
please help me remove trojan.vundo and malware.trace



1. MBAM Log

Malwarebytes' Anti-Malware 1.31

Database version: 1464

Windows 5.1.2600 Service Pack 3

12/5/2008 7:37:18 PM

mbam-log-2008-12-05 (19-37-18).txt

Scan type: Quick Scan

Objects scanned: 52660

Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. Panda

;*******************************************************************************

ANALYSIS: 2008-12-05 20:48:20

PROTECTIONS: 1

MALWARE: 8

SUSPECTS: 11

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

Sophos Antivirus 7.6.0 No No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@doubleclick[1].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@atdmt[3].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@ad.yieldmanager[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@serving-sys[1].txt

00429208 Adware/FBrowsingAdvisor Adware No 0 Yes No C:\Program Files\mozilla.org\Mozilla\regxpcom.exe

01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Jeremy\Cookies\jeremy@adserver.easyad[1].txt

04247549 Trj/Zlob.KH Virus/Trojan No 1 Yes No C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\O9QVWDE7\nww32[1].exe

04277170 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Patch.exe.GE2EGQCSXUITG5TYARUIYIXD6R2C4W4SFFOJAMI.dctmp.000

04277170 Generic Trojan Virus/Trojan No 0 Yes No C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\Patch.exe.GE2EGQCSXUITG5TYARUIYIXD6R2C4W4SFFOJAMI.dctmp.antifrag.000

;===============================================================================

SUSPECTS

Sent Location P

;===============================================================================

Yes C:\WINDOWS\System32\jacmms.dll P

Yes C:\WINDOWS\system32\jacmms.dll P

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\eco98IV.exe.000

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\eco98IV.exe.1.000

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RM63TDG.exe.000

Yes C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\RM63TDG.exe.1.000

Yes C:\Documents and Settings\Jeremy\Local Settings\Temp\vrmB09.tmp[NN_Bar77_876984.dll] P

Yes C:\Documents and Settings\Jeremy\My Documents\mirc631.exe[


Hello,

1. Set Windows to show all files and all folders.

On your Desktop, double-click My Computer; from the menu, select Tools, then Folder Options, then the View tab, and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under Hidden files and folders, select Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files and the temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run as above in every user login account (user profile).

=

3. Important! => Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.


Using Internet Explorer browser only, go to ESET Online Scanner website:

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And promptly re-enable it when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.

Please include the following logs in your next reply:

the Eset scan log

DDS.txt

Attach.txt

Be sure to do a Preview prior to pressing Submit, because all reports may not fit into one single reply. You may need to do more than one reply.

Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.


ESET Log.txt

# version=4

# OnlineScanner.ocx=1.0.0.635

# OnlineScannerDLLA.dll=1, 0, 0, 79

# OnlineScannerDLLW.dll=1, 0, 0, 78

# OnlineScannerUninstaller.exe=1, 0, 0, 49

# vers_standard_module=3712 (20081222)

# vers_arch_module=1.064 (20080214)

# vers_adv_heur_module=1.064 (20070717)

# EOSSerial=ab2dc541ee72f042bd0838405cb0eb01

# end=finished

# remove_checked=true

# unwanted_checked=false

# utc_time=2008-12-23 06:34:02

# local_time=2008-12-23 01:34:02 (-0500, Eastern Standard Time)

# country="United States"

# osver=5.1.2600 NT Service Pack 3

# scanned=372048

# found=0

# scan_time=6768

While running this, my Sophos Anti-Virus popped up (I don't know how to disable this thing... it was necessary in order to log in wirelessly to my university's campus).

Anyway, it popped up and said:

"File C:\Documents and Settings\...\Temp\NOD62C7.tmp belongs to virus/spyware Mal/Behav-181."

"File C:\Documents and Settings\...\Temp\NOD30A7.tmp belongs to virus/spyware Mal/Behav-181."

"File C:\Documents and Settings\...\Temp\NOD31F7.tmp belongs to virus/spyware Mal/Behav-181."

"File C:\Documents and Settings\...\Temp\NOD64CF.tmp belongs to virus/spyware Mal/Behav-181."


DDS.txt

DDS (Version 1.1.0) - NTFSx86

Run by Jeremy at 1:45:49.23 on Tue 12/23/2008

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_05

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.362 [GMT -5:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Jeremy\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = https://muss.cis.mcmaster.ca/

uInternet Settings,ProxyOverride = *.local

BHO: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll

uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background

uRun: [Rainlendar2] c:\program files\rainlendar2\Rainlendar2.exe

uRun: [scheduler_monitor] c:\program files\reaconverter 5.5 pro\init_scheduler.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [startCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgentLauncher.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll

IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL jacmms.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jeremy\applic~1\mozilla\firefox\profiles\og03m7l0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.homeword.com/DailyDevotional/DevotionalDetail.aspx

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-5 28544]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2007-9-24 104704]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2007-9-24 35584]

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]

R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\sophos\sophos anti-virus\SAVAdminService.exe" [2008-10-23 69632]

R2 SAVService;Sophos Anti-Virus;"c:\program files\sophos\sophos anti-virus\SavService.exe" [2008-9-30 98304]

R2 Sophos Agent;Sophos Agent;"c:\program files\sophos\remote management system\ManagementAgentNT.exe" -service -name Agent [2008-10-23 266240]

R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;"c:\program files\sophos\autoupdate\ALsvc.exe" [2008-9-30 172032]

R2 Sophos Message Router;Sophos Message Router;"c:\program files\sophos\remote management system\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [2008-10-23 794624]

S0 ati0vcxx;ati0vcxx;c:\windows\system32\drivers\ati0vcxx.sys []

S0 ati6jpxx;ati6jpxx;c:\windows\system32\drivers\ati6jpxx.sys []

S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []

S3 rcp_service;ReaConverter scheduler service;c:\program files\reaconverter 5.5 pro\rcp_scheduler.exe [2007-11-30 558592]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2008-9-30 14976]

=============== Created Last 30 ================

2008-12-05 20:53 <DIR> --d----- c:\program files\Trend Micro

2008-12-05 18:37 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2008-12-05 18:36 <DIR> --d----- c:\program files\Panda Security

2008-12-05 18:35 <DIR> --d----- c:\program files\EsetOnlineScanner

2008-12-05 15:00 <DIR> --d----- c:\docume~1\jeremy\applic~1\Malwarebytes

2008-12-05 14:59 15,504 a------- c:\windows\system32\drivers\mbam.sys

2008-12-05 14:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-05 14:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2008-12-05 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2008-12-05 14:51 <DIR> --dsh--- C:\found.000

2008-12-05 13:45 <DIR> --d----- c:\program files\Lavasoft

2008-12-05 13:45 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2008-12-05 12:18 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)

2008-12-05 12:18 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)

2008-12-05 12:18 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-05 12:18 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-12-05 12:13 <DIR> --dsh--- c:\windows\SmVyZW15IFRhbmc

2008-12-05 12:12 47,598 a------- c:\windows\system32\iawuqolblmdzne.exe

2008-11-27 01:16 244 a---h--- C:\sqmnoopt11.sqm

2008-11-27 01:16 232 a---h--- C:\sqmdata11.sqm

2008-11-27 01:11 232 a---h--- C:\sqmdata10.sqm

2008-11-27 01:11 244 a---h--- C:\sqmnoopt10.sqm

2008-11-26 14:46 <DIR> --d----- c:\program files\Full Tilt Poker

2008-11-25 12:43 244 a---h--- C:\sqmnoopt09.sqm

2008-11-25 12:43 232 a---h--- C:\sqmdata09.sqm

==================== Find3M ====================

2008-12-05 12:27 14,336 a------- c:\windows\system32\svchost.exe

2008-10-14 20:28 25,448 a------- c:\docume~1\jeremy\applic~1\GDIPFONTCACHEV1.DAT

2008-10-14 19:52 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat

2008-09-30 05:29 130,104 a------- c:\windows\system32\sdccoinstaller.dll

2008-09-30 05:28 23,552 a------- c:\windows\system32\sophosboottasks.exe

============= FINISH: 1:46:19.26 ===============

-- ATTACH.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 8/10/2007 2:52:34 AM

System Uptime: 12/22/2008 11:02:46 PM (2 hours ago)

Motherboard: Dell Inc. | | 0UW744

Processor: AMD Athlon 64 X2 Dual-Core Processor TK-53 | Socket M2/S1G1 | 1695/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 1.785 GiB free.

E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Spybot S&D is a good program, but its TeaTimer feature can block us from making some changes. Ensure it is NOT enabled or active.

Start Spybot-S&D in Advanced Mode.

If it is not already set to do this, go to the Mode menu and select "Advanced Mode".

On the left hand side, Click on Tools

Then click on the Resident Icon in the List

Uncheck "Resident TeaTimer" and OK any prompts.

Restart your computer.

=

This system has an old version of the Java Runtime.

Uninstall jre1.6 (or any earlier) and any other Sun Java package (Java Runtime Environment) via Add/Remove Programs.

If you see any other Java versions there,

such as

J2SE Runtime Environment 5.0 Update 6

Java


C:\Combofix.txt

ComboFix 08-12-23.01 - Jeremy 2008-12-24 1:06:26.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.488 [GMT -5:00]

Running from: c:\documents and settings\Jeremy\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Jeremy\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\IE4 Error Log.txt

c:\windows\system32\autoexec.bat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_FCI

((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))

.

2008-12-24 00:59 . 2008-12-24 00:59 <DIR> d-------- c:\program files\Java

2008-12-24 00:59 . 2008-12-24 00:59 410,984 --a------ c:\windows\system32\deploytk.dll

2008-12-24 00:59 . 2008-12-24 00:59 73,728 --a------ c:\windows\system32\javacpl.cpl

2008-12-05 20:53 . 2008-12-05 20:53 <DIR> d-------- c:\program files\Trend Micro

2008-12-05 18:37 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-05 18:36 . 2008-12-05 18:36 <DIR> d-------- c:\program files\Panda Security

2008-12-05 18:35 . 2008-12-22 23:40 <DIR> d-------- c:\program files\EsetOnlineScanner

2008-12-05 17:39 . 2008-12-05 17:39 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2008-12-05 17:19 . 2008-12-05 17:19 <DIR> d-------- c:\documents and settings\Administrator

2008-12-05 15:00 . 2008-12-05 15:00 <DIR> d-------- c:\documents and settings\Jeremy\Application Data\Malwarebytes

2008-12-05 14:59 . 2008-12-05 15:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-12-05 14:59 . 2008-12-05 14:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-05 14:59 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-05 14:59 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-05 14:51 . 2008-12-05 14:51 <DIR> d--hs---- C:\found.000

2008-12-05 13:45 . 2008-12-05 13:45 <DIR> d-------- c:\program files\Lavasoft

2008-12-05 13:45 . 2008-12-05 13:45 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-05 13:45 . 2008-12-05 13:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-05 12:18 . 2008-12-05 12:18 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2008-12-05 12:13 . 2008-12-05 14:52 <DIR> d--hs---- c:\windows\SmVyZW15IFRhbmc

2008-11-27 01:16 . 2008-11-27 01:16 244 --ah----- C:\sqmnoopt11.sqm

2008-11-27 01:16 . 2008-11-27 01:16 232 --ah----- C:\sqmdata11.sqm

2008-11-27 01:11 . 2008-11-27 01:11 244 --ah----- C:\sqmnoopt10.sqm

2008-11-27 01:11 . 2008-11-27 01:11 232 --ah----- C:\sqmdata10.sqm

2008-11-26 14:46 . 2008-11-26 15:05 <DIR> d-------- c:\program files\Full Tilt Poker

2008-11-25 12:43 . 2008-11-25 12:43 244 --ah----- C:\sqmnoopt09.sqm

2008-11-25 12:43 . 2008-11-25 12:43 232 --ah----- C:\sqmdata09.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-16 16:03 --------- d-----w c:\documents and settings\Jeremy\Application Data\uTorrent

2008-12-05 17:59 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-05 16:48 --------- d-----w c:\documents and settings\Jeremy\Application Data\mIRC

2008-12-05 16:35 --------- d-----w c:\program files\mIRC

2008-11-26 20:11 --------- d-----w c:\program files\Steam

2008-11-26 20:05 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-20 02:52 --------- d-----w c:\documents and settings\Jeremy\Application Data\RCP 5

2008-11-20 02:37 --------- d-----w c:\program files\ReaConverter 5.5 Pro

2008-10-15 01:28 25,448 ----a-w c:\documents and settings\Jeremy\Application Data\GDIPFONTCACHEV1.DAT

2008-10-30 17:54 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-10-30 17:54 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-10-30 17:54 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-10-30 17:54 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-10-30 17:54 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"Rainlendar2"="c:\program files\Rainlendar2\Rainlendar2.exe" [2007-07-24 1298432]

"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-02-20 1191936]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]

"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-23 113664]

AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2007-09-24 245760]

Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe [2007-12-07 28672]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.ffds"= ffdshow.ax

"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0vcxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati6jpxx.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Clean Access Agent.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Clean Access Agent.lnk

backup=c:\windows\pss\Clean Access Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-05-11 02:06 40048 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

--a------ 2005-06-08 13:44 196608 c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

--a------ 2005-06-08 14:24 458752 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

--a------ 2005-06-08 14:14 217088 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]

--a------ 2005-07-19 16:32 221184 c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--------- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung Common SM]

--------- 2005-07-03 02:20 372736 c:\windows\Samsung\ComSMMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Documents and Settings\\Jeremy\\Start Menu\\Programs\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Steam\\SteamApps\\ihatestupid@hotmail.com\\counter-strike\\hl.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\SopCast\\sopvod.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Starcraft\\StarCraft.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-05 28544]

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2007-09-24 104704]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2007-09-24 35584]

R2 SAVAdminService;Sophos Anti-Virus status reporter;"c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [2008-10-23 69632]

R2 SAVService;Sophos Anti-Virus;"c:\program files\Sophos\Sophos Anti-Virus\SavService.exe" [2008-09-30 98304]

S0 ati0vcxx;ati0vcxx;c:\windows\system32\Drivers\ati0vcxx.sys []

S0 ati6jpxx;ati6jpxx;c:\windows\system32\Drivers\ati6jpxx.sys []

S1 dxgthkk;dxgthkk;c:\windows\system32\drivers\dxgthkk.sys []

S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2008-09-30 14976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}]

\Shell\Auto\command - sxs2.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}]

\Shell\Auto\command - D:\sxs2.exe

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-23 c:\windows\Tasks\McMaster Scan.job

- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2008-09-30 05:24]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe

.

------- Supplementary Scan -------

.

uStart Page = https://muss.cis.mcmaster.ca/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Jeremy\Application Data\Mozilla\Firefox\Profiles\og03m7l0.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.homeword.com/DailyDevotional/DevotionalDetail.aspx

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-24 01:21:07

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Sophos Message Router]

"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\windows\system32\WLTRYSVC.EXE

c:\windows\system32\BCMWLTRY.EXE

c:\program files\Lavasoft\Ad-Aware\aawservice.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\program files\Sophos\Remote Management System\RouterNT.exe

c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe

.

**************************************************************************

.

Completion time: 2008-12-24 1:25:01 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-24 06:24:58

Pre-Run: 1,959,370,752 bytes free

Post-Run: 1,828,921,344 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

220 --- E O F --- 2008-09-02 05:48:37

Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:26:46 AM, on 12/24/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://muss.cis.mcmaster.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7321 bytes


Plug in your USB flash drives so that some of these programs will be able to find them.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :reg
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}]
    :files
    D:\sxs2.exe
    C:\sxs2.exe
    c:\windows\system32\sxs2.exe
    c:\windows\sxs2.exe
    :commands
    [EmptyTemp]


  • Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=

Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip

Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

=

I'm going to have you get and run two utilities.

The first stops automatic use of the AutoRun feature of XP. The second will write a read-only, system-protected Autorun.inf file to all of your hard drives and all connected removable storage devices.

Download and Install Microsoft's TweakUI:

http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx

Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.

Expand the My Computer branch, then the AutoPlay branch, and then select Drives.

Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.

http://www.techsupportforum.com/sectools/s...Disinfector.exe

There is no GUI interface or log file produced.

=

Start HijackThis. Do a Scan and Save.

Reply with a copy of the OTMoveIt3 log from above, and the new HJT log.

And tell me, how is your system now?

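The two MountPoints2 keys in the ComboFix log above are Explorer's cache of what a removable drive's autorun.inf asked it to do: the \Shell\Auto\command value records a shell\Auto\command= line, and the "RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe" form is how a shellexecute= line is recorded, so the payload is the last argument, not rundll32 itself. As an added example, not part of the original thread and not code from OTMoveIt3, ComboFix or any other tool named in it, the Python below parses a ComboFix-style MountPoints2 dump, flags every volume whose cached handler launches an executable, and emits an OTMoveIt3 fix in the same :reg / :files / :commands layout the helper used. The sample dump is constructed from the lines quoted in the thread plus a third, invented volume (setup.exe) to show the detection is not tied to the name sxs2.exe; the list of directories searched for the payload is an assumption, since the drive letter of an unplugged flash drive cannot be recovered from the log.

```python
"""Triage the MountPoints2 autorun entries from a ComboFix-style log.

Added example: not from the original thread, and not code from ComboFix,
OTMoveIt3 or any other tool named in it.
"""
import re

# Constructed sample: the two keys from the log, plus an invented third volume.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}]
\Shell\Auto\command - sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}]
\Shell\Auto\command - D:\sxs2.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs2.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaa0000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]{36}\})\]$", re.I)
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)

# Assumed search list: the flash drive letter seen in the log, the root of C:
# and the two Windows folders. An unplugged drive's letter is not in the log.
PAYLOAD_DIRS = ("D:\\", "C:\\", "c:\\windows\\system32\\", "c:\\windows\\")


def parse_mountpoints(dump):
    """Map each MountPoints2 volume key to its cached {verb: command} handlers."""
    volumes, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            volumes.setdefault(current, {})
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            volumes[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return volumes


def launched_executable(command):
    """Return the file a cached autorun command actually launches.

    Explorer records an autorun.inf shellexecute= line as
    'RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>': the payload is the
    last argument, not rundll32. Any other command launches its first token.
    """
    tokens = command.split()
    if not tokens:
        return None
    if (len(tokens) >= 3
            and tokens[0].lower().endswith("rundll32.exe")
            and tokens[1].lower().startswith("shell32.dll,shellexec_rundll")):
        return tokens[-1]
    return tokens[0]


def find_autorun_infections(volumes):
    """List (key, {verb: payload}) for volumes whose handlers run an .exe.

    A clean data volume has no Shell\\*\\command entries under MountPoints2,
    so every hit is worth a look, whatever the executable is called.
    """
    findings = []
    for key, handlers in volumes.items():
        payloads = {}
        for verb, command in handlers.items():
            target = launched_executable(command)
            if target and target.lower().endswith(".exe"):
                payloads[verb] = target
        if payloads:
            findings.append((key, payloads))
    return findings


def otmoveit_script(findings, payload_dirs=PAYLOAD_DIRS):
    """Emit an OTMoveIt3 fix in the :reg / :files / :commands layout used above."""
    lines = [":reg"] + ["[-%s]" % key for key, _ in findings]
    names = []
    for _, payloads in findings:
        for target in payloads.values():
            name = target.rsplit("\\", 1)[-1]  # drop any drive/folder prefix
            if name.lower() not in (n.lower() for n in names):
                names.append(name)
    lines.append(":files")
    lines += [d + name for name in names for d in payload_dirs]
    lines += [":commands", "[EmptyTemp]"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_autorun_infections(parse_mountpoints(SAMPLE_DUMP))
    for key, payloads in hits:
        print(key.rsplit("\\", 1)[-1], "->", ", ".join(sorted(set(payloads.values()))))
    print(otmoveit_script(hits))
```

Run as-is it prints the three flagged volume GUIDs with their payloads, then a script that deletes the cached keys and lists the payload name in each assumed location; to use it on a real log, paste the MountPoints2 section of the ComboFix output in place of SAMPLE_DUMP and review every hit before pasting the result into OTMoveIt3, since an autorun handler that launches a vendor's own launcher will be flagged too.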

OTMoveIt Log

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212077cf-c338-11dd-88aa-001c2383a25a}\\ deleted successfully.

Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d354e8d0-8604-11dd-8898-001c2383a25a}\\ deleted successfully.

========== FILES ==========

File/Folder D:\sxs2.exe not found.

File/Folder C:\sxs2.exe not found.

File/Folder c:\windows\system32\sxs2.exe not found.

File/Folder c:\windows\sxs2.exe not found.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Jeremy\LOCALS~1\Temp\~DF7222.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2c0.dat scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

FireFox cache emptied.

Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12242008_151842

Files moved on Reboot...

C:\DOCUME~1\Jeremy\LOCALS~1\Temp\~DF7222.tmp moved successfully.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

File C:\WINDOWS\temp\Perflib_Perfdata_2c0.dat not found!

File C:\WINDOWS\temp\Perflib_Perfdata_3e8.dat not found!

---

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:30:52 PM, on 12/24/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Rainlendar2\Rainlendar2.exe

C:\Program Files\Sophos\AutoUpdate\ALMon.exe

C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

C:\Program Files\Sophos\Remote Management System\RouterNT.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\mozilla.org\Mozilla\mozilla.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://muss.cis.mcmaster.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [startCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe

O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe

O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgentLauncher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://www.pandasecurity.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe

O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe

O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe

O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe

O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Remote Management System\RouterNT.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 7299 bytes

---

When I got infected, my Firefox was compromised, and since then I have used the Mozilla browser to avoid pop-ups and all that. So I'm going to restart my computer and then use Firefox, and reply back soon to tell you if I've noticed anything.


The logs look good. As to the PC being clean, one cannot guarantee that. The only way for that is to wipe the system and do a fresh clean install of Windows.

That being said, I believe we have quashed the malware. You are good to go after doing the following.

The following few steps will remove tools we used, followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

The utility must be removed to prevent any unintentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste combofix /u and then click OK.
  • Please download OTMoveIt3 by OldTimer: http://oldtimer.geekstogo.com/OTMoveIt3.exe
    1. Save it to your desktop.
    2. Please double-click OTMoveIt3.exe to run it.
    3. Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
    4. This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  • Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  • Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  • Check in at Windows Update and install any Critical Updates offered.
  • Download and Install Windows Defender by Microsoft (free) if you do not already have it:
    http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  • Make certain that Automatic Updates is enabled.
    • How to configure and use Automatic Updates in WinXP:
    http://support.microsoft.com/kb/306525

  • Download and install Comodo BOClean (free): http://www.comodo.com/boclean/CBO_download.html
  • Download, install, and keep updated Spyware Blaster (free): http://www.javacoolsoftware.com/spywareblaster.html (all Protections should be enabled at all times)
  • I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
    See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
    That would help to keep your browser away from known spyware/malware sites.
  • Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  • On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
    Kaspersky Webscan Online Virus Scanner
    ESET Online Scanner
    Panda ActiveScan
    Trend Micro Housecall
    F-Secure Online Scanner
  • Read Tony Klein's article How Did I Get Infected In The First Place
  • Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe!

Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingcomputer.com/tutorials/tutorial82.html

We are done here. All the best to you. Cheers.

