Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with the freddy46.exe Trojan


  • This topic is locked This topic is locked
14 replies to this topic

#1 sshort

sshort

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 17 June 2009 - 07:46 PM

I was looking in my processes and noticed one that said freddy46.exe. In doing some further investigation, I found that it is a Trojan. I can access my internet with limit. I can only visit sites I have been to before. When I search something on google or yahoo, I get that it is windowstopcontent.com. I have no idea what to do. Does anybody know how I can get rid of these things. I used hijackthis and deleted the box that said freedy46 but I am not sure if I still have something or not. I also don't know if I have anything else. My log file is below. Thanks.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 20:34:33.42 on Wed 06/17/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.50 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k driver
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
svchost
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.capital.edu/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Companion BHO: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: BHO: {88fd6eaa-5654-4af4-a06c-dcddfbd79f90} - c:\windows\system32\iehelper.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Yahoo! Companion: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\ycomp5_5_7_0.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL c:\progra~1\softwa~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [system tool] c:\windows\sysguard.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [SunKist] c:\program files\digital media reader\shwicon2k.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NI.UWFX5LP_0001_0826] "c:\documents and settings\owner\local settings\temporary internet files\content.ie5\q1lu3a9w\WinFixer2005ScannerInstall[1].exe"
mRun: [BearShare] "c:\program files\bearshare\BearShare.exe" /pause
mRun: [InternetShield] c:\progra~1\intern~2\INTERN~1.EXE -CheckStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld09.exe
mRunOnce: [fmt] c:\docume~1\owner\locals~1\temp\pmt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} - hxxp://secure2.comned.com/signuptemplates/securelogin-devel.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
Filter: text/html - {d8c0d4dd-b9a1-4ad9-9199-cc57fab00393} -
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\jfhtsxh1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 driverdrv;driverdrv;c:\program files\driver\driver.sys [2009-6-17 9472]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R2 driver;driver;c:\windows\system32\svchost.exe -k driver [2005-3-23 14336]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-6 24652]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090613.003\naveng.sys [2009-6-13 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090613.003\navex15.sys [2009-6-13 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-30 38496]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

=============== Created Last 30 ================

2009-06-17 14:45 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-06-17 14:34 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-06-17 14:22 2 ----h--- c:\windows\zaponce52621.dat
2009-06-17 14:22 <DIR> --d----- c:\program files\driver
2009-06-17 14:22 1 ----h--- c:\windows\bf23567.dat
2009-06-17 14:22 40,448 ----h--- c:\windows\freddy46.exe
2009-06-17 14:22 2 ----h--- c:\windows\zaponce52597.dat
2009-06-17 14:22 2 ----h--- c:\windows\zaponce52689.dat
2009-06-17 14:08 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-06-17 12:07 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-17 12:07 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-17 12:06 <DIR> --d----- c:\windows\ie8updates
2009-06-17 12:05 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-17 12:00 <DIR> -cd-h--- c:\windows\ie8
2009-06-15 19:58 2 ----h--- c:\windows\zaponce53173.dat
2009-06-15 19:58 2 ----h--- c:\windows\zaponce53290.dat
2009-06-15 19:58 2 ----h--- c:\windows\zaponce53222.dat
2009-06-15 19:58 2 ----h--- c:\windows\zaponce53198.dat
2009-06-15 19:52 10,752 a------- c:\windows\system32\iehelper.dll
2009-06-15 19:41 25,600 ----h--- c:\windows\ld09.exe
2009-06-15 18:53 <DIR> --d----- c:\docume~1\owner\applic~1\Uniblue

==================== Find3M ====================

2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-20 14:50 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2009-03-20 14:50 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2008-01-02 20:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-04-24 18:39 0 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-08-23 16:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 20:35:59.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 07:38 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sshort

sshort
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 18 June 2009 - 09:04 AM

Thanks for your help. I ran Malwarebytes and found 71 items during the quick scan. I restarted my computer as it told me to do so. I ran hijack this and here are the log files posted below. I will also attach them.

Here is Malwarebytes' Anti-Malware

Malwarebytes' Anti-Malware 1.38
Database version: 2304
Windows 5.1.2600 Service Pack 3

6/18/2009 9:44:22 AM
mbam-log-2009-06-18 (09-44-22).txt

Scan type: Quick Scan
Objects scanned: 113023
Time elapsed: 32 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 46

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\driver\driver.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{88fd6eaa-5654-4af4-a06c-dcddfbd79f90} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{88fd6eaa-5654-4af4-a06c-dcddfbd79f90} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\driver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{88fd6eaa-5654-4af4-a06c-dcddfbd79f90} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b035261-40f9-11d1-aaec-00805fc1270e} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\driverdrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\driverdrv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\driverdrv (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8085:tcp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\Owner\Application Data\Privacy center (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\keys (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\temp (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Application Data\PCenter (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\keys (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\temp (Rogue.PCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\program files\driver\driver.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\ld09.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\install[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\~TMC21.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases\cg.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases\mw.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases\rd.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases\sc.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases\sm.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\dbases\sp.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\keys\cg.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\keys\rd.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\keys\sc.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\keys\sp.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\temp\settings.ini (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\privacy center\temp\spfilter (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases\cg.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases\mw.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases\rd.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases\sc.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases\sm.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\dbases\sp.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\keys\cg.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\keys\rd.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\keys\sc.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\keys\sp.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\temp\settings.ini (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\PCenter\temp\spfilter (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\WINDOWS\freddy46.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\stron_1245110340.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\stron_1245116635.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\stron_1245128768.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\Temp\stron_1245136801.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52597.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52621.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce53173.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce53198.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce53222.dat (Worm.Koobface) -> Quarantined and deleted successfully.
c:\WINDOWS\zaponce53290.dat (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netcfgx.dll:Zone.Identifier (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files\driver\driver.sys (Trojan.Downloader) -> Quarantined and deleted successfully.


Here is the new HiJack this log after my scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:09 AM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\SOFTWA~1\soproc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.capital.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivir-service.microsoft.com
O1 - Hosts: 94.232.248.66 antivirussys2009.com
O1 - Hosts: 94.232.248.66 www.antivirussys2009.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0826] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Q1LU3A9W\WinFixer2005ScannerInstall[1].exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [InternetShield] C:\PROGRA~1\INTERN~2\INTERN~1.EXE -CheckStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [fmt] c:\docume~1\owner\locals~1\temp\pmt.exe
O4 - HKCU\..\Run: [SOProc_SoRefRegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - {d8c0d4dd-b9a1-4ad9-9199-cc57fab00393} - C:\WINDOWS\system32\mst122.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11424 bytes

Hope this is what you need.

Attached Files



#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 09:44 AM

Hi,

We're still not finished here...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 sshort

sshort
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 18 June 2009 - 10:45 AM

ok, I did that and below is the log file from comboFix. please let me know what the next step in this process is. Thank you.

ComboFix 09-06-17.04 - Owner 06/18/2009 11:03.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\SoftwareOnline
c:\program files\SurfAccuracy
c:\program files\SoftwareOnline\soproc.exe
c:\program files\SurfAccuracy\SAcc.cfg
c:\windows\Downloaded Program Files\mediaticketsinstaller.ocx
c:\windows\IE4 Error Log.txt
c:\windows\wiaserviv.log
D:\Autorun.inf
D:\Desktop.ini

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRIVER
-------\Legacy_DRIVERDRV


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 15:16 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-18 15:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-18 14:49 . 2009-06-18 14:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-18 13:05 . 2009-06-18 13:07 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:45 . 2009-06-17 18:45 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-06-17 18:34 . 2009-06-17 18:34 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-06-17 18:22 . 2009-06-18 13:47 -------- d-----w- c:\program files\driver
2009-06-17 18:08 . 2009-06-17 18:08 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-06-17 16:07 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-17 16:07 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-17 16:06 . 2009-06-17 16:06 -------- d-----w- c:\windows\ie8updates
2009-06-17 16:05 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-17 16:00 . 2009-06-17 16:03 -------- dc-h--w- c:\windows\ie8
2009-06-15 22:53 . 2009-06-15 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 15:31 . 2008-01-03 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-06-18 15:28 . 2009-03-09 22:23 -------- d-----w- c:\program files\DNA
2009-06-18 15:28 . 2009-03-09 22:23 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-06-18 15:21 . 2006-08-11 19:16 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-18 13:52 . 2008-01-03 00:50 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-06-18 13:44 . 2008-11-26 07:12 -------- d-----w- c:\program files\Common
2009-06-18 13:07 . 2008-11-30 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 22:00 . 2007-11-22 20:12 -------- d-----w- c:\program files\Norton Security Scan
2009-06-17 15:27 . 2008-11-30 20:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-11-30 20:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 13:50 . 2007-03-28 19:11 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-05-31 20:34 . 2008-12-03 20:55 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-05-20 20:49 . 2005-08-23 15:56 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-05-13 05:15 . 2005-03-23 16:53 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2005-03-23 16:52 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-03-23 16:53 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-03-23 16:52 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 14:55 . 2009-04-11 14:55 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-28 15:58 . 2005-11-09 00:00 62008 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 19:23 . 2009-04-11 15:01 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-26 19:23 . 2007-11-23 17:26 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-20 18:50 . 2007-07-01 03:09 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-03-20 18:50 . 2007-07-01 03:17 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-09 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 499712]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-04-26 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-5-21 1742384]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-6-28 2056266]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-2-11 573440]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-30 118784]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-7-18 118784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1123879848\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/6/2007 10:13 AM 24652]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
driver REG_MULTI_SZ driver

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2005-07-17 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2009-06-17 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 09:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BearShare - c:\program files\BearShare\BearShare.exe
HKLM-Run-InternetShield - c:\progra~1\INTERN~2\INTERN~1.EXE
HKLM-RunOnce-fmt - c:\docume~1\owner\locals~1\temp\pmt.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.capital.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
fmt = c:\docume~1\owner\locals~1\temp\pmt.exe?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????8

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1184)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\SetPoint\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-06-18 11:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 15:36

Pre-Run: 28,430,757,888 bytes free
Post-Run: 30,354,042,880 bytes free

188 --- E O F --- 2009-06-17 16:08

Attached Files



#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 11:15 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Folder::
c:\program files\driver
c:\program files\Common
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"fmt"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"driver"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 sshort

sshort
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 18 June 2009 - 11:44 AM

Here it is. I tried removing the viewpoint toolbar but I could not get it. Sorry if I needed to do that but didn't. I tried the way you said but it would not install. Here is the new log from comboFix:

ComboFix 09-06-17.04 - Owner 06/18/2009 12:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.90 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll
c:\documents and settings\Owner\Local Settings\Temp\catchme.dll
c:\program files\Common
c:\program files\driver

.
((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 15:16 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-18 15:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-18 14:49 . 2009-06-18 14:49 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-18 13:05 . 2009-06-18 13:07 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:45 . 2009-06-17 18:45 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache
2009-06-17 18:34 . 2009-06-17 18:34 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-06-17 18:08 . 2009-06-17 18:08 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-06-17 16:07 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-17 16:07 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-17 16:06 . 2009-06-17 16:06 -------- d-----w- c:\windows\ie8updates
2009-06-17 16:05 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-17 16:00 . 2009-06-17 16:03 -------- dc-h--w- c:\windows\ie8
2009-06-15 22:53 . 2009-06-15 22:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 16:31 . 2009-03-09 22:23 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-06-18 16:27 . 2006-08-11 19:16 -------- d-----w- c:\program files\Symantec AntiVirus
2009-06-18 16:21 . 2005-05-21 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-18 16:21 . 2005-05-21 19:51 -------- d-----w- c:\program files\Viewpoint
2009-06-18 15:31 . 2008-01-03 00:47 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-06-18 15:28 . 2009-03-09 22:23 -------- d-----w- c:\program files\DNA
2009-06-18 13:52 . 2008-01-03 00:50 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-06-18 13:07 . 2008-11-30 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 22:00 . 2007-11-22 20:12 -------- d-----w- c:\program files\Norton Security Scan
2009-06-17 15:27 . 2008-11-30 20:55 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 15:27 . 2008-11-30 20:55 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-17 13:50 . 2007-03-28 19:11 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-05-31 20:34 . 2008-12-03 20:55 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-05-20 20:49 . 2005-08-23 15:56 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-05-13 05:15 . 2005-03-23 16:53 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2005-03-23 16:52 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-03-23 16:53 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-03-23 16:52 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 14:55 . 2009-04-11 14:55 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-28 15:58 . 2005-11-09 00:00 62008 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-26 19:23 . 2009-04-11 15:01 1900544 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-03-26 19:23 . 2007-11-23 17:26 36864 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-03-20 18:50 . 2007-07-01 03:09 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-03-20 18:50 . 2007-07-01 03:17 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-10 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-09 321344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 499712]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"SunKist"="c:\program files\Digital Media Reader\shwicon2k.exe" [2004-05-27 139264]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2003-07-10 114688]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-03-12 124128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-04-26 29696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-5-21 1742384]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-6-28 2056266]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-2-11 573440]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-6-30 118784]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-7-18 118784]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1123879848\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18 PM 169192]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2005-07-17 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2009-06-17 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 09:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.capital.edu/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 12:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-06-18 12:39
ComboFix-quarantined-files.txt 2009-06-18 16:39
ComboFix2.txt 2009-06-18 15:36

Pre-Run: 30,374,998,016 bytes free
Post-Run: 30,360,608,768 bytes free

146 --- E O F --- 2009-06-17 16:08

Attached Files



#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 12:30 PM

Hi,

You did fine here. The Viewpoint toolbar was already deleted anyway.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 sshort

sshort
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 18 June 2009 - 01:44 PM

I am finding the directions a little confusing. I go to the start menu but then do not know where to go next. Do I need to search for the program? What is the copy and paste next to the command? Basically I think I am a little lost. I get the part of enterning the name as ComboFix / u. After this how do I system restore? Sorry to ask these questions, I am just confused.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 01:50 PM

Hi,

In your start menu, on the right side, you should see run:

Posted Image

There, type ComboFix /u and hit enter / OK

Posted Image

It will reset your system restore points automatically etc..
So all you have to do is enter combofix /u in start > run command :thumbup2:

Edited by miekiemoes, 18 June 2009 - 01:50 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 sshort

sshort
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 18 June 2009 - 02:06 PM

Everything seems normal. I am not getting any weird messages on the internet when I search in google. Thanks a lot for helping me fix my problem. I really appreciate it. Is there anything else I need to do, or am I complete?

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 02:13 PM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 sshort

sshort
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:04 PM

Posted 18 June 2009 - 02:25 PM

Alright, Thank You again

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 18 June 2009 - 02:25 PM

You're most welcome :thumbup2:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:09:04 PM

Posted 07 July 2009 - 07:22 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users