Iexplore.exe virus again!

davejess00 · #11 12th Oct 2008, 17:36

Before combofix finished there was an error message
"Windows - No Disk"
Exception Processing Method c0000013 Parametrs 75b6bf7c 4 etc..
So I clicked continue and it finished.
Here is the combo fix log

ComboFix 08-10-11.04 - Compaq_Owner 2008-10-13 11:25:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023 [GMT 11:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\install.exe
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://webstore.loadit.com.au
.
((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-12 21:57 . 2008-10-12 21:58 <DIR> d-------- C:\Program Files\Paint.NET
2008-10-12 17:19 . 2008-10-12 17:19 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-10-12 17:18 . 2008-10-12 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-12 17:18 . 2008-10-12 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-12 17:18 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-12 17:18 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-12 17:13 . 2008-10-12 17:13 <DIR> d-------- C:\Program Files\CCleaner
2008-10-12 16:36 . 2008-10-12 16:39 <DIR> d-------- C:\NoLopBackups
2008-10-11 18:01 . 2008-10-11 18:14 <DIR> d-------- C:\Lop SD
2008-10-11 16:05 . 2008-10-11 16:05 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-11 15:51 . 2008-10-11 15:51 <DIR> d-------- C:\Program Files\NOS
2008-10-11 15:51 . 2008-10-11 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-11 12:40 . 2008-10-13 11:29 675,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-11 12:40 . 2008-10-13 00:30 8,204 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-11 12:33 . 2008-10-11 12:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-11 12:31 . 2008-10-11 12:31 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-10-11 12:29 . 2008-10-11 12:29 <DIR> d-------- C:\Program Files\Zone Labs
2008-10-11 12:29 . 2008-10-11 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-11 12:28 . 2008-10-13 11:22 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-10-09 11:53 . 2008-10-09 11:53 <DIR> d-------- C:\Program Files\Soap lies love
2008-09-30 21:24 . 2008-09-30 21:27 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-09-30 21:24 . 2008-09-30 21:32 77,478 --a------ C:\WINDOWS\War3Unin.dat
2008-09-30 21:24 . 2008-09-30 21:27 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-09-30 20:51 . 2008-10-13 00:27 <DIR> d-------- C:\Program Files\Warcraft III
2008-09-30 13:41 . 2008-07-31 21:45 <DIR> d-------- C:\etax2008
2008-09-14 18:04 . 2008-09-14 18:04 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SPORE
2008-09-14 18:02 . 2008-09-14 18:02 <DIR> d-------- C:\ProgramData
2008-09-14 17:36 . 2008-09-14 18:00 2,572 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-09-14 17:29 . 2008-09-14 18:02 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-14 14:56 . 2008-09-14 14:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-13 22:03 . 2008-09-13 22:03 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-13 20:46 . 2008-10-09 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Software rule flag owns
2008-09-13 20:45 . 2008-10-09 11:54 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Soap lies love

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-10-12 10:57 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2008-10-12 10:53 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-10-12 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 07:29 --------- d-----w C:\Program Files\MindArk
2008-10-11 07:00 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-11 05:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-11 04:55 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-10-08 02:29 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\BitTorrent
2008-09-30 10:12 --------- d-----w C:\Program Files\EV Nova
2008-09-30 10:12 --------- d-----w C:\Program Files\DominateGame
2008-09-30 09:51 --------- d-----w C:\Program Files\Java
2008-09-29 05:41 --------- d-----w C:\Program Files\Hp
2008-09-14 07:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 06:43 --------- d-----w C:\Program Files\John Deere American Farmer Deluxe
2008-09-13 09:45 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-09-10 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 02:44 --------- d-----w C:\Program Files\VUGames
2008-09-02 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-31 06:28 --------- d-----w C:\Program Files\Maxis
2008-08-18 08:44 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-08-18 08:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-18 05:11 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-08-18 04:56 --------- d-----w C:\Program Files\Sierra Entertainment
2008-08-18 04:56 --------- d-----w C:\Program Files\D-Tools
2008-08-18 03:12 61,440 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2008-08-18 03:12 45,056 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSet up.exe
2008-08-18 03:12 44,032 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2008-08-18 03:12 40,960 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2008-08-18 03:12 32,768 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2008-08-18 03:12 32,768 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2008-08-18 03:12 287,310 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetect ion.dll
2008-08-18 03:12 163,840 ----a-w C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dl l
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2006-03-17 19:31 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"MODE REAL"="C:\DOCUME~1\COMPAQ~1\APPLIC~1\SOAPLI~1\ATOM DASH.exe" [2008-10-09 481792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScI nst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT \TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TIN TSETP.EXE" [2004-08-04 455168]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"TWCU"="C:\Program Files\TP-LINK\TWCU\TWCU.exe" [2006-03-15 348160]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 155648]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-08-18 579584]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-29 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-08-18 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-07-15 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= C:\WINDOWS\system32\i263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIVX"= divxdec.ax
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=

R3 AR5523;TP-LINK TL-WN620G 11G Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys [2006-01-16 360288]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{3639e4c0-7c7f-11dd-8938-0019e073dd24}]
\Shell\AutoRun\command - K:\pa39xth.cmd
\Shell\explore\Command - K:\pa39xth.cmd
\Shell\open\Command - K:\pa39xth.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{6ef5e448-57ba-11dd-af34-0019e073dd24}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\S-1-5-21-3666692665-148099885-633438025-500\regsvc32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{7c75af78-8ed4-11dd-8926-0019e073dd24}]
\Shell\AutoRun\command - pa39xth.cmd
\Shell\explore\Command - pa39xth.cmd
\Shell\open\Command - pa39xth.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{88a9c154-9401-11dd-8987-0019e073dd24}]
\Shell\AutoRun\command - L:\pa39xth.cmd
\Shell\explore\Command - L:\pa39xth.cmd
\Shell\open\Command - L:\pa39xth.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{903e99d2-7c19-11dd-8936-0019e073dd24}]
\Shell\AutoRun\command - K:\pa39xth.cmd
\Shell\explore\Command - K:\pa39xth.cmd
\Shell\open\Command - K:\pa39xth.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{d653fde1-62a5-11dd-8933-0013d3de5f9a}]
\Shell\AutoRun\command - L:\pa39xth.cmd
\Shell\explore\Command - L:\pa39xth.cmd
\Shell\open\Command - L:\pa39xth.cmd

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-13 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\flrhn99w.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll
.

************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-13 11:29:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2008-10-13 11:32:47
ComboFix-quarantined-files.txt 2008-10-13 00:32:44

Pre-Run: 13,570,347,008 bytes free
Post-Run: 13,556,662,272 bytes free

215 --- E O F --- 2008-09-10 08:08:39

and the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:50 AM, on 13/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.limewire.com/inclient/?st...ows+XP&osv=5.1
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MODE REAL] C:\DOCUME~1\COMPAQ~1\APPLIC~1\SOAPLI~1\ATOM DASH.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01...s/MSNPUpld.cab
O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://autxn.paywithpoli.com/ewcust...iPayOnline.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8936 bytes

davejess00 · #12 12th Oct 2008, 17:37

I think that might have fixed it because iexplore is gone!

**evilfantasy** · #13 12th Oct 2008, 18:03

That removed a few more nasties but also revealed quite a few more.

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:

KillAll::

Folder::
C:\NoLopBackups
C:\Lop SD
C:\Program Files\Soap lies love
C:\Documents and Settings\All Users\Application Data\Software rule flag owns
C:\Documents and Settings\Compaq_Owner\Application Data\Soap lies love

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MODE REAL"=

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3639e4c0-7c7f-11dd-8938-0019e073dd24}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ef5e448-57ba-11dd-af34-0019e073dd24}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c75af78-8ed4-11dd-8926-0019e073dd24}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88a9c154-9401-11dd-8987-0019e073dd24}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{903e99d2-7c19-11dd-8936-0019e073dd24}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d653fde1-62a5-11dd-8933-0013d3de5f9a}]

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Create An Uninstall List

Start HijackThis
Click on the Open the Misc Tools section
Click on the Open Uninstall Manager button.
Click on the Save list button and specify where you would like to save this file and click Save.
- When you press Save button a notepad will open with the contents of that file.
Copy and paste that list in your reply.

----------

Next post please add:
ComboFix log
Uninstall list

davejess00 · #14 12th Oct 2008, 20:37

Here are the logs. Also last night I uninstalled a program that was called CiD. This is what was on the internet explorer pop-ups I was getting.

ComboFix 08-10-11.04 - Compaq_Owner 2008-10-13 14:18:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1077 [GMT 11:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Software rule flag owns
C:\Documents and Settings\All Users\Application Data\Software rule flag owns\Skip proc.exe
C:\Lop SD
C:\Lop SD\App-Prog.lsd
C:\Lop SD\AuDoss.lsd
C:\Lop SD\AutrInf.cmd
C:\Lop SD\AWF.cmd
C:\Lop SD\Back.cmd
C:\Lop SD\Boo.reg
C:\Lop SD\BooFix.cmd
C:\Lop SD\catchme.exe
C:\Lop SD\catchme.log
C:\Lop SD\Changelog Lop SD.txt
C:\Lop SD\Crack.txt
C:\Lop SD\DirectFix.cmd
C:\Lop SD\Discl_en.vbs
C:\Lop SD\Discl_fr.vbs
C:\Lop SD\Discl_ne.vbs
C:\Lop SD\Discl_sp.vbs
C:\Lop SD\Discl_su.vbs
C:\Lop SD\Doss.lsd
C:\Lop SD\DossKill.txt
C:\Lop SD\FichKill.txt
C:\Lop SD\Icon_Lop.ico
C:\Lop SD\Key.txt
C:\Lop SD\KILL.cmd
C:\Lop SD\Langues.cmd
C:\Lop SD\LopR_1.txt
C:\Lop SD\LopR_2.txt
C:\Lop SD\LopScript.cmd
C:\Lop SD\LopSD.cmd
C:\Lop SD\lsTasks.exe
C:\Lop SD\Orph.egd
C:\Lop SD\OsV.exe
C:\Lop SD\paths.bat
C:\Lop SD\PrefKill.txt
C:\Lop SD\Proc.txt
C:\Lop SD\pv.exe
C:\Lop SD\RegLop.reg
C:\Lop SD\RKit.lsd
C:\Lop SD\RoGUeS.lsd
C:\Lop SD\RunTool.txt
C:\Lop SD\S-DossKill.txt
C:\Lop SD\S-FichKill.txt
C:\Lop SD\S_LopV.cmd
C:\Lop SD\S_LopX.cmd
C:\Lop SD\sed.exe
C:\Lop SD\setpath.exe
C:\Lop SD\task.txt
C:\Lop SD\task_.txt
C:\Lop SD\Uninstal.exe
C:\NoLopBackups
C:\NoLopBackups\A396018B9185B27B.job.01.infected

.
((((((((((((((((((((((((( Files Created from 2008-09-13 to 2008-10-13 )))))))))))))))))))))))))))))))
.

2008-10-13 12:53 . 2008-10-13 12:53 <DIR> d--h----- C:\$AVG8.VAULT$
2008-10-13 12:35 . 2008-10-13 12:45 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-10-13 12:35 . 2008-10-13 12:35 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-10-13 12:35 . 2008-10-13 12:35 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-10-13 12:05 . 2008-10-13 12:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-10-13 12:05 . 2008-10-13 12:05 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2008-10-13 12:05 . 2008-10-13 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-13 12:04 . 2008-10-13 12:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-12 21:57 . 2008-10-12 21:58 <DIR> d-------- C:\Program Files\Paint.NET
2008-10-12 17:19 . 2008-10-12 17:19 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Malwarebytes
2008-10-12 17:18 . 2008-10-12 17:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-12 17:18 . 2008-10-12 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-12 17:18 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-12 17:18 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-12 17:13 . 2008-10-12 17:13 <DIR> d-------- C:\Program Files\CCleaner
2008-10-11 16:05 . 2008-10-11 16:05 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-11 15:51 . 2008-10-11 15:51 <DIR> d-------- C:\Program Files\NOS
2008-10-11 15:51 . 2008-10-11 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-11 12:40 . 2008-10-13 14:26 882,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-10-11 12:40 . 2008-10-13 14:22 11,324 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-10-11 12:33 . 2008-10-11 12:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-11 12:31 . 2008-10-11 12:31 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-10-11 12:29 . 2008-10-11 12:29 <DIR> d-------- C:\Program Files\Zone Labs
2008-10-11 12:29 . 2008-10-11 12:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-10-11 12:28 . 2008-10-13 14:26 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-09-30 21:24 . 2008-09-30 21:27 139,264 --a------ C:\WINDOWS\War3Unin.exe
2008-09-30 21:24 . 2008-09-30 21:32 77,478 --a------ C:\WINDOWS\War3Unin.dat
2008-09-30 21:24 . 2008-09-30 21:27 2,829 --a------ C:\WINDOWS\War3Unin.pif
2008-09-30 20:51 . 2008-10-13 14:06 <DIR> d-------- C:\Program Files\Warcraft III
2008-09-30 13:41 . 2008-07-31 21:45 <DIR> d-------- C:\etax2008
2008-09-14 18:04 . 2008-09-14 18:04 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\SPORE
2008-09-14 18:02 . 2008-09-14 18:02 <DIR> d-------- C:\ProgramData
2008-09-14 17:36 . 2008-10-13 12:27 3,488 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-09-14 17:29 . 2008-10-13 12:28 <DIR> d-------- C:\Program Files\Electronic Arts
2008-09-14 14:56 . 2008-09-14 14:56 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-13 22:03 . 2008-09-13 22:03 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-10-13 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
2008-10-13 01:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-12 10:53 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2008-10-12 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-11 07:29 --------- d-----w C:\Program Files\MindArk
2008-10-11 05:05 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-11 04:55 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AdobeUM
2008-10-08 02:29 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\BitTorrent
2008-09-30 10:12 --------- d-----w C:\Program Files\EV Nova
2008-09-30 10:12 --------- d-----w C:\Program Files\DominateGame
2008-09-30 09:51 --------- d-----w C:\Program Files\Java
2008-09-29 05:41 --------- d-----w C:\Program Files\Hp
2008-09-14 07:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-14 06:43 --------- d-----w C:\Program Files\John Deere American Farmer Deluxe
2008-09-13 09:45 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-09-10 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-10 02:44 --------- d-----w C:\Program Files\VUGames
2008-08-31 06:28 --------- d-----w C:\Program Files\Maxis
2008-08-18 04:56 --------- d-----w C:\Program Files\Sierra Entertainment
2008-08-18 04:56 --------- d-----w C:\Program Files\D-Tools
2006-03-17 19:31 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-13_11.30.37.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-13 01:05:17 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-10-13 01:05:17 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-08-18 08:44:40 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-10-13 01:35:29 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.E XE" [2004-08-04 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScI nst.exe" [2004-08-04 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT \TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TIN TSETP.EXE" [2004-08-04 455168]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 233472]
"TWCU"="C:\Program Files\TP-LINK\TWCU\TWCU.exe" [2006-03-15 348160]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 155648]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-29 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-10-13 1234712]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-07-15 118784]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= C:\WINDOWS\system32\i263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"vidc.DIVX"= divxdec.ax
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= C:\WINDOWS\system32\i263_32.drv
"msacm.imc"= C:\WINDOWS\system32\imc32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-10-13 97928]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-10-13 231704]
R3 AR5523;TP-LINK TL-WN620G 11G Wireless Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5523.sys [2006-01-16 360288]
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
.
Contents of the 'Scheduled Tasks' folder

2008-10-13 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe []
.

************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-13 14:24:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
************************************************** ************************
.
Completion time: 2008-10-13 14:31:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-13 03:30:59
ComboFix2.txt 2008-10-13 00:32:50

Pre-Run: 13,221,281,792 bytes free
Post-Run: 13,233,377,280 bytes free

230 --- E O F --- 2008-09-10 08:08:39

Uninstall List

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG Free 8.0
BA Installer
Boredaussie Automatic Installer
CCleaner (remove only)
DAEMON Tools
Download Accelerator Plus (DAP)
Drug Lord 2
Enhanced Multimedia Keyboard Solution
EPSON Printer Software
EPSON Scan
e-tax 2008
FLV Player 1.3.3
getPlus(R) for Adobe
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Update
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Age of Empires II
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.3)
MS Access 97 SP2
MSXML 4.0 SP2 (KB936181)
Nero 6 Ultra Edition
Paint.NET v3.36
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Shockwave
SimCity 3000 Unlimited
SPORE™
SUPERAntiSpyware Free Edition
The Sims Deluxe Edition
Theorica Divx ;-) Codecs (remove only)
TP-LINK Wireless Client Utility Installation Program
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
VideoLAN VLC media player 0.8.4a
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm
ZoneAlarm Spy Blocker

**evilfantasy** · #15 12th Oct 2008, 20:48

Looks good so far.

Some cleanup and then a final scan (hopefully)

-----

Download JavaRa

Unzip the file and open the JavaRa.exe
Click Remove Older Versions
JavaRa will search for and remove any outdated version of Java and remove any that are found.
Click Additional Tasks
Place a check next to Remove Useless JRE Files and click Go
Exit JavaRa
Delete the JavaRa files from the Desktop

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

Note that your system will run slower for a reboot or two after having used this tool so don't panic.

----------

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

Important: Restart the computer before continuing.

----------

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

davejess00 · #16 12th Oct 2008, 23:17

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3516 (20081012)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=57d65fe02797ae49bb2ece3b7dbf3627
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-13 06:08:40
# local_time=2008-10-13 05:08:40 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 3
# scanned=333864
# found=3
# scan_time=6282
C:\Program Files\Mozilla Firefox\plugins\NPZoneSB.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\Warcraft III\Patch and Cracks\BNetGatewayEditor.exe probably a variant of Win32/Spy.Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\ZoneAlarmSB\bar\1.bin\NPZONESB.DLL Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000

**evilfantasy** · #17 13th Oct 2008, 00:10

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.

Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.

----------

Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox 3.0.

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I would suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.