Iexplore.exe is Running in the Background, Music and Ads Are Playing Over My Speakers

**oochie1** · #1 20th Mar 2009, 18:16

Hi,
I need some guidence to see if I have an "All Clear" on this problem:

iexplore.exe runs in the background, I see it in Task Manager, even when I don't have Internet Explorer 7 running and disconnected from the internet.
Also, music and ads are playing over my speakers at random. I see no processes running in Task Manager other than the suspicious iexplore.exe.

I followed the Malware Removal Guide - Please Read Before Posting.

The steps got rid of the symptoms but I am looking for an "All Clear" or further guidence. Please help...

Here are the results:

SuperAntiSpyware log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/20/2009 at 02:22 PM
Application Version : 4.25.1014
Core Rules Database Version : 3807
Trace Rules Database Version: 1762
Scan type : Complete Scan
Total Scan Time : 00:40:16
Memory items scanned : 400
Memory threats detected : 0
Registry items scanned : 5596
Registry threats detected : 0
File items scanned : 76956
File threats detected : 6
Adware.Tracking Cookie
C:\Documents and Settings\corol\Cookies\corol@mediaplex[1].txt
C:\Documents and Settings\corol\Cookies\corol@serving-sys[2].txt
C:\Documents and Settings\corol\Cookies\corol@bs.serving-sys[1].txt
C:\Documents and Settings\corol\Cookies\corol@ad.yieldmanager[2].txt
C:\Documents and Settings\corol\Cookies\corol@tribalfusion[1].txt
C:\Documents and Settings\corol\Cookies\corol@atdmt[2].txt

Malwarebytes' Anti-Malware (MBAM) log:
Malwarebytes' Anti-Malware 1.34
Database version: 1878
Windows 5.1.2600 Service Pack 3
3/20/2009 2:52:31 PM
mbam-log-2009-03-20 (14-52-31).txt
Scan type: Quick Scan
Objects scanned: 71671
Time elapsed: 2 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\SYSTEM32\lowsec (Spyware.StolenData) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\SYSTEM32\lowsec\local.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\lowsec\user.ds (Spyware.StolenData) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACmqpulnxe.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\UACqbpjxvek.dat (Trojan.Agent) -> Quarantined and deleted successfully.

HijackThis (HJT) log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:33 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.calicographics.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\SYSTEM32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1236909326187
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 5199 bytes

I appreciate your help!!!!
Thank you

oochie1

**evilfantasy** · #2 20th Mar 2009, 21:21

Welcome to CJ.

It looks OK but seeing another log will help to ensure everything is gone or not.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
- R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

**oochie1** · #3 21st Mar 2009, 06:35

Thank you for your reply.

Here is the ComboFix log:
ComboFix 09-03-19.02 - corol 2009-03-21 6:17:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2602 [GMT -8:00]
Running from: c:\documents and settings\corol\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\windows\system32\comrepl.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_UACD.SYS
-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.
2009-03-20 19:49 . 2009-03-20 19:59 <DIR> d-------- c:\program files\QuickTime
2009-03-20 17:47 . 2009-03-21 05:34 <DIR> d-------- c:\program files\Unlocker
2009-03-20 17:16 . 2009-03-21 05:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-20 17:16 . 2009-03-21 06:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-20 16:50 . 2009-03-09 11:06 15,688 --a------ c:\windows\SYSTEM32\lsdelete.exe
2009-03-20 15:53 . 2009-03-09 11:06 64,160 --a------ c:\windows\SYSTEM32\DRIVERS\Lbd.sys
2009-03-20 15:52 . 2009-03-20 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-20 15:52 . 2009-03-20 15:52 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 15:26 . 2009-03-21 05:32 <DIR> d-------- c:\program files\Trend Micro
2009-03-20 15:07 . 2009-03-20 15:07 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-03-20 14:47 . 2009-03-21 05:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 14:47 . 2009-03-20 14:47 <DIR> d-------- c:\documents and settings\corol\Application Data\Malwarebytes
2009-03-20 14:47 . 2009-03-20 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-20 14:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-20 14:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-20 13:37 . 2009-03-21 05:30 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-20 13:37 . 2009-03-20 13:37 <DIR> d-------- c:\documents and settings\corol\Application Data\SUPERAntiSpyware.com
2009-03-20 13:37 . 2009-03-20 13:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-20 13:36 . 2009-03-20 13:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-20 13:26 . 2009-03-21 05:29 <DIR> d-------- c:\program files\CCleaner
2009-03-20 11:39 . 2009-03-21 05:29 <DIR> d-------- c:\program files\Alwil Software
2009-03-20 10:59 . 2009-03-21 05:28 <DIR> d-------- c:\program files\VS Revo Group
2009-03-19 07:58 . 2004-06-05 08:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-19 07:58 . 2004-06-05 08:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-03-19 07:58 . 2004-06-05 08:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-19 07:58 . 2009-03-19 07:58 <DIR> d-------- c:\documents and settings\Administrator
2009-03-18 11:12 . 2006-12-29 00:31 19,569 --a------ c:\windows\000002_.tmp
2009-03-16 15:53 . 2006-12-29 00:31 19,569 --a------ c:\windows\000001_.tmp
2009-03-14 08:46 . 2009-03-20 11:17 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 08:46 . 2009-03-20 11:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-26 10:35 . 2009-02-26 10:35 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-26 10:35 . 2009-02-26 10:35 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-26 10:35 . 2009-02-26 10:35 <DIR> d-------- c:\windows\l2schemas
2009-02-26 09:59 . 2009-02-26 09:59 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-26 09:39 . 2008-04-11 11:04 691,712 --------- c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-03-21 13:33 --------- d-----w c:\program files\Lavasoft
2009-03-21 13:31 --------- d-----w c:\program files\Java
2009-03-21 03:09 --------- d-----w c:\program files\iTunes
2009-03-18 20:14 --------- d-----w c:\documents and settings\corol\Application Data\MSN6
2009-03-16 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-16 18:20 --------- d-----w c:\program files\Symantec
2009-03-16 17:43 --------- d-----w c:\documents and settings\corol\Application Data\Intuit
2009-03-16 17:43 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-03-16 17:42 --------- d-----w c:\program files\Intuit
2009-03-16 17:42 --------- d-----w c:\program files\Common Files\Intuit
2009-03-16 17:08 --------- d-----w c:\program files\Common Files\Real
2009-03-16 17:05 --------- d-----w c:\program files\Common Files\Adobe
2009-03-16 16:37 --------- d-----w c:\program files\Hewlett-Packard
2009-03-16 16:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-24 22:43 --------- d-----w c:\documents and settings\corol\Application Data\AdobeAUM
2009-02-17 00:00 --------- d-----w c:\program files\NOS
2009-02-17 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-16 21:52 --------- d-----w c:\documents and settings\corol\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B 320485DF8CE.1
2009-02-16 21:18 --------- d-----w c:\documents and settings\corol\Application Data\AdobeUM
2008-11-14 17:25 194,512 ----a-w c:\documents and settings\corol\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2005-12-30 114688]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 09:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Amrpst51"=3 (0x3)
"Ab04tv3prlad"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\ntvdm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2009-03-20 64160]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2009-03-20 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswF sBlk.sys [2009-03-20 20560]
R2 HOSTNT;Hostnt;c:\windows\SYSTEM32\DRIVERS\hostnt.s ys [2004-12-04 4032]
R2 MHDRV;Mhdrv;c:\windows\SYSTEM32\DRIVERS\mhdrv.sys [2004-12-04 21696]
R2 RCMHDOG;RCMHDOG;c:\windows\SYSTEM32\DRIVERS\rcmhdo g.sys [2004-12-04 55528]
R3 UsbC;SafeNet MicroDog USB Device Driver;c:\windows\SYSTEM32\DRIVERS\rcusbwdm.sys [2004-12-23 50816]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMo n.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSy sMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 pctplsg;pctplsg;\??\c:\windows\SYSTEM32\DRIVERS\pc tplsg.sys --> c:\windows\SYSTEM32\DRIVERS\pctplsg.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\ TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Ab04tv3prlad;Ab04tv3prlad; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C97751B1-BF63-4867-87FB-49B72502DBCD}]
c:\program files\Microsoft Office\Office10\OfficeXPFirstRun.vbs
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Sonic RecordNow! - (no file)
MSConfigStartUp-AdobeVersionCue - c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
MSConfigStartUp-ISTray - c:\program files\Spyware Doctor\pctsTray.exe

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.calicographics.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 06:20:26
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-443509043-1908569376-3055490635-1007\Software\Corel\WritingTools\9.1\User Word Lists\ø*S]
"Selected UWL"=hex:02,00
[HKEY_USERS\S-1-5-21-443509043-1908569376-3055490635-1007\Software\Corel\WritingTools\9.1\User Word Lists\ø*S\Word List 0]
"Name"="c:\\Documents and Settings\\corol\\My Documents\\Corel User Files\\WT9_1øœ.UWL"
"Enabled"=hex:01,00,00,00
[HKEY_USERS\S-1-5-21-443509043-1908569376-3055490635-1007\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\Tablet.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-03-21 6:23:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 14:23:12
Pre-Run: 134,483,603,456 bytes free
Post-Run: 134,410,670,080 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOW S
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
205 --- E O F --- 2009-03-18 20:59:53

Your help and guidence is greatly apprciated.

oochie1

**evilfantasy** · #4 21st Mar 2009, 09:38

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

File::
c:\windows\000002_.tmp
c:\windows\000001_.tmp

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

Click on SCAN NOW
Click Accept.
The program will then begin downloading the latest definition files.
Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

Next, in the Save as prompt, Save in area, select: Desktop.
In the File name area use KScan, or something similar.
In Save as type: click the drop arrow and select: Text file [*.txt]
Then, click: Save

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

**oochie1** · #5 21st Mar 2009, 12:15

Hi,
Thank you for your help.

I completed the Combofix step. The log is below.

But when I attempt to run the Kaspersky online scanner, the Accept button remains under-intensified. It checks my system and the message appears: "You need to install Java version 1.5 or later to run Kaspersky Online Scanner 7.0."

I had installed and verified the latest verion of Java (Version 6 Update 12) when I followed the Malware Removal Guide - Please Read Before Posting.

Here is the Combofix.txt log:
ComboFix 09-03-19.02 - corol 2009-03-21 11:42:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2618 [GMT -8:00]
Running from: c:\documents and settings\corol\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\corol\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090320-0] *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\000001_.tmp
c:\windows\000002_.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\000001_.tmp
c:\windows\000002_.tmp
.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.
2009-03-20 19:49 . 2009-03-20 19:59 <DIR> d-------- c:\program files\QuickTime
2009-03-20 17:47 . 2009-03-21 05:34 <DIR> d-------- c:\program files\Unlocker
2009-03-20 17:16 . 2009-03-21 05:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-20 17:16 . 2009-03-21 06:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-20 16:50 . 2009-03-09 11:06 15,688 --a------ c:\windows\SYSTEM32\lsdelete.exe
2009-03-20 15:53 . 2009-03-09 11:06 64,160 --a------ c:\windows\SYSTEM32\DRIVERS\Lbd.sys
2009-03-20 15:52 . 2009-03-20 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-20 15:52 . 2009-03-20 15:52 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-20 15:26 . 2009-03-21 05:32 <DIR> d-------- c:\program files\Trend Micro
2009-03-20 15:07 . 2009-03-20 15:07 73,728 --a------ c:\windows\SYSTEM32\javacpl.cpl
2009-03-20 14:47 . 2009-03-21 05:31 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-20 14:47 . 2009-03-20 14:47 <DIR> d-------- c:\documents and settings\corol\Application Data\Malwarebytes
2009-03-20 14:47 . 2009-03-20 14:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-20 14:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-20 14:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-20 13:37 . 2009-03-21 05:30 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-20 13:37 . 2009-03-20 13:37 <DIR> d-------- c:\documents and settings\corol\Application Data\SUPERAntiSpyware.com
2009-03-20 13:37 . 2009-03-20 13:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-20 13:36 . 2009-03-20 13:36 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-20 13:26 . 2009-03-21 05:29 <DIR> d-------- c:\program files\CCleaner
2009-03-20 11:39 . 2009-03-21 05:29 <DIR> d-------- c:\program files\Alwil Software
2009-03-20 10:59 . 2009-03-21 05:28 <DIR> d-------- c:\program files\VS Revo Group
2009-03-19 07:58 . 2004-06-05 08:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-03-19 07:58 . 2004-06-05 08:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sonic
2009-03-19 07:58 . 2004-06-05 08:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Jasc Software Inc
2009-03-19 07:58 . 2009-03-19 07:58 <DIR> d-------- c:\documents and settings\Administrator
2009-03-14 08:46 . 2009-03-20 11:17 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-14 08:46 . 2009-03-20 11:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-26 10:35 . 2009-02-26 10:35 <DIR> d-------- c:\windows\SYSTEM32\scripting
2009-02-26 10:35 . 2009-02-26 10:35 <DIR> d-------- c:\windows\SYSTEM32\en
2009-02-26 10:35 . 2009-02-26 10:35 <DIR> d-------- c:\windows\l2schemas
2009-02-26 09:59 . 2009-02-26 09:59 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-26 09:39 . 2008-04-11 11:04 691,712 --------- c:\windows\SYSTEM32\DLLCACHE\inetcomm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2009-03-21 13:33 --------- d-----w c:\program files\Lavasoft
2009-03-21 13:31 --------- d-----w c:\program files\Java
2009-03-21 03:09 --------- d-----w c:\program files\iTunes
2009-03-18 20:14 --------- d-----w c:\documents and settings\corol\Application Data\MSN6
2009-03-16 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-16 18:20 --------- d-----w c:\program files\Symantec
2009-03-16 17:43 --------- d-----w c:\documents and settings\corol\Application Data\Intuit
2009-03-16 17:43 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-03-16 17:42 --------- d-----w c:\program files\Intuit
2009-03-16 17:42 --------- d-----w c:\program files\Common Files\Intuit
2009-03-16 17:08 --------- d-----w c:\program files\Common Files\Real
2009-03-16 17:05 --------- d-----w c:\program files\Common Files\Adobe
2009-03-16 16:37 --------- d-----w c:\program files\Hewlett-Packard
2009-03-16 16:25 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-24 22:43 --------- d-----w c:\documents and settings\corol\Application Data\AdobeAUM
2009-02-17 00:00 --------- d-----w c:\program files\NOS
2009-02-17 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-16 21:52 --------- d-----w c:\documents and settings\corol\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B 320485DF8CE.1
2009-02-16 21:18 --------- d-----w c:\documents and settings\corol\Application Data\AdobeUM
2008-11-14 17:25 194,512 ----a-w c:\documents and settings\corol\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( SnapShot@2009-03-21_ 6.22.20.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-21 14:19:11 12,951 ----a-w c:\windows\SYSTEM32\tablet.dat
+ 2009-03-21 19:44:06 12,951 ----a-w c:\windows\SYSTEM32\tablet.dat
- 2009-03-21 14:19:10 16,384 -c----w c:\windows\Temp\Cookies\index.dat
+ 2009-03-21 19:44:05 16,384 -c----w c:\windows\Temp\Cookies\index.dat
- 2009-03-21 14:19:10 16,384 -c----w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-21 19:44:05 16,384 -c----w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-21 19:44:00 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5e4.dat
- 2009-03-21 14:19:10 32,768 -c----w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-21 19:44:05 32,768 -c----w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-05 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-12 155648]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp. exe" [2009-02-05 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - c:\windows\SYSTEM32\WTablet\TabUserW.exe [2005-12-30 114688]
[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\SYSTEM32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2003-08-13 07:27 28672 c:\windows\SYSTEM32\DSentry.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 09:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Amrpst51"=3 (0x3)
"Ab04tv3prlad"=3 (0x3)
[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\ntvdm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [2009-03-20 64160]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [2009-03-20 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswF sBlk.sys [2009-03-20 20560]
R2 HOSTNT;Hostnt;c:\windows\SYSTEM32\DRIVERS\hostnt.s ys [2004-12-04 4032]
R2 MHDRV;Mhdrv;c:\windows\SYSTEM32\DRIVERS\mhdrv.sys [2004-12-04 21696]
R2 RCMHDOG;RCMHDOG;c:\windows\SYSTEM32\DRIVERS\rcmhdo g.sys [2004-12-04 55528]
R3 UsbC;SafeNet MicroDog USB Device Driver;c:\windows\SYSTEM32\DRIVERS\rcusbwdm.sys [2004-12-23 50816]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMo n.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSy sMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S3 pctplsg;pctplsg;\??\c:\windows\SYSTEM32\DRIVERS\pc tplsg.sys --> c:\windows\SYSTEM32\DRIVERS\pctplsg.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\ TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Ab04tv3prlad;Ab04tv3prlad; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C97751B1-BF63-4867-87FB-49B72502DBCD}]
c:\program files\Microsoft Office\Office10\OfficeXPFirstRun.vbs
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.calicographics.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
.
************************************************** ************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 11:45:23
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-443509043-1908569376-3055490635-1007\Software\Corel\WritingTools\9.1\User Word Lists\ø*S]
"Selected UWL"=hex:02,00
[HKEY_USERS\S-1-5-21-443509043-1908569376-3055490635-1007\Software\Corel\WritingTools\9.1\User Word Lists\ø*S\Word List 0]
"Name"="c:\\Documents and Settings\\corol\\My Documents\\Corel User Files\\WT9_1øœ.UWL"
"Enabled"=hex:01,00,00,00
[HKEY_USERS\S-1-5-21-443509043-1908569376-3055490635-1007\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(680)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\Tablet.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\wscntfy.exe
.
************************************************** ************************
.
Completion time: 2009-03-21 11:48:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-21 19:47:58
ComboFix2.txt 2009-03-21 14:23:16
Pre-Run: 134,392,090,624 bytes free
Post-Run: 134,389,641,216 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
202 --- E O F --- 2009-03-18 20:59:53

Thanks again for your continued help!!!

oochie1

**evilfantasy** · #6 21st Mar 2009, 12:27

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

----------

Now try to run Kaspersky again.

**oochie1** · #7 21st Mar 2009, 12:44

Hi,

Thank you.

ATF Cleaner ran OK.

I got the same results as my previous post with Kaspersky Online Scanner...

Please advise.

oochie

**evilfantasy** · #8 21st Mar 2009, 12:53

OK try another please.

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer

Once you are on the Panda site click the Scan your PC now button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Select the appropriate Yes or No to receiving marketing information
Click the Free Online Scan button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report in your next reply.

**oochie1** · #9 21st Mar 2009, 14:05

Hi,

Thank you for your guidence.

I did not have ActiveScan do anything with what it found, just the scan.

Here is the ActiveScan 2.0 results:
;************************************************* ************************************************** ************************************************** ******************************
ANALYSIS: 2009-03-21 13:59:49
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 1
;************************************************* ************************************************** ************************************************** ******************************
PROTECTIONS
Description Version Active Updated
;================================================= ================================================== ================================================== ==============================
avast! antivirus 4.8.1335 [VPS 090320-0] 4.8.1335 No Yes
;================================================= ================================================== ================================================== ==============================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================= ================================================== ================================================== ==============================
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\corol\Cookies\corol@tribalfusion[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\corol\Cookies\corol@ad.yieldmanager[3].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\corol\Cookies\corol@ad.yieldmanager[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\corol\Cookies\corol@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\corol\Cookies\corol@bs.serving-sys[1].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001311.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0001410.EXE
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP11\A0001385.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\A0001286.sys
;================================================= ================================================== ================================================== ==============================
SUSPECTS
Sent Location !
;================================================= ================================================== ================================================== ==============================
No C:\Documents and Settings\corol\Desktop\ComboFix.exe !
;================================================= ================================================== ================================================== ==============================
VULNERABILITIES
Id Severity Description !
;================================================= ================================================== ================================================== ==============================
;================================================= ================================================== ================================================== ==============================

Thank you again.

oochie1

**evilfantasy** · #10 21st Mar 2009, 14:08

OK that actually looks good and we can easily take care of those entries. Let me know if you have any questions and how the computer is running now.

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:

Delete:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.