Help please!

Question

taylorjt4 0 Junior Poster in Training

16 Years Ago

Hi everyone!
My roomate used this computer to look at porn and now my desktop background is stuck and the screen has one of those warnings on it. Plus I get pop ups on my IE. Ive run sbybot, adaware, avg and it still shows up. Here is my HJT log to help get started. Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:36 AM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hijackthis\analyzethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ICQClient] "C:\Documents and Settings\Owner\Application Data\ICQ\rundll.exe" /icq
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8161 bytes

windows-virus

3 Contributors
15 Replies
158 Views
3 Days Discussion Span
Latest Post 16 Years Ago Latest Post by crunchie

All 15 Replies

Chaky 191 Posting Virtuoso

16 Years Ago

Hi. What you can do i use hijackthis and check in the running processes:

C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe

and

O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"

and click on "fix checked".

crunchie 990 Most Valuable Poster

16 Years Ago

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

crunchie 990 Most Valuable Poster

16 Years Ago

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

crunchie 990 Most Valuable Poster

16 Years Ago

Now I need to know why you ran combofix 9 times. I see nowhere in my instructions that request that.
I have no idea what might have been removed on the first run now.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

taylorjt4 0 Junior Poster in Training · Answer 1 · 2008-03-09T21:16:03+00:00

Ok, here is my text from the SmitFraudFix:
SmitFraudFix v2.300

Scan done at 11:11:46.17, Sun 03/09/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.15.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8141A549-9586-4FDC-943F-DC29F552364A}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CCS\Services\Tcpip\..\{FE9067B6-157C-45CD-B1A4-E89F73B970A4}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8141A549-9586-4FDC-943F-DC29F552364A}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\..\{FE9067B6-157C-45CD-B1A4-E89F73B970A4}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8141A549-9586-4FDC-943F-DC29F552364A}: DhcpNameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\..\{FE9067B6-157C-45CD-B1A4-E89F73B970A4}: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.15.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=208.67.220.220,208.67.222.222

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

taylorjt4 0 Junior Poster in Training · Answer 2 · 2008-03-09T21:23:25+00:00

Hi. What you can do i use hijackthis and check in the running processes:
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
and
O4 - HKLM\..\Run: [1029BB4B-16A9-4E77-AA3D-96930BD68EEC] "C:\WINDOWS\sysockeu.exe"
O4 - HKLM\..\Run: [852EBF20-A95D-4F1F-B9C2-B2CD24350F3E] "C:\WINDOWS\sysodkcs.exe"
O4 - HKLM\..\Run: [756349DC-6D9E-4F2A-9B24-269661F073C3] "C:\WINDOWS\sysoghcx.exe"
O4 - HKLM\..\Run: [2177F056-0AA6-4D6C-A944-13F71F341C29] "C:\WINDOWS\sysokuaw.exe"

and click on "fix checked".

Ok, I did this too and so far so good. Ill post again later and give an update.

taylorjt4 0 Junior Poster in Training · Answer 3 · 2008-03-10T06:12:50+00:00

Here is my combofix filelog and my hjt log.

ComboFix 08-03-09.1 - Owner 2008-03-09 20:04:42.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.280 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 11:11 . 2008-03-09 11:11 1,948 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-09 01:00 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\SYSTEM32\ztvunrar36.dll
2008-03-09 01:00 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\SYSTEM32\UNRAR3.dll
2008-03-09 01:00 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\SYSTEM32\ztvunace26.dll
2008-03-09 01:00 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\SYSTEM32\unacev2.dll
2008-03-09 01:00 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\SYSTEM32\ztvcabinet.dll
2008-03-08 18:26 . 2008-03-09 02:20 2,359,350 --a------ C:\WINDOWS\mywallpaper.bmp
2008-03-08 16:22 . 2008-03-08 16:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 16:22 . 2008-03-08 16:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-08 10:01 . 2008-03-08 10:01 <DIR> d-------- C:\VundoFix Backups
2008-03-08 04:22 . 2008-03-08 04:22 35,840 --------- C:\WINDOWS\sysockeu.exe
2008-03-08 04:22 . 2008-03-08 04:22 32,256 --a------ C:\WINDOWS\sysodkcs.exe
2008-03-08 04:22 . 2008-03-08 04:22 28,672 --a------ C:\WINDOWS\sysokuaw.exe
2008-03-08 04:22 . 2008-03-08 04:22 25,088 --a------ C:\WINDOWS\sysoghcx.exe
2008-03-08 04:22 . 2008-03-08 04:22 20,992 --a------ C:\WINDOWS\sysounrk.exe
2008-03-08 04:22 . 2008-03-08 04:22 3,072 --a------ C:\WINDOWS\ftebh.exe
2008-03-08 04:22 . 2008-03-08 04:22 1,855 --a------ C:\WINDOWS\config.ini
2008-03-08 04:22 . 2008-03-08 04:22 1,409 --a------ C:\WINDOWS\fbdzj.exe
2008-03-08 04:22 . 2008-03-08 04:22 1,272 --a------ C:\WINDOWS\fzmxg.dll
2008-03-08 00:41 . 2008-03-08 00:41 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICQ
2008-03-08 00:38 . 2008-03-08 00:38 <DIR> d-------- C:\Program Files\SB
2008-02-22 23:57 . 2008-02-22 23:57 <DIR> d-------- C:\Documents and Settings\Owner\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 05:14 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-08 21:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-02-25 16:06 --------- d-----w C:\Program Files\MUSICMATCH
2008-02-18 00:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-02-09 00:33 --------- d-----w C:\Program Files\Photo Viewer
2008-02-09 00:32 --------- d-----w C:\Program Files\MySpace
2008-01-15 01:26 --------- d-----w C:\Program Files\7-Zip
2007-02-02 15:48 28,672 -c--a-w C:\Documents and Settings\Owner\atwbxdet.dll
2006-06-10 10:57 1,775,221 -c--a-w C:\Program Files\NXSetup_multi.exe
2005-04-29 08:42 1,794 -c--a-w C:\Documents and Settings\Owner\Application Data\D - HL-DT-ST - RW-DVD GCC-4481B - C103.dat
2005-04-29 08:42 1,608 -c--a-w C:\Documents and Settings\Owner\Application Data\E - ELBY - DVD-ROM - 1.0.dat
2005-01-01 19:53 1,302,070 -c--a-w C:\Program Files\GrabIt151b.exe
2004-12-22 18:43 376,656 -c--a-w C:\Program Files\musicmatch_installer.exe
2004-12-20 04:25 4,039,438 -c--a-w C:\Program Files\dvdpro.zip
2004-12-15 02:10 590 -c--a-w C:\Program Files\FlipWords.ini
2004-12-14 05:45 4,354,751 -c--a-w C:\Program Files\FlipWordsSetup.exe
2004-12-05 18:06 487,544 -c--a-w C:\Program Files\msgr6suite.exe
2004-02-19 07:26 1,131,802 -c--a-w C:\Program Files\CUSTOMART.zip
.

((((((((((((((((((((((((((((( snapshot@2008-03-08_10.30.54.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2007-09-28 02:03:23 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-09 00:38:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2007-10-11 00:11:56 7,356,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-08 21:38:04 7,520,256 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-10-11 00:11:56 245,760 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-08 21:38:04 249,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-11-04 06:02:13 58,712 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
+ 2008-03-09 15:06:56 58,712 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
- 2007-11-04 06:02:13 392,604 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
+ 2008-03-09 15:06:56 392,604 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
- 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
- 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~3\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"ICQClient"="C:\Documents and Settings\Owner\Application Data\ICQ\rundll.exe" [2007-12-06 07:01 86016]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2004-01-28 16:48 180224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:56 53760 C:\WINDOWS\SYSTEM32\narrator.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^AOL Companion.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\AOL Companion.lnk
backup=C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2005-08-05 16:08 67160 C:\Program Files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-10-04 11:20 50528 C:\Program Files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 07:17 50776 C:\Program Files\America Online 9.0d\AOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a--c--- 2004-10-18 17:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLCC]
--a--c--- 2004-11-07 09:54 326232 C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra--c--- 2004-10-20 10:40 34904 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-01-15 17:14 147456 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2006-10-16 21:40 1197648 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A920]
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2003-08-06 02:04 114741 C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a--c--- 2004-11-03 17:03 125528 C:\Program Files\Common Files\AOL\1102310935\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 09:59 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 10:03 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-06-28 09:14 270648 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCFCATS]
--a------ 2005-07-20 13:47 73728 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a--c--- 2003-12-08 15:38 245760 c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a--c--- 2004-01-28 16:48 180224 C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mm_server]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_server.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a--c--- 2005-04-27 13:04 6856704 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 09:41 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-01-09 14:16 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scan Spyware]
C:\Program Files\ScanSpyware v3.6\Scanner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shareaza]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
C:\Program Files\TrojanHunter 4.2\THGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2007-01-09 14:16 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 13:19 15872 C:\Program Files\Unlocker\UnlockerAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 18:43 4670704 C:\PROGRA~1\Yahoo!\MESSEN~3\YAHOOM~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\You've Got Pictures Screensaver]
C:\Program Files\Common Files\AOL\Screensaver\ygpsstra.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 PAC207;Basic Webcam;C:\WINDOWS\system32\DRIVERS\pfc027.sys [2005-05-27 15:57]
S3 xlink;XLink Driver (xlink.sys);C:\WINDOWS\system32\Drivers\xlink.sys [2001-01-02 18:53]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\36287c26-6fe0-4d80-89df-1cb736ca253a]
C:\WINDOWS\system32\doxqaxo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\36287c26-6fe0-4d80-89df-1cb736ca253a]
C:\WINDOWS\system32\doxqaxo.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-09 15:23:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-10 00:09:00 C:\WINDOWS\Tasks\McAfee.com Update Check (JNE-Owner).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.ex
- C:\PROGRA~1\mcafee.com\agent
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 20:08:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 20:09:42
ComboFix-quarantined-files.txt 2008-03-10 00:09:21
ComboFix2.txt 2008-03-08 20:03:09
ComboFix3.txt 2008-03-08 15:31:18
ComboFix4.txt 2007-12-23 06:47:04
.
2008-02-13 05:23:29 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:10:55 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~3\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\analyzethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?.src=fp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~3\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ICQClient] "C:\Documents and Settings\Owner\Application Data\ICQ\rundll.exe" /icq
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{3CA52EF0-D32C-47CF-96E8-1B62FAD1A931}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8093 bytes

THanks
John

taylorjt4 0 Junior Poster in Training · Answer 4 · 2008-03-10T18:17:54+00:00

I do apologize that I left that out at the initial post that I did run combofix also. However I only ran it once then, but I have used it before when I had other issues where I used your help.

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 5 · 2008-03-11T01:59:05+00:00

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysokuaw.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysounrk.exe
C:\WINDOWS\ftebh.exe
C:\WINDOWS\fbdzj.exe
C:\WINDOWS\fzmxg.dll
C:\WINDOWS\system32\doxqaxo.exe

taylorjt4 0 Junior Poster in Training · Answer 6 · 2008-03-11T04:37:59+00:00

Here is what jotti found:

sysockeu.exe- tr/renos.35840 , trojan.fakealert-104, win32.trojan.downloader.fakealert.aq

sysodkcs.exe- spr/hoax.burner.h, trojan.fakealert-103, malware.32.renos.di, win21.trojandownloader.fakealert.aq

sysokuaw.exe- tr/renos.28672.106, trojan.fakealert-101, malware.w32.renos.di

sysoghcx.exe- spr/hoax.burner.g.jokeburner.g, trojan.fakealert.101

sysounrk.exe- adware.agent-1289, adware.w32.admoke.jl, win32/trojanclicker/delfnbb

ftebh.exe- nothing found

fbdzj.exe-nothing found

fzmxg.dll- nothing found

doxqaxo.exe- not found

Thanks
John

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 7 · 2008-03-11T14:32:04+00:00

1. Please open Notepad Click Start , then Run
Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysokuaw.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysounrk.exeNote: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter youre-enable all the programs that were disabled during the running of ComboFix:Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

taylorjt4 0 Junior Poster in Training · Answer 8 · 2008-03-12T01:13:52+00:00

Okay, here is my 2 log files:

ComboFix 08-03-10.1 - Owner 2008-03-11 14:59:26.10 - NTFSx86

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\WINDOWS\sysounrk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\sysockeu.exe
C:\WINDOWS\sysodkcs.exe
C:\WINDOWS\sysoghcx.exe
C:\WINDOWS\sysokuaw.exe
C:\WINDOWS\sysounrk.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-09 11:11 . 2008-03-09 11:11 1,948 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-03-09 01:00 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\SYSTEM32\ztvunrar36.dll
2008-03-09 01:00 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\SYSTEM32\UNRAR3.dll
2008-03-09 01:00 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\SYSTEM32\ztvunace26.dll
2008-03-09 01:00 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\SYSTEM32\unacev2.dll
2008-03-09 01:00 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\SYSTEM32\ztvcabinet.dll
2008-03-08 18:26 . 2008-03-09 02:20 2,359,350 --a------ C:\WINDOWS\mywallpaper.bmp
2008-03-08 16:22 . 2008-03-08 16:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 16:22 . 2008-03-08 16:46 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-03-08 10:01 . 2008-03-08 10:01 <DIR> d-------- C:\VundoFix Backups
2008-03-08 04:22 . 2008-03-08 04:22 3,072 --a------ C:\WINDOWS\ftebh.exe
2008-03-08 04:22 . 2008-03-08 04:22 1,855 --a------ C:\WINDOWS\config.ini
2008-03-08 04:22 . 2008-03-08 04:22 1,409 --a------ C:\WINDOWS\fbdzj.exe
2008-03-08 04:22 . 2008-03-08 04:22 1,272 --a------ C:\WINDOWS\fzmxg.dll
2008-03-08 00:41 . 2008-03-11 00:04 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICQ
2008-03-08 00:38 . 2008-03-08 00:38 <DIR> d-------- C:\Program Files\SB
2008-02-22 23:57 . 2008-02-22 23:57 <DIR> d-------- C:\Documents and Settings\Owner\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 05:14 --------- d---a-w C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2008-03-08 21:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-02-25 16:06 --------- d-----w C:\Program Files\MUSICMATCH
2008-02-18 00:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-02-09 00:33 --------- d-----w C:\Program Files\Photo Viewer
2008-02-09 00:32 --------- d-----w C:\Program Files\MySpace
2008-01-15 01:26 --------- d-----w C:\Program Files\7-Zip
2007-02-02 15:48 28,672 -c--a-w C:\Documents and Settings\Owner\atwbxdet.dll
2006-06-10 10:57 1,775,221 -c--a-w C:\Program Files\NXSetup_multi.exe
2005-04-29 08:42 1,794 -c--a-w C:\Documents and Settings\Owner\Application Data\D - HL-DT-ST - RW-DVD GCC-4481B - C103.dat
2005-04-29 08:42 1,608 -c--a-w C:\Documents and Settings\Owner\Application Data\E - ELBY - DVD-ROM - 1.0.dat
2005-01-01 19:53 1,302,070 -c--a-w C:\Program Files\GrabIt151b.exe
2004-12-22 18:43 376,656 -c--a-w C:\Program Files\musicmatch_installer.exe
2004-12-20 04:25 4,039,438 -c--a-w C:\Program Files\dvdpro.zip
2004-12-15 02:10 590 -c--a-w C:\Program Files\FlipWords.ini
2004-12-14 05:45 4,354,751 -c--a-w C:\Program Files\FlipWordsSetup.exe
2004-12-05 18:06 487,544 -c--a-w C:\Program Files\msgr6suite.exe
2004-02-19 07:26 1,131,802 -c--a-w C:\Program Files\CUSTOMART.zip
.

((((((((((((((((((((((((((((( snapshot@2008-03-08_10.30.54.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 13:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 12:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2007-09-28 02:03:23 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-09 00:38:20 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2007-10-11 00:11:56 7,356,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-03-08 21:38:04 7,520,256 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-10-11 00:11:56 245,760 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-08 21:38:04 249,856 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2000-08-31 13:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 12:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2007-11-04 06:02:13 58,712 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
+ 2008-03-09 15:06:56 58,712 ----a-w C:\WINDOWS\SYSTEM32\perfc009.dat
- 2007-11-04 06:02:13 392,604 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
+ 2008-03-09 15:06:56 392,604 ----a-w C:\WINDOWS\SYSTEM32\perfh009.dat
- 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2000-08-31 12:00:00 161,792 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
- 2000-08-31 13:00:00 136,704 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
+ 2000-08-31 12:00:00 136,704 ----a-w C:\WINDOWS\SYSTEM32\swsc.exe
- 2000-08-31 13:00:00 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
+ 2000-08-31 12:00:00 212,480 ----a-w C:\WINDOWS\SYSTEM32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~3\YAHOOM~1.exe" [2007-08-30 18:43 4670704]
"ICQClient"="C:\Documents and Settings\Owner\Application Data\ICQ\rundll.exe" [2007-12-06 07:01 86528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]