
Registered · 100 Posts · Discussion Starter · #1
My internet provider sent me an email saying I have 1 more chance to remove all virus/worm infections. Also I get lots of pop-ups and virus warnings from the system tray.

- When I went to attach the file, my start bar and all icons disappeared :S but I had it copied and pasted, I hope you can help.

Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:09 PM, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\444.470
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\iftuyszv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\Creator\Remind_XP.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\regsrv.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\?racle\?serinit.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\iftuyszv.exe,
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzkt.exe] C:\WINDOWS\system32\kdzkt.exe
O4 - HKLM\..\Run: [BM03d0c566] Rundll32.exe "C:\WINDOWS\System32\beeocqjc.dll",s
O4 - HKLM\..\Run: [00e3f6fa] rundll32.exe "C:\WINDOWS\System32\miotqodc.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA4959] command /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8265] cmd /c del "C:\Program Files\NetProject\sbmntr.exe_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\RunOnce: [SpybotDeletingB4728] command /c del "C:\WINDOWS\system32\yayxwVNd.dll_old"
O4 - S-1-5-18 Startup: hpothb07.dat (User 'SYSTEM')
O4 - S-1-5-18 Startup: hpothb07.tif (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O17 - HKLM\System\CS3\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O22 - SharedTaskScheduler: delayingly - {e89fa8e9-5c0b-45f6-a70e-f7b177bcd193} - C:\WINDOWS\System32\rtmipr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe

--
End of file - 8956 bytes
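As an added example (not code from the post or from HijackThis itself), this Python helper applies the checks a reviewer of this log makes by eye: extra programs appended to the Userinit value, Run entries with machine-generated names or rundll32 loading a DLL with a one-letter export, policies that disable regedit or Task Manager, and services whose binary is missing or sits directly in the Windows folder under "Unknown owner". The sample input quotes lines from the log above, benign entries included as controls.

```python
"""Heuristic triage of HijackThis autostart entries.

Added example; it is not code from the forum post or from Trend Micro's
HijackThis. It parses F2, O4, O7 and O23 lines in HijackThis's own layout
and flags the patterns a malware-removal helper looks for first. The
findings are leads to verify, not verdicts.
"""
import re
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section, reason, offending log line)

# Lines quoted from the posted HijackThis log (benign entries as controls).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\iftuyszv.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzkt.exe] C:\WINDOWS\system32\kdzkt.exe
O4 - HKLM\..\Run: [BM03d0c566] Rundll32.exe "C:\WINDOWS\System32\beeocqjc.dll",s
O4 - HKLM\..\Run: [00e3f6fa] rundll32.exe "C:\WINDOWS\System32\miotqodc.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - C:\WINDOWS\444.470.exe (file missing)
O23 - Service: Plug and Play (RPC) (PlugPlayRPC) - Unknown owner - C:\WINDOWS\portsv.exe
"""

# On a stock Windows XP system only userinit.exe belongs in the Userinit value.
LEGIT_USERINIT = {"userinit.exe"}
RESTRICTION_POLICIES = ("DisableRegedit=1", "DisableTaskMgr=1")

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEXISH = re.compile(r"^(BM)?[0-9a-f]{8}$")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w*)', re.I)
SVC_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_userinit(line: str) -> List[Finding]:
    # F2 - REG:system.ini: UserInit=<prog>,<prog>,  (trailing comma is normal)
    _, _, value = line.partition("UserInit=")
    return [("F2", f"extra program appended to Userinit: {prog}", line)
            for prog in filter(None, (p.strip() for p in value.split(",")))
            if _basename(prog) not in LEGIT_USERINIT]


def check_policy(line: str) -> List[Finding]:
    # O7 lines are Policies\System values; these two lock the user out of
    # the tools needed to inspect or undo an infection.
    return [("O7", "policy disables a built-in admin tool", line)
            for p in RESTRICTION_POLICIES if line.endswith(p)]


def check_run(line: str) -> List[Finding]:
    m = RUN_RE.match(line)
    if not m:
        return []  # Startup-folder style O4 lines carry no [name] command pair
    name, cmd = m.group("name"), m.group("cmd")
    findings: List[Finding] = []
    if name.strip().lower() == cmd.strip().strip('"').lower():
        findings.append(("O4", "Run value named after its own path", line))
    if HEXISH.match(name):
        findings.append(("O4", "machine-generated Run value name", line))
    r = RUNDLL_RE.search(cmd)
    if r and len(r.group("export")) <= 1:
        findings.append(("O4", "rundll32 loads DLL via single-letter export", line))
    return findings


def check_service(line: str) -> List[Finding]:
    m = SVC_RE.match(line)
    if not m:
        return []
    vendor, path = m.group("vendor"), m.group("path")
    findings: List[Finding] = []
    if path.endswith("(file missing)"):
        findings.append(("O23", "service binary is missing", line))
        path = path[: -len("(file missing)")].strip()
    # Real services live under System32 or Program Files, not in %WINDIR% itself.
    parent = path.rsplit("\\", 1)[0].lower()
    if vendor == "Unknown owner" and parent == r"c:\windows":
        findings.append(("O23", "unknown-owner service runs from %WINDIR% root", line))
    return findings


CHECKS: Dict[str, Callable[[str], List[Finding]]] = {
    "F2": check_userinit, "O4": check_run, "O7": check_policy, "O23": check_service,
}


def triage(log: str) -> List[Finding]:
    """Run every section-specific check over a HijackThis log text."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        check = CHECKS.get(line.split(" - ", 1)[0])
        if check:
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```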
 

TSF Security Manager, Emeritus · 42,836 Posts
Well, hold on a second. You've picked up a lot more nasties since that first thread was posted. I'd like you to do the following:

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
 

TSF Security Manager, Emeritus · 42,836 Posts
You're welcome. It should only take about 20 minutes to complete. I should still be around.
 

Registered · 100 Posts
Okay, finally the scan completed, lol I thought it froze or something.

Okay, here is the Combo log:

ComboFix 08-06-16.2 - Owner 2008-06-16 21:35:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.175 [GMT -7:00]
Running from: C:\Documents and Settings\Owner.NICKELSTRASH\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\RACLE~1
C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\RACLE~1\?serinit.exe
C:\onoes.exe
C:\Program Files\cmapp
C:\Program Files\cmapp\Client\hf.txt
C:\Program Files\cmapp\Client\rf.txt
C:\Program Files\cmapp\Client\sf.txt
C:\Program Files\cmapp\Client\Uninstall.exe
C:\Program Files\Common Files\sembly~1
C:\Program Files\maxifiles
C:\Program Files\maxifiles\affid.dat
C:\Program Files\outlook
C:\Program Files\outlook\outlook.exe
C:\Program Files\outlook\p.zip
C:\Program Files\outlook\v.tmp
C:\Program Files\sembly~1
C:\Program Files\SoftwareOnline
C:\Program Files\SoftwareOnline\soproc.exe
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1187486433.old
C:\Program Files\WinBudget\bin\matrix.dll.1189143501.old
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\accesss.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\BM03d0c566.xml
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
C:\WINDOWS\editpad.exe
C:\WINDOWS\elitepop06.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\lfn.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\msupdater.config
C:\WINDOWS\msupdater.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\muotr.so
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\portsv.exe
C:\WINDOWS\ppatch~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\1039a
C:\WINDOWS\system32\158117
C:\WINDOWS\system32\158117\158117.dll
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\asks~1\?asks\
C:\WINDOWS\system32\awtutsQj.dll
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\beeocqjc.dll
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\mswinstall.exe
C:\WINDOWS\system32\Cache\txdesuf.exe
C:\WINDOWS\system32\cdoqtoim.ini
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\CsdDriver.sys
C:\WINDOWS\system32\cssrss.exe
C:\WINDOWS\system32\dhyhmlqp.dll
C:\WINDOWS\system32\dNVwxyay.ini
C:\WINDOWS\system32\dNVwxyay.ini2
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\drivers\drmkaudd.sys
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\eivhexxj.dll
C:\WINDOWS\system32\fnixvtte.dll
C:\WINDOWS\system32\fuxvnwmi.ini
C:\WINDOWS\system32\g9ZRQt.syz
C:\WINDOWS\system32\gmgen.dll
C:\WINDOWS\system32\graysrnb.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\ihPqrqss.ini
C:\WINDOWS\system32\ihPqrqss.ini2
C:\WINDOWS\system32\ijbgmpny.dll
C:\WINDOWS\system32\index.exe
C:\WINDOWS\system32\jvmbppxe.dll
C:\WINDOWS\system32\kdzkt.exe
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgi
C:\WINDOWS\system32\miotqodc.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\nklkodds.dll
C:\WINDOWS\system32\nyvjvvlt.ini
C:\WINDOWS\system32\OAa9fj.syz
C:\WINDOWS\system32\okyqjivf.ini
C:\WINDOWS\system32\owanywqt.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\Q0bGpC.syz
C:\WINDOWS\system32\rLM
C:\WINDOWS\system32\rLM\marbootx.exe
C:\WINDOWS\system32\rpvafwgq.ini
C:\WINDOWS\system32\scpgbjcr.dll
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~1\dexplore.exe
C:\WINDOWS\system32\ssqrqPhi.dll
C:\WINDOWS\system32\stk
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\tusnfsrj.dll
C:\WINDOWS\system32\tuvSkKCr.dll
C:\WINDOWS\system32\udksybrb.dll
C:\WINDOWS\system32\unkualri.dll
C:\WINDOWS\system32\upfgllgi.dll
C:\WINDOWS\system32\vhhtfesd.dll
C:\WINDOWS\system32\vkkvxprv.dll
C:\WINDOWS\system32\vktfwefx.dll
C:\WINDOWS\system32\VoB1Tw.syz
C:\WINDOWS\system32\vrpxvkkv.ini
C:\WINDOWS\system32\wfxxsrwk.dll
C:\WINDOWS\system32\winlogin.exe
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wintsvtr.exe
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\YbKloqss.ini
C:\WINDOWS\system32\YbKloqss.ini2
C:\WINDOWS\system32\ybnwsleu.dll
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\whcc-giant.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_DRMKAUDD
-------\Legacy_MSSECURITY1.209.4
-------\Legacy_NETWORK_MONITOR
-------\Service_drmkaudd
-------\Service_MsSecurity1.209.4
-------\Legacy_PlugPlayRPC
-------\Service_PlugPlayRPC


((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 20:43 . 2008-06-16 20:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-16 19:35 . 2008-06-16 21:34 24,051 --a------ C:\WINDOWS\msoupdater.config
2008-06-16 19:34 . 2008-06-16 19:34 118,784 --a------ C:\WINDOWS\system32\back.exe.exe
2008-06-16 19:34 . 2008-06-16 19:34 118,784 --a------ C:\WINDOWS\msoupdater.exe
2008-06-16 19:33 . 2008-06-16 19:33 109,056 --a------ C:\hw8gec.exe
2008-06-16 19:33 . 2008-06-16 19:33 21,104 --a------ C:\vyvn5l.exe
2008-06-14 09:38 . 2008-06-14 09:38 322,048 --a------ C:\WINDOWS\system32\ssqolKbY.dll_old
2008-06-13 21:17 . 2008-06-16 21:12 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-06-13 14:46 . 2008-06-16 21:21 <DIR> d-------- C:\WINDOWS\system32\5029
2008-06-13 14:06 . 2008-06-16 21:12 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-13 14:00 . 2008-06-13 14:00 62,464 --a------ C:\WINDOWS\system32\winsrc.dll.tmp
2008-06-13 13:54 . 2008-06-16 22:38 2,022 --a------ C:\WINDOWS\system32\default.htm
2008-06-13 13:42 . 2008-06-13 13:42 167,976 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2008-06-13 13:42 . 2008-06-13 13:42 90,073 --a------ C:\WINDOWS\system32\iftuyszv.exe
2008-06-13 13:41 . 2008-06-13 13:41 <DIR> d-------- C:\WINDOWS\system32\netrax01
2008-06-13 13:41 . 2008-06-13 13:42 <DIR> d-------- C:\temp\itmp4
2008-06-13 13:37 . 2008-06-13 13:37 109,056 --a------ C:\iqwen0.exe
2008-06-13 13:37 . 2008-06-13 13:37 20,928 --a------ C:\xay1vi.exe
2008-06-13 10:37 . 2008-06-13 10:37 <DIR> d-------- C:\Program Files\PSP Custom Firmware 3.80 M33
2008-06-13 09:49 . 2008-06-13 09:49 <DIR> d-------- C:\Program Files\uTorrent
2008-06-13 09:48 . 2008-06-13 13:50 <DIR> d-------- C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\uTorrent
2008-06-07 19:13 . 2008-06-07 19:13 32,768 --a------ C:\WINDOWS\system32\netrax01\netrax011065.exe
2008-05-17 11:08 . 2008-05-17 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 09:10 . 2008-06-16 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 09:07 . 2008-05-17 09:07 21,031,280 --a------ C:\aaw2007.exe
2008-05-17 07:14 . 2008-06-16 19:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 02:12 . 2008-05-17 02:12 719,128 --a------ C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\installer_en[1].exe
2008-05-17 00:56 . 2008-05-17 07:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 04:51 9,728 ----a-w C:\WINDOWS\iexplorer.exe
2008-06-17 04:32 --------- d-----w C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\U3
2008-06-17 03:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 03:11 --------- d-----w C:\Program Files\asys
2008-06-17 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 02:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 02:12 --------- d-----w C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\interMute
2008-06-14 02:51 --------- d-----w C:\Program Files\Norton AntiVirus
2008-06-13 16:47 272,349 -c--a-w C:\WINDOWS\system32\hta.vbs
2008-06-13 16:47 272,349 ----a-w C:\WINDOWS\system32\Israfel.vbs
2008-06-13 16:47 272,349 ----a-w C:\WINDOWS\system32\GEDZAC.vbs
2008-06-13 16:47 272,349 ----a-w C:\WINDOWS\system32\File.vbs
2008-06-12 16:28 --------- d-----w C:\Program Files\World of Warcraft
2008-05-17 14:57 --------- d-----w C:\Program Files\joystick networks
2008-05-16 18:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2007-01-27 23:22 237,568 -c--a-w C:\Program Files\Uninstall Morpheus Toolbar.dll
2007-01-26 00:10 1,443,213 -c--a-w C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\Install.dat
2005-07-26 16:17 587,067 -c--a-w C:\WINDOWS\system32\config\systemprofile\index.exe
2005-07-26 15:14 59,482 -c--a-w C:\WINDOWS\system32\config\systemprofile\loud.exe
2005-01-22 07:36 79,872 -csha-r C:\WINDOWS\system32\config\systemprofile\Application Data\wtta.exe
2004-10-26 23:17 148 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
1989-12-12 17:10 60,416 -csh--r C:\WINDOWS\bojgsvc.exe
2005-12-02 04:07 185,960 -csh--r C:\WINDOWS\i9ip2q.sys
1989-12-12 17:10 1,065,168 -csh--r C:\WINDOWS\omxkdwi.exe
2003-04-10 10:51 32 -csha-w C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
2006-11-17 17:16 712,724 --sh--w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\ekybv.dll
2006-12-10 04:49 834,006 -csh--w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak1
2006-12-11 06:19 838,766 -csh--w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak2
2006-12-11 17:19 786,378 -csh--w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.ini2
2005-12-02 05:01 232,017 --sha-r C:\WINDOWS\system32\07v.exe
2005-12-02 04:07 299,436 -csha-r C:\WINDOWS\system32\awot0vq.exe
2005-12-02 04:07 278,772 -csha-r C:\WINDOWS\system32\i9ip2q.sys
2006-01-30 14:20 405,504 -csha-r C:\WINDOWS\system32\w?wexec.exe
2005-12-02 04:07 423,534 -csha-r C:\WINDOWS\system32\zej30.dll
2003-04-10 10:51 32 -csha-w C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
2005-11-28 14:24 401,408 -csha-r C:\WINDOWS\system32\?vchost.exe
2005-01-22 07:36 79,872 -csha-r C:\WINDOWS\system32\config\systemprofile\Application Data\wtta.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 61,440 2003-02-12 02:02:48 C:\hp\KBD\bak\KBD.EXE
----a-w 38,924 2007-01-17 03:33:47 C:\hp\KBD\KBD.EXE

-c--a-w 50,688 2003-09-14 04:36:52 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 38,924 2007-01-17 03:33:47 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

-c--a-w 151,597 2003-04-10 10:50:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2007-01-21 10:36:21 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

-c--a-w 155,648 2003-02-13 15:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 38,924 2007-01-17 03:33:47 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

-c--a-w 59,072 2002-11-15 09:29:48 C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe
----a-w 38,924 2007-01-17 03:33:47 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

-c--a-w 184,800 2002-12-04 07:24:50 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe

-c--a-w 331,776 2003-03-18 08:50:36 C:\WINDOWS\CREATOR\bak\Remind_XP.exe
----a-w 38,924 2007-01-17 03:33:47 C:\WINDOWS\CREATOR\Remind_XP.exe

-c--a-w 212,992 2002-09-14 04:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

-c--a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 38,924 2007-01-17 03:33:47 C:\WINDOWS\system\hpsysdrv.exe

-c--a-w 114,688 2003-03-12 00:11:56 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 38,924 2007-01-17 03:33:47 C:\WINDOWS\system32\hkcmd.exe

-c--a-w 272,349 2007-01-16 03:48:03 C:\WINDOWS\system32\bak\Israfel.vbs
----a-w 272,349 2008-06-13 16:47:31 C:\WINDOWS\system32\Israfel.vbs

-c--a-w 272,349 2006-08-23 06:02:17 C:\WINDOWS\system32\bak\Kernel32.win
----a-w 38,924 2007-01-17 03:33:47 C:\WINDOWS\system32\Kernel32.win

-c--a-w 81,920 2002-08-01 02:28:38 C:\WINDOWS\system32\bak\ps2.exe
----a-w 38,924 2007-01-17 03:33:47 C:\WINDOWS\system32\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37A6047B-245D-4962-8408-17AF20837A64}]
C:\WINDOWS\System32\yayxwVNd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7299280E-0B4D-4A14-89BC-C836EC506585}]
C:\WINDOWS\System32\ssqolKbY.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notn"="C:\WINDOWS\System32\ASKS~1\attrib.exe" [ ]
"msoupdater"="C:\WINDOWS\msoupdater.exe" [2008-06-16 19:34 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-01-16 20:33 38924]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2007-01-16 20:33 38924]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2007-01-16 20:33 38924]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2007-01-16 20:33 38924]
"C:\WINDOWS\system32\kdzkt.exe"="C:\WINDOWS\system32\kdzkt.exe" [ ]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Owner.YOUR-SZ6X6SEFXO.000\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Guest.YOUR-SZ6X6SEFXO.000\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Owner.NICKELSTRASH\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2006-12-24 21:15:21 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-18 08:17:04 688128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\iftuyszv.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.NICKELSTRASH^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner.NICKELSTRASH\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
C:\Program Files\BearFlix\BearFlix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\WINDOWS\TEMP\668.tmp []
S3 Usbser5rapr;Usbser5rapr;C:\WINDOWS\System32\drivers\msfs.sys [2002-08-29 05:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 15:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-17 03:37:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1150774428.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-06-16 07:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2004-09-05 04:48:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-06-17 04:22:03 C:\WINDOWS\Tasks\WebReg 20060724212249.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20060724212249 /N
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 22:36:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\accesss.exe 10752 bytes
C:\WINDOWS\astctl32.ocx 15104 bytes
C:\WINDOWS\avpcc.dll 8960 bytes
C:\WINDOWS\loader.exe 28416 bytes
C:\WINDOWS\helpcvs.exe 18176 bytes
C:\WINDOWS\svchost32.exe 23040 bytes
C:\WINDOWS\svcinit.exe 25088 bytes
C:\WINDOWS\systeem.exe 23040 bytes
C:\WINDOWS\mtwirl32.dll 25856 bytes
C:\WINDOWS\notepad32.exe 19968 bytes

scan completed successfully
hidden files: 10

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]
"ImagePath"="\??\C:\WINDOWS\TEMP\668.tmp"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\iftuyszv.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2008-06-16 23:10:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 06:10:38

Pre-Run: 1,997,766,656 bytes free
Post-Run: 3,233,320,960 bytes free

445

***

Here is the new Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:55 PM, on 6/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\iftuyszv.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\msoupdater.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {37A6047B-245D-4962-8408-17AF20837A64} - C:\WINDOWS\System32\yayxwVNd.dll (file missing)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {7299280E-0B4D-4A14-89BC-C836EC506585} - C:\WINDOWS\System32\ssqolKbY.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzkt.exe] C:\WINDOWS\system32\kdzkt.exe
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\System32\ASKS~1\attrib.exe" -vt yazb
O4 - HKCU\..\Run: [msoupdater] C:\WINDOWS\msoupdater.exe
O4 - S-1-5-18 Startup: hpothb07.dat (User 'SYSTEM')
O4 - S-1-5-18 Startup: hpothb07.tif (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

--
End of file - 8871 bytes


Hijackthis - hijackthisnew.txt
ComboFix - log.txt

Thanks again.

TSF Security Manager, Emeritus
Kindly do not bump prior to 24 hours. We do volunteer in our spare time, and your system is terribly infected.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

1. Close any open browsers.

2. Close/disable all antivirus and antimalware programs so they do not interfere with the fixes below.

---------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {37A6047B-245D-4962-8408-17AF20837A64} - C:\WINDOWS\System32\yayxwVNd.dll (file missing)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {7299280E-0B4D-4A14-89BC-C836EC506585} - C:\WINDOWS\System32\ssqolKbY.dll (file missing)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzkt.exe] C:\WINDOWS\system32\kdzkt.exe
O4 - HKCU\..\Run: [Notn] "C:\WINDOWS\System32\ASKS~1\attrib.exe" -vt yazb
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: {535AC98D-C942-4C87-9275-09C9C43EF2C1} (xpreload.xpreloader) - ms-its:mhtml:file://c:\\nores.mht!http://adxbnet.net/code/chm/xpre.chm::/xpreload.ocx



Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:



Killall::

Collect::
C:\WINDOWS\msoupdater.config
C:\WINDOWS\msoupdater.exe
C:\hw8gec.exe
C:\vyvn5l.exe
C:\WINDOWS\system32\winsrc.dll.tmp
C:\WINDOWS\system32\default.htm
C:\WINDOWS\system32\iftuyszv.exe
C:\iqwen0.exe
C:\xay1vi.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\system32\hta.vbs
C:\WINDOWS\system32\Israfel.vbs
C:\WINDOWS\system32\config\systemprofile\index.exe
C:\WINDOWS\system32\config\systemprofile\loud.exe
C:\WINDOWS\bojgsvc.exe
C:\WINDOWS\i9ip2q.sys
C:\WINDOWS\omxkdwi.exe
C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
C:\WINDOWS\system32\07v.exe
C:\WINDOWS\system32\awot0vq.exe
C:\WINDOWS\system32\i9ip2q.sys
C:\WINDOWS\system32\zej30.dll
C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
c:\windows\system32\netrax01\netrax011065.exe
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\ekybv.dll
C:\WINDOWS\system32\Kernel32.win

AWF::
C:\hp\KBD\bak\KBD.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe
C:\WINDOWS\CREATOR\bak\Remind_XP.exe
C:\WINDOWS\system\bak\hpsysdrv.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\ps2.exe

File::
c:\windows\system32\back.exe.exe
c:\windows\system32\ssqolkby.dll_old
c:\windows\system32\jamster.ico
c:\windows\system32\zonealarmiconus.ico
c:\windows\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\config\systemprofile\index.exe
C:\WINDOWS\system32\config\systemprofile\loud.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\wtta.exe
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak1
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak2
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.ini2

Folder::
c:\windows\system32\netrax01
c:\temp\itmp4
c:\windows\system32\5029

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msoupdater"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]


Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
  • Simply follow the instructions to copy/paste/send the requested file.
---------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

----------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
New HijackThis log

Registered
Okay, here are the new HijackThis and ComboFix logs.

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:54:48 PM, on 6/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - S-1-5-18 Startup: hpothb07.dat (User 'SYSTEM')
O4 - S-1-5-18 Startup: hpothb07.tif (User 'SYSTEM')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg SchedulerV2.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.dat (User 'Default user')
O4 - .DEFAULT User Startup: hpothb07.tif (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{13DFF449-D573-4B04-99B5-E3BD5B1C64E7}: NameServer = 192.168.0.1,198.6.1.3
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)

--
End of file - 5987 bytes


*

ComboFix

ComboFix 08-06-16.2 - Owner 2008-06-17 11:36:49.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.234 [GMT -7:00]
Running from: C:\Documents and Settings\Owner.NICKELSTRASH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.NICKELSTRASH\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak1
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak2
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.ini2
c:\windows\system32\back.exe.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\wtta.exe
C:\WINDOWS\system32\config\systemprofile\index.exe
C:\WINDOWS\system32\config\systemprofile\loud.exe
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\Jamster.ico
c:\windows\system32\jamster.ico
c:\windows\system32\ssqolkby.dll_old
c:\windows\system32\ssqolKbY.dll_old
c:\windows\system32\zonealarmiconus.ico
c:\windows\system32\ZoneAlarmIconUS.ico
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\27662715.exe
C:\37963639.exe
C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\install.dat
C:\Documents and Settings\Owner.NICKELSTRASH\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\hw8gec.exe
C:\iqwen0.exe
c:\temp\itmp4
c:\temp\itmp4\mkbv4i.log
C:\vyvn5l.exe
C:\WINDOWS\{DA550BF1-5AE0-4007-B9B0-C9FF520E8090}.dat
C:\WINDOWS\ac3_0002.exe
C:\WINDOWS\ac3_0018.exe
C:\WINDOWS\accesss.exe
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\ekybv.dll
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak1
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.bak2
C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\vbyke.ini2
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\bojgsvc.exe
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctfmon32.exe
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\directx32.exe
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\editpad.exe
C:\WINDOWS\explore.exe
C:\WINDOWS\explorer32.exe
C:\WINDOWS\funniest.exe
C:\WINDOWS\funny.exe
C:\WINDOWS\gfmnaaa.dll
C:\WINDOWS\helpcvs.exe
C:\WINDOWS\i9ip2q.sys
C:\WINDOWS\iedll.exe
C:\WINDOWS\iexplorer.exe
C:\WINDOWS\inetinf.exe
C:\WINDOWS\internet.exe
C:\WINDOWS\loader.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\msoupdater.config
C:\WINDOWS\msoupdater.exe
C:\WINDOWS\msspi.dll
C:\WINDOWS\mssys.exe
C:\WINDOWS\msupdate.exe
C:\WINDOWS\mswsc10.dll
C:\WINDOWS\mswsc20.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\notepad32.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\omxkdwi.exe
C:\WINDOWS\qttasks.exe
C:\WINDOWS\quicken.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\rundll32.vbe
C:\WINDOWS\searchword.dll
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\svcinit.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\system32\{1BADA6CB-9766-4CB8-9EA3-38879756A4DF}.dat
C:\WINDOWS\system32\07v.exe
c:\windows\system32\5029
c:\windows\system32\5029\~!1593p.spt
C:\WINDOWS\system32\abrada.dat
C:\WINDOWS\system32\abrada.exe
C:\WINDOWS\system32\awot0vq.exe
c:\windows\system32\back.exe.exe
C:\WINDOWS\system32\config\systemprofile\Application Data\wtta.exe
C:\WINDOWS\system32\config\systemprofile\index.exe
C:\WINDOWS\system32\config\systemprofile\loud.exe
C:\WINDOWS\system32\default.htm
c:\windows\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\hta.vbs
C:\WINDOWS\system32\i9ip2q.sys
C:\WINDOWS\system32\iftuyszv.exe
C:\WINDOWS\system32\Israfel.vbs
c:\windows\system32\jamster.ico
C:\WINDOWS\system32\Kernel32.win
c:\windows\system32\netrax01
c:\windows\system32\netrax01\netrax011065.exe
c:\windows\system32\ssqolKbY.dll_old
C:\WINDOWS\system32\winsrc.dll.tmp
C:\WINDOWS\system32\zej30.dll
c:\windows\system32\zonealarmiconus.ico
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\time.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\x.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\xxxvideo.hta
C:\WINDOWS\y.exe
C:\xay1vi.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 20:43 . 2008-06-16 20:43 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-13 10:37 . 2008-06-13 10:37 <DIR> d-------- C:\Program Files\PSP Custom Firmware 3.80 M33
2008-06-13 09:49 . 2008-06-13 09:49 <DIR> d-------- C:\Program Files\uTorrent
2008-06-13 09:48 . 2008-06-13 13:50 <DIR> d-------- C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\uTorrent
2008-05-17 11:08 . 2008-05-17 11:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 09:10 . 2008-06-16 20:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 09:07 . 2008-05-17 09:07 21,031,280 --a------ C:\aaw2007.exe
2008-05-17 07:14 . 2008-06-16 19:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 02:12 . 2008-05-17 02:12 719,128 --a------ C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\installer_en[1].exe
2008-05-17 00:56 . 2008-05-17 07:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 18:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-17 04:32 --------- d-----w C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\U3
2008-06-17 03:42 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 03:11 --------- d-----w C:\Program Files\asys
2008-06-17 02:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 02:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-17 02:12 --------- d-----w C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\interMute
2008-06-14 02:51 --------- d-----w C:\Program Files\Norton AntiVirus
2008-06-12 16:28 --------- d-----w C:\Program Files\World of Warcraft
2008-05-17 14:57 --------- d-----w C:\Program Files\joystick networks
2008-04-29 18:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 18:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 18:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2007-01-27 23:22 237,568 -c--a-w C:\Program Files\Uninstall Morpheus Toolbar.dll
2004-10-26 23:17 148 -c-ha-w C:\Documents and Settings\All Users\hpothb07.dat
2006-01-30 14:20 405,504 -csha-r C:\WINDOWS\system32\w?wexec.exe
2005-11-28 14:24 401,408 -csha-r C:\WINDOWS\system32\?vchost.exe
.

((((((((((((((((((((((((((((( [email protected]_23.02.31.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 05:34:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 18:44:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\CREATOR\Remind_XP.exe
+ 2003-03-18 08:50:36 331,776 -c--a-w C:\WINDOWS\CREATOR\Remind_XP.exe
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 1998-05-07 23:04:38 52,736 -c--a-w C:\WINDOWS\system\hpsysdrv.exe
- 2008-06-17 05:34:34 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-17 18:44:32 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-17 05:34:34 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-17 18:44:32 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-06-17 05:34:34 49,152 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-17 18:44:32 49,152 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2003-03-12 00:11:56 114,688 -c--a-w C:\WINDOWS\system32\hkcmd.exe
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\system32\ps2.exe
+ 2002-08-01 02:28:38 81,920 -c--a-w C:\WINDOWS\system32\ps2.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 151,597 2003-04-10 10:50:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2007-01-21 10:36:21 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

-c--a-w 184,800 2002-12-04 07:24:50 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe

-c--a-w 212,992 2002-09-14 04:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

-c--a-w 272,349 2007-01-16 03:48:03 C:\WINDOWS\system32\bak\Israfel.vbs

-c--a-w 272,349 2006-08-23 06:02:17 C:\WINDOWS\system32\bak\Kernel32.win

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 08:01 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 19:28 81920]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 101136 C:\WINDOWS\KHALMNPR.Exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 19:02 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]

C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 07:11:14 27136]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Owner.YOUR-SZ6X6SEFXO.000\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Guest.YOUR-SZ6X6SEFXO.000\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Michael\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]
PowerReg Scheduler.exe [2004-12-23 10:49:45 256000]
PowerReg SchedulerV2.exe [2004-05-15 21:11:02 233472]

C:\Documents and Settings\Owner.NICKELSTRASH\Start Menu\Programs\Startup\
hpothb07.dat [2004-10-26 16:16:53 363]
hpothb07.tif [2004-10-26 16:16:53 0]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-07-18 08:17:04 688128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner.NICKELSTRASH^Start Menu^Programs^Startup^spamsubtract.lnk]
path=C:\Documents and Settings\Owner.NICKELSTRASH\Start Menu\Programs\Startup\spamsubtract.lnk
backup=C:\WINDOWS\pss\spamsubtract.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
C:\Program Files\BearFlix\BearFlix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
C:\Program Files\WildTangent\Apps\GameChannel.exe

S3 Usbser5rapr;Usbser5rapr;C:\WINDOWS\System32\drivers\msfs.sys [2002-08-29 05:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 15:12:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-17 03:37:00 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1150774428.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-06-16 07:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
"2004-09-05 04:48:56 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-06-17 04:22:03 C:\WINDOWS\Tasks\WebReg 20060724212249.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqwrg.exe[/TaskName 20060724212249 /N
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 11:45:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\SECRETMAKER\secretmaker.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-06-17 12:16:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 19:16:03
ComboFix2.txt 2008-06-17 06:10:44

Pre-Run: 11,490,271,232 bytes free
Post-Run: 11,470,237,696 bytes free

 

TSF Security Manager, Emeritus
**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • A browser will open.
Simply follow the instructions to copy/paste/send the requested file.
Were you able to submit that file? Is there a Submit_<date and time>.zip folder on your desktop?
 

TSF Security Manager, Emeritus
No need to re-run ComboFix yet. Please visit this site and follow the instructions for uploading the Submit_.zip that's still on your desktop. It would be greatly appreciated. :smile:
 

TSF Security Manager, Emeritus
I'm having difficulty finding your package. What is the exact name of the folder you submitted?
 

TSF Security Manager, Emeritus
File received now, thanks. :smile:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\system32\w?wexec.exe
C:\WINDOWS\system32\?vchost.exe

Folder::
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\WildTangent\Apps\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak

FileLook::
C:\Documents and Settings\Owner.NICKELSTRASH\Application Data\installer_en[1].exe

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
New HijackThis log
Update on system behavior
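Two things in the ComboFix log earlier in this thread feed directly into the CFScript above: the Folder:: entries are the four "bak" directories listed in the AWF section, and the "[email protected]" section records four executables that all had the same 38,924-byte size and the same write time before the run and were different, older files afterwards. As an added example, not part of this thread or of ComboFix, the following Python triage script parses those two sections (the sample text is copied from the posted log and embedded so it runs offline), flags the identical-size/identical-timestamp group as a file-replacement indicator, lists the files whose size changed between pre-run and post-run, and renders the bak directories as a CFScript Folder:: section. The function names and the output layout are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the "[email protected]" diff block and the "AWF" block
# copied from the ComboFix log posted earlier in this thread, embedded here so
# the script runs offline. Sizes keep ComboFix's comma-grouped notation.
SAMPLE_DIFF = r"""
- 2008-06-17 05:34:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-17 18:44:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\CREATOR\Remind_XP.exe
+ 2003-03-18 08:50:36 331,776 -c--a-w C:\WINDOWS\CREATOR\Remind_XP.exe
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 1998-05-07 23:04:38 52,736 -c--a-w C:\WINDOWS\system\hpsysdrv.exe
- 2008-06-17 05:34:34 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-17 18:44:32 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\system32\hkcmd.exe
+ 2003-03-12 00:11:56 114,688 -c--a-w C:\WINDOWS\system32\hkcmd.exe
- 2007-01-17 03:33:47 38,924 ----a-w C:\WINDOWS\system32\ps2.exe
+ 2002-08-01 02:28:38 81,920 -c--a-w C:\WINDOWS\system32\ps2.exe
"""

SAMPLE_AWF = r"""
-c--a-w 151,597 2003-04-10 10:50:52 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 185,896 2007-01-21 10:36:21 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
-c--a-w 184,800 2002-12-04 07:24:50 C:\Program Files\WildTangent\Apps\bak\GameChannel.exe
-c--a-w 212,992 2002-09-14 04:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
-c--a-w 272,349 2007-01-16 03:48:03 C:\WINDOWS\system32\bak\Israfel.vbs
-c--a-w 272,349 2006-08-23 06:02:17 C:\WINDOWS\system32\bak\Kernel32.win
"""

TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# "- <timestamp> <size> <attrs> <path>"  (pre-run "-" / post-run "+")
DIFF_RE = re.compile(rf"^([-+]) ({TIMESTAMP}) ([\d,]+) (\S+) (.+)$")
# "<attrs> <size> <timestamp> <path>"
AWF_RE = re.compile(rf"^(\S+) ([\d,]+) ({TIMESTAMP}) (.+)$")


def parse_diff(text):
    """Return (sign, timestamp, size_bytes, attrs, path) tuples from the diff block."""
    entries = []
    for line in text.splitlines():
        m = DIFF_RE.match(line.strip())
        if m:
            sign, ts, size, attrs, path = m.groups()
            entries.append((sign, ts, int(size.replace(",", "")), attrs, path))
    return entries


def parse_awf(text):
    """Return (attrs, size_bytes, timestamp, path) tuples from the AWF block."""
    entries = []
    for line in text.splitlines():
        m = AWF_RE.match(line.strip())
        if m:
            attrs, size, ts, path = m.groups()
            entries.append((attrs, int(size.replace(",", "")), ts, path))
    return entries


def uniform_replacements(entries, min_paths=2):
    """Group pre-run executables by (size, write time). Unrelated executables that
    share one exact size and one exact timestamp are a classic sign that each was
    overwritten by the same dropper; legitimate binaries rarely coincide this way."""
    groups = defaultdict(list)
    for sign, ts, size, _attrs, path in entries:
        if sign == "-" and path.lower().endswith(".exe"):
            groups[(size, ts)].append(path)
    return {key: paths for key, paths in groups.items() if len(paths) >= min_paths}


def restored_sizes(entries):
    """Map each path present both pre-run and post-run to (old_size, new_size)
    when the size changed, i.e. the file on disk was swapped during the run."""
    pre, post = {}, {}
    for sign, _ts, size, _attrs, path in entries:
        (pre if sign == "-" else post)[path] = size
    return {p: (pre[p], post[p]) for p in pre if p in post and pre[p] != post[p]}


def bak_folders(awf_entries):
    """Distinct directories named 'bak' seen in the AWF block, in log order."""
    folders = []
    for _attrs, _size, _ts, path in awf_entries:
        folder, _, _ = path.rpartition("\\")
        if folder.lower().endswith("\\bak") and folder not in folders:
            folders.append(folder)
    return folders


def cfscript_folder_section(folders):
    """Render folders as a CFScript 'Folder::' section (the layout used above)."""
    return "Folder::\n" + "\n".join(folders) + "\n"


def triage(diff_text=SAMPLE_DIFF, awf_text=SAMPLE_AWF):
    diff = parse_diff(diff_text)
    return {
        "uniform": uniform_replacements(diff),
        "restored": restored_sizes(diff),
        "bak_folders": bak_folders(parse_awf(awf_text)),
    }


if __name__ == "__main__":
    result = triage()
    for (size, ts), paths in result["uniform"].items():
        print(f"{len(paths)} executables all {size} bytes, written {ts}:")
        for p in paths:
            print("   ", p)
    for path, (old, new) in result["restored"].items():
        print(f"size changed during run: {path}: {old} -> {new} bytes")
    print(cfscript_folder_section(result["bak_folders"]))
```

Run on the sample, the script reports one group of four executables (Remind_XP.exe, hpsysdrv.exe, hkcmd.exe, ps2.exe) at 38,924 bytes with the 2007-01-17 03:33:47 timestamp, the same four as size-changed files, and the four bak directories that appear in the Folder:: section of the script above; the Update_OB\realsched.exe entry outside bak is ignored because its directory is not a bak folder.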
 

Registered
Discussion Starter · #19 ·
Okay, I am running that scan.

I don't know if this will help any but my Dad sent out an email yesterday (I asked him not to) and our internet provider sent the same email saying we were reported.

They said we have a "storm worm".
idk if that will help - I'll update with the documents once the scan is complete!
 

TSF Security Manager, Emeritus
When did he send the e-mail? Before, or after you ran the CFScript?
 