My machine re-started and On-Line Armour came back on and halted the process. I allowed the 2 Combo Fix files it flagged and ran it again. The report of that scan is below:

ComboFix 10-07-16.02 - Van Halen 07/18/2010 13:23:53.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2354 [GMT -4:00]

Running from: c:\documents and settings\Van Halen\Desktop\ComboFix.exe

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Previous Run -------

.

c:\windows\6435MI93.ocx

c:\windows\is-D0260.exe

c:\windows\is-QCK87.exe

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))

.

2010-07-04 08:04 . 2010-07-04 08:04 -------- d-----w- c:\documents and settings\Van Halen\Application Data\OutWit

2010-06-29 06:54 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-09 00:50 . 2008-03-06 03:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-09 00:05 . 2010-07-09 00:05 388096 ----a-r- c:\documents and settings\Van Halen\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-07-08 23:17 . 2008-03-06 03:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-07-08 23:17 . 2008-03-06 03:10 -------- d-----w- c:\program files\SpywareBlaster

2010-07-07 16:25 . 2009-02-03 03:36 22600 ----a-w- c:\windows\system32\drivers\OAmon.sys

2010-07-07 16:25 . 2009-02-03 03:36 28232 ----a-w- c:\windows\system32\drivers\OAnet.sys

2010-07-07 16:25 . 2009-02-03 03:36 236104 ----a-w- c:\windows\system32\drivers\OADriver.sys

2010-06-28 20:57 . 2010-01-27 23:43 165032 ----a-w- c:\windows\system32\aswBoot.exe

2010-06-28 20:37 . 2010-01-27 23:43 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-06-28 20:37 . 2010-01-27 23:43 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-06-28 20:33 . 2010-01-27 23:43 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-06-28 20:32 . 2010-01-27 23:43 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-06-28 20:32 . 2010-01-27 23:43 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-06-28 20:32 . 2010-01-27 23:43 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-06-28 20:32 . 2010-01-27 23:43 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-06-28 03:03 . 2009-01-17 00:35 -------- d-----w- c:\program files\CCleaner

2010-06-17 16:38 . 2010-06-19 16:18 89600 ----a-w- c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll

2010-06-17 16:38 . 2010-06-19 16:18 89088 ----a-w- c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.6.dll

2010-06-17 16:38 . 2010-06-19 16:18 89088 ----a-w- c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.5.dll

2010-06-14 14:30 . 2004-08-04 08:00 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-12 17:15 . 2010-06-12 17:15 -------- d-----w- c:\program files\WOT

2010-06-05 00:25 . 2010-05-27 03:05 -------- d-----w- c:\program files\QuickTime

2010-06-05 00:25 . 2008-03-15 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-06-03 23:34 . 2010-06-03 23:27 -------- d-----w- c:\program files\R-STUDIO

2010-05-28 23:05 . 2008-03-15 13:37 -------- d-----w- c:\documents and settings\Van Halen\Application Data\Apple Computer

2010-05-27 03:06 . 2010-05-27 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-05-15 21:34 . 2010-05-15 21:34 711168 ----a-w- c:\windows\is-P4K38.exe

2010-05-04 17:20 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 08:00 17408 ------w- c:\windows\system32\corpol.dll

2010-05-02 05:56 . 2004-08-04 08:00 1850880 ----a-w- c:\windows\system32\win32k.sys

2010-04-29 16:19 . 2009-01-11 07:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 16:19 . 2009-01-11 07:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-20 05:51 . 2004-08-04 08:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2008-03-03 23:55 . 2008-03-03 23:55 56 --sha-w- c:\windows\SMINST\hpboot.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-28 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-25 8429568]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-25 81920]

"nwiz"="nwiz.exe" [2007-05-25 1626112]

"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]

"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-10 806912]

"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"Pthosttr"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-05-02 163840]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]

"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\OAui.exe" [2010-07-07 6854984]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]

c:\documents and settings\Van Halen\Start Menu\Programs\Startup\

ehtray.exe [2005-8-6 64512]

SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-11-9 113664]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2010-07-07 924488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-12-07 07:03 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]

2007-04-30 15:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]

2007-02-07 01:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 09:50 155648 ----a-r- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\mqsvc.exe"=

"c:\\WINDOWS\\SMINST\\Scheduler.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\system32\drivers\ezgmntr.sys [3/21/2009 10:26 PM 170080]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/15/2009 9:18 AM 64288]

R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 10:23 PM 100095]

R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 4:31 PM 44720]

R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 7:54 PM 13696]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [1/27/2010 7:43 PM 165456]

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2/2/2009 11:36 PM 236104]

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2/2/2009 11:36 PM 22600]

R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2/2/2009 11:36 PM 28232]

R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 10:23 PM 5808]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 74480]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/27/2010 7:43 PM 17744]

R2 ezgfsfilt;EZ GIG II FS Filter;c:\windows\system32\drivers\ezgfsfilt.sys [3/21/2009 10:26 PM 26912]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [1/23/2007 4:13 PM 36608]

R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [1/19/2009 1:34 PM 115312]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/11/2009 3:57 AM 20952]

R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [7/16/2007 12:32 PM 47616]

S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 4:13 PM 30008]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

Cognizance REG_MULTI_SZ ASBroker ASChannel

getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 1).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18]

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 2).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18]

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 3).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18]

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Daily 4).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18]

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 20:18]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139469626-2787614631-2259152266-1005Core.job

- c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 16:53]

2010-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3139469626-2787614631-2259152266-1005UA.job

- c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-28 16:53]

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/

IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

FF - ProfilePath - c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/

FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.5.dll

FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit-3.6.dll

FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\WINNT_x86-msvc\components\outwit.dll

FF - component: c:\documents and settings\Van Halen\Application Data\Mozilla\Firefox\Profiles\dthm4alz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll

FF - plugin: c:\documents and settings\Van Halen\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

AddRemove-EZ Gig II - c:\program files\Apricorn\EZ Gig II\ezbld.exe

AddRemove-LiveUpdate1.7 - c:\program files\Symantec\LiveUpdate\LSETUP.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-18 13:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]

"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\SbHpNp.DLL

c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(692)

c:\windows\SbHpNp.dll

.

Completion time: 2010-07-18 13:38:07

ComboFix-quarantined-files.txt 2010-07-18 17:37

Pre-Run: 15,332,753,408 bytes free

Post-Run: 15,291,461,632 bytes free

- - End Of File - - A73E1B53ED1745F0174D13F20332C07B

Clark95 · July 19, 2010

What are these files in quarantine?

2010-07-18 17:36:18 . 2010-07-18 17:36:18 800 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-LiveUpdate1.7.reg.dat

2010-07-18 17:36:17 . 2010-07-18 17:36:17 1,392 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-EZ Gig II.reg.dat

2010-07-18 17:35:44 . 2010-07-18 17:35:44 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat

2010-07-18 17:10:48 . 2010-07-18 17:29:08 6,895 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg

2010-07-18 16:51:46 . 2010-07-18 17:23:11 153 ----a-w- C:\Qoobox\Quarantine\catchme.log

2009-03-27 03:31:24 . 2009-03-27 03:31:24 685,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\is-D0260.exe.vir

2009-02-12 02:50:00 . 2009-02-12 02:50:00 685,056 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\is-QCK87.exe.vir

2007-07-16 17:18:15 . 2007-07-16 17:18:27 1,394 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\xpsp1hfm.log.vir

1617-08-22 23:52:59 . 1617-08-22 23:52:59 3,120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\6435MI93.ocx.vir

The ones Combo Fix said it removed today (below) appear to have been already in quarantine according to the above log.

c:\windows\6435MI93.ocx

c:\windows\is-D0260.exe

c:\windows\is-QCK87.exe

c:\windows\xpsp1hfm.log

ComboFix_quarantined_files.txt

AdvancedSetup · July 19, 2010

It makes backups of Registry or file entries just in case.

Please upload the following file to http://www.virustotal.com and have them scan it please and let me know what it says. c:\windows\is-P4K38.exe

Then let's run one more AV scan to double-check we're not missing anything.

Please download to your Desktop: Dr.Web CureIt

After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
Once the short scan has finished, Click on the Complete scan radio button.
Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
On the File types tab ensure you select All files
Click on the Actions tab and set the following:
- Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
- Infected packages Archive = Move, E-mails = Report, Containers = Move
- Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
- Do not change the Rename extension - default is: #??
- Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
- Leave prompt on Action checked
[*]On the Log file tab leave the Log to file checked.
[*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
[*]Log mode = Append
[*]Encoding = ANSI
[*]Details Leave Names of file packers and Statistics checked.
[*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
[*]On the General tab leave the Scan Priority on High
[*]Click the Apply button at the bottom, and then the OK button.
[*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
[*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
[*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
[*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
[*]Click 'Yes to all' if it asks if you want to cure/move the files.
[*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
[*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
[*]Save the report to your Desktop. The report will be called DrWeb.csv
[*]Close Dr.Web Cureit.
[*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
[*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

Clark95 · July 19, 2010

Here's the Virustotal results. Downloading Dr. Web Cure-it now.

VirusTotal.txt

Clark95 · July 20, 2010

Dr. Web Cureit found infections in Norton (SAV10) and a file in system restore that was a remnant of the file I removed earlier. Results below. It would not let me attach the file.

SAV10_SE.exe/data002\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\SAV10_SE.exe/data002;Tool.Prockill;;

data002;C:\Documents and Settings\Van Halen\My Documents;Archive contains infected objects;;

SAV10_SE.exe/data003\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\SAV10_SE.exe/data003;Tool.Prockill;;

data003;C:\Documents and Settings\Van Halen\My Documents;Archive contains infected objects;;

SAV10_SE.exe;C:\Documents and Settings\Van Halen\My Documents;Container contains infected objects;Moved.;

SAV10_SE.exe/data002\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\downloads\SAV10_SE.exe/data002;Tool.Prockill;;

data002;C:\Documents and Settings\Van Halen\My Documents\downloads;Archive contains infected objects;;

SAV10_SE.exe/data003\pskill.exe;C:\Documents and Settings\Van Halen\My Documents\downloads\SAV10_SE.exe/data003;Tool.Prockill;;

data003;C:\Documents and Settings\Van Halen\My Documents\downloads;Archive contains infected objects;;

SAV10_SE.exe;C:\Documents and Settings\Van Halen\My Documents\downloads;Container contains infected objects;Moved.;

A0061832.exe;C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP478;Trojan.Virtumod.2111;Incurable.Moved.;

Latest HJT file:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 2:27:45 AM, on 7/20/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\PDF Complete\pdfsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Van Halen\Start Menu\Programs\Startup\ehtray.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Tall Emu\Online Armor\OAhlp.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Program Files\Internet Explorer\iexplore.exe