Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please Diagnose


  • This topic is locked This topic is locked
9 replies to this topic

#1 bustamove

bustamove

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 12 February 2009 - 04:20 PM

This is my brothers PC (HP pavilion, don't know the model) and this one is a pretty severe infection. His background has been replaced with a flashing warning sign stating that dangerous spyware has been detected. We have ran ad-aware, spybot as well as malaware bytes. No improvement whatsoever as far as the eye can tell. Pop-ups are becoming more frequent and more concerning. The hijackThis log is below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:08 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas11.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: {fa376aa0-8636-517a-4ce4-e4d504d27c65} - {56c72d40-5d4e-4ec4-a715-63680aa673af} - C:\WINDOWS\system32\jgtexk.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\khfEXpnm.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Program Files\CyberDefender\AntiSpyware\cdas11.exe" /minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.java.com
O15 - Trusted Zone: *.windowsupsate.com
O16 - DPF: RaptisoftGameLoader - http://real.gamehouse.com/games/raptisoft/...tgameloader.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly Here and Now\Images\stg_drm.ocx
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121380491828
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly Here and Now\Images\armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} (CPlayFirstWeddingDasControl Object) - http://zone.msn.com/bingame/wedd/default/W...sh.1.0.0.50.cab
O20 - AppInit_DLLs: karna.dat jgtexk.dll
O20 - Winlogon Notify: khfEXpnm - C:\WINDOWS\SYSTEM32\khfEXpnm.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 10512 bytes

Any help is greatly appreciated.

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:15 PM

Posted 12 February 2009 - 08:15 PM

Hello bustamove,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

I will be analyzing your log. I will get back to you with instructions after it is approved.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 12 February 2009 - 10:44 PM

ok gotcha .... and no worries about the time it took .. =)

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:15 PM

Posted 14 February 2009 - 12:12 PM

Hello bustamove,

1.
Please disable all antispyware and antivirus programs until we have finished with the cleaning of your machine. Some of these programs may interfere with some of the other tools we will be using.

2.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

3.
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
4.
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log
Superantispyware log.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 14 February 2009 - 06:48 PM

Ok got the logs that you asked for. Quick note though, I was unable to disable cyberdefender so I had to uninstall it from the pc.

Here is the combofix log:

ComboFix 09-02-12.03 - Chris 2009-02-14 18:20:16.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.201 [GMT -5:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Chris\LOCALS~1\Temp\mousehook.dll
c:\documents and settings\Chris\Application Data\install.dat
c:\windows\system32\__c00EE434.dat
c:\windows\system32\ahtn.htm
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekatpsxgqfp.sys
c:\windows\system32\init32.exe
c:\windows\system32\ntdll64.exe
c:\windows\system32\senekaltlwadyl.dll
c:\windows\system32\senekarfurjxit.dat
c:\windows\system32\senekasrldbair.dll
c:\windows\system32\senekavyiujpiq.dat
c:\windows\system32\senekawborobvm.dll
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winlogon2.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2009-01-14 to 2009-02-14 )))))))))))))))))))))))))))))))
.

2009-02-14 12:53 . 2009-02-14 12:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-14 12:45 . 2009-02-14 12:45 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-14 12:45 . 2009-02-14 12:45 <DIR> d-------- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2009-02-14 12:44 . 2009-02-14 12:44 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-12 16:11 . 2009-02-12 16:11 <DIR> d-------- c:\program files\Trend Micro
2009-02-12 14:29 . 2009-02-12 13:22 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-02-12 13:22 . 2009-02-12 13:22 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-12 13:19 . 2009-02-12 13:19 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-12 13:18 . 2009-02-12 13:18 <DIR> d-------- c:\program files\Lavasoft
2009-02-12 13:18 . 2009-02-12 13:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-12 12:33 . 2009-02-12 12:33 46,080 --------- c:\windows\system32\clickfile.exe
2009-02-06 13:33 . 2009-02-14 18:25 2,204 --a------ c:\windows\jtwamohg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 23:19 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-08 22:15 --------- d-----w c:\program files\MSN Games
2009-01-20 03:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-29 16:22 --------- d-----w c:\documents and settings\DJ\Application Data\InstallShield Installation Information
2008-12-29 16:18 --------- d-----w c:\program files\Maestro Learning
2008-12-29 16:17 --------- d-----w c:\documents and settings\DJ\Application Data\InstallShield
2008-12-22 00:47 --------- d-----w c:\program files\iTunes
2008-12-22 00:47 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-22 00:44 --------- d-----w c:\program files\iPod
2008-12-22 00:36 --------- d-----w c:\program files\QuickTime
2008-10-26 17:08 16,969 ----a-w c:\documents and settings\Chris\Application Data\epuleq.bin
2008-10-26 17:08 14,198 ----a-w c:\documents and settings\All Users\Application Data\ahilalem.bat
2008-10-26 17:08 11,299 ----a-w c:\documents and settings\All Users\Application Data\maqivis.pif
2008-10-26 14:09 16,142 ----a-w c:\documents and settings\All Users\Application Data\pysirydyso.bat
2008-10-26 14:09 15,405 ----a-w c:\documents and settings\All Users\Application Data\awyhasozo.dat
2008-10-26 14:09 13,532 ----a-w c:\program files\Common Files\limuxinog._sy
2008-10-25 20:51 19,874 ----a-w c:\program files\Common Files\agot.com
2008-10-25 20:51 18,834 ----a-w c:\documents and settings\All Users\Application Data\uzozy.pif
2008-10-25 20:51 15,265 ----a-w c:\documents and settings\All Users\Application Data\iwuqocazo.dll
2008-10-25 20:51 14,805 ----a-w c:\program files\Common Files\eceg.dll
2008-10-25 20:51 12,329 ----a-w c:\program files\Common Files\inehy.dll
2008-10-25 19:51 19,049 ----a-w c:\documents and settings\All Users\Application Data\xevakif.bat
2008-10-25 19:51 16,960 ----a-w c:\documents and settings\All Users\Application Data\olojubytyf.vbs
2008-10-25 19:51 12,310 ----a-w c:\documents and settings\All Users\Application Data\xomotuwox.sys
2008-10-25 19:51 11,298 ----a-w c:\documents and settings\DJ\Application Data\hyfosifaq.reg
2008-10-25 19:51 10,841 ----a-w c:\program files\Common Files\ufeciz.bat
2008-10-25 19:51 10,411 ----a-w c:\program files\Common Files\ezerebilub.lib
2008-10-23 14:21 13,769 ----a-w c:\documents and settings\All Users\Application Data\waqyti.pif
2008-10-23 14:21 11,653 ----a-w c:\program files\Common Files\obozusa.bin
2008-10-23 14:21 11,077 ----a-w c:\documents and settings\All Users\Application Data\nudoxi.vbs
2008-10-21 16:34 19,579 ----a-w c:\documents and settings\All Users\Application Data\bebavylit.pif
2008-10-21 16:34 13,773 ----a-w c:\documents and settings\All Users\Application Data\abibekelo.bat
2008-12-21 01:40 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-21 01:40 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-21 01:40 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-21 01:40 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-21 01:40 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-10-09 05:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100920081010\index.dat
2008-10-27 04:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102720081028\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-03-11 180269]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-12 509784]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat ohjzmt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^SpamSubtract.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\SpamSubtract.lnk
backup=c:\windows\pss\SpamSubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 20:50 1603152 c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 20:01 644696 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-12-22 18:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
--a------ 2003-08-21 06:15 483328 c:\windows\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
--a------ 2003-08-21 06:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 05:04 57344 c:\program files\Lexmark 4200 Series\lxbmbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2004-04-13 23:43 233472 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\regcmdcons]
--a------ 1999-11-07 10:11 27136 c:\hp\bin\cloaker.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-03-11 11:20 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
--a------ 2008-11-10 12:23 157312 c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-12 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 jtwamohg;jtwamohg;c:\windows\system32\drivers\bjqwcdnd.sys []
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4510e931-133a-11dd-846f-0011093b14b2}]
\Shell\AutoRun\command - K:\
\Shell\open\Command - rundll32.exe .\\mskcrtd.dll,InstallM
.
Contents of the 'Scheduled Tasks' folder

2009-02-12 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-12 13:22]

2009-01-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2004-12-14 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-02-12 23:39]

2009-02-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Notify-__c00EE434 - c:\windows\system32\__c00EE434.dat
MSConfigStartUp-McAfeeUpdaterUI - c:\program files\Network Associates\Common Framework\UpdaterUI.exe
MSConfigStartUp-Network Associates Error Reporting Service - c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe
MSConfigStartUp-Weather - c:\progra~1\AWS\WEATHE~1\Weather.exe
MSConfigStartUp-WT GameChannel - c:\program files\WildTangent\Apps\GameChannel.exe
MSConfigStartUp-XP Antispyware 2009 - c:\program files\XP_Antispyware\XP_AntiSpyware.exe
MSConfigStartUp-VTTimer - VTTimer.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: java.com
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\www
Trusted Zone: microsoft.com\www.update
Trusted Zone: msn.com\www
Trusted Zone: windowsupsate.com
DPF: RaptisoftGameLoader - hxxp://real.gamehouse.com/games/raptisoft/raptisoftgameloader.cab
DPF: {64D01C7F-810D-446E-A07E-365764235644} - hxxp://kraisoft.com/files/realone/atomaders.cab
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\ufprlo4r.default\
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-14 18:33:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\bjqwcdnd.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
.
**************************************************************************
.
Completion time: 2009-02-14 18:36:42 - machine was rebooted [Chris]
ComboFix-quarantined-files.txt 2009-02-14 23:36:38

Pre-Run: 164,377,513,984 bytes free
Post-Run: 164,271,648,768 bytes free

305 --- E O F --- 2009-01-30 00:21:57



Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:47 PM, on 2/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.java.com
O15 - Trusted Zone: *.windowsupsate.com
O16 - DPF: RaptisoftGameLoader - http://real.gamehouse.com/games/raptisoft/...tgameloader.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly Here and Now\Images\stg_drm.ocx
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {226ACC34-3194-70E2-5AE7-864FCFE9E80D} (CPlayFirstmsiControl Object) - http://zone.msn.com/bingame/mosi/default/msi.1.0.0.9.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121380491828
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly Here and Now\Images\armhelper.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} (CPlayFirstWeddingDasControl Object) - http://zone.msn.com/bingame/wedd/default/W...sh.1.0.0.50.cab
O20 - AppInit_DLLs: karna.dat ohjzmt.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Unknown owner - C:\WINDOWS\system32\LEXBCES.EXE (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

--
End of file - 9965 bytes


And lastly here is the superantispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2009 at 05:14 PM

Application Version : 4.25.1012

Core Rules Database Version : 3758
Trace Rules Database Version: 1721

Scan type : Complete Scan
Total Scan Time : 02:30:53

Memory items scanned : 250
Memory threats detected : 3
Registry items scanned : 7062
Registry threats detected : 69
File items scanned : 100228
File threats detected : 63

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\OHJZMT.DLL
C:\WINDOWS\SYSTEM32\OHJZMT.DLL
HKU\S-1-5-21-766924768-3248087196-1228313261-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DCCA463E-9147-4B5E-85DE-84DCBEA9DE77}
C:\WINDOWS\SYSTEM32\JGTEXK.DLL
C:\WINDOWS\SYSTEM32\MDIUXY.DLL
C:\WINDOWS\SYSTEM32\MZLJEW.DLL

Trojan.Unclassified/C00-WL/A
C:\WINDOWS\SYSTEM32\__C0096EC5.DAT
C:\WINDOWS\SYSTEM32\__C0096EC5.DAT
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\__c0096EC5

Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\KHFEXPNM.DLL
C:\WINDOWS\SYSTEM32\KHFEXPNM.DLL
C:\WINDOWS\SYSTEM32\DDCCSLIY.DLL
C:\WINDOWS\SYSTEM32\JKKJCDTT.DLL
C:\WINDOWS\SYSTEM32\OPNOOOHF.DLL
C:\WINDOWS\SYSTEM32\URQNGFYQ.DLL

Trojan.Unknown Origin
[Framework Windows] C:\WINDOWS\SYSTEM32\FRMWRK32.EXE
C:\WINDOWS\SYSTEM32\FRMWRK32.EXE
C:\WINDOWS\SYSTEM32\998.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKU\S-1-5-21-766924768-3248087196-1228313261-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}

Trojan.Vundo-Variant/NextGen-Six
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dcca463e-9147-4b5e-85de-84dcbea9de77}
HKCR\CLSID\{DCCA463E-9147-4B5E-85DE-84DCBEA9DE77}
HKCR\CLSID\{DCCA463E-9147-4B5E-85DE-84DCBEA9DE77}\InprocServer32
HKCR\CLSID\{DCCA463E-9147-4B5E-85DE-84DCBEA9DE77}\InprocServer32#ThreadingModel

Grip Toolbar BHO
HKU\S-1-5-21-766924768-3248087196-1228313261-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08F46458-D00F-4573-8EB3-A9A9E15503F8}

Rootkit.Agent/Gen-SENEKA
HKLM\System\ControlSet003\Services\seneka
C:\WINDOWS\SYSTEM32\DRIVERS\SENEKAHLHTPUYA.SYS
HKLM\System\ControlSet003\Enum\Root\LEGACY_seneka
HKLM\System\ControlSet004\Services\seneka
HKLM\System\ControlSet004\Enum\Root\LEGACY_seneka
HKLM\System\CurrentControlSet\Services\seneka
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_seneka

Trojan.Vundo-Variant/NextGen
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\khfEXpnm

Trojan.Unclassified/C00-WL
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0096EC5
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0096EC5#Asynchronous
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0096EC5#DllName
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0096EC5#Impersonate
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0096EC5#Startup
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\__C0096EC5#Logon

Rogue.XP AntiSpyware2009-Trace
C:\Documents and Settings\Chris\Desktop\delself.bat

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+compter
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+compter#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+compter#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\bleeping+compter#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Click1
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs

Rogue.Component/Trace
HKLM\Software\Microsoft\546D1F7E
HKLM\Software\Microsoft\546D1F7E#546d1f7e
HKLM\Software\Microsoft\546D1F7E#Version

Adware.Tracking Cookie
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.ads.pointroll.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.collective-media.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.questionmarket.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.socialmedia.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.trafficmp.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
ads.revsci.net [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
stats.gamestop.com [ C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\w84d0z69.default\cookies.txt ]
C:\WINDOWS\system32\config\systemprofile\Cookies\system@wmvmedialease[1].txt

Adware.MyWebSearch-Installer
C:\DOCUMENTS AND SETTINGS\GUEST\MY DOCUMENTS\WEBFETTISETUP2.2.60.11-2.EXE

Rogue.FakeAlert/Wallpaper
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\YTQTGTQH\WARNING[1].GIF
C:\WINDOWS\SYSTEM32\WARNING.GIF

Adware.Prun-A
C:\WINDOWS\SYSTEM32\PRUNNET.EXE

Rootkit.TDSServ-Trace
C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:15 PM

Posted 15 February 2009 - 04:13 PM

Hello bustamove,

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2.
Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Destop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to acceppt the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.
3.
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Things to include in your next post:
MBAM report
Avira report
Whether or not to proceed with the cleaning or your machine?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 15 February 2009 - 11:33 PM

I have informed the owner of the pc and they feel that the best path forward would be to no longer consume your time and to go ahead and reformat the drives and re-install the OS. Thank you for your help

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:01:15 PM

Posted 16 February 2009 - 08:07 PM

Hello bustamove,

Thanks for visiting Bleeping Computer sorry to give you the bad news. Here are a few tips and tricks to help keep your friend's computer clean after he reformats:

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:I recommend you regularly visit the Windows Update Site , you where lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates seperately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommend, is to download HostMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installlation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
  • Click "Hosts" in the menu
  • Click "Manage Updates" in the submenu
  • Out of the three, select atleast one of the three (I have MVPS Host as my main one)
  • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
    Posted Image
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Sorry I was unable to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 bustamove

bustamove
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:02:15 PM

Posted 16 February 2009 - 08:17 PM

thank you very much for all the help

#10 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:01:15 PM

Posted 17 February 2009 - 05:03 AM

As this issue seems to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
For all others, if you have a similar issue please start a new topic.

Thanks for asking in BleepingComputer.com

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users