BestTechie Forums: Big Malware Problem - Rogue Anti Spyware Programs[RESOLVED] - BestTechie Forums


Big Malware Problem - Rogue Anti Spyware Programs[RESOLVED]


#1 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 05 June 2008 - 08:56 PM

Need help please! Teen surfer loaded something nasty, and we have lost control of our computer. Here's an HJT log, we would LOVE some help. (Yeah, when you see this log you're probably going to laugh. This computer gets used by gamers, I-tuners, and who knows what. We parents are ready to clean some stuff off here, seriously!) Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:47 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lphc5lnj0eaat.exe
C:\WINDOWS\system32\sysrest32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;localhost
O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [UFC Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:UFC
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphc5lnj0eaat] C:\WINDOWS\system32\lphc5lnj0eaat.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKLM\..\Run: [AXPDefender] C:\Program Files\AXPDefender\AXPDefender.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\All Users\Documents\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet-los...bGameLoader.cab
O16 - DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} (UFC Class) - http://evideo.ufc.co...UFC_3_6_0_6.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramun...mjolauncher.cab
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://evideo.ufc.com/ufc/cabfiles/Entriq_...0_15_Silent.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweap...aploader_v6.cab
O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 10986 bytes

#2 MoNsTeReNeRgY22

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 06 June 2008 - 01:51 AM

Hello and Welcome to BT. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Quote

Looking at your system now, one or more of the identified infections is a backdoor application which can allow attackers to access your computer, stealing passwords and personal data.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.


Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.
Once you have finished installing the Windows Recovery Console, please continue with the rest of the tutorial at the above link.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 06 June 2008 - 07:00 PM

Thanks for the start. I'll get on in and repost after I follow your instruction.

#4 MoNsTeReNeRgY22

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 06 June 2008 - 07:06 PM

I will await the logs. :thumbsup:

#5 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 06 June 2008 - 07:20 PM

MoNsTeReNeRgY22, on Jun 6 2008, 06:06 PM, said:

I will await the logs. :thumbsup:



I trust your advice because my Trend Anti-virus hasn't been able to help me get rid of this yet, but why do they try to block my download of Combo Fix?

#6 MoNsTeReNeRgY22

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 06 June 2008 - 07:36 PM

Hello again,

First, Trend-Micro isn't a very good AV program in my opinion. I have previously used it, and wasn't impressed at all with it in general. Missed a lot of malware on my pc, slow updates, etc. Now to answer your questions, ComboFix uses many advanced procedures that are used to stop system processes and do other important activities. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

#7 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 06 June 2008 - 07:43 PM

MoNsTeReNeRgY22, on Jun 6 2008, 06:36 PM, said:

Hello again,

First, Trend-Micro isn't a very good AV program in my opinion. I have previously used it, and wasn't impressed at all with it in general. Missed a lot of malware on my pc, slow updates, etc. Now to answer your questions, ComboFix uses many advanced procedures that are used to stop system processes and do other important activities. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


That's what I would have guessed, and I think I'm about done with Trend.

In following the directions, I hit a small snag. When I drag the file I downloaded from Microsoft onto the ComboFix file, it asks me if I want to run ComboFix instead of seeming to set up Windows Recovery Console. Is this normal?

#8 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 06 June 2008 - 10:54 PM

Charlie Themalwarehater, on Jun 6 2008, 06:43 PM, said:

MoNsTeReNeRgY22, on Jun 6 2008, 06:36 PM, said:

Hello again,

First, Trend-Micro isn't a very good AV program in my opinion. I have previously used it, and wasn't impressed at all with it in general. Missed a lot of malware on my pc, slow updates, etc. Now to answer your questions, ComboFix uses many advanced procedures that are used to stop system processes and do other important activities. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


That's what I would have guessed, and I think I'm about done with Trend.

In following the directions, I hit a small snag. When I drag the file I downloaded from Microsoft onto the ComboFix file, it asks me if I want to run ComboFix instead of seeming to set up Windows Recovery Console. Is this normal?


OK, no matter, I ran everything just fine and here's the ComboFix log. It deleted one program, but there's still a bunch of junk left. Awaiting your next instructions:

ComboFix 08-06-06.4 - Owner 2008-06-06 20:15:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.398 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Desktop\AXPDefender.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Advanced XP Defender.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\How to register.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Register.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Uninstall.lnk
C:\Documents and Settings\Nickz folder\Application Data\AXPDefender
C:\Documents and Settings\Nickz folder\Application Data\FunWebProducts
C:\Documents and Settings\Nickz folder\Application Data\FunWebProducts\Data\Nickz folder\avatar.dat
C:\Documents and Settings\Owner\Application Data\AXPDefender
C:\Program Files\AXPDefender
C:\Program Files\AXPDefender\AXPDefender.exe
C:\Program Files\AXPDefender\AXPDefender.exe.local
C:\Program Files\AXPDefender\AXPDefenderSkin.dll
C:\Program Files\AXPDefender\database.dat
C:\Program Files\AXPDefender\license.txt
C:\Program Files\AXPDefender\MFC71.dll
C:\Program Files\AXPDefender\MFC71ENU.DLL
C:\Program Files\AXPDefender\msvcp71.dll
C:\Program Files\AXPDefender\msvcr71.dll
C:\Program Files\AXPDefender\Uninstall.exe
C:\WINDOWS\system32\sysrest32.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-06 15:27 . 2008-06-06 15:31 <DIR> d-------- C:\Program Files\Wrath of the Lich King Alpha
2008-06-06 10:48 . 2008-06-05 17:57 52,736 --a------ C:\WINDOWS\system32\18.tmp
2008-06-04 18:33 . 2008-06-04 18:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-06-04 18:33 . 2008-06-04 18:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-06-04 18:33 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-06-04 18:33 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-06-04 18:33 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-06-04 18:33 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-06-04 00:28 . 2008-06-04 00:28 <DIR> d-------- C:\Documents and Settings\Nickz folder\Application Data\shc3lnj0eaat
2008-06-03 22:28 . 2008-06-03 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\shc3lnj0eaat
2008-06-03 21:05 . 2008-06-03 21:05 93,184 --a------ C:\WINDOWS\system32\lphc5lnj0eaat.exe
2008-06-03 21:05 . 2008-06-06 20:50 90,838 --a------ C:\WINDOWS\system32\phc5lnj0eaat.bmp
2008-05-24 16:08 . 2008-06-04 12:57 <DIR> d-------- C:\Program Files\Cheat Engine
2008-05-19 16:28 . 2008-06-06 15:25 <DIR> d----c--- C:\Patch's (sams game folder! dont delete plz)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 23:24 --------- d-----w C:\Program Files\Quicken
2008-06-06 21:27 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-06-06 00:10 --------- d-----w C:\Program Files\Trend Micro
2008-06-04 14:42 --------- d-----w C:\Program Files\LimeWire
2008-05-26 02:01 --------- d-----w C:\Program Files\World of Warcraft
2008-05-17 00:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-14 16:07 --------- d-----w C:\Program Files\Apple Software Update
2008-05-14 15:55 --------- d-----w C:\Program Files\iTunes
2008-05-14 15:53 --------- d-----w C:\Program Files\iPod
2008-05-14 15:44 --------- d-----w C:\Program Files\QuickTime
2008-05-10 00:42 --------- d-----w C:\Documents and Settings\Nickz folder\Application Data\Apple Computer
2008-05-02 22:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2008-05-02 22:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2008-05-02 22:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
2008-04-25 15:08 --------- d-----w C:\Program Files\Bodog Poker
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2004-05-16 02:04 2,142,279 -c--a-w C:\Documents and Settings\The Boyz\gosetup.exe
.
-c--a-w           212,212 2008-05-24 22:25:31  C:\Patch's (sams game folder! dont delete plz)\2.4.1jumphack\ .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0519A9C9-064A-4cbc-BC47-D0EACD581477}]
2004-09-25 17:05 28672 --a--c--- C:\Program Files\ICOO Loader\addons\icooue.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{465A59EC-20E5-4fca-A38A-E5EC3C480218}]
2004-09-22 16:36 68096 --a--c--- C:\Program Files\ICOO Loader\addons\icoou.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-05-03 00:19 835654 C:\WINDOWS\system32\nview.dll]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 19:27 68856]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 01:30 488712]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 00:19 4640768]
"nwiz"="nwiz.exe" [2003-05-03 00:19 323584 C:\WINDOWS\system32\nwiz.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-25 21:29 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" [ ]
"UFC Media Manager Tray"="C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2007-03-12 23:15 387152]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"lphc5lnj0eaat"="C:\WINDOWS\system32\lphc5lnj0eaat.exe" [2008-06-03 21:05 93184]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 08:11:14 27136]

C:\Documents and Settings\Nickz folder\Start Menu\Programs\Startup\
hc_tray.lnk - C:\Program Files\Kuma Games\hcsystray\hc_tray.exe [2007-04-26 13:49:20 31944]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 02:57:44 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"= 1 (0x1)
"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 04:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\All Users\\Documents\\iTunes\\iTunes.exe"=
"C:\\Program Files\\World of Warcraft\\WoW.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\Kuma Games\\KumaClientHCnet.exe"=
"C:\\WINDOWS\\Installer\\{047882CA-975E-41FC-BE02-6D6396106C4E}\\ACDSee_PM_Shtcut.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Warcraft III\\World Editor.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6112:UDP"= 6112:UDP:warcraft


.
Contents of the 'Scheduled Tasks' folder
"2008-06-05 19:57:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 23:26:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 20:51:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\Owner\Local Settings\temp\.ttA.tmp
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-06 21:06:20 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-07 03:05:41

Pre-Run: 17,470,369,792 bytes free
Post-Run: 20,852,535,296 bytes free

201 --- E O F --- 2008-05-28 23:57:26
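The helper's read of the two logs above, written out as code: an added triage script (mine, not from this thread and not part of HijackThis or ComboFix) that flags random-named autoruns under system32, groups the dropped files by their shared name tail, and lists the Security Center overrides so they can be checked against the installed suite. The sample inputs are constructed from lines of the logs posted above; the random-name and tail-grouping heuristics are assumptions of this example, not rules from either tool.

```python
from __future__ import annotations
import re

# Constructed sample input: O4 autorun lines copied from the HijackThis log
# posted above (legitimate HP/Intel/Java entries mixed with the rogue ones).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc5lnj0eaat] C:\WINDOWS\system32\lphc5lnj0eaat.exe
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed samples: "Files Created" and "Reg Loading Points" lines from the
# ComboFix log above that the triage pivots on.
COMBOFIX_FILES_SAMPLE = r"""
2008-06-04 00:28 . 2008-06-04 00:28 <DIR> d-------- C:\Documents and Settings\Nickz folder\Application Data\shc3lnj0eaat
2008-06-03 21:05 . 2008-06-03 21:05 93,184 --a------ C:\WINDOWS\system32\lphc5lnj0eaat.exe
2008-06-03 21:05 . 2008-06-06 20:50 90,838 --a------ C:\WINDOWS\system32\phc5lnj0eaat.bmp
2008-06-04 18:33 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
"""
COMBOFIX_REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$')
RANDOM_STEM_RE = re.compile(r'[a-z]\d+[a-z]')  # digits buried between letters (assumed heuristic)
WSC_VALUE_RE = re.compile(
    r'"(AntiVirusOverride|FirewallOverride|UpdatesOverride|DisableMonitoring)"=dword:0*1$')


def image_path(cmd: str) -> str:
    """Executable path from an O4 command line, quoted or bare; arguments dropped."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def stem_of(path: str) -> str:
    """Lower-cased final path component without its extension."""
    name = path.lower().rsplit('\\', 1)[-1]
    return name.rsplit('.', 1)[0] if '.' in name else name


def looks_random(stem: str) -> bool:
    """Heuristic for names like lphc5lnj0eaat: eight or more characters with
    digits in the middle of the word. Names with only trailing digits
    (sysrest32, nvsvc32) do not match, so this is a pivot, not a verdict."""
    return len(stem) >= 8 and RANDOM_STEM_RE.search(stem) is not None


def triage_o4(hjt_text: str) -> list[tuple[str, str, str]]:
    """(hive, label, path) for Run-key entries whose image sits under system32
    with a random-looking name; OEM and vendor entries pass through."""
    findings = []
    for line in hjt_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        path = image_path(m['cmd'])
        if '\\system32\\' in path.lower() and looks_random(stem_of(path)):
            findings.append((m['hive'], m['label'], path))
    return findings


def related_names(files_text: str, tail_len: int = 8) -> dict[str, set[str]]:
    """Group random-looking names from ComboFix's 'Files Created' list by a
    shared tail, which ties this family's exe, bmp and per-user data folder
    (lphc5lnj0eaat, phc5lnj0eaat, shc3lnj0eaat) together for cleanup."""
    groups: dict[str, set[str]] = {}
    for line in files_text.splitlines():
        m = re.search(r'\s([A-Za-z]:\\.+)$', line)
        if not m:
            continue
        stem = stem_of(m.group(1))
        if looks_random(stem):
            groups.setdefault(stem[-tail_len:], set()).add(stem)
    return {tail: names for tail, names in groups.items() if len(names) > 1}


def security_center_overrides(reg_text: str) -> list[tuple[str, str]]:
    """(key, value) pairs under the Security Center key that are set to 1.
    Third-party suites such as Trend Micro commonly set DisableMonitoring when
    they register with WSC, and rogue antispyware sets the same values to mute
    the real alerts, so each hit is confirmed against the installed product."""
    hits: list[tuple[str, str]] = []
    current = None
    for line in reg_text.splitlines():
        if line.startswith('['):
            key = line.strip('[]')
            current = key if 'security center' in key.lower() else None
        elif current and (m := WSC_VALUE_RE.match(line)):
            hits.append((current, m.group(1)))
    return hits
```

On the posted logs this singles out the lphc5lnj0eaat autorun, ties it to phc5lnj0eaat.bmp and the two shc3lnj0eaat folders, and lists the two Security Center values to confirm against Trend Micro.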

#9 MoNsTeReNeRgY22

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 06 June 2008 - 11:02 PM

Hello again,

Please download RogueRemover by RubberDucky here.
  • Double-click rr-free-setup.exe to begin installing the program.
  • Follow the setup instructions for installation.
  • Double-click the RogueRemover icon on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Next, click Scan
  • If it detects anything, select to remove all objects found.
  • Close RogueRemover



#10 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 07 June 2008 - 12:05 AM

MoNsTeReNeRgY22, on Jun 6 2008, 10:02 PM, said:

Hello again,

Please download RogueRemover by RubberDucky here.
  • Double-click rr-free-setup.exe to begin installing the program.
  • Follow the setup instructions for installation.
  • Double-click the RogueRemover icon on your desktop.
  • Once the program runs, select Check for Updates.
  • When prompted, select Check for Updates.
  • If prompted again, click Download to receive the latest updates.
  • When completed, close the update window.
  • Next, click Scan
  • If it detects anything, select to remove all objects found.
  • Close RogueRemover


I downloaded and ran Rogue Remover after updating it. It said "nothing found".

#11 MoNsTeReNeRgY22

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 07 June 2008 - 06:52 PM

Ok, well scan and please post the log it gives.

#12 Charlie Themalwarehater

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 07 June 2008 - 10:08 PM

MoNsTeReNeRgY22, on Jun 7 2008, 05:52 PM, said:

Ok, well scan and please post the log it gives.


Monster, there's no log option given to me when I run RogueRemover. It also takes about three seconds for it to scan my computer, so I don't know if it is really working right. Am I doing something wrong?

#13 User is offline   MoNsTeReNeRgY22 

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 07 June 2008 - 10:43 PM

Hey Charlie,

Mhmm, let's try a different tool if you don't mind.
  • NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.
  • Download FixIEDef.exe by ShadowPuterDude to the Desktop.
    Note: FixIEDef now supports Non-English Language Systems
  • Double-click FixIEDef.exe.
  • That will open the About FixIEDef screen. Click OK to continue.
  • Next, press the Scan! button.
  • FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue.
  • Wait for the scan to finish. It shouldn't take very long.
  • WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
  • After the !!! All Finished !!! message is displayed, click Exit.
  • Post the FixIEDef log file, located on the Desktop.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
See: http://www.beyondlog...processutil.htm

#14 User is offline   Charlie Themalwarehater 

  • Member
  • Pip
  • Group: Members
  • Posts: 14
  • Joined: 05-June 08

Posted 07 June 2008 - 11:04 PM

MoNsTeReNeRgY22, on Jun 7 2008, 09:43 PM, said:

Hey Charlie,

Mhmm, let's try a different tool if you don't mind.
  • NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry, as FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.
  • Download FixIEDef.exe by ShadowPuterDude to the Desktop.
    Note: FixIEDef now supports Non-English Language Systems
  • Double-click FixIEDef.exe.
  • That will open the About FixIEDef screen. Click OK to continue.
  • Next, press the Scan! button.
  • FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue.
  • Wait for the scan to finish. It shouldn't take very long.
  • WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
  • After the !!! All Finished !!! message is displayed, click Exit.
  • Post the FixIEDef log file, located on the Desktop.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
See: http://www.beyondlog...processutil.htm


Here's the log, Monster. I should also note that I ran Trend virus scan this morning, and deleted or quarantined at least two infected viruses called Troj_Generic.ADV (or something like that). Since yesterday, I haven't had an instance of that pop-up box coming up warning me of malware, which then tries to install the bogus XP Defender 2008 or Malware Protector 2008 that was one of the original problems, so maybe some of this is now fixed. I do still have a set desktop background that has a spyware warning, and am unable to change the wallpaper or work our normal screensaver, which I found out today was due to changes that the malware made on those options in the registry. Anyway, FYI, and I'll await further instructions from you....

********************************************************************************
* *
* FixIEDef Log *
* Version 1.4.16.4411 *
* *
********************************************************************************

Created at 21:27:55 on Saturday, June 07, 2008

Time Zone : (GMT-07:00) Mountain Time (US & Canada)

Operating System : Microsoft Windows XP Home Edition
Service Pack Level: Service Pack 2
System Langauge : English (United States)
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\system32\Desktop.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\IE.ico
C:\WINDOWS\system32\Open.ico
C:\WINDOWS\system32\Quick.ico
C:\WINDOWS\system32\Uninstall.ico

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)

ShadowPuterDude

Safe Surfing!!!
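The FixIEDef report Charlie posted has a fixed layout: a banner box carrying the version, a "Created at" line, a block of "key : value" system facts, and three "!!! ... !!!" sections each closed by a dashed rule, with a "====" rule before the sign-off. The parser below is an added example written for this thread; it is not part of the forum post and not code from FixIEDef or its author. It assumes only the layout visible in the log above and the three section names that appear there; the sample input is a copy of that log with its blank lines removed, which the parser ignores anyway.

```python
import ntpath
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the FixIEDef log posted above, with its blank
# lines removed (the parser skips them) so the block stays short.
SAMPLE_LOG = r"""
********************************************************************************
* *
* FixIEDef Log *
* Version 1.4.16.4411 *
* *
********************************************************************************
Created at 21:27:55 on Saturday, June 07, 2008
Time Zone : (GMT-07:00) Mountain Time (US & Canada)
Operating System : Microsoft Windows XP Home Edition
Service Pack Level: Service Pack 2
System Langauge : English (United States)
Processor : X86
Boot State : Normal boot
--------------------------------------------------------------------------------
!!! Files that have been deleted !!!
C:\WINDOWS\SwSys1.bmp
C:\WINDOWS\SwSys2.bmp
C:\WINDOWS\system32\Desktop.ico
C:\WINDOWS\system32\Help.ico
C:\WINDOWS\system32\IE.ico
C:\WINDOWS\system32\Open.ico
C:\WINDOWS\system32\Quick.ico
C:\WINDOWS\system32\Uninstall.ico
--------------------------------------------------------------------------------
!!! Directories that have been removed !!!
No malicious directories to be removed
--------------------------------------------------------------------------------
!!! Registry entries that have been removed !!!
No malicious Registry entries found
================================================================================
All Done :)
"""

SECTION_RE = re.compile(r"^!!! (.+?) !!!$")            # "!!! Files that ... !!!"
VERSION_RE = re.compile(r"^\*\s*Version\s+(\S+)\s*\*$")  # banner line with version
CREATED_RE = re.compile(r"^Created at (.+)$")
KEYVAL_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.+)$")   # "Operating System : ..."


def parse_fixiedef_log(text):
    """Parse a FixIEDef log laid out as in the thread into a dict.

    Section names are taken verbatim from the '!!! ... !!!' headers; a
    'No malicious ...' placeholder yields an empty list for that section.
    """
    result = {"version": None, "created": None, "system": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"={10,}", line):
            break                       # '====' ends the report; sign-off follows
        if re.fullmatch(r"-{10,}", line):
            section = None              # '----' closes the current section
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"][section] = []
            continue
        if section is not None:
            if not line.startswith("No malicious"):
                result["sections"][section].append(line)
            continue
        m = VERSION_RE.match(line)
        if m:
            result["version"] = m.group(1)
            continue
        if line.startswith("*"):
            continue                    # remaining banner-box lines
        m = CREATED_RE.match(line)
        if m:
            result["created"] = datetime.strptime(
                m.group(1), "%H:%M:%S on %A, %B %d, %Y")
            continue
        m = KEYVAL_RE.match(line)
        if m:
            result["system"][m.group(1).strip()] = m.group(2).strip()
    return result


def summarize(parsed):
    """Reduce a parsed log to the counts a helper reads first."""
    sections = parsed["sections"]
    files = sections.get("Files that have been deleted", [])
    dirs = sections.get("Directories that have been removed", [])
    regs = sections.get("Registry entries that have been removed", [])
    by_ext = Counter(ntpath.splitext(f)[1].lower() for f in files)
    return {
        "files_deleted": len(files),
        "by_extension": dict(by_ext),
        "directories_removed": len(dirs),
        "registry_removed": len(regs),
        # Only wallpaper bitmaps and icons removed, nothing in the registry:
        # the settings the rogue changed are likely still in place.
        "only_cosmetic_artifacts": bool(files)
        and set(by_ext) <= {".bmp", ".ico"}
        and not dirs
        and not regs,
    }
```

Run against the log above, `summarize` reports eight deleted files (two .bmp, six .ico), no directories and no registry entries, and flags the run as cosmetic only. That reading matches Charlie's report that the warning wallpaper and the locked desktop options survived the run, and it is the situation the next step's registry-cleaning option in SmitfraudFix is aimed at.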

#15 User is offline   MoNsTeReNeRgY22 

  • Malware = Nuked
  • Group: Trusted Helpers
  • Posts: 737
  • Joined: 19-July 07
  • Location:The OC
  • Operating System:Windows 7 Home Premium 64bit

Posted 08 June 2008 - 12:55 AM

Hello again,

Step 1
Please download SmitfraudFix (by S!Ri) to your Desktop.
  • Next, please reboot your computer in Safe Mode by doing the following.
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Step 2
Please download Deckard's System Scanner (DSS) to your desktop.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - Main.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt into your thread.
  • An additional text file, Extra.txt, will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
  • Please go to that folder and also copy the contents of Extra.txt to your post as well.
Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
