Oops! I will obey from now on! Thank you for your patience. Here are the logs:
ComboFix 09-07-08.07 - Tom 07/09/2009 7:34.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3006.2482 [GMT -7:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix1.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
FILE ::
"c:\windows\bf23567.dat"
"c:\windows\jmmark2.dat"
"c:\windows\system32\kotafeka.dll.tmp"
"c:\windows\system32\tevaziva.dll.tmp"
"c:\windows\system32\zizatewa.dll.tmp"
"c:\windows\Tasks\MalwareRemovalBot Scheduled Scan.job"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\Tom\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Tom\Application Data\MalwareRemovalBot
c:\documents and settings\Tom\Application Data\MalwareRemovalBot\Log\2009 Jul 08 - 05_11_00 PM_125.log
c:\documents and settings\Tom\Application Data\MalwareRemovalBot\Settings\IgnoreList.stg
c:\documents and settings\Tom\Local Settings\temp\IadHide5.dll
c:\program files\MalwareRemovalBot
c:\program files\MalwareRemovalBot\DataBase.ref
c:\program files\MalwareRemovalBot\MalwareRemovalBot.exe
c:\program files\MalwareRemovalBot\MalwareRemovalBot.url
c:\program files\MalwareRemovalBot\vistaCPtasks.xml
c:\windows\bf23567.dat
c:\windows\jmmark2.dat
c:\windows\system32\kotafeka.dll.tmp
c:\windows\system32\tevaziva.dll.tmp
c:\windows\system32\zizatewa.dll.tmp
.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 00:33 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 15:02 . 2009-07-04 15:02 -------- d-----w- c:\program files\wildtangent
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\documents and settings\Tom\PrivacIE
2009-07-03 16:40 . 2009-07-03 16:40 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-03 16:39 . 2009-07-03 16:39 -------- d-sh--w- c:\documents and settings\Tom\IETldCache
2009-07-03 16:37 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-03 16:36 . 2009-07-03 16:36 -------- d-----w- c:\windows\ie8updates
2009-07-03 16:36 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 16:36 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 16:35 . 2009-07-03 16:36 -------- dc-h--w- c:\windows\ie8
2009-07-03 02:39 . 2009-07-05 02:39 -------- d-----w- c:\program files\drv
2009-06-20 01:27 . 2009-06-20 15:40 -------- d-----w- c:\program files\Free Photo Viewer
2009-06-20 01:25 . 2009-06-20 01:25 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\Forrest_Croce
2009-06-20 01:22 . 2009-06-20 01:26 -------- d-----w- c:\program files\exif
2009-06-13 15:47 . 2009-07-09 01:24 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\FLVService
2009-06-13 15:47 . 2009-06-13 15:47 -------- d-----w- c:\program files\AskBarDis
2009-06-13 15:46 . 2009-06-13 15:47 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-13 15:46 . 2009-06-13 15:46 -------- d-----w- c:\windows\Ask & Record Toolbar
2009-06-13 15:45 . 2009-06-13 15:46 7349744 ----a-w- c:\program files\FLV PlayerATBSetup.exe
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\program files\FLV Player
2009-06-13 15:45 . 2009-06-13 15:45 -------- d-----w- c:\windows\Applian FLV Player
2009-06-13 14:32 . 2009-06-13 14:32 152576 ----a-w- c:\documents and settings\Tom\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 00:28 . 2008-12-14 17:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 00:28 . 2008-12-14 17:54 -------- d-----w- c:\program files\SpywareBlaster
2009-06-13 14:33 . 2005-11-22 14:50 -------- d-----w- c:\program files\Java
2009-05-21 18:33 . 2008-12-14 17:33 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 05:15 . 2004-08-10 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:08 . 2009-05-10 15:09 -------- d-----w- c:\program files\AntToolbar
2009-05-07 15:32 . 2004-08-10 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-03 14:02 . 2008-09-28 14:15 436 ----a-w- c:\documents and settings\Tom\Application Data\wklnhst.dat
2009-04-17 12:26 . 2004-08-10 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-08-23 17:34 . 2008-08-23 17:34 382352 ----a-w- c:\program files\jre-6u7-windows-i586-p-iftw.exe
2008-08-23 16:44 . 2008-08-23 16:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-08-17 15:55 . 2008-08-17 15:55 812344 ----a-w- c:\program files\HJTInstall.exe
2006-03-19 23:40 . 2006-03-20 00:40 22 --sha-w- c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-09_00.36.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-09 14:43 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 73728 c:\windows\temp\sophos_autoupdate1.dir\xmltok.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 57344 c:\windows\temp\sophos_autoupdate1.dir\xmlparse.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 14336 c:\windows\temp\sophos_autoupdate1.dir\xmlcpp.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 18432 c:\windows\temp\sophos_autoupdate1.dir\SharedRes.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 20480 c:\windows\temp\sophos_autoupdate1.dir\crypto.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 45056 c:\windows\temp\sophos_autoupdate1.dir\boost_date_time-vc71-mt-1_32.dll
+ 2009-07-09 14:43 . 2009-07-09 14:43 16384 c:\windows\temp\Perflib_Perfdata_b80.dat
+ 2009-07-09 14:43 . 2009-07-09 14:43 16384 c:\windows\temp\Perflib_Perfdata_630.dat
- 2009-07-09 00:34 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
+ 2009-07-09 14:43 . 2009-06-11 08:39 2970 c:\windows\temp\sophos_autoupdate1.dir\scf.dat
- 2009-07-09 00:34 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
+ 2009-07-09 14:43 . 2008-12-24 11:33 208896 c:\windows\temp\sophos_autoupdate1.dir\retailer.dll
- 2009-07-09 00:34 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
+ 2009-07-09 14:43 . 2008-07-22 18:48 348160 c:\windows\temp\sophos_autoupdate1.dir\MSVCR71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
+ 2009-07-09 14:43 . 2008-07-22 18:48 499712 c:\windows\temp\sophos_autoupdate1.dir\MSVCP71.DLL
- 2009-07-09 00:34 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
+ 2009-07-09 14:43 . 2008-07-22 18:48 745472 c:\windows\temp\sophos_autoupdate1.dir\libeay32.dll
- 2009-07-09 00:34 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-09 14:43 . 2008-12-23 19:47 159744 c:\windows\temp\sophos_autoupdate1.dir\libcurl.dll
+ 2009-07-09 14:43 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2008-12-24 11:34 176128 c:\windows\temp\sophos_autoupdate1.dir\CidSync.dll
- 2009-07-09 00:34 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-07-09 14:43 . 2009-06-11 08:36 172032 c:\windows\temp\sophos_autoupdate1.dir\ChannelUpdater.dll
+ 2009-07-09 14:43 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
- 2009-07-09 00:34 . 2009-06-11 08:37 663552 c:\windows\temp\sophos_autoupdate1.dir\ALUpdate.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-11 21:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-05 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-09-27 1060864]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-09-27 61440]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"CirqueGesture"="c:\program files\Touchpad\Gesture.exe" [2005-10-03 123904]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"Glide"="glidew32.exe" - c:\windows\system32\glidew32.exe [2005-10-03 81920]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-22 27136]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
Updates from HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2005-11-22 36903]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\WINDOWS\\arpwrmsg.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\Program Files\\Touchpad\\Gesture.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\WINDOWS\\system32\\glidew32.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [9/30/2008 3:36 AM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [9/30/2008 3:36 AM 38528]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/7/2009 8:12 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [9/30/2008 3:36 AM 98304]
R3 glidesvc;GlidePoint Mouseclass Service;c:\windows\system32\drivers\glidesvc.sys [10/3/2005 1:06 AM 38183]
R3 gpmoups2;GlidePoint PS2 Touchpad Service;c:\windows\system32\drivers\gpmoups2.sys [10/3/2005 1:06 AM 14063]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [9/30/2008 3:36 AM 14976]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-06-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2008-11-26 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 03:23]
2009-07-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009Core.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]
2009-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2485643383-4133149871-2139128564-1009UA.job
- c:\documents and settings\Tom\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-01 02:02]
2009-07-09 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
2007-09-25 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-08-02 16:20]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.yahoo.com/uDefault_Search_URL =
hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopuSearchMigratedDefaultURL =
hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar =
hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopuSearchURL,(Default) =
hxxp://www.google.com/search?q=%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-07-09 07:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1676)
c:\windows\system32\WININET.dll
c:\documents and settings\Tom\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-07-09 7:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 14:47
ComboFix2.txt 2009-07-09 03:06
ComboFix3.txt 2009-07-09 00:39
Pre-Run: 195,938,111,488 bytes free
Post-Run: 195,896,344,576 bytes free
274 --- E O F --- 2009-07-03 16:37
Malwarebytes' Anti-Malware 1.38
Database version: 2398
Windows 5.1.2600 Service Pack 3
7/9/2009 8:39:55 AM
mbam-log-2009-07-09 (08-39-55).txt
Scan type: Full Scan (C:\|D:\|K:\|)
Objects scanned: 287078
Time elapsed: 41 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 23
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e6ce2825-3f5f-4390-b9fd-13b68cf295f9} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\50e90ec4ec063d44bb935a0d02415732 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRVDRV (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\program files\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\c:\documents and settings\all users\start menu\programs\malwareremovalbot\ (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
c:\documents and settings\All Users\Start Menu\Programs\MalwareRemovalBot (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
Files Infected:
c:\program files\drv\drv.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Tom\my documents\downloads\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-08-13-19\0.qit.vir (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-08-13-19\1.qit.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-08-59-53\0.qit.vir (Worm.Koobface) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Tom\application data\malwareremovalbot\quarantine\04-07-2009-16-10-12\0.qit.vir (Worm.Koobface) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACktnodrujgavfqakgy.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACrqoyoapxesfqhuqlr.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACtukcloteajanrodyl.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\UACudinyfoymvmtbaiqm.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\UACxehilxwboetqlrsth.sys.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066625.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066626.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066627.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066628.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP232\A0066629.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP201\A0054191.dll (Adware.BHO) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot on the Web.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Programs\malwareremovalbot\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\Desktop\MalwareRemovalBot.lnk (Rogue.MalwareRemovalBot) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Antivirus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\all users\start menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:22 AM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Touchpad\Gesture.exe
C:\WINDOWS\system32\glidew32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\DISC\DiscGui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktopR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdateMgr.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CirqueGesture] C:\Program Files\Touchpad\Gesture.exe
O4 - HKLM\..\Run: [Glide] glidew32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ask and Record FLV Service] "C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe" /run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Google Search -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -
res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://www.update.microsoft.com/microso ... 2556477203O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftup ... 2556525015O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
--
End of file - 10257 bytes