Please help me out...

Question

At first i was just getting the popups that have the infection warnings and what not and just while I was about to post this 67 Error 404 windows came up. Heres my log.   Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:00:00 PM, on 6/20/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeC:\WINDOWS\system32\afinding.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeC:\WINDOWS\Explorer.EXEc:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\PROGRA~1\McAfee\MPS\mps.exeC:\WINDOWS\system32\perfs.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSc:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32outing.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\wserving.exeC:\Program Files\Lexmark 2400 Series\ezprint.exeC:\Program Files\Java\jre1.5.0_10\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\McAfee\MBK\McAfeeDataBackup.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\Rundll32.exeC:\Program Files\McAfee\MPS\mpsevh.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\lxcrcoms.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLF2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system\svchost.exeO3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO4 - HKLM\..\Run: [EzPrint] 'C:\Program Files\Lexmark 2400 Series\ezprint.exe'O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exeO4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exeO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O4 - HKLM\..\Run: [BM27a1b3a5] Rundll32.exe 'C:\WINDOWS\system32\uhqaaeun.dll',sO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cabO16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://193.69.140.40/activex/AMC.cabO16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cabO23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeO23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exeO23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeO23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exeO23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exeO23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32outing.exeO23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe --End of file - 8834 bytes Any help would be greatly apprecitated.

shockwave210 · Answer

*No i've only posted it here. *I've removed the cracked software already. *I removed limewire and morpheus. *Yes i have authority. *No I haven't fixed entries yet.   Hope this helps.

Bugbatter · Answer

Thanks for the info. We are ready to begin.

Please download Malwarebytes' Anti-Malware from Here or Here

Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. :(see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Please include a fresh HijackThis log as well.
Notes:

**If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Bugbatter · Answer

Welcome. Thank you for using Dell Community Forums.
I am reviewing your log.
In the meantime, you can help me by doing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer.
The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. If you have music files in those programs' folders that you want to save, please move those music files to another directory.
A list of P2P's is here: http://www.castlecops.com/t204179-P2P_programs_we_ask_that_you_remove_first.html

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

* During the course of our cleanup please do not do any online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HijackThis log at the top of this board to start a new forum topic.

shockwave210 · Answer

Heres the Hijack log: Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:30:10 PM, on 6/20/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeC:\WINDOWS\system32\afinding.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\PROGRA~1\McAfee\MPS\mps.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\wserving.exeC:\WINDOWS\Explorer.EXEC:\Program Files\McAfee\MPS\mpsevh.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\Lexmark 2400 Series\ezprint.exeC:\Program Files\Java\jre1.5.0_10\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\McAfee\MBK\McAfeeDataBackup.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\lxcrcoms.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {0F660F64-F4C9-477F-8529-44181B717472} - (no file)O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dllO2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO4 - HKLM\..\Run: [EzPrint] 'C:\Program Files\Lexmark 2400 Series\ezprint.exe'O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exeO4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exeO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cabO16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://193.69.140.40/activex/AMC.cabO16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cabO20 - Winlogon Notify: gebcdde - gebcdde.dll (file missing)O20 - Winlogon Notify: ljJAPgHb - ljJAPgHb.dll (file missing)O20 - Winlogon Notify: pmnmkHxY - pmnmkHxY.dll (file missing)O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeO23 - Service: AFinding Service (AFinding) - Unknown owner - C:\WINDOWS\system32\afinding.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exeO23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeO23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exeO23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSO23 - Service: WServing Service (WServing) - Unknown owner - C:\WINDOWS\system32\wserving.exe --End of file - 9440 bytes

shockwave210 · Answer

Alrighty, that seemed to remove alot of files with "Vundo" in the file name. Heres the log:

Malwarebytes' Anti-Malware 1.18
Database version: 873

6:23:12 PM 6/20/2008
mbam-log-6-20-2008 (18-23-12).txt

Scan type: Quick Scan
Objects scanned: 64946
Time elapsed: 30 minute(s), 0 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 22
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 3
Files Infected: 36

Memory Processes Infected:
C:\WINDOWS\system32\routing.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\perfs.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\khfefEWO.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\coihxifl.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4a473982-845a-46fd-8759-593acaaa835a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{4a473982-845a-46fd-8759-593acaaa835a} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b7fef1a8-d67f-4a72-aa79-a6bfdc78c697} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b7fef1a8-d67f-4a72-aa79-a6bfdc78c697} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\routing (Trojan.Agent) -> Quarantined and deleted successfully.

Ill post the hijack log in another reply.

Bugbatter · Answer

So far so good, but you still have Rootkit.Gen in there.

Please print these instructions and refer to them for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

C:\ComboFix.txt
New HijackThis log.

Note: The above instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.

shockwave210 · Answer

AT log:  Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:30:39 PM, on 6/20/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\PROGRA~1\McAfee\MPS\mps.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\lxcrcoms.exeC:\WINDOWS\Explorer.EXEC:\Program Files\McAfee\MPS\mpsevh.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lexmark 2400 Series\ezprint.exeC:\Program Files\Java\jre1.5.0_10\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\McAfee\MBK\McAfeeDataBackup.exeC:\Program Files\iTunes\iTunesHelper.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dllO2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO4 - HKLM\..\Run: [EzPrint] 'C:\Program Files\Lexmark 2400 Series\ezprint.exe'O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exeO4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exeO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cabO16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://193.69.140.40/activex/AMC.cabO16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cabO20 - Winlogon Notify: gebcdde - gebcdde.dll (file missing)O20 - Winlogon Notify: ljJAPgHb - ljJAPgHb.dll (file missing)O20 - Winlogon Notify: pmnmkHxY - pmnmkHxY.dll (file missing)O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exeO23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeO23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exeO23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --End of file - 9451 bytes

shockwave210 · Answer

ComboFix 08-06-20.4 - Spencer 2008-06-20 22:05:37.1 - NTFSx86Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.542 [GMT -7:00]Running from: C:\Documents and Settings\Spencer\Desktop\ComboFix.exeCommand switches used :: C:\Documents and Settings\Spencer\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe * Created a new restore point * Resident AV is active . (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))). C:\Program Files\internet explorer\keygen.exeC:\Program Files\outlookC:\WINDOWS\BM27a1b3a5.xmlC:\WINDOWS\Downloaded Program Files\setup.infC:\WINDOWS\pskt.iniC:\WINDOWS\system\_sv_CMD_C:\WINDOWS\system32\afinding.exeC:\WINDOWS\system32\coihxifl.dllC:\WINDOWS\system32\comsa32.sysC:\WINDOWS\system32\dmhuncxq.dllC:\WINDOWS\system32\drivers
pf.sysC:\WINDOWS\system32\fbghnwpv.iniC:\WINDOWS\system32\hgjlm.bak1C:\WINDOWS\system32\hgjlm.bak2C:\WINDOWS\system32\hgjlm.iniC:\WINDOWS\system32\hpimkync.iniC:\WINDOWS\system32\khfefEWO.dllC:\WINDOWS\system32\mcrh.tmpC:\WINDOWS\system32\OWEfefhk.iniC:\WINDOWS\system32\packet.dllC:\WINDOWS\system32\phkhxcle.iniC:\WINDOWS\system32\qpyfjdob.iniC:\WINDOWS\system32\seuhuusb.iniC:\WINDOWS\system32\sjdxnmjo.iniC:\WINDOWS\system32\uhqaaeun.dllC:\WINDOWS\system32\uijkwjuu.iniC:\WINDOWS\system32\wpcap.dllC:\WINDOWS\system32\WServing.exeC:\WINDOWS\system32\wsfdnjky.iniD:\Autorun.inf .(((((((((((((((((((((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))))))))))))))))))))))))))))))). -------\Legacy_AFINDING-------\Legacy_DOMAINSERVICE-------\Legacy_NPF-------\Legacy_PERFMONS-------\Legacy_ROUTING-------\Legacy_WSERVING-------\Service_AFinding-------\Service_NPF-------\Service_WServing (((((((((((((((((((((((((   Files Created from 2008-05-21 to 2008-06-21  ))))))))))))))))))))))))))))))). 2008-06-20 17:51 . 2008-06-20 17:51   d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-06-20 17:51 . 2008-06-20 17:51   d-------- C:\Documents and Settings\Spencer\Application Data\Malwarebytes 2008-06-20 17:51 . 2008-06-20 17:51   d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-06-20 17:51 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-20 17:51 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-20 13:57 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe 2008-06-20 13:57 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe 2008-06-20 13:57 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe 2008-06-20 00:11 . 2008-06-20 00:11   d-------- C:\Program Files\MSXML 6.0 2008-06-20 00:11 . 2008-06-20 00:11 1,374 --a------ C:\WINDOWS\imsins.BAK 2008-06-19 22:56 . 2008-06-19 22:59   d-------- C:\WINDOWS\$regcmp$ 2008-06-19 19:48 . 2008-06-19 19:48 1,835,245 ---hs---- C:\WINDOWS\system32\wsfdnjky.tmp 2008-06-19 13:11 . 2008-06-19 13:11   d-------- C:\Documents and Settings\All Users\Application Data\Sony 2008-06-18 18:49 . 2008-06-18 18:49   d-------- C:\Documents and Settings\Spencer\Application Data\Publish Providers 2008-06-18 18:48 . 2008-06-18 18:48   d-------- C:\Documents and Settings\Spencer\Application Data\Sony 2008-06-18 18:28 . 2008-06-18 18:28   d-------- C:\Program Files\MSBuild 2008-06-18 18:24 . 2008-06-18 18:24   d-------- C:\WINDOWS\system32\XPSViewer 2008-06-18 18:23 . 2008-06-18 18:23   d-------- C:\Program Files\Reference Assemblies 2008-06-18 18:23 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll 2008-06-18 18:17 . 2008-06-18 18:45   d-------- C:\Program Files\Sony Setup 2008-06-18 18:17 . 2008-06-18 18:17   d-------- C:\Documents and Settings\Spencer\Application Data\Sony Setup 2008-06-16 21:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll 2008-06-16 21:20 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll 2008-06-16 21:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui 2008-06-16 15:29 . 2008-06-16 15:29   d-------- C:\Program Files\Windows Journal Viewer 2008-06-16 15:17 . 2008-06-16 15:18   d-------- C:\Program Files\Windows Live 2008-06-16 15:17 . 2008-06-16 15:17   d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller 2008-06-16 15:16 . 2008-06-16 15:16   d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller 2008-06-15 12:19 . 2008-06-15 12:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-06-10 15:18 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys 2008-06-10 15:18 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys 2008-06-05 18:37 . 2008-06-05 18:37   d-------- C:\Program Files\AudioConverter Studio 2008-05-27 19:24 . 2008-05-27 19:24   d-------- C:\Program Files\Common Files\Adobe AIR 2008-05-27 19:24 . 2008-05-27 19:24   d-------- C:\Program Files\Adobe Media Player 2008-05-26 19:07 . 2008-05-26 19:08 25 --a------ C:\WINDOWS\SW_Win2000X48.DLL 2008-05-26 19:06 . 2008-05-26 19:06   d-------- C:\Program Files\Softinterface, Inc 2008-05-26 18:13 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll 2008-05-26 18:13 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll 2008-05-26 18:13 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll 2008-05-26 18:13 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll 2008-05-26 18:13 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll 2008-05-26 18:13 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll 2008-05-26 18:13 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll 2008-05-26 18:13 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll 2008-05-26 18:13 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll 2008-05-26 18:13 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll 2008-05-26 18:13 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll 2008-05-26 18:12 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll 2008-05-26 18:12 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll 2008-05-26 18:12 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll 2008-05-26 18:12 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll 2008-05-26 18:12 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll 2008-05-26 18:12 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll 2008-05-26 18:12 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll 2008-05-26 18:12 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll 2008-05-26 18:09 . 2008-05-26 18:09   d-------- C:\Program Files\LucasArts 2008-05-26 13:18 . 2008-05-26 13:19   d-------- C:\Program Files\Free Tube Finder 2008-05-26 13:18 . 2008-06-06 15:00 221,184 --a------ C:\WINDOWS\system32\TubeFinder.exe .((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))).2008-06-21 05:13 --------- d-----w C:\Program Files\lx_cats2008-06-20 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2008-06-20 20:30 --------- d-----w C:\Program Files\TweakNow RegCleaner Std2008-06-20 06:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP2008-06-19 20:11 --------- d-----w C:\Program Files\VstPlugins2008-06-19 19:12 --------- d-----w C:\Documents and Settings\Spencer\Application Data\uTorrent2008-06-17 04:42 --------- d-----w C:\Program Files\Microsoft Silverlight2008-06-13 22:53 --------- d-----w C:\Program Files\Morpheus2008-06-12 14:04 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Vso2008-06-10 00:14 --------- d-----w C:\Program Files\Free FLV Converter2008-05-27 01:13 --------- d--h--w C:\Program Files\InstallShield Installation Information2008-05-26 00:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink2008-05-19 05:16 --------- d-----w C:\Documents and Settings\Spencer\Application Data\GetRightToGo2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\driversmcast.sys2008-05-04 16:07 87,608 ----a-w C:\Documents and Settings\Spencer\Application Data\inst.exe2008-05-04 16:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys2008-05-04 16:07 47,360 ----a-w C:\Documents and Settings\Spencer\Application Data\pcouffin.sys2008-05-04 16:07 --------- d-----w C:\Program Files\VSO2008-04-24 23:07 --------- d-----w C:\Program Files\McAfee2008-02-14 00:46 90,192 ----a-w C:\Documents and Settings\Spencer\Application Data\GDIPFONTCACHEV1.DAT2007-12-08 03:11 22,328 ----a-w C:\Documents and Settings\Spencer\Application Data\PnkBstrK.sys2007-07-28 20:36 25 ----a-w C:\Documents and Settings\Spencer\RomInfo.dat2007-01-21 22:51 88,880 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT. (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shownREGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]'EzPrint'='C:\Program Files\Lexmark 2400 Series\ezprint.exe' [2006-02-06 22:10 98304]'LXCRCATS'='C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll' [2006-02-24 04:54 65536]'SunJavaUpdateSched'='C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe' [2006-11-09 16:07 49263]'RTHDCPL'='RTHDCPL.EXE' [2007-03-21 14:49 16126464 C:\WINDOWS\RTHDCPL.exe]'Alcmtr'='ALCMTR.EXE' [2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe]'McAfee Backup'='C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe' [2007-01-16 13:59 4838952]'MBkLogOnHook'='C:\Program Files\McAfee\MBK\LogOnHook.exe' [2007-01-08 11:22 20480]'QuickTime Task'='C:\Program Files\QuickTime\qttask.exe' [2008-03-28 23:37 413696]'iTunesHelper'='C:\Program Files\iTunes\iTunesHelper.exe' [2008-03-30 10:36 267048]'combofix'='C:\WINDOWS\system32\CF24402.exe' [2004-08-04 12:00 388608] [HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]'NoAutoUpdate'= 1 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]'SFCDisable'=dword:00000004 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\gebcdde]gebcdde.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\ljJAPgHb]ljJAPgHb.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\pmnmkHxY]pmnmkHxY.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]'msacm.clmp3enc'= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversionun-disabled]'iPodVideoConverter_upgrade'='C:\Program Files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe' /upgrade [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]'DisableMonitoring'=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]'DisableMonitoring'=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]'EnableFirewall'= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]'%windir%\system32\sessmgr.exe'='C:\Program Files\Common Files\AOL\Loader\aolload.exe'='C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe'='C:\Program Files\Messenger\msmsgs.exe'='C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe'='C:\Documents and Settings\Spencer\Desktop\utorrent.exe'='C:\Program Files\Electronic Arts\Battlefield 2142\pb\PnkBstrB.exe'='C:\Program Files\LimeWire\LimeWire.exe'='C:\Program Files\Morpheus\Morpheus.exe'='C:\WINDOWS\system32\PnkBstrA.exe'='C:\WINDOWS\system32\PnkBstrB.exe'='C:\Program Files\Microsoft Games\Halo\halo.exe'='C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe'='C:\Program Files\Bonjour\mDNSResponder.exe'='C:\Program Files\iTunes\iTunes.exe'='C:\Program Files\Windows Live\Messenger\msnmsgr.exe'='C:\Program Files\Windows Live\Messenger\livecall.exe'= R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 05:47]R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 04:40]R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 18:39]S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 19:10]S3 smrtdrv;SMART Technologies Inc. Mirror Driver;C:\WINDOWS\system32\DRIVERS\smrtdrv.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26b3a809-93cf-11dc-b02e-0018f82c6c7b}]\Shell\AutoRun\command - F:\Shell\explore\Command - F:\RECYCLER\INFO.exe\Shell\open\Command - F:\RECYCLER\INFO.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb.Contents of the 'Scheduled Tasks' folder'2008-06-11 03:49:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job'- C:\Program Files\Apple Software Update\SoftwareUpdate.exe'2007-11-15 09:00:01 C:\WINDOWS\Tasks\McDefragTask.job'- c:\PROGRA~1\mcafee\mqc\QcConsol.exe''2008-05-01 08:00:01 C:\WINDOWS\Tasks\McQcTask.job'- c:\PROGRA~1\mcafee\mqc\QcConsol.exe.************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-06-20 22:12:24Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0 **************************************************************************.------------------------ Other Running Processes ------------------------.C:\WINDOWS\system32\ati2evxx.exeC:\WINDOWS\system32\ati2evxx.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exeC:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exeC:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exeC:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\McAfee\MPF\MpfSrv.exeC:\Program Files\McAfee\MPS\mps.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\Program Files\McAfee\MPS\mpsevh.exeC:\WINDOWS\system32\lxcrcoms.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\McAfee.com\Agent\mcagent.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe.**************************************************************************.Completion time: 2008-06-20 22:18:05 - machine was rebooted [Spencer]ComboFix-quarantined-files.txt  2008-06-21 05:18:01 Pre-Run: 91,594,899,456 bytes freePost-Run: 91,987,496,960 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS='Microsoft Windows XP Home Edition' /noexecute=optin /fastdetectC:\CMDCONS\BOOTSECT.DAT='Microsoft Windows Recovery Console' /cmdcons 265 --- E O F --- 2008-06-20 07:11:40

Bugbatter · Answer

Please ensure that ALL your security programs are disabled before running this. Open Notepad and copy/paste the following text between the lines below. Do not copy the dotted lines. ** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is. ----------------------------------------------------------------------------------- Registry::[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\gebcdde][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\ljJAPgHb][-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
otify\pmnmkHxY] ---------------------------------------------------------------------------- Save this as CFScript.txt Referring to the picture above, drag CFScript into ComboFix.exe You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix. CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall. When finished, a log is produced here: C:\ComboFix.txt In your next reply, please post that log along with a new HijackThis log.

shockwave210 · Answer

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:26:49 PM, on 6/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\PROGRA~1\McAfee\MPS\mps.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\McAfee\MPS\mpsevh.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32\lxcrcoms.exeC:\Program Files\Java\jre1.5.0_10\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\McAfee\MBK\McAfeeDataBackup.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dllO2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO4 - HKLM\..\Run: [EzPrint] 'C:\Program Files\Lexmark 2400 Series\ezprint.exe'O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exeO4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exeO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cabO16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://193.69.140.40/activex/AMC.cabO16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cabO23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exeO23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeO23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exeO23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --End of file - 9180 bytes

shockwave210 · Answer

ComboFix 08-06-20.4 - Spencer 2008-06-21 15:17:24.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.595 [GMT -7:00]
Running from: C:\Documents and Settings\Spencer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Spencer\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-20 17:51 . 2008-06-20 17:51

d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-20 17:51 . 2008-06-20 17:51 d-------- C:\Documents and Settings\Spencer\Application Data\Malwarebytes
2008-06-20 17:51 . 2008-06-20 17:51 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-20 17:51 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-20 17:51 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-20 13:57 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-20 13:57 . 2008-06-15 15:28 81,920 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-06-20 13:57 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-20 00:11 . 2008-06-20 00:11 d-------- C:\Program Files\MSXML 6.0
2008-06-20 00:11 . 2008-06-20 00:11 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-19 22:56 . 2008-06-19 22:59 d-------- C:\WINDOWS\$regcmp$
2008-06-19 19:48 . 2008-06-19 19:48 1,835,245 ---hs---- C:\WINDOWS\system32\wsfdnjky.tmp
2008-06-19 13:11 . 2008-06-19 13:11 d-------- C:\Documents and Settings\All Users\Application Data\Sony
2008-06-18 18:49 . 2008-06-18 18:49 d-------- C:\Documents and Settings\Spencer\Application Data\Publish Providers
2008-06-18 18:48 . 2008-06-18 18:48 d-------- C:\Documents and Settings\Spencer\Application Data\Sony
2008-06-18 18:28 . 2008-06-18 18:28 d-------- C:\Program Files\MSBuild
2008-06-18 18:24 . 2008-06-18 18:24 d-------- C:\WINDOWS\system32\XPSViewer
2008-06-18 18:23 . 2008-06-18 18:23 d-------- C:\Program Files\Reference Assemblies
2008-06-18 18:23 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-18 18:17 . 2008-06-18 18:45 d-------- C:\Program Files\Sony Setup
2008-06-18 18:17 . 2008-06-18 18:17 d-------- C:\Documents and Settings\Spencer\Application Data\Sony Setup
2008-06-16 21:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-16 21:20 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-16 21:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-16 15:29 . 2008-06-16 15:29 d-------- C:\Program Files\Windows Journal Viewer
2008-06-16 15:17 . 2008-06-16 15:18 d-------- C:\Program Files\Windows Live
2008-06-16 15:17 . 2008-06-16 15:17 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-16 15:16 . 2008-06-16 15:16 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-15 12:19 . 2008-06-15 12:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-10 15:18 . 2008-06-13 06:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 15:18 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-05 18:37 . 2008-06-05 18:37 d-------- C:\Program Files\AudioConverter Studio
2008-05-27 19:24 . 2008-05-27 19:24 d-------- C:\Program Files\Common Files\Adobe AIR
2008-05-27 19:24 . 2008-05-27 19:24 d-------- C:\Program Files\Adobe Media Player
2008-05-26 19:06 . 2008-05-26 19:06 d-------- C:\Program Files\Softinterface, Inc
2008-05-26 18:13 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-05-26 18:13 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-26 18:13 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-05-26 18:13 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-26 18:13 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-05-26 18:13 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-05-26 18:13 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-26 18:13 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-26 18:13 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-05-26 18:13 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-05-26 18:13 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-05-26 18:12 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-26 18:12 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-05-26 18:12 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-26 18:12 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-05-26 18:12 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-26 18:12 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-05-26 18:12 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-05-26 18:12 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-05-26 18:09 . 2008-05-26 18:09 d-------- C:\Program Files\LucasArts
2008-05-26 13:18 . 2008-05-26 13:19 d-------- C:\Program Files\Free Tube Finder
2008-05-26 13:18 . 2008-06-06 15:00 221,184 --a------ C:\WINDOWS\system32\TubeFinder.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 22:11 --------- d-----w C:\Program Files\lx_cats
2008-06-20 22:37 2,396 ----a-w C:\WINDOWS\system32\tmp.reg
2008-06-20 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-20 20:30 --------- d-----w C:\Program Files\TweakNow RegCleaner Std
2008-06-20 06:13 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-19 20:11 --------- d-----w C:\Program Files\VstPlugins
2008-06-19 19:12 --------- d-----w C:\Documents and Settings\Spencer\Application Data\uTorrent
2008-06-17 04:42 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-13 22:53 --------- d-----w C:\Program Files\Morpheus
2008-06-12 14:04 --------- d-----w C:\Documents and Settings\Spencer\Application Data\Vso
2008-06-10 00:14 --------- d-----w C:\Program Files\Free FLV Converter
2008-05-27 01:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-26 00:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-05-19 05:16 --------- d-----w C:\Documents and Settings\Spencer\Application Data\GetRightToGo
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-04 16:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-04 16:07 47,360 ----a-w C:\Documents and Settings\Spencer\Application Data\pcouffin.sys
2008-05-04 16:07 --------- d-----w C:\Program Files\VSO
2008-04-25 17:36 98,304 ----a-w C:\WINDOWS\system32\DVM.dll
2008-04-24 23:07 --------- d-----w C:\Program Files\McAfee
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-02-14 00:46 90,192 ----a-w C:\Documents and Settings\Spencer\Application Data\GDIPFONTCACHEV1.DAT
2007-12-08 03:11 22,328 ----a-w C:\Documents and Settings\Spencer\Application Data\PnkBstrK.sys
2007-07-28 20:36 25 ----a-w C:\Documents and Settings\Spencer\RomInfo.dat
2007-01-21 22:51 88,880 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-06-20_22.17.36.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-21 05:11:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-21 22:10:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-06 22:10 98304]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 04:54 65536]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07 49263]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 14:49 16126464 C:\WINDOWS\RTHDCPL.exe]
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59 4838952]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22 20480]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"iPodVideoConverter_upgrade"="C:\Program Files\E-Zsoft\iPodVideoConverter\iPodVideoConverter.exe" /upgrade

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"C:\\Documents and Settings\\Spencer\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Electronic Arts\\Battlefield 2142\\pb\\PnkBstrB.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Morpheus\\Morpheus.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 05:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 04:40]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 18:39]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;C:\WINDOWS\system32\DRIVERS\el575nd5.sys [2001-08-17 19:10]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;C:\WINDOWS\system32\DRIVERS\smrtdrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78f1cde1-4d8a-11db-9115-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder
"2008-06-11 03:49:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 09:00:01 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-05-01 08:00:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 15:19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-21 15:20:36
ComboFix-quarantined-files.txt 2008-06-21 22:20:24
ComboFix2.txt 2008-06-21 21:58:31
ComboFix3.txt 2008-06-21 05:18:06

Pre-Run: 91,957,796,864 bytes free
Post-Run: 91,941,306,368 bytes free

180 --- E O F --- 2008-06-20 07:11:40

Bugbatter · Answer

Please run HijackThis and place a checkmark next to the following:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL

Close all other windows and Click "Fix Checked". Close hijackThis.

Please ensure that ALL your security programs are disabled before running this script and ComboFix again.

Open Notepad and copy/paste the following text between the lines below. Do not copy the dotted lines.
** Make sure you copy/paste ALL the text at once. Do not try to edit extra spaces. It will copy correctly to Notepad if you highlight and copy as is.

-----------------------------------------------------------------------------------

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
C:\\Documents and Settings\\Spencer\\Desktop\\utorrent.exe"=-
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-
"C:\\Program Files\\Morpheus\\Morpheus.exe"=-

----------------------------------------------------------------------------

Save this as CFScript.txt

Referring to the picture above, drag CFScript into ComboFix.exe
You will be prompted to run Combofix again. Follow the same instructions you did before for running ComboFix.
CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced here: C:\ComboFix.txt

In your next reply, please post that log along with a new HijackThis log.

If everything is running well after that, we'll update your Java.

shockwave210 · Answer

Logfile of Trend Micro HijackThis v2.0.2Scan saved at 10:28:00 PM, on 6/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeC:\PROGRA~1\McAfee\MSC\mcmscsvc.exec:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeC:\PROGRA~1\McAfee\MSC\mcpromgr.exec:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exec:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeC:\Program Files\McAfee\MPF\MPFSrv.exeC:\PROGRA~1\McAfee\MPS\mps.exeC:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeC:\WINDOWS\system32\PnkBstrA.exeC:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYSC:\WINDOWS\system32\svchost.exeC:\Program Files\McAfee\MPS\mpsevh.exec:\PROGRA~1\mcafee.com\agent\mcagent.exeC:\WINDOWS\system32\lxcrcoms.exeC:\Program Files\Java\jre1.5.0_10\bin\jusched.exeC:\WINDOWS\RTHDCPL.EXEC:\Program Files\McAfee\MBK\McAfeeDataBackup.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\explorer.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEc:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exeC:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Windows Live\Messenger\usnsvc.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dllO2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLLO3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar	oolband.dllO4 - HKLM\..\Run: [EzPrint] 'C:\Program Files\Lexmark 2400 Series\ezprint.exe'O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [SunJavaUpdateSched] 'C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exeO4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exeO4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottimeO4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe'O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe (file missing)O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin
pjpi150_10.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32
wprovau.dllO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cabO16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cabO16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cabO16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cabO16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://193.69.140.40/activex/AMC.cabO16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://128.230.73.133/activex/AMC.cabO23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exeO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exeO23 - Service: GoogleDesktopManager - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exeO23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exeO23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exeO23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exeO23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exeO23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exeO23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exeO23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exeO23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exeO23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafeeedirsvcedirsvc.exeO23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exeO23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exeO23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exeO23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exeO23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS --End of file - 9239 bytes

shockwave210 · Answer