Fake Windows Security Alert Please Help!


13 replies to this topic

#1 vales1

  • Members
  • 9 posts

Posted 27 September 2008 - 12:39 AM

My PC is infected by a fake Windows security message that has everything grayed out except for "enable". I made the mistake of clicking it and it directed me to a spyware/adware website offering to purchase their products. I thought it was just a temporary thing, but now the same message keeps popping up! Here's a picture of the message.

[screenshot of the alert] My apologies for the bad pic, I'm quite new at this so I did my best. Anyway, every time this message pops up it says that I'm infected with a different trojan: Trojan-spy.win32.greenscreen, trojan-spy.html.bankfraud.dq, or trojan-downloader.win32.agent.dq

I've tried a number of solutions suggested in this forum but nothing seems to work. Thanks in advance for any help, I truly appreciate it.

Here's my HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:46 PM, on 9/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\hmvofypu.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\hmvofypu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [smartmonadm] C:\WINDOWS\system32\hmvofypu.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.vectorvest.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O21 - SSODL: StrWebProc - {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10215 bytes
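As an added triage example (not code from this thread, from HijackThis, or from any other tool named here): the script below parses the startup-related lines of a HijackThis log like the one above and shortlists entries whose executable or parent folder has a machine-generated-looking name. On the sample lines it surfaces the hmvofypu.exe Run entry and the SSODL DLL under C:\Program Files\hwfrxz. The sample log lines are copied from the log above, and the small KNOWN_GOOD allowlist and the vowel-ratio heuristic are constructed for the example; the output is a shortlist for a human reviewer, not a verdict.

```python
"""Triage helper for HijackThis (HJT) logs: parse the O2/O3/O4/O21/O23 lines
and flag startup entries whose executable or parent directory looks
machine-generated. Heuristic only: it produces a shortlist, not a verdict."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the HijackThis log posted above,
# legitimate entries mixed with the two entries worth a closer look.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [smartmonadm] C:\WINDOWS\system32\hmvofypu.exe
O21 - SSODL: StrWebProc - {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Well-known Windows/vendor binaries whose short names would otherwise trip the
# heuristic. Constructed, minimal allowlist for the example; a real one comes
# from a hash or vendor catalogue rather than a hand-typed set.
KNOWN_GOOD = {"ctfmon.exe", "msmsgs.exe", "qttask.exe"}

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
CLSID_RE = re.compile(r"^(?P<sec>O2|O3|O21) - (?:BHO|Toolbar|SSODL): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")

VOWELS = set("aeiou")


def looks_generated(token: str) -> bool:
    """True for vowel-starved, all-lowercase names such as hmvofypu or hwfrxz."""
    if len(token) < 6 or not token.isalpha() or not token.islower():
        return False
    return sum(c in VOWELS for c in token) / len(token) <= 0.25


def extract_target(cmd: str) -> str:
    """Return the file an O4 Run command really launches, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        first, _, rest = cmd[1:].partition('"')
    else:
        first, _, rest = cmd.partition(" ")
    if first.upper().endswith("RUNDLL32.EXE"):      # rundll32 hosts a DLL export,
        return extract_target(rest).split(",")[0]   # so the DLL is the real payload
    return first


def parse_line(line: str):
    """Map one HJT line to (section, display name, target path), or None."""
    if m := RUN_RE.match(line):
        return "O4", m["name"], extract_target(m["cmd"])
    if m := CLSID_RE.match(line):
        return m["sec"], m["name"], m["path"].strip()
    if m := SVC_RE.match(line):
        return "O23", m["name"], m["path"].strip()
    return None


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (section, target path, reason) for entries worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        section, _name, target = parsed
        p = PureWindowsPath(target)
        if p.name.lower() in KNOWN_GOOD:
            continue
        if looks_generated(p.stem):
            findings.append((section, target, "generated-looking file name"))
        elif looks_generated(p.parent.name):
            findings.append((section, target, "generated-looking parent directory"))
    return findings


if __name__ == "__main__":
    for section, target, reason in triage(SAMPLE_HJT_LOG):
        print(f"{section:4} {reason:35} {target}")
```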


#2 steamwiz

  • Members
  • 1,039 posts

Posted 27 September 2008 - 12:29 PM

Hi

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 vales1
  • Topic Starter

  • Members
  • 9 posts

Posted 27 September 2008 - 01:44 PM

Thank you so very much Steam for your fast response! Anyway, I've been busy looking for solutions so I just kept trying all sorts of Anti Malware programs and after my last run, I haven't seen the Fake Security Alert popup. But just to make sure:

Here's my latest HIJACKTHIS log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:20:27 AM, on 9/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\hmvofypu.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3 Beta 4\firefox.exe
C:\WINDOWS\system32\hmvofypu.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [smartmonadm] C:\WINDOWS\system32\hmvofypu.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.vectorvest.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O21 - SSODL: StrWebProc - {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10218 bytes


And here's the MALWAREBYTES ANTI MALWARE log:

Malwarebytes' Anti-Malware 1.28
Database version: 1211
Windows 5.1.2600 Service Pack 2

9/27/2008 11:23:04 AM
mbam-log-2008-09-27 (11-23-04).txt

Scan type: Quick Scan
Objects scanned: 48508
Time elapsed: 1 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And finally, the COMBOFIX log:


ComboFix 08-09-26.06 - 5thTry 2008-09-27 11:25:02.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2972 [GMT -7:00]
Running from: C:\Documents and Settings\5thTry\Desktop\My Stuff\AntiSpyware\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-27 to 2008-09-27 )))))))))))))))))))))))))))))))
.

2008-09-27 08:40 . 2008-09-27 08:40 <DIR> d-------- C:\!FixIEDef
2008-09-27 00:31 . 2008-09-27 00:31 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-09-27 00:31 . 2008-09-27 00:31 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-27 00:19 . 2008-09-27 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-27 00:18 . 2008-09-27 00:18 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-27 00:11 . 2008-09-27 00:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-26 18:31 . 2008-09-26 18:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-26 18:31 . 2008-09-26 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-26 18:08 . 2008-09-27 00:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 18:08 . 2008-09-26 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 18:08 . 2008-09-26 18:08 <DIR> d-------- C:\Documents and Settings\5thTry\Application Data\Malwarebytes
2008-09-26 18:08 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-26 18:08 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-26 17:46 . 2008-09-26 17:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-26 17:46 . 2008-09-27 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-26 16:36 . 2008-09-26 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-25 22:47 . 2008-09-25 22:47 29 --a------ C:\WINDOWS\system32\retupogd.tmp
2008-09-25 22:46 . 2008-09-25 22:46 <DIR> d-------- C:\Program Files\hwfrxz
2008-09-25 22:46 . 2008-09-26 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fsbaxafk
2008-09-25 22:46 . 2008-09-25 22:46 81,920 --a------ C:\WINDOWS\system32\hmvofypu.exe
2008-09-25 22:46 . 2008-09-25 22:46 77,824 --a------ C:\WINDOWS\system32\wpv123.cpx.bak
2008-09-25 22:46 . 2008-09-25 22:46 73,216 --a------ C:\WINDOWS\system32\wpv502.cpx
2008-09-15 19:38 . 2008-09-19 22:55 1,834 --a------ C:\Documents and Settings\5thTry\Application Data\SAS7_000.DAT
2008-09-15 19:08 . 2008-09-15 19:08 <DIR> d-------- C:\Documents and Settings\5thTry\Application Data\Nuance
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Program Files\Common Files\Nuance
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-15 19:05 . 2008-09-15 19:05 <DIR> d-------- C:\Program Files\Nuance
2008-09-15 19:05 . 2008-09-15 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2008-09-15 17:44 . 2008-09-15 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-15 17:42 . 2008-09-15 19:08 <DIR> d-------- C:\WINDOWS\speech
2008-09-15 17:34 . 2006-10-20 00:10 501,912 --a------ C:\WINDOWS\system32\PICSDK2.dll
2008-09-15 17:34 . 2006-10-20 00:10 108,704 --a------ C:\WINDOWS\system32\PICEntry.dll
2008-09-15 17:34 . 2004-03-03 06:10 31,053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-09-15 17:34 . 2004-03-03 06:10 27,417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-08-29 15:53 . 2008-08-29 15:53 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-27 18:04 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-09-27 07:42 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-09-27 03:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-26 23:39 --------- d-----w C:\Documents and Settings\5thTry\Application Data\Apple Computer
2008-09-17 00:20 20,648 ----a-w C:\Documents and Settings\5thTry\Application Data\GDIPFONTCACHEV1.DAT
2008-09-16 00:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-12 22:27 --------- d-----w C:\Documents and Settings\5thTry\Application Data\U3
2008-08-19 07:05 0 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-08-19 07:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 07:05 --------- d-----w C:\Program Files\Common Files\Nikon
2008-08-19 05:39 --------- d-----w C:\Documents and Settings\5thTry\Application Data\ArcSoft
2008-08-19 05:38 --------- d-----w C:\Documents and Settings\5thTry\Application Data\Nikon
2008-08-19 05:28 --------- d-----w C:\Program Files\Nikon
2008-08-19 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-08-19 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-08-12 00:30 --------- d-----w C:\Program Files\Java
2008-08-09 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:06 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-26_17.12.42.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-20 07:22:07 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-09-27 00:56:15 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-20 07:22:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-09-27 00:56:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-20 07:22:07 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-27 00:56:15 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-29 18:19:50 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
+ 2008-04-29 18:19:54 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
+ 2008-04-29 18:20:00 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-05-16 18:58:04 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
- 2008-04-11 05:06:14 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-09-27 00:17:20 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-11 05:06:14 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-27 00:17:20 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-09-27 07:11:55 509,492 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2004-12-07 18:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
+ 2008-09-27 16:24:33 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_71c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 15360]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"Google Update"="C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-02-18 1694208]
"smartmonadm"="C:\WINDOWS\system32\hmvofypu.exe" [2008-09-25 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 81920]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2007-03-19 259624]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2007-02-18 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-10 25214]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-20 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StrWebProc"= {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll [2008-09-25 114688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Forged Alliance\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"D:\\Forged Alliance\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 tiamobus;vcdrom Bus;C:\WINDOWS\system32\DRIVERS\tiamobus.sys [2007-01-06 6784]
R0 tiamoport;cxlmo Miniport;C:\WINDOWS\system32\DRIVERS\tiamominiport.sys [2007-01-06 18304]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-01-06 286720]
S2 squvmvjt;squvmvjt;C:\WINDOWS\system32\drivers\squvmvjt.sys [ ]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\WINDOWS\system32\Drivers\athwpn.sys [2004-10-14 43392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3726777e-9cf5-11db-8268-00146c59c10e}]
\Shell\AutoRun\command - I:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de09d28e-2c47-11dd-8360-00146c59c10e}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc402-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc403-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - L:\SCVHOST.exe
\Shell\Open\command - L:\SCVHOST.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\5thTry\Application Data\Mozilla\Firefox\Profiles\d7wikvch.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.yahoo.com/|http://www.optionsxpress.com/index1.aspx?sessionid=0
FF -: plugin - C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-27 11:25:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-27 11:25:50
ComboFix-quarantined-files.txt 2008-09-27 18:25:47
ComboFix2.txt 2008-09-27 17:42:35
ComboFix3.txt 2008-09-27 07:47:10
ComboFix4.txt 2008-09-27 06:31:30
ComboFix5.txt 2008-09-27 18:24:42

Pre-Run: 25,238,966,272 bytes free
Post-Run: 25,233,879,040 bytes free

204 --- E O F --- 2008-09-10 21:52:38

#4 steamwiz

  • Members
  • 1,039 posts

Posted 27 September 2008 - 03:15 PM

HI

Please go here and upload this file ...

C:\WINDOWS\system32\hmvofypu.exe

http://www.virustotal.com/flash/index_en.html

Click the browse button & browse to the file on your computer

Post back the results ... right click on the page > select all

right click again copy

post the results in your next post here...

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#5 vales1
  • Topic Starter
  • Members
  • 9 posts

Posted 27 September 2008 - 08:12 PM

OMG, the results were alarming. Oh, and by the way, just when I thought I was in the clear, it started popping back up again. Anyway, here it goes:


Antivirus Version Last Update Result
AhnLab-V3 2008.9.25.0 2008.09.26 -
AntiVir 7.8.1.34 2008.09.27 -
Authentium 5.1.0.4 2008.09.27 -
Avast 4.8.1195.0 2008.09.27 Win32:PureMorph
AVG 8.0.0.161 2008.09.27 -
BitDefender 7.2 2008.09.28 -
CAT-QuickHeal 9.50 2008.09.27 Win32.Trojan.Obfuscated.gx.3
ClamAV 0.93.1 2008.09.28 -
DrWeb 4.44.0.09170 2008.09.27 -
eSafe 7.0.17.0 2008.09.25 -
eTrust-Vet 31.6.6111 2008.09.27 -
Ewido 4.0 2008.09.27 -
F-Prot 4.4.4.56 2008.09.27 W32/FakeAlert.X.gen!Eldorado
F-Secure 8.0.14332.0 2008.09.28 Trojan.Win32.Obfuscated.gx
Fortinet 3.113.0.0 2008.09.27 W32/PolySmall.BP!tr
GData 19 2008.09.28 Win32:PureMorph
Ikarus T3.1.1.34.0 2008.09.28 -
K7AntiVirus 7.10.476 2008.09.27 -
Kaspersky 7.0.0.125 2008.09.28 Trojan.Win32.Obfuscated.gx
McAfee 5393 2008.09.27 FakeAlert-BD
Microsoft 1.3903 2008.09.28 TrojanDownloader:Win32/FakeAlert.C
NOD32 3477 2008.09.27 a variant of Win32/TrojanDownloader.FakeAlert.IQ
Norman 5.80.02 2008.09.26 -
Panda 9.0.0.4 2008.09.28 -
PCTools 4.4.2.0 2008.09.26 -
Prevx1 V2 2008.09.28 Malicious Software
Rising 20.63.52.00 2008.09.27 -
SecureWeb-Gateway 6.7.6 2008.09.27 -
Sophos 4.34.0 2008.09.28 Mal/EncPk-DG
Sunbelt 3.1.1675.1 2008.09.27 -
Symantec 10 2008.09.28 Packed.Generic.182
TheHacker 6.3.0.9.095 2008.09.27 -
TrendMicro 8.700.0.1004 2008.09.26 TROJ_OBFUSCA.BWA
VBA32 3.12.8.6 2008.09.27 -
ViRobot 2008.9.26.1394 2008.09.26 -
VirusBuster 4.5.11.0 2008.09.26 -
Additional information
File size: 81920 bytes
MD5...: 33dc42c1caf718b0ee0f7384124231e5
SHA1..: 7c952b5eed0cbe9f9afb19d2c982e25d1a800c4c
SHA256: c120f9420a020621199ed22edf3dc138a39c68e6432791cbae1062bc6a5834d0
SHA512: 22feb583210966f08d759198d6c7f39dee4fbb7bf26b0bb90982bb0ebe564937
58dba9b903b42e8b4be818ade5522ad0a9bde4564e0a6741fb20a1cd1f0656f8
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x407e5b
timedatestamp.....: 0x48dc6cdb (Fri Sep 26 05:02:19 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.pvopm 0x1000 0x10ec0 0x11000 6.80 c67b0389849356f3626ca4be66d4b469
.abgknk 0x12000 0x71e 0x1000 2.98 6dc44361e86702520191e40653d6c109
.kmrmgn 0x13000 0x5a00 0x1000 0.53 cb47fa25249fbaf05b6b1fe9212831f4

( 4 imports )
> KERNEL32.dll: GetUserDefaultLangID, WideCharToMultiByte, FreeResource, WriteFile, LoadLibraryW, GlobalAlloc, GetPrivateProfileStringW, GetFileAttributesExW, FindFirstChangeNotificationW, ResetEvent, GetModuleHandleW, FindClose, LoadLibraryA, GetCurrentThreadId, FileTimeToSystemTime, GlobalDeleteAtom, Sleep, FindFirstFileW, LockResource, WaitForMultipleObjects, CloseHandle, GetFileSize, lstrlenW, CreateWaitableTimerW, GetLocalTime, GetProcAddress, CreateEventW, MoveFileW, GetLogicalDrives, QueryDosDeviceW, GetModuleFileNameW, CreateProcessW, FindResourceExW
> USER32.dll: FillRect, VkKeyScanW, wsprintfW, TranslateMessage, GetWindowThreadProcessId, GetCursorPos, IsDlgButtonChecked, GetMessageW, DefWindowProcW, GetWindowDC, GetWindowTextW, GetParent, GetDlgItem, SystemParametersInfoW, DestroyMenu, PostThreadMessageW, ReleaseDC, TrackPopupMenu, RedrawWindow
> GDI32.dll: CreateCompatibleBitmap, DeleteObject, CreateBitmap, GetStockObject, LineTo, CreateCompatibleDC, MoveToEx, GetDeviceCaps, Rectangle, SetDIBits
> ADVAPI32.dll: LookupPrivilegeValueW, RegCreateKeyExW

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp...B869700512D1DAD


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Edited by vales1, 27 September 2008 - 08:14 PM.


#6 steamwiz

  • Members
  • 1,039 posts

Posted 28 September 2008 - 01:26 PM

HI

You've just told me in a PM ...

I just finished running (again) Ad aware, Malware, Spybot, Fixedit, combofix, etc.
and am now currently running a full My Computer scan with Kaspersky online.


Before we remove what I know is malware in the Combofix log, I need to see your latest Combofix log ...

ALSO post the Kaspersky online scan report ...

& any logs from the other scans you have JUST run, if they show malware removed or "failed to remove"

When you run scans I don't ask you to, & they remove malware you don't tell me about, it makes it harder for me to assess & remove the problem. For instance, you have run Combofix 5 times up to the last log you posted, & you have also run MBAM several times, as well as many other scanners ... it's good that these scanners take out malware for you, but when I don't see what's been removed, valuable clues are lost.

steam

#7 vales1
  • Topic Starter
  • Members
  • 9 posts

Posted 29 September 2008 - 12:19 AM

Hi Steam,

I've disabled my Kaspersky home user trial as it might affect the results you wanted to see.

The following are the latest:

MBAM LOG

Malwarebytes' Anti-Malware 1.28
Database version: 1211
Windows 5.1.2600 Service Pack 3

9/28/2008 8:13:54 PM
mbam-log-2008-09-28 (20-13-54).txt

Scan type: Quick Scan
Objects scanned: 52382
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



HIJACKTHIS LOG


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:08:30, on 9/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /M "Stylus CX4200" /EF "HKCU"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.vectorvest.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O21 - SSODL: StrWebProc - {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10910 bytes

#8 vales1
  • Topic Starter
  • Members
  • 9 posts

Posted 29 September 2008 - 12:38 AM

ComboFix 08-09-27.06 - 5thTry 2008-09-28 22:26:08.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3147 [GMT -7:00]
Running from: C:\Documents and Settings\5thTry\Desktop\My Stuff\AntiSpyware\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-28 09:53 . 2008-09-28 09:53 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-28 09:53 . 2008-09-28 09:53 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-28 09:51 . 2008-09-28 09:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 01:31 . 2008-09-28 01:31 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-09-28 01:31 . 2008-09-28 10:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-09-28 01:31 . 2008-09-28 20:53 3,852,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-09-28 01:31 . 2008-09-28 20:53 442,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-09-28 01:31 . 2008-09-28 01:41 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-09-28 01:31 . 2008-09-28 01:31 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-09-28 01:31 . 2008-09-28 20:53 35,372 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-09-28 01:31 . 2008-09-28 20:53 4,688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-09-28 01:29 . 2008-09-28 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-28 00:17 . 2008-09-28 00:17 4,444 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-27 08:40 . 2008-09-27 23:27 <DIR> d-------- C:\!FixIEDef
2008-09-27 00:31 . 2008-09-27 00:31 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-09-27 00:31 . 2008-09-27 00:31 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-27 00:19 . 2008-09-27 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-27 00:18 . 2008-09-27 00:18 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-27 00:11 . 2008-09-27 00:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-26 18:31 . 2008-09-28 20:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-26 18:31 . 2008-09-28 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-26 18:08 . 2008-09-27 00:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 18:08 . 2008-09-26 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 18:08 . 2008-09-26 18:08 <DIR> d-------- C:\Documents and Settings\5thTry\Application Data\Malwarebytes
2008-09-26 18:08 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-26 18:08 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-26 17:46 . 2008-09-26 17:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-26 17:46 . 2008-09-27 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-26 16:36 . 2008-09-26 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-25 22:47 . 2008-09-25 22:47 29 --a------ C:\WINDOWS\system32\retupogd.tmp
2008-09-25 22:46 . 2008-09-25 22:46 <DIR> d-------- C:\Program Files\hwfrxz
2008-09-25 22:46 . 2008-09-26 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fsbaxafk
2008-09-25 22:46 . 2008-09-28 02:37 73,216 --a------ C:\WINDOWS\system32\wpv502.cpx
2008-09-15 19:38 . 2008-09-19 22:55 1,834 --a------ C:\Documents and Settings\5thTry\Application Data\SAS7_000.DAT
2008-09-15 19:08 . 2008-09-15 19:08 <DIR> d-------- C:\Documents and Settings\5thTry\Application Data\Nuance
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Program Files\Common Files\Nuance
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-15 19:05 . 2008-09-15 19:05 <DIR> d-------- C:\Program Files\Nuance
2008-09-15 19:05 . 2008-09-15 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2008-09-15 17:44 . 2008-09-15 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-15 17:42 . 2008-09-15 19:08 <DIR> d-------- C:\WINDOWS\speech
2008-09-15 17:34 . 2006-10-20 00:10 501,912 --a------ C:\WINDOWS\system32\PICSDK2.dll
2008-09-15 17:34 . 2006-10-20 00:10 108,704 --a------ C:\WINDOWS\system32\PICEntry.dll
2008-09-15 17:34 . 2004-03-03 06:10 31,053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-09-15 17:34 . 2004-03-03 06:10 27,417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-08-29 15:53 . 2008-08-29 15:53 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 23:13 21,424 ----a-w C:\Documents and Settings\5thTry\Application Data\GDIPFONTCACHEV1.DAT
2008-09-28 08:56 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-09-28 04:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-27 07:42 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-09-26 23:39 --------- d-----w C:\Documents and Settings\5thTry\Application Data\Apple Computer
2008-09-16 00:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-12 22:27 --------- d-----w C:\Documents and Settings\5thTry\Application Data\U3
2008-08-19 07:05 0 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-08-19 07:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 07:05 --------- d-----w C:\Program Files\Common Files\Nikon
2008-08-19 05:39 --------- d-----w C:\Documents and Settings\5thTry\Application Data\ArcSoft
2008-08-19 05:38 --------- d-----w C:\Documents and Settings\5thTry\Application Data\Nikon
2008-08-19 05:28 --------- d-----w C:\Program Files\Nikon
2008-08-19 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-08-19 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-08-12 00:30 --------- d-----w C:\Program Files\Java
2008-08-09 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-30 03:21 218,376 ----a-w C:\WINDOWS\system32\klogon.dll
2008-07-30 03:20 24,774 ----a-w C:\WINDOWS\system32\drivers\klopp.dat
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"Google Update"="C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 81920]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2007-03-19 259624]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-10 25214]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-20 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StrWebProc"= {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll [2008-09-25 114688]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Forged Alliance\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"D:\\Forged Alliance\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
R0 tiamobus;vcdrom Bus;C:\WINDOWS\system32\DRIVERS\tiamobus.sys [2007-01-06 6784]
R0 tiamoport;cxlmo Miniport;C:\WINDOWS\system32\DRIVERS\tiamominiport.sys [2007-01-06 18304]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-01-06 286720]
S2 squvmvjt;squvmvjt;C:\WINDOWS\system32\drivers\squvmvjt.sys [ ]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\WINDOWS\system32\Drivers\athwpn.sys [2004-10-14 43392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3726777e-9cf5-11db-8268-00146c59c10e}]
\Shell\AutoRun\command - I:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de09d28e-2c47-11dd-8360-00146c59c10e}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc402-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc403-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - L:\SCVHOST.exe
\Shell\Open\command - L:\SCVHOST.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\5thTry\Application Data\Mozilla\Firefox\Profiles\d7wikvch.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.yahoo.com/|http://www.optionsxpress.com/index1.aspx?sessionid=0
FF -: plugin - C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1111.1511\npCIDetect11.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npnul32.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3 Beta 4\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 22:27:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-28 22:28:58
ComboFix-quarantined-files.txt 2008-09-29 05:28:21
ComboFix2.txt 2008-09-29 03:58:48
ComboFix3.txt 2008-09-28 06:29:55
ComboFix4.txt 2008-09-27 18:25:51
ComboFix5.txt 2008-09-29 05:26:03

Pre-Run: 23,604,424,704 bytes free
Post-Run: 23,637,028,864 bytes free

200 --- E O F --- 2008-09-28 16:57:01

#9 steamwiz

Posted 29 September 2008 - 02:02 PM

Hi

There is no sign of any new malware ...

This is what I had tagged for removal :-

C:\WINDOWS\system32\retupogd.tmp
C:\WINDOWS\system32\hmvofypu.exe
C:\WINDOWS\system32\wpv123.cpx.bak
C:\WINDOWS\system32\wpv502.cpx
C:\Program Files\hwfrxz
C:\Documents and Settings\All Users\Application Data\fsbaxafk

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smartmonadm"="C:\WINDOWS\system32\hmvofypu.exe" [2008-09-25 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StrWebProc"= {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll [2008-09-25 114688]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc403-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - L:\SCVHOST.exe
\Shell\Open\command - L:\SCVHOST.exe

These are no longer shown :-

C:\WINDOWS\system32\hmvofypu.exe
C:\WINDOWS\system32\wpv123.cpx.bak

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smartmonadm"="C:\WINDOWS\system32\hmvofypu.exe" [2008-09-25 81920]

hmvofypu.exe is the file I had you scan at virustotal. Did YOU delete it, and its run key? It's OK if you did :thumbsup:

I'm going to give you a script to get Combofix to remove everything above. I'll also include the ones which are now missing; it can't do any harm ...

Open Notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\retupogd.tmp
C:\WINDOWS\system32\hmvofypu.exe
C:\WINDOWS\system32\wpv123.cpx.bak
C:\WINDOWS\system32\wpv502.cpx

Folder::
C:\Program Files\hwfrxz
C:\Documents and Settings\All Users\Application Data\fsbaxafk

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smartmonadm"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StrWebProc"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc403-0e99-11dd-831e-00146c59c10e}]


Save this as "CFScript.txt"

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let me know if any problems still persist.

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
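The triage steamwiz did by eye in the post above (a file with a random name dropped into system32 a few days before the scan and started from a Run key, a ShellServiceObjectDelayLoad DLL living under a random-named Program Files folder, a service whose driver file ComboFix shows as `[ ]`, and a removable drive whose AutoRun and Open verbs both launch `SCVHOST.exe`) can be written down as rules. The script below is an added example written for this page, not ComboFix's code or steamwiz's own tooling: it parses a short excerpt copied from the posted log, applies the editor's own heuristics, and prints a CFScript in the `File::` / `Registry::` form the post describes. The 14-day "recently dropped" window, the list of system binaries a dropper tends to imitate, and the `Driver::` section (a ComboFix directive this thread does not use) are the editor's choices, not anything stated in the thread.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and draft a CFScript for
what it flags. Editor's example for this thread, not ComboFix code; heuristics are the editor's."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
SCAN_DATE = date(2008, 9, 28)  # date of the scan posted above
# Constructed excerpt: every line below is copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"smartmonadm"="C:\WINDOWS\system32\hmvofypu.exe" [2008-09-25 81920]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StrWebProc"= {024EA016-C0B4-B8E2-7A34-088C3BCAE764} - C:\Program Files\hwfrxz\StrWebProc.dll [2008-09-25 114688]
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 32784]
S2 squvmvjt;squvmvjt;C:\WINDOWS\system32\drivers\squvmvjt.sys [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc403-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - L:\SCVHOST.exe
\Shell\Open\command - L:\SCVHOST.exe
"""
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:\{[0-9A-Fa-f-]+\}\s*-\s*)?"?'
                      r'(?P<path>[^"\[]+?)"?\s*\[(?P<info>[^\]]*)\]$')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>[^\[]+?)\s*\[(?P<info>[^\]]*)\]$")
MOUNT_RE = re.compile(r"^\\Shell\\(?P<verb>AutoRun|Open)\\command - (?P<cmd>.+)$")
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe")  # assumed list

@dataclass
class Finding:
    kind: str  # "run", "ssodl", "driver" or "mountpoint"
    key: str
    name: str
    path: str
    reason: str

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(exe):  # the system binary `exe` imitates (edit distance 1-2), else None
    for real in SYSTEM_BINARIES:
        if exe != real and levenshtein(exe, real) <= 2:
            return real
    return None

def dropped_recently(info, scan_date, days):  # `info` is ComboFix's "[YYYY-MM-DD size]" text
    try:
        stamp = date.fromisoformat(info.split()[0])
    except (ValueError, IndexError):
        return False
    return timedelta(0) <= scan_date - stamp <= timedelta(days=days)

def triage(log_text, scan_date, recent_days=14):
    findings, key, mounts = [], None, {}
    for line in (ln.strip() for ln in log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif m := SERVICE_RE.match(line):
            if not m.group("info").strip():  # ComboFix prints [ ] when the file is absent
                findings.append(Finding("driver", "", m.group("name"), m.group("path"),
                                        "service registered but its driver file is missing or hidden"))
        elif (m := MOUNT_RE.match(line)) and key and "mountpoints2" in key.lower():
            mounts.setdefault(key, {})[m.group("verb")] = m.group("cmd")
        elif (m := VALUE_RE.match(line)) and key:
            path, in_sys32 = m.group("path"), "\\system32\\" in m.group("path").lower()
            if key.lower().endswith("shellserviceobjectdelayload") and not in_sys32:
                findings.append(Finding("ssodl", key, m.group("name"), path,
                                        "ShellServiceObjectDelayLoad DLL outside system32"))
            elif key.lower().endswith("\\run") and in_sys32 and \
                    dropped_recently(m.group("info"), scan_date, recent_days):
                findings.append(Finding("run", key, m.group("name"), path,
                                        f"dropped into system32 within {recent_days} days of the scan"))
    for key, cmds in mounts.items():  # removable-drive AutoRun entries
        cmd = cmds.get("AutoRun") or cmds["Open"]
        exe = cmd.split()[0].rsplit("\\", 1)[-1].lower()
        reasons = ["Open verb hijacked: double-clicking the drive runs it"] if "Open" in cmds else []
        if real := lookalike(exe):
            reasons.append(f"{exe} imitates {real}")
        if reasons:
            findings.append(Finding("mountpoint", key, exe, cmd, "; ".join(reasons)))
    return findings

def cfscript(findings):
    """Render the CFScript sections ComboFix reads; File:: has to be the first line."""
    files = [f.path for f in findings if f.kind in ("run", "ssodl")]
    drivers = [f.name for f in findings if f.kind == "driver"]
    registry = [f"[-{f.key}]" if f.kind == "mountpoint" else f'[{f.key}]\n"{f.name}"=-'
                for f in findings if f.kind != "driver"]
    sections = [("File::", "\n", files), ("Driver::", "\n", drivers), ("Registry::", "\n\n", registry)]
    return "\n\n".join(h + "\n" + sep.join(body) for h, sep, body in sections if body) + "\n"

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, SCAN_DATE)
    print("\n".join(f"{f.kind:10} {f.name:14} {f.reason}" for f in hits), cfscript(hits), sep="\n\n")
```

On the excerpt this flags exactly the four items steamwiz scripted and leaves `swg`, `ctfmon.exe`, the Kaspersky driver and the U3 launcher alone. A flag is a lead, not a verdict: steamwiz had `hmvofypu.exe` checked at virustotal before writing its removal into the script, and anything a rule like this produces deserves the same confirmation before it goes into a CFScript.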

#10 vales1

Posted 29 September 2008 - 05:08 PM

Steam,

I completely uninstalled Kaspersky and did exactly as you said for Combo Fix.
Here's the log. I'm also running the Kaspersky online scan and I'll post the results when it's done.





ComboFix 08-09-28.01 - 5thTry 2008-09-29 14:56:51.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3109 [GMT -7:00]
Running from: C:\Documents and Settings\5thTry\Desktop\My Stuff\AntiSpyware\ComboFix.exe
Command switches used :: C:\Documents and Settings\5thTry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\hmvofypu.exe
C:\WINDOWS\system32\retupogd.tmp
C:\WINDOWS\system32\wpv123.cpx.bak
C:\WINDOWS\system32\wpv502.cpx
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\fsbaxafk
C:\Program Files\hwfrxz
C:\Program Files\hwfrxz\StrWebProc.dll
C:\WINDOWS\system32\retupogd.tmp
C:\WINDOWS\system32\wpv502.cpx

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-29 )))))))))))))))))))))))))))))))
.

2008-09-29 14:43 . 2008-09-29 14:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-28 09:53 . 2008-09-28 09:53 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-28 09:53 . 2008-09-28 09:53 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-28 09:51 . 2008-09-28 09:54 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 01:31 . 2008-09-28 01:31 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-09-28 01:29 . 2008-09-28 01:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-28 00:17 . 2008-09-28 00:17 4,444 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-27 08:40 . 2008-09-27 23:27 <DIR> d-------- C:\!FixIEDef
2008-09-27 00:31 . 2008-09-27 00:31 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-09-27 00:31 . 2008-09-27 00:31 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-09-27 00:19 . 2008-09-27 00:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-27 00:18 . 2008-09-27 00:18 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-27 00:11 . 2008-09-27 00:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-26 18:31 . 2008-09-28 20:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-26 18:31 . 2008-09-28 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-26 18:08 . 2008-09-27 00:11 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-26 18:08 . 2008-09-26 18:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-26 18:08 . 2008-09-26 18:08 <DIR> d-------- C:\Documents and Settings\5thTry\Application Data\Malwarebytes
2008-09-26 18:08 . 2008-09-10 00:08 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-26 18:08 . 2008-09-10 00:08 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-26 17:46 . 2008-09-26 17:46 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-26 17:46 . 2008-09-27 00:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-26 16:36 . 2008-09-26 16:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-15 19:38 . 2008-09-19 22:55 1,834 --a------ C:\Documents and Settings\5thTry\Application Data\SAS7_000.DAT
2008-09-15 19:08 . 2008-09-15 19:08 <DIR> d-------- C:\Documents and Settings\5thTry\Application Data\Nuance
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Program Files\Common Files\Nuance
2008-09-15 19:06 . 2008-09-15 19:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-09-15 19:05 . 2008-09-15 19:05 <DIR> d-------- C:\Program Files\Nuance
2008-09-15 19:05 . 2008-09-15 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nuance
2008-09-15 17:44 . 2008-09-15 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-09-15 17:42 . 2008-09-15 19:08 <DIR> d-------- C:\WINDOWS\speech
2008-09-15 17:34 . 2006-10-20 00:10 501,912 --a------ C:\WINDOWS\system32\PICSDK2.dll
2008-09-15 17:34 . 2006-10-20 00:10 108,704 --a------ C:\WINDOWS\system32\PICEntry.dll
2008-09-15 17:34 . 2004-03-03 06:10 31,053 --a------ C:\WINDOWS\system32\EPPICPattern131.dat
2008-09-15 17:34 . 2004-03-03 06:10 27,417 --a------ C:\WINDOWS\system32\EPPICPattern121.dat
2008-08-29 15:53 . 2008-08-29 15:53 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-29 21:42 --------- d-----w C:\Program Files\GameHouse Games Collection
2008-09-29 06:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-28 23:13 21,424 ----a-w C:\Documents and Settings\5thTry\Application Data\GDIPFONTCACHEV1.DAT
2008-09-28 08:56 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 4
2008-09-26 23:39 --------- d-----w C:\Documents and Settings\5thTry\Application Data\Apple Computer
2008-09-16 00:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-12 22:27 --------- d-----w C:\Documents and Settings\5thTry\Application Data\U3
2008-08-19 07:05 0 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT
2008-08-19 07:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-19 07:05 --------- d-----w C:\Program Files\Common Files\Nikon
2008-08-19 05:39 --------- d-----w C:\Documents and Settings\5thTry\Application Data\ArcSoft
2008-08-19 05:38 --------- d-----w C:\Documents and Settings\5thTry\Application Data\Nikon
2008-08-19 05:28 --------- d-----w C:\Program Files\Nikon
2008-08-19 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ultima_T15
2008-08-19 05:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\EnterNHelp
2008-08-12 00:30 --------- d-----w C:\Program Files\Java
2008-08-09 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-19 05:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 05:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 05:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 05:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 05:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 05:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 05:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 05:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 05:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 05:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
.

((((((((((((((((((((((((((((( snapshot_2008-09-28_20.58.31.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-30 01:29:38 32,784 ----a-w C:\WINDOWS\LastGood\system32\DRIVERS\klbg.sys
+ 2008-09-28 08:31:00 213,008 ----a-w C:\WINDOWS\LastGood\system32\DRIVERS\klif.sys
+ 2008-05-01 01:06:48 24,592 ----a-w C:\WINDOWS\LastGood\system32\DRIVERS\klim5.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-20 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"Google Update"="C:\Documents and Settings\5thTry\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-09 8527872]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-09 81920]
"EPSON Stylus CX4200 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"ElbyCheckAnyDVD"="C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"DNS7reminder"="C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2007-03-19 259624]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-09 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-01-10 25214]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-12-20 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"SerialNumber"="A109A-K13-3ZXD-BAP5-TE"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Forged Alliance\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=
"D:\\Forged Alliance\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 tiamobus;vcdrom Bus;C:\WINDOWS\system32\DRIVERS\tiamobus.sys [2007-01-06 6784]
R0 tiamoport;cxlmo Miniport;C:\WINDOWS\system32\DRIVERS\tiamominiport.sys [2007-01-06 18304]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-01-06 286720]
R4 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [ ]
S2 squvmvjt;squvmvjt;C:\WINDOWS\system32\drivers\squvmvjt.sys [ ]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\WINDOWS\system32\Drivers\athwpn.sys [2004-10-14 43392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3726777e-9cf5-11db-8268-00146c59c10e}]
\Shell\AutoRun\command - I:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de09d28e-2c47-11dd-8360-00146c59c10e}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e03bc402-0e99-11dd-831e-00146c59c10e}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-29 14:57:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\klogon.dll
.
Completion time: 2008-09-29 14:59:13
ComboFix-quarantined-files.txt 2008-09-29 21:58:30
ComboFix2.txt 2008-09-29 05:28:59
ComboFix3.txt 2008-09-29 03:58:48
ComboFix4.txt 2008-09-28 06:29:55
ComboFix5.txt 2008-09-29 21:56:37

Pre-Run: 23,784,321,024 bytes free
Post-Run: 23,790,411,776 bytes free

186 --- E O F --- 2008-09-28 16:57:01

#11 vales1

Posted 29 September 2008 - 07:33 PM

Here's the Kaspersky online scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, September 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, September 29, 2008 22:08:47
Records in database: 1274872
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
N:\

Scan statistics:
Files scanned: 98135
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:03:31


File name / Threat name / Threats count
C:\Documents and Settings\5thTry\Desktop\My Stuff\AntiSpyware\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\5thTry\Desktop\My Stuff\AntiSpyware\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
F:\Software Collection\Tiger Milk(make your's pc look like macintoch) NEW\TM_V351.exe Infected: not-a-virus:NetTool.Win32.PsKill.a 1

The selected area was scanned.

#12 steamwiz

Posted 30 September 2008 - 02:01 PM

Hi

Your Combofix log is now clean :thumbsup:

Your KASPERSKY ONLINE SCANNER 7 REPORT is also clean :)

The first 2 entries refer to SmitfraudFix\Reboot.exe ... which is classed as a RiskTool...

The 3rd refers to TM_V351.exe as infected with NetTool.Win32.PsKill ... also a RiskTool...

RiskTools are programs which are not malicious in themselves, but could be used by malware ...

The first 2 are definitely being used legitimately by SmitfraudFix...

The last one does not look suspicious to me (make your's pc look like macintosh) ... can you confirm you downloaded it yourself and that it does what it says? The file appears to be approx. 47MB, so there is a lot in it; I would have it scanned at virustotal if you have any doubts ...

Otherwise all is good :)

Are all your problems resolved?

steam

Edited by steamwiz, 30 September 2008 - 02:59 PM.
to correct spelling


#13 vales1

Posted 30 September 2008 - 11:30 PM

Steam, I cannot thank you enough for helping me.

As for prevention, would you recommend that I purchase a full time Anti spyware / Malware and a firewall? If so, which ones should I get? Thank you so much again!!!

#14 steamwiz

Posted 01 October 2008 - 03:42 PM

Hi

Before you leave the site ...

Please have a look here at ways to keep your computer safe :-

Simple steps to keep your computer secure! By Grinler > http://www.bleepingcomputer.com/forums/t/1628/simple-steps-to-keep-your-computer-secure/

& here :-

So how did I get infected in the first place? By TonyKlein > http://forums.spybot.info/showthread.php?t=279

I would advise you at least install these 4 programs :-

1. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
2. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
3. IE-Spyad: http://www.spywarewarrior.com/uiuc/resource.htm
4. http://www.mvps.org/winhelp2002/hosts.htm

#3 IE-Spyad will place over 30,000 known bad sites in your "restricted sites" list, which stops bad sites downloading malware to your computer (but you can still access the site).

Here's a tutorial I wrote to help you install IE-Spyad :-

http://www.help2go.com/Tutorials/Spyware_I...g_ZonedOut.html

#4 The hosts file will similarly block known bad sites from loading onto your computer by using the hosts file.

Along with an anti-virus program (AVG is free) and a firewall (Zonealarm is good and free), these will go a long way toward helping to keep your computer clean and safe.

To comment on your ...

would you recommend that I purchase a full time Anti spyware / Malware and a firewall?


The above links & suggestions are all to free programs; I believe they are quite sufficient to provide all the security necessary for the average home user ... however, for those who regularly surf the "dark side" of the net, that's a different matter :thumbsup:

Please let me know if you have any further questions.

Happy surfing :)

steam
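The hosts-file block list steamwiz recommends as item #4 works because Windows consults the hosts file before DNS: a known bad hostname mapped to 0.0.0.0 or 127.0.0.1 never reaches the network. The parser below is an added example written for this page, not the MVPS project's code or anything the poster supplied. It reads a constructed hosts file in the MVPS layout (placeholder names under `.example` and `.invalid`, and the documentation address 203.0.113.5; none of it is from the real list), resolves names the way the Windows resolver does (comments stripped, case-insensitive, first match wins) and separates blocking entries from entries that send a name to some other address, which a blocking hosts file should never contain and which is worth checking for whenever the file has been edited.

```python
"""Parse a Windows hosts file as the resolver reads it and audit its entries.
Editor's example for this thread; not the MVPS project's code or the poster's."""
import ipaddress

# Constructed sample in the MVPS layout; hostnames are placeholders, not real list entries.
SAMPLE_HOSTS = """\
# header lines are comments
127.0.0.1 localhost
0.0.0.0 ads.tracker.example  # [Adware] banner server
0.0.0.0 spyware-update.invalid www.spyware-update.invalid
203.0.113.5 update.antivirus-vendor.example
0.0.0.0 ADS.TRACKER.EXAMPLE
"""

# Addresses that make an entry a block rather than a redirect.
BLOCK_ADDRESSES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("127.0.0.1")}

def parse_hosts(text):
    """Return [(address, hostname, line_no)] for every mapping, in file order."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere on the line
        if not body:
            continue
        addr, *names = body.split()  # one address, one or more hostnames
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: the resolver ignores it, so do we
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries

def resolve(hostname, entries):
    """First matching entry wins, as on Windows; None means the name goes to DNS."""
    hostname = hostname.lower()
    for ip, name, _ in entries:
        if name == hostname:
            return ip
    return None

def audit(entries):
    """Split entries into blocks, redirects to a routable address, and duplicate names."""
    report = {"blocked": [], "redirected": [], "duplicates": []}
    seen = {}
    for ip, name, line_no in entries:
        if name in seen:  # later duplicate never wins, so it is dead weight (or a hint of tampering)
            report["duplicates"].append((name, seen[name], line_no))
            continue
        seen[name] = line_no
        if ip in BLOCK_ADDRESSES:
            if name != "localhost":
                report["blocked"].append(name)
        else:
            report["redirected"].append((name, str(ip), line_no))
    return report

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("ads.tracker.example ->", resolve("ADS.tracker.example", entries))
    for kind, items in audit(entries).items():
        print(f"{kind}: {items}")
```

The `redirected` list is the part to read first: a legitimate blocking list only ever points names at 0.0.0.0 or loopback, so any entry that sends a hostname somewhere routable was put there by something other than the list.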



