Infected with Spyware




#1
Old 8th Apr 2008, 18:17
New Member Group
Infected with Spyware

I've been infected with some kind of Spyware/Adware. I've followed several of the threads posted here which had a similar thing, but to no avail.

Adware: Changed my desktop to a message saying "Spyware threat has been detected, click here to run a full scan", also it keeps on popping up with a bubble in the corner telling me the same stuff.

I've tried downloading and running a bunch of programs:

SmitFraudFix
Combofix
ATF-Cleaner
CCleaner
SpyBotSearch&Destroy

But none of them seem to have fixed anything...

Please help!

I've attached a bunch of the most recent logs.

Green
Attached Files
File Type: txt hijackthis.txt (11.3 KB, 6 views)
File Type: txt ComboFix.txt (13.3 KB, 8 views)
File Type: txt rapport2.txt (2.1 KB, 3 views)
#2
Old 8th Apr 2008, 22:49
Moderator Group
Infected with Spyware

Welcome to CJ Greenhorn


Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
C:\WINDOWS\FLEOK

File::
C:\WINDOWS\didduid.ini
C:\WINDOWS\system32\wmsdkns.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze

----------

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)
  • O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
  • O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
  • O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
  • O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
  • O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
  • O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
  • O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
  • O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
  • O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
  • O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
  • O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
  • O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
  • O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
  • O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
  • O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
  • O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG <- Unless you need it to run at startup, which is typically not required.
Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.
  • Under the Main tab, put a check next to Select All.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Firefox browser:
    Click on Firefox at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  • If you use the Opera browser:
    Click on Opera at the top and put a check next to Select All.
    If you would like to keep your saved passwords, click No at the prompt.
    Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
Important: Restart the computer before continuing.

----------

Important: Uninstall the version of HijackThis you have. It is the old Beta version, and we need to have the new version, as well as renaming it to sniper.

First go HERE and do these steps in order.

Step Three - Malwarebytes' Anti-Malware (MBAM)
Step Four - Updating Java
Step Six - HijackThis

Now run a new Hijackthis scan and post the log along with the others.

----------

Next post please add
Combofix log
MBAM log
NEW Hijackthis log
__________________
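A worked example to go with the HijackThis step in the post above. It is added here and is not part of the original post, nor HijackThis's own logic: a small Python triage script that reads HijackThis-style O2/O4 lines and returns the two kinds of entry the moderator ticks, BHO CLSIDs that are still registered but have no DLL behind them, and Run values whose data names no executable at all. The sample lines are constructed: two of the CLSIDs are from the list above, while the "Example Helper" BHO with the {11111111-...} CLSID and its path are made up. The test in EXE_RE for "does this command reference an executable" is an assumption of this example.

```python
"""Triage HijackThis-style log lines: list the orphaned BHO CLSIDs and the Run
entries with no executable behind them, the two kinds of entry ticked above."""
import re

# Constructed excerpt in HijackThis log format. The two "(no file)" CLSIDs are
# quoted from the post; the remaining lines are illustrative and the
# {11111111-...} helper is made up, not a real component.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O4 - HKCU\\..\\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [CTHelper] CTHELPER.EXE
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - (?P<file>.*)$"
)
# O4 lines: "O4 - <hive\..\Run>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<value>[^\]]*)\]\s*(?P<cmd>.*)$")
# Assumption of this example: a command references an executable if it carries a
# path (drive letter or backslash) or names a program file; a bare switch such
# as "/L:ENG" does neither, so nothing actually runs from that value.
EXE_RE = re.compile(r"(?i)[A-Z]:\\|\\|\.(?:exe|com|dll|scr|bat|cmd)\b")


def parse_hjt(text):
    """Return one dict per recognised O2/O4 line; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pattern in (("O2", O2_RE), ("O4", O4_RE)):
            m = pattern.match(line)
            if m:
                entries.append({"kind": kind, "line": line, **m.groupdict()})
                break
    return entries


def orphaned_bhos(entries):
    """O2 entries whose CLSID is still registered as a BHO but whose DLL is gone.
    Nothing loads from them any more, but they are leftovers of whatever was
    installed, so HijackThis is told to remove the registration."""
    return [e for e in entries
            if e["kind"] == "O2" and e["file"].strip().lower() == "(no file)"]


def run_entries_without_exe(entries):
    """O4 Run values whose data contains no executable at all (e.g. just a switch)."""
    return [e for e in entries if e["kind"] == "O4" and not EXE_RE.search(e["cmd"])]


def fix_list(text):
    """The log lines to tick under 'Do a system scan only' before 'Fix checked'."""
    entries = parse_hjt(text)
    return [e["line"] for e in orphaned_bhos(entries) + run_entries_without_exe(entries)]


if __name__ == "__main__":
    for line in fix_list(SAMPLE_HJT_LOG):
        print(line)
```

Run it on a saved hijackthis.txt by reading the file into `fix_list`. The O4 hit is the same judgement call the moderator makes: an entry with no executable does nothing useful, so it can go unless you know why it is there.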

#3
Old 9th Apr 2008, 11:51
New Member Group
Infected with Spyware

Hey, thanks for the warm welcome and swift reply, also kudos to you for the advice!

I followed all your instructions like you said. After adding the script to ComboFix the virus seemed to disappear, but I followed the rest of the steps anyway to make sure.

I did a HijackThis scan, but the files you asked me to delete were no longer there, so I'm guessing ComboFix must have got rid of them.

I ran Malwarebytes as well, and it found some files which I had it delete.

Seems like it's all good now, no more background ad or bubble popups. I've attached the logs as requested. Had to compress 2 of them because they were over the filesize limit; compressed with WinRAR then renamed as .zip, hope that's OK.

Thanks again Evilfantasy.

ComboFix 08-04-08.7 - Ashton 2008-04-09 18:21:02.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.682 [GMT 1:00]
Running from: C:\Documents and Settings\Ashton\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ashton\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\didduid.ini
C:\WINDOWS\system32\wmsdkns.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\180search assistant
C:\Program Files\180search assistant\180sa.exe
C:\Program Files\180search assistant\sau.exe
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\default.htm
C:\WINDOWS\didduid.ini
C:\WINDOWS\FLEOK
C:\WINDOWS\FLEOK\180ax.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\TEMP\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 08:52 . 2008-04-09 08:52 <DIR> d-------- C:\Program Files\Sun
2008-04-09 08:36 . 2008-04-09 08:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 08:35 . 2008-04-09 08:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-09 08:35 . 2008-04-09 08:35 <DIR> d-------- C:\Documents and Settings\Ashton\Application Data\Malwarebytes
2008-04-09 08:35 . 2008-04-09 08:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-09 08:31 . 2008-04-09 08:31 <DIR> d-------- C:\Program Files\Common Files\Authentium
2008-04-09 08:31 . 2008-04-09 18:11 53,192 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2008-04-09 08:31 . 2007-04-19 11:36 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2008-04-09 08:30 . 2008-04-09 08:30 <DIR> d-------- C:\Program Files\Raxco
2008-04-09 08:30 . 2008-04-09 18:07 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-04-09 08:30 . 2008-04-09 08:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2008-04-09 08:28 . 2008-04-09 08:28 <DIR> d-------- C:\Documents and Settings\Ashton\Application Data\InstallShield
2008-04-09 08:25 . 2008-04-09 08:30 <DIR> d-------- C:\Program Files\Virgin Broadband
2008-04-09 01:42 . 2008-04-09 01:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-09 01:14 . 2008-04-09 01:14 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-09 01:13 . 2008-04-09 01:15 <DIR> d-------- C:\Program Files\CCleaner
2008-04-09 00:43 . 2008-04-09 01:52 3,314 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-09 00:42 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-09 00:42 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-09 00:42 . 2008-03-29 00:19 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-09 00:42 . 2008-04-08 22:44 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-09 00:42 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-09 00:42 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-09 00:42 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-09 00:01 . 2008-04-09 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-08 23:57 . 2008-04-08 23:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-08 23:57 . 2008-04-09 00:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 23:50 . 2008-04-08 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ALM
2008-04-08 23:47 . 2008-04-08 23:47 <DIR> d-------- C:\Program Files\Bonjour
2008-04-08 23:29 . 2008-04-08 23:29 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-08 22:42 . 2008-04-08 22:42 <DIR> d-------- C:\Program Files\PowerISO
2008-04-07 01:56 . 2008-04-07 01:56 1,110 --a------ C:\WINDOWS\mozver.dat
2008-04-01 22:42 . 2008-04-01 22:42 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-04-01 22:38 . 2008-04-01 22:38 <DIR> d-------- C:\Program Files\Stardock Games
2008-03-28 18:39 . 2008-03-28 18:39 <DIR> d-------- C:\Documents and Settings\Ashton\Application Data\dvdcss
2008-03-14 07:04 . 2008-03-14 07:04 46,652 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2008-03-13 23:07 . 2008-03-13 23:07 <DIR> d-------- C:\Program Files\Common Files\NSV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 07:54 --------- d-----w C:\Program Files\Java
2008-04-09 07:30 --------- d-----w C:\Program Files\CA
2008-04-09 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-04-09 07:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-09 01:58 --------- d-----w C:\Documents and Settings\Ashton\Application Data\Virgin Broadband
2008-04-08 22:47 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-26 20:59 --------- d-----w C:\Documents and Settings\Ashton\Application Data\ATI
2008-02-26 20:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-02-26 20:50 --------- d-----w C:\Program Files\ATI Technologies
2008-02-26 01:30 --------- d-----w C:\Program Files\Games-Masters.com
2008-02-25 09:39 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-02-25 09:19 --------- d-----w C:\Program Files\GameTribe
2008-02-24 03:18 --------- d-----w C:\Program Files\Temp.p
2008-02-23 22:31 --------- d-----w C:\Program Files\Common Files\DirectX
2008-02-23 22:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-23 21:42 --------- d-----w C:\Program Files\OGPlanet
2008-02-22 19:06 --------- d-----w C:\Documents and Settings\Ashton\Application Data\AdobeUM
2008-02-21 19:33 --------- d-----w C:\Program Files\Three Rings Design
2008-02-20 22:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2008-02-15 19:17 --------- d-----w C:\Program Files\Winamp
2008-02-15 18:00 --------- d-----w C:\Program Files\Hidden City Games
2008-02-15 16:55 --------- d-----w C:\Program Files\SealOnlineUSA
2008-02-13 21:44 --------- d-----w C:\Program Files\Funcom
2007-12-23 19:41 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2004-02-02 10:31 236,510 -c--a-w C:\Documents and Settings\Ashton\DIAG.EXE
2004-01-30 18:21 62,480 -c--a-w C:\Documents and Settings\Ashton\FETODI.COM
2004-01-09 14:28 51,356 -c--a-w C:\Documents and Settings\Ashton\FETND3.sys
2004-01-09 14:27 53,136 -c--a-w C:\Documents and Settings\Ashton\FETND4.sys
2004-01-09 14:24 40,960 -c--a-w C:\Documents and Settings\Ashton\FETND5A.sys
2004-01-09 14:23 42,496 -c--a-w C:\Documents and Settings\Ashton\FETND5B.sys
2003-11-27 15:01 57,344 -c--a-w C:\Documents and Settings\Ashton\winsetup.exe
2002-10-09 16:29 147,456 -c--a-w C:\Documents and Settings\Ashton\NTUTIL.DLL
2002-02-20 11:04 15,552 -c--a-w C:\Documents and Settings\Ashton\WINNDI.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-04-09_ 1.41.00.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-08 22:11:46 29,696 ----a-w C:\WINDOWS\apphelp32.dll
+ 2008-04-09 17:08:03 9,472 ----a-w C:\WINDOWS\apphelp32.dll
- 2008-04-08 22:11:46 14,592 ----a-w C:\WINDOWS\asferror32.dll
+ 2008-04-09 17:08:03 8,448 ----a-w C:\WINDOWS\asferror32.dll
- 2008-04-08 22:11:46 29,952 ----a-w C:\WINDOWS\asycfilt32.dll
+ 2008-04-09 17:08:03 12,800 ----a-w C:\WINDOWS\asycfilt32.dll
- 2008-04-08 22:11:46 20,480 ----a-w C:\WINDOWS\athprxy32.dll
+ 2008-04-09 17:08:03 18,432 ----a-w C:\WINDOWS\athprxy32.dll
- 2008-04-08 22:11:46 17,408 ----a-w C:\WINDOWS\ati2dvaa32.dll
+ 2008-04-09 17:08:03 16,896 ----a-w C:\WINDOWS\ati2dvaa32.dll
- 2008-04-08 22:11:46 10,752 ----a-w C:\WINDOWS\ati2dvag32.dll
+ 2008-04-09 17:08:03 20,480 ----a-w C:\WINDOWS\ati2dvag32.dll
- 2008-04-08 22:11:46 22,016 ----a-w C:\WINDOWS\audiosrv32.dll
+ 2008-04-09 17:08:03 10,496 ----a-w C:\WINDOWS\audiosrv32.dll
- 2008-04-08 22:11:47 22,272 ----a-w C:\WINDOWS\autodisc32.dll
+ 2008-04-09 17:08:03 30,464 ----a-w C:\WINDOWS\autodisc32.dll
- 2008-04-08 22:11:47 12,288 ----a-w C:\WINDOWS\avifile32.dll
+ 2008-04-09 17:08:04 25,856 ----a-w C:\WINDOWS\avifile32.dll
- 2008-04-08 22:11:47 27,392 ----a-w C:\WINDOWS\avisynthex32.dll
+ 2008-04-09 17:08:04 23,296 ----a-w C:\WINDOWS\avisynthex32.dll
- 2008-04-08 22:11:47 23,808 ----a-w C:\WINDOWS\aviwrap32.dll
+ 2008-04-09 17:08:04 11,776 ----a-w C:\WINDOWS\aviwrap32.dll
- 2008-04-08 22:11:47 17,920 ----a-w C:\WINDOWS\browserad.dll
+ 2008-04-09 17:08:04 18,944 ----a-w C:\WINDOWS\browserad.dll
- 2008-04-08 22:11:45 31,488 ----a-w C:\WINDOWS\changeurl_30.dll
+ 2008-04-09 17:08:03 29,696 ----a-w C:\WINDOWS\changeurl_30.dll
- 2007-10-10 15:36:22 10,134 ----a-r C:\WINDOWS\Installer\{05BCCF27-DC23-4ED9-87A2-F8D5B244B4C4}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:00 10,134 ----a-r C:\WINDOWS\Installer\{05BCCF27-DC23-4ED9-87A2-F8D5B244B4C4}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:18 26,582 ----a-r C:\WINDOWS\Installer\{212F5777-1190-4DEF-8E4D-6B2F313B45E7}\PerfectDisk.exe
+ 2008-04-09 07:30:56 26,582 ----a-r C:\WINDOWS\Installer\{212F5777-1190-4DEF-8E4D-6B2F313B45E7}\PerfectDisk.exe
- 2007-10-10 15:36:46 10,134 ----a-r C:\WINDOWS\Installer\{324D4909-7A7B-45CD-B199-E975DC108249}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:31 10,134 ----a-r C:\WINDOWS\Installer\{324D4909-7A7B-45CD-B199-E975DC108249}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:53 10,134 ----a-r C:\WINDOWS\Installer\{3A836186-46F8-4388-9830-820E35C02992}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:45 10,134 ----a-r C:\WINDOWS\Installer\{3A836186-46F8-4388-9830-820E35C02992}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:53 25,214 ----a-r C:\WINDOWS\Installer\{3A836186-46F8-4388-9830-820E35C02992}\Sm_En_DiagD_7C6BED816D7E4AD1AEAF5A1ADB6C8676.exe
+ 2008-04-09 07:31:45 25,214 ----a-r C:\WINDOWS\Installer\{3A836186-46F8-4388-9830-820E35C02992}\Sm_En_DiagD_7C6BED816D7E4AD1AEAF5A1ADB6C8676.exe
- 2007-10-10 15:36:52 10,134 ----a-r C:\WINDOWS\Installer\{3AFF4279-A590-4010-8C8A-3B096A220CFC}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:43 10,134 ----a-r C:\WINDOWS\Installer\{3AFF4279-A590-4010-8C8A-3B096A220CFC}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:59 10,134 ----a-r C:\WINDOWS\Installer\{3C441434-737C-4D54-8EAB-B409BE54E734}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:50 10,134 ----a-r C:\WINDOWS\Installer\{3C441434-737C-4D54-8EAB-B409BE54E734}\ARPPRODUCTICON.exe
- 2007-10-10 15:37:00 10,134 ----a-r C:\WINDOWS\Installer\{53C32728-D434-4143-9C9D-D73D68D00893}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:52 10,134 ----a-r C:\WINDOWS\Installer\{53C32728-D434-4143-9C9D-D73D68D00893}\ARPPRODUCTICON.exe
- 2007-10-10 15:37:02 10,134 ----a-r C:\WINDOWS\Installer\{5E7EBB6D-F44B-4D8B-9C52-F0F9173FD166}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:55 10,134 ----a-r C:\WINDOWS\Installer\{5E7EBB6D-F44B-4D8B-9C52-F0F9173FD166}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:48 10,134 ----a-r C:\WINDOWS\Installer\{6EA0ABC4-172B-48D4-AF26-93322D7FDE72}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:36 10,134 ----a-r C:\WINDOWS\Installer\{6EA0ABC4-172B-48D4-AF26-93322D7FDE72}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:50 10,134 ----a-r C:\WINDOWS\Installer\{A542D695-16D3-4F89-A6F1-091F009B8ABA}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:42 10,134 ----a-r C:\WINDOWS\Installer\{A542D695-16D3-4F89-A6F1-091F009B8ABA}\ARPPRODUCTICON.exe
- 2007-10-10 15:35:46 10,134 ----a-r C:\WINDOWS\Installer\{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}\ARPPRODUCTICON.exe
+ 2008-04-09 07:30:07 10,134 ----a-r C:\WINDOWS\Installer\{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}\ARPPRODUCTICON.exe
- 2007-10-10 15:35:46 25,214 ----a-r C:\WINDOWS\Installer\{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}\Desktop_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
+ 2008-04-09 07:30:07 25,214 ----a-r C:\WINDOWS\Installer\{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}\Desktop_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
- 2007-10-10 15:35:46 25,214 ----a-r C:\WINDOWS\Installer\{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}\Sm_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
+ 2008-04-09 07:30:07 25,214 ----a-r C:\WINDOWS\Installer\{AFE0D559-DAC2-4DF0-B432-4CBA15769AA9}\Sm_En_Rps_A64EE928C7A645A784CE59FBDBDD9D1B.exe
- 2007-10-10 15:36:49 10,134 ----a-r C:\WINDOWS\Installer\{B5C0FD16-3A5D-40D5-8B59-4B43279BB5D0}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:41 10,134 ----a-r C:\WINDOWS\Installer\{B5C0FD16-3A5D-40D5-8B59-4B43279BB5D0}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:57 10,134 ----a-r C:\WINDOWS\Installer\{C831972C-3834-4D9D-A095-8350B324AC3C}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:47 10,134 ----a-r C:\WINDOWS\Installer\{C831972C-3834-4D9D-A095-8350B324AC3C}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:07 10,134 ----a-r C:\WINDOWS\Installer\{D8AEA1D1-78FE-4CE1-9405-D7E55E797C4D}\ARPPRODUCTICON.exe
+ 2008-04-09 07:30:29 10,134 ----a-r C:\WINDOWS\Installer\{D8AEA1D1-78FE-4CE1-9405-D7E55E797C4D}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:11 10,134 ----a-r C:\WINDOWS\Installer\{DD1C392B-226D-42C9-B8E6-2A9BEF7583B4}\ARPPRODUCTICON.exe
+ 2008-04-09 07:30:50 10,134 ----a-r C:\WINDOWS\Installer\{DD1C392B-226D-42C9-B8E6-2A9BEF7583B4}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:32 10,134 ----a-r C:\WINDOWS\Installer\{ECBDDBD7-43CC-417C-B87A-943AFED8EB57}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:10 10,134 ----a-r C:\WINDOWS\Installer\{ECBDDBD7-43CC-417C-B87A-943AFED8EB57}\ARPPRODUCTICON.exe
- 2007-10-10 15:36:09 10,134 ----a-r C:\WINDOWS\Installer\{EE1D5780-AF29-4DC4-A107-3FD5F79AC63A}\ARPPRODUCTICON.exe
+ 2008-04-09 07:30:32 10,134 ----a-r C:\WINDOWS\Installer\{EE1D5780-AF29-4DC4-A107-3FD5F79AC63A}\ARPPRODUCTICON.exe
- 2007-10-10 15:37:01 10,134 ----a-r C:\WINDOWS\Installer\{FD2EC356-DB5E-40AE-907A-9A1D38F9396D}\ARPPRODUCTICON.exe
+ 2008-04-09 07:31:53 10,134 ----a-r C:\WINDOWS\Installer\{FD2EC356-DB5E-40AE-907A-9A1D38F9396D}\ARPPRODUCTICON.exe
- 1998-10-29 16:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
+ 1998-10-29 15:45:06 306,688 ----a-w C:\WINDOWS\IsUninst.exe
- 2008-04-08 22:11:49 14,080 ----a-w C:\WINDOWS\msa64chk.dll
+ 2008-04-09 17:08:06 11,776 ----a-w C:\WINDOWS\msa64chk.dll
- 2008-04-08 22:11:49 26,368 ----a-w C:\WINDOWS\msapasrc.dll
+ 2008-04-09 17:08:06 26,624 ----a-w C:\WINDOWS\msapasrc.dll
- 2008-04-08 22:11:48 25,344 ----a-w C:\WINDOWS\ntnut.exe
+ 2008-04-09 17:08:05 8,960 ----a-w C:\WINDOWS\ntnut.exe
- 2008-04-08 22:11:47 18,432 ----a-w C:\WINDOWS\shdocpe.dll
+ 2008-04-09 17:08:05 32,000 ----a-w C:\WINDOWS\shdocpe.dll
- 2008-04-08 22:11:48 21,504 ----a-w C:\WINDOWS\shdocpl.dll
+ 2008-04-09 17:08:05 27,904 ----a-w C:\WINDOWS\shdocpl.dll
- 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-24 22:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 00:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-24 23:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 01:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2008-04-08 22:11:50 9,984 ----a-w C:\WINDOWS\system32\MSNSA32.dll
+ 2008-04-09 17:08:07 14,336 ----a-w C:\WINDOWS\system32\MSNSA32.dll
- 2008-04-08 22:11:48 31,488 ----a-w C:\WINDOWS\system32\ntnut32.exe
+ 2008-04-09 17:08:05 28,928 ----a-w C:\WINDOWS\system32\ntnut32.exe
- 2008-04-08 22:11:48 21,760 ----a-w C:\WINDOWS\system32\shdocpe.dll
+ 2008-04-09 17:08:05 26,880 ----a-w C:\WINDOWS\system32\shdocpe.dll
- 2008-04-08 22:11:48 19,712 ----a-w C:\WINDOWS\system32\SIPSPI32.dll
+ 2008-04-09 17:08:06 30,720 ----a-w C:\WINDOWS\system32\SIPSPI32.dll
- 2008-04-08 22:11:47 12,800 ----a-w C:\WINDOWS\winsb.dll
+ 2008-04-09 17:08:04 18,432 ----a-w C:\WINDOWS\winsb.dll
- 2007-10-10 15:35:42 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-04-09 07:30:03 1,233,920 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
- 2007-10-10 15:35:42 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2008-04-09 07:30:03 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 14:09 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 23:45 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 08:56 11776 C:\WINDOWS\system32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35 335872]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 23:54 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-15 00:50 233472]
"workflow"="D:\installs\workflow.exe" [ ]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 14:10 310000]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 14:10 13552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe" [2007-09-05 14:09 61168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 09:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"msacm.ac3acm"= AC3ACM.acm
"msacm.scg726"= scg726.acm
"msacm.alf2cd"= alf2cd.acm
"vidc.dvsd"= mcdvd_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-08-29 16:09 171464 C:\Program Files\DAEMON Tools\daemon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15808:TCP"= 15808:TCP:BitComet 15808 TCP
"15808:UDP"= 15808:UDP:BitComet 15808 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 iadusb;GlobespanVirata USB IAD LAN Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2004-07-02 09:20]
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 08:56]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-03 19:15:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 18:26:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-09 18:31:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 17:31:47
ComboFix2.txt 2008-04-09 00:59:01
ComboFix3.txt 2008-04-09 00:41:25
Pre-Run: 12,340,674,560 bytes free
Post-Run: 12,324,302,848 bytes free
.
2008-03-22 04:20:29 --- E O F ---
Attached Files
File Type: txt mbam-log-4-9-2008 (19-09-24).txt (3.2 KB, 6 views)
File Type: zip ComboFix.zip (5.7 KB, 4 views)
File Type: zip hijackthis.zip (3.3 KB, 4 views)
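A worked example for reading a ComboFix log the way the moderator does in the next reply, rather than scrolling it by eye. This is added here and is not part of the original thread or of ComboFix: a Python script that pulls out the items in the log above that matter for security, the firewall switched off on the standard profile ("EnableFirewall"= 0), the ports opened to any source under GloballyOpenPorts, Run values and services whose bracket is empty because ComboFix found no file to stat, and the snapshot pairs showing files rewritten directly under C:\WINDOWS. The sample is a constructed excerpt modelled on the log above with some values trimmed; the "files changed directly under the Windows root" rule is a heuristic of this example, and the reading of the empty brackets as "no file found" is an assumption consistent with the log, not ComboFix documentation.

```python
"""Pull the security-relevant facts out of a ComboFix log: Windows Firewall state,
ports opened to any source, autostart values and services whose binary ComboFix
could not find, and files rewritten directly under the Windows folder."""
import re

# Constructed excerpt modelled on sections of the log above (lines trimmed,
# some values illustrative). A real log is far longer.
SAMPLE_CF_LOG = r"""
- 2008-04-08 22:11:46 29,696 ----a-w C:\WINDOWS\apphelp32.dll
+ 2008-04-09 17:08:03 9,472 ----a-w C:\WINDOWS\apphelp32.dll
- 2008-04-08 22:11:47 17,920 ----a-w C:\WINDOWS\browserad.dll
+ 2008-04-09 17:08:04 18,944 ----a-w C:\WINDOWS\browserad.dll
- 2007-09-24 22:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 00:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
-- Snapshot reset to current date --
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"workflow"="D:\installs\workflow.exe" [ ]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 14:10 310000]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15808:TCP"= 15808:TCP:BitComet 15808 TCP
"15808:UDP"= 15808:UDP:BitComet 15808 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
S3 iadusb;GlobespanVirata USB IAD LAN Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2004-07-02 09:20]
S3 XDva037;XDva037;C:\WINDOWS\system32\XDva037.sys []
"""

RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<info>[^\]]*)\]$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<desc>.*)$')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
SNAP_RE = re.compile(r'^(?P<sign>[-+]) (?P<date>\S+ \S+) (?P<size>[\d,]+) \S+ (?P<path>.+)$')


def in_windows_root(path):
    """True for a file sitting directly in the Windows folder (not in system32 etc.)."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[:2] == ["c:", "windows"]


def triage(text):
    f = {"firewall_enabled": None, "open_ports": [], "autostart_missing_binary": [],
         "services_missing_binary": [], "changed_in_windows_root": []}
    before = {}  # path -> size from the "-" side of the snapshot diff
    for raw in text.splitlines():
        line = raw.strip()
        if m := FW_RE.match(line):
            f["firewall_enabled"] = m["val"] != "0"
        elif m := PORT_RE.match(line):
            f["open_ports"].append((int(m["port"]), m["proto"], m["desc"].strip()))
        elif m := RUN_RE.match(line):
            # Assumption: the bracket holds the file's timestamp and size when
            # ComboFix could stat it; "[]" or "[ ]" means it found no such file.
            if not m["info"].strip():
                f["autostart_missing_binary"].append((m["name"], m["cmd"].strip()))
        elif m := SVC_RE.match(line):
            if not m["info"].strip():
                f["services_missing_binary"].append((m["name"], m["path"]))
        elif m := SNAP_RE.match(line):
            path, size = m["path"].strip(), int(m["size"].replace(",", ""))
            if m["sign"] == "-":
                before[path.lower()] = size
            elif in_windows_root(path):
                # Heuristic: genuine Windows components live in system32; a burst of
                # DLLs/EXEs rewritten directly under C:\WINDOWS is an adware footprint.
                f["changed_in_windows_root"].append((path, before.get(path.lower()), size, m["date"]))
    return f


def risk_notes(findings):
    """One plain-English line per finding, in the order a responder would act on them."""
    notes = []
    if findings["firewall_enabled"] is False:
        notes.append("Windows Firewall is disabled on the standard profile")
    for port, proto, desc in findings["open_ports"]:
        notes.append(f"inbound {proto} {port} is open to any source ({desc})")
    for name, cmd in findings["autostart_missing_binary"]:
        notes.append(f"autostart '{name}' points at nothing ComboFix could find: {cmd!r}")
    for name, path in findings["services_missing_binary"]:
        notes.append(f"service '{name}' is registered but its binary {path} is missing")
    for path, old, new, when in findings["changed_in_windows_root"]:
        notes.append(f"{path} rewritten at {when} ({old} -> {new} bytes)")
    return notes


if __name__ == "__main__":
    for note in risk_notes(triage(SAMPLE_CF_LOG)):
        print(note)
```

Feed a full ComboFix.txt to `triage` and every category maps onto something visible in the log above: the firewall is off, BitComet and the Blizzard downloader have inbound ports open to the world, the "SB Audigy 2 Startup Menu" and "workflow" Run values and the XDva037 driver have no file behind them, and a whole set of oddly named DLLs directly under C:\WINDOWS was rewritten in the same minute on 9 April.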
#4
Old 9th Apr 2008, 12:02
Moderator Group
Infected with Spyware

Looks good. Now run ATF Cleaner again to get rid of the malicious files in the temp folders.

I put the Combofix log into the post. I'm sure you can see this: WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! This is common and you can install the recovery console if you choose by following the directions HERE


Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.
Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt2
Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
  • Go to Start > Programs > Accessories > System Tools and click System Restore
  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Next go to Start > Run and type Cleanmgr
  • Click OK
  • Click the More Options Tab.
  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

Let me know if anything else comes up.
__________________

#5
Old 9th Apr 2008, 12:14
Moderator Group
Infected with Spyware

Almost forgot, you need to install some antivirus ASAP.

I recommend Avast. It's free and works very well. See HERE for more details on the new version.
__________________

Copyright ©2006 - 2009 Computer Juice.