05-07-2008, 02:02 PM   #6
Danrick77
Registered User
 
Join Date: May 2008
Posts: 9
OS: XP SP2


Re: Antispyware-reviews.biz Adware

I am definitely having some problems with adware. I couldn't get a screenshot of it, but this is what happens. Every 15-30 minutes I get a pop-up screen that says "Security Alert - Your System may be infected" and it links me to this website: http://www.antispyware-review.biz/?w...mid=R3n1c2Bg8A

When I dragged and dropped the "CFScript" file onto ComboFix.exe I got a dialog box that said "Installation Failed" then ComboFix continued to run. Here are the logs:

ComboFix 08-05-01.3 - Daniel 2008-05-07 16:44:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.485 [GMT -4:00]
Running from: C:\Documents and Settings\Daniel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Daniel\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nwvohgxs.exe
C:\WINDOWS\system32\ovapkbgt.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\erotejex
C:\Documents and Settings\All Users\Application Data\erotejex\mhslgfix.exe
C:\WINDOWS\system32\nwvohgxs.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.

2008-05-06 20:31 . 2008-05-06 20:31 122,880 --a------ C:\WINDOWS\system32\fibaxqti.exe
2008-05-01 22:08 . 2008-05-01 22:08 <DIR> d-------- C:\ie-spyad_zo
2008-05-01 21:36 . 2008-05-01 21:36 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-01 21:36 . 2008-05-01 21:36 <DIR> d-------- C:\Program Files\Panda Security
2008-05-01 21:22 . 2008-05-01 21:22 <DIR> d-------- C:\VundoFix Backups
2008-05-01 21:11 . 2008-05-01 21:12 <DIR> d-------- C:\Program Files\SpyZooka
2008-05-01 21:11 . 2008-05-01 21:11 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-27 20:16 . 2008-04-27 20:27 3,564 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-27 16:36 . 2008-04-27 16:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 16:36 . 2008-04-27 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-27 14:46 . 2008-04-27 14:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 13:47 . 2008-04-27 13:45 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-27 13:47 . 2008-04-27 13:47 2,540 --a------ C:\WINDOWS\unins000.dat
2008-04-27 02:58 . 2008-04-29 22:38 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 02:58 . 2008-04-27 02:58 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 01:52 . 2008-04-27 01:52 <DIR> d-------- C:\Program Files\D-Link
2008-04-14 20:41 . 2008-04-14 20:41 <DIR> d-------- C:\WINDOWS\system32\LogFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-27 20:37 --------- d-----w C:\Program Files\Lavasoft
2008-04-27 20:37 --------- d-----w C:\Documents and Settings\Daniel\Application Data\Lavasoft
2008-04-27 20:11 --------- d-----w C:\Documents and Settings\Daniel\Application Data\Azureus
2008-04-27 18:46 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-27 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 17:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-27 17:42 --------- d-----w C:\Program Files\Azureus
2008-04-27 17:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-15 01:57 --------- d-----w C:\Program Files\AIM6
2008-03-15 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-15 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-04-28 21:08 692224]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-01-19 16:49 4670968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 21:33 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SpyZooka"="C:\Program Files\SpyZooka\SpyZookaLdr.exe" [2007-04-06 21:12 39656]
"mevehczz"="C:\WINDOWS\system32\fibaxqti.exe" [2008-05-06 20:31 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 08:05 16239616 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"EPSON Stylus C86 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.exe" [2003-11-25 07:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 19:57 282624]
"IntelliType"="C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 00:41 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 02:12 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 02:13 774168]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-07-22 07:47:22 151552]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 16:05:56 65588]
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link DWA-552 Xtreme N Desktop Adapter\wirelesscm.exe [2008-04-27 01:52:26 13357056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{D468BCE5-D18E-49A4-8EA7-34BD583659D5}"= C:\PROGRA~1\SpyZooka\spyguard.dll [2005-05-07 23:25 173568]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\NewTech Infosystems\\NTI DriveBackup! 3\\LiveUpdt.exe"=

R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-07-20 07:00]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\system32\Drivers\ousbehci.sys [2003-07-01 12:58]
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys []
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2003-07-01 12:58]
S3 PciCon;PciCon;D:\PciCon.sys []
S3 sky_bus;SKTT USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sky_bus.sys [2005-07-22 07:01]
S3 sky_mdfl;SKTT IMT-2000 Handset Filter;C:\WINDOWS\system32\DRIVERS\sky_mdfl.sys [2005-07-22 07:03]
S3 sky_mdm;SKTT IMT-2000 Handset Drivers;C:\WINDOWS\system32\DRIVERS\sky_mdm.sys [2005-07-22 07:03]
S3 sky_serd;SKTT IMT-2000 Handset Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\sky_serd.sys [2005-07-22 07:05]
S3 W8100PCI;D-Link AirPlus G Wireless Driver;C:\WINDOWS\system32\DRIVERS\MRV8K51.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 16:43:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-07 16:49:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-07 16:51:00
ComboFix-quarantined-files.txt 2008-05-07 20:50:53
ComboFix2.txt 2008-05-06 23:13:59

Pre-Run: 157,884,067,840 bytes free
Post-Run: 157,868,134,400 bytes free

135 --- E O F --- 2008-04-10 07:01:36
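Added example (not part of the original post, and not ComboFix's own code): a small Python triage script that reads the "Files Created" and "Reg Loading Points" sections of a ComboFix log like the one above and flags Run entries that fit the rotating-name dropper seen here, where the value name (mevehczz) and the file name (fibaxqti.exe) are both random lowercase strings and the file itself appears in the log's "Files Created" window. The "machine-generated name" rule (six or more lowercase letters, value name differing from the file name) and the use of the "Files Created" section as a recency signal are this example's own heuristics, not anything ComboFix does. The sample input is a constructed excerpt of the log posted above.

```python
"""Triage the autorun section of a ComboFix log (added example, not ComboFix code).

Flags Run entries whose value name AND file name look machine-generated, and/or
whose target is listed in the log's own 'Files Created' section. Both rules are
assumptions of this example, tuned to the rotating-name dropper in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: an excerpt of the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-04-07 to 2008-05-07 )))))))))))))))))))))))))))))))
.
2008-05-06 20:31 . 2008-05-06 20:31 122,880 --a------ C:\WINDOWS\system32\fibaxqti.exe
2008-05-01 21:36 . 2008-05-01 21:36 <DIR> d-------- C:\Program Files\Panda Security
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-25 21:33 68856]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
"mevehczz"="C:\WINDOWS\system32\fibaxqti.exe" [2008-05-06 20:31 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 08:05 16239616 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "name"="value" [YYYY-MM-DD HH:MM size (optional resolved path)]
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]+)"\s*\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r"(?P<size>\d+)(?: (?P<resolved>[^\]]+))?\]"
)
# created . modified size attrs path
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+?)\s*$"
)


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: list[str]


def split_sections(log: str) -> dict[str, list[str]]:
    """Group log lines under the '(((( Title ))))' banner that precedes them."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def looks_generated(token: str) -> bool:
    """Assumed rule: six or more lowercase letters and nothing else (mevehczz, fibaxqti)."""
    return re.fullmatch(r"[a-z]{6,}", token) is not None


def triage(log: str) -> list[Finding]:
    sections = split_sections(log)
    # Files ComboFix saw appear inside its 'Files Created' window, keyed by lowercased path.
    created: dict[str, str] = {}
    for title, lines in sections.items():
        if title.startswith("Files Created"):
            for line in lines:
                m = CREATED_RE.match(line)
                if m and m.group("size") != "<DIR>":
                    created[m.group("path").lower()] = m.group("created")

    findings: list[Finding] = []
    key = "?"
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # registry key the following values live under
            continue
        m = RUN_RE.match(line)
        if not m:
            continue  # services, firewall list and startup .lnk lines are not handled here
        path = m.group("resolved") or m.group("value")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if looks_generated(m.group("name")) and looks_generated(stem) and m.group("name") != stem:
            reasons.append("value name and file name both look machine-generated")
        if path.lower() in created:
            reasons.append(f"target file created {created[path.lower()]}, inside the log's 'Files Created' window")
        if reasons:
            findings.append(Finding(key, m.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.key}] {f.name} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run it against a full saved log with triage(open("ComboFix.txt").read()). On the excerpt above it reports only the mevehczz entry, with both reasons. The regexes deliberately cover just the quoted Run-style values; the ShellExecuteHooks GUID entry, the firewall AuthorizedApplications list, the startup-folder .lnk lines and the service lines are left to a human read of the log.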