Big Malware Problem - Rogue Anti Spyware Programs[RESOLVED]

charlieric · June 6, 2008

Need help please! Teen surfer loaded something nasty, and we have lost control of our computer. Here's an HJT log, we would LOVE some help. (Yeah, when you see this log you're probably going to laugh. This computer gets used by gamers, I-tuners, and who knows what. We parents are ready to clean some stuff off here, seriously!) Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:24:47 PM, on 6/5/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\lphc5lnj0eaat.exe

C:\WINDOWS\system32\sysrest32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;localhost

O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe

O4 - HKLM\..\Run: [uFC Media Manager Tray] "C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" /CustomId:UFC

O4 - HKLM\..\Run: [ufSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [lphc5lnj0eaat] C:\WINDOWS\system32\lphc5lnj0eaat.exe

O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe

O4 - HKLM\..\Run: [AXPDefender] C:\Program Files\AXPDefender\AXPDefender.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')

O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\All Users\Documents\AIM\aim.exe

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.miniclip.com/games/ricochet-los...bGameLoader.cab

O16 - DPF: {5A9D4578-6649-4692-921B-ACA9ADAB007C} (UFC Class) - http://evideo.ufc.com/ufc/cabfiles/UFC_3_6_0_6.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxoramun...mjolauncher.cab

O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://evideo.ufc.com/ufc/cabfiles/Entriq_...0_15_Silent.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/heavyweap...aploader_v6.cab

O18 - Protocol: icoo - {86FE362E-74FA-4F71-8B69-B94D28880628} - C:\Program Files\ICOO Loader\addons\icoou.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--

End of file - 10986 bytes

Andro1d · June 6, 2008

Hello and Welcome to BT.

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Looking at your system now, one or more of the identified infections is a backdoor application which can allow attackers to access your computer, stealing passwords and personal data.
If this computer is ever used for on-line banking, I suggest you do the following immediately:
1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Please visit this web page for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Once you have finished installing the Windows Recovery Console, please continue with the rest of the tutorial at the above link.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

charlieric · June 7, 2008

Thanks for the start. I'll get on in and repost after I follow your instruction.

Andro1d · June 7, 2008

I will await the logs. :thumbsup:

charlieric · June 7, 2008

I will await the logs.

I trust your advice because my Trend Anti-virus hasn't been able to help me get rid of this yet, but why do they try to block my download of Combo Fix?

Andro1d · June 7, 2008

Hello again,

First, Trend-Micro isn't a very good AV program in my opinion. I have previsouly used it, and wasn't impressed at all with it in general. Missed a lot of malware on my pc, slow updates, etc. Now to answer your questions, ComboFix uses many advanced procedures that are used to stop system processes and do other important activities. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

charlieric · June 7, 2008

Hello again,
First, Trend-Micro isn't a very good AV program in my opinion. I have previsouly used it, and wasn't impressed at all with it in general. Missed a lot of malware on my pc, slow updates, etc. Now to answer your questions, ComboFix uses many advanced procedures that are used to stop system processes and do other important activities. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

That's what I would have guessed, and I think I'm about done with Trend.

In following the directions, I hit a small snag. When I drag the file I downloaded from Microsoft onto the ComboFix file, it asks me if I want to run ComboFix instead of seeming to set up Windows Recovery Console. Is this normal?

charlieric · June 7, 2008

Hello again,
First, Trend-Micro isn't a very good AV program in my opinion. I have previsouly used it, and wasn't impressed at all with it in general. Missed a lot of malware on my pc, slow updates, etc. Now to answer your questions, ComboFix uses many advanced procedures that are used to stop system processes and do other important activities. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
That's what I would have guessed, and I think I'm about done with Trend.
In following the directions, I hit a small snag. When I drag the file I downloaded from Microsoft onto the ComboFix file, it asks me if I want to run ComboFix instead of seeming to set up Windows Recovery Console. Is this normal?

OK, no matter, I ran everything just fine and here's the ComboFix log. It deleted one program, but there's still a bunch of junk left. Awaiting your next instructions:

ComboFix 08-06-06.4 - Owner 2008-06-06 20:15:22.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.398 [GMT -6:00]

Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\All Users\Desktop\AXPDefender.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Advanced XP Defender.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\How to register.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\License Agreement.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Register.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Advanced XP Defender\Uninstall.lnk

C:\Documents and Settings\Nickz folder\Application Data\AXPDefender

C:\Documents and Settings\Nickz folder\Application Data\FunWebProducts

C:\Documents and Settings\Nickz folder\Application Data\FunWebProducts\Data\Nickz folder\avatar.dat

C:\Documents and Settings\Owner\Application Data\AXPDefender

C:\Program Files\AXPDefender

C:\Program Files\AXPDefender\AXPDefender.exe

C:\Program Files\AXPDefender\AXPDefender.exe.local

C:\Program Files\AXPDefender\AXPDefenderSkin.dll

C:\Program Files\AXPDefender\database.dat

C:\Program Files\AXPDefender\license.txt

C:\Program Files\AXPDefender\MFC71.dll

C:\Program Files\AXPDefender\MFC71ENU.DLL

C:\Program Files\AXPDefender\msvcp71.dll

C:\Program Files\AXPDefender\msvcr71.dll

C:\Program Files\AXPDefender\Uninstall.exe

C:\WINDOWS\system32\sysrest32.exe

D:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_sysrest.sys

((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))

.

2008-06-06 15:27 . 2008-06-06 15:31 <DIR> d-------- C:\Program Files\Wrath of the Lich King Alpha

2008-06-06 10:48 . 2008-06-05 17:57 52,736 --a------ C:\WINDOWS\system32\18.tmp

2008-06-04 18:33 . 2008-06-04 18:33 <DIR> d-------- C:\Program Files\Spyware Doctor

2008-06-04 18:33 . 2008-06-04 18:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools

2008-06-04 18:33 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys

2008-06-04 18:33 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys

2008-06-04 18:33 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys

2008-06-04 18:33 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys

2008-06-04 00:28 . 2008-06-04 00:28 <DIR> d-------- C:\Documents and Settings\Nickz folder\Application Data\shc3lnj0eaat

2008-06-03 22:28 . 2008-06-03 22:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\shc3lnj0eaat

2008-06-03 21:05 . 2008-06-03 21:05 93,184 --a------ C:\WINDOWS\system32\lphc5lnj0eaat.exe

2008-06-03 21:05 . 2008-06-06 20:50 90,838 --a------ C:\WINDOWS\system32\phc5lnj0eaat.bmp

2008-05-24 16:08 . 2008-06-04 12:57 <DIR> d-------- C:\Program Files\Cheat Engine

2008-05-19 16:28 . 2008-06-06 15:25 <DIR> d----c--- C:\Patch's (sams game folder! dont delete plz)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-06 23:24 --------- d-----w C:\Program Files\Quicken

2008-06-06 21:27 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment

2008-06-06 00:10 --------- d-----w C:\Program Files\Trend Micro

2008-06-04 14:42 --------- d-----w C:\Program Files\LimeWire

2008-05-26 02:01 --------- d-----w C:\Program Files\World of Warcraft

2008-05-17 00:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM

2008-05-14 16:07 --------- d-----w C:\Program Files\Apple Software Update

2008-05-14 15:55 --------- d-----w C:\Program Files\iTunes

2008-05-14 15:53 --------- d-----w C:\Program Files\iPod

2008-05-14 15:44 --------- d-----w C:\Program Files\QuickTime

2008-05-10 00:42 --------- d-----w C:\Documents and Settings\Nickz folder\Application Data\Apple Computer

2008-05-02 22:22 205,328 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys

2008-05-02 22:21 36,368 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys

2008-05-02 22:17 1,169,240 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys

2008-04-25 15:08 --------- d-----w C:\Program Files\Bodog Poker

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2004-05-16 02:04 2,142,279 -c--a-w C:\Documents and Settings\The Boyz\gosetup.exe

.

<pre>
-c--a-w		   212,212 2008-05-24 22:25:31  C:\Patch's (sams game folder! dont delete plz)\2.4.1jumphack\ .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0519A9C9-064A-4cbc-BC47-D0EACD581477}]

2004-09-25 17:05 28672 --a--c--- C:\Program Files\ICOO Loader\addons\icooue.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{465A59EC-20E5-4fca-A38A-E5EC3C480218}]

2004-09-22 16:36 68096 --a--c--- C:\Program Files\ICOO Loader\addons\icoou.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVIEW"="nview.dll" [2003-05-03 00:19 835654 C:\WINDOWS\system32\nview.dll]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 19:27 68856]

"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2007-09-18 01:30 488712]

"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]

"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 16:51 118784]

"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]

"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]

"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 00:19 4640768]

"nwiz"="nwiz.exe" [2003-05-03 00:19 323584 C:\WINDOWS\system32\nwiz.exe]

"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]

"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 16:55 155648]

"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-25 21:29 180269]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]

"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" [ ]

"UFC Media Manager Tray"="C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe" [2007-03-12 23:15 387152]

"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-16 00:56 1398024]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

"lphc5lnj0eaat"="C:\WINDOWS\system32\lphc5lnj0eaat.exe" [2008-06-03 21:05 93184]

"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\

mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 08:11:14 27136]

C:\Documents and Settings\Nickz folder\Start Menu\Programs\Startup\

hc_tray.lnk - C:\Program Files\Kuma Games\hcsystray\hc_tray.exe [2007-04-26 13:49:20 31944]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\

spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 02:57:44 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispBackgroundPage"= 1 (0x1)

"NoDispScrSavPage"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]

C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 04:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Documents and Settings\\All Users\\Documents\\iTunes\\iTunes.exe"=

"C:\\Program Files\\World of Warcraft\\WoW.exe"=

"C:\\Program Files\\World of Warcraft\\Repair.exe"=

"C:\\Program Files\\AIM\\aim.exe"=

"C:\\StubInstaller.exe"=

"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

"C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"=

"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"C:\\Program Files\\Kuma Games\\KumaClientHCnet.exe"=

"C:\\WINDOWS\\Installer\\{047882CA-975E-41FC-BE02-6D6396106C4E}\\ACDSee_PM_Shtcut.exe"=

"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"C:\\Program Files\\Warcraft III\\World Editor.exe"=

"C:\\Program Files\\Kontiki\\KService.exe"=

"C:\\Program Files\\Warcraft III\\Frozen Throne.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader

"6112:TCP"= 6112:TCP:Blizzard Downloader

"6112:UDP"= 6112:UDP:warcraft

.

Contents of the 'Scheduled Tasks' folder

"2008-06-05 19:57:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

"2008-06-06 23:26:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"

- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-06 20:51:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe

-> C:\Program Files\Softex\OmniPass\opxpgina.dll

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Softex\OmniPass\omniServ.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaServer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscript.exe

C:\Documents and Settings\Owner\Local Settings\temp\.ttA.tmp

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\WINDOWS\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2008-06-06 21:06:20 - machine was rebooted [Owner]

ComboFix-quarantined-files.txt 2008-06-07 03:05:41

Pre-Run: 17,470,369,792 bytes free

Post-Run: 20,852,535,296 bytes free

201 --- E O F --- 2008-05-28 23:57:26

Andro1d · June 7, 2008

Hello again,

Please download RogueRemover by RubberDucky here.

Double-click rr-free-setup.exe to begin installing the program.
Follow the setup instructions for installation.
Double-click the RogueRemover icon on your desktop.
Once the program runs, select Check for Updates.
When prompted, select Check for Updates.
If prompted again, click Download to receive the latest updates.
When completed, close the update window.
Next, click Scan
If it detects anything, select to remove all objects found.
Close RogueRemover

Edited June 7, 2008 by MoNsTeReNeRgY22

charlieric · June 7, 2008

Hello again,
Please download RogueRemover by RubberDucky here.
Double-click rr-free-setup.exe to begin installing the program.
Follow the setup instructions for installation.
Double-click the RogueRemover icon on your desktop.
Once the program runs, select Check for Updates.
When prompted, select Check for Updates.
If prompted again, click Download to receive the latest updates.
When completed, close the update window.
Next, click Scan
If it detects anything, select to remove all objects found.
Close RogueRemover

I downloaded and ran Rogue Remover after updating it. It said "nothing found".

Andro1d · June 7, 2008

Ok, well scan and pleae post the log it gives.

charlieric · June 8, 2008

Ok, well scan and pleae post the log it gives.

Monster, there's no log option given to me when I run RogueRemover. It also takes about three seconds for it to scan my computer, so I don't know if it is really working right. Am I doing something wrong?

Andro1d · June 8, 2008

Hey Charlie,

Mhmm, lets try a different tool if you don't mind.

NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry. As FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.

Download FixIEDef.exe by ShadowPuterDude to the Desktop.
Note: FixIEDef now supports Non-English Language Systems
Double-click FixIEDef.exe:
That will open the About FixIEDef screen. Click OK to continue:
Next, press the Scan! button:
FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue:
Wait for the scan to finish. It shouldn't take very long:
WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
After the !!! All Finished !!! message is displayed, click Exit:
Post the FixIEDef log file, located on the Desktop.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

See: http://www.beyondlogic.org/consulting/proc...processutil.htm

charlieric · June 8, 2008

Hey Charlie,
Mhmm, lets try a different tool if you don't mind.
NOTE: You will need to temporarily disable any programs you have running that will block attempts to edit the registry. As FixIEDef calls REGEDIT to delete registry keys added by Zlob, Trojan.Downloader.Delf, AntiSpyPro, and IE Defender.
Download FixIEDef.exe by ShadowPuterDude to the Desktop.
Note: FixIEDef now supports Non-English Language Systems
Double-click FixIEDef.exe:

That will open the About FixIEDef screen. Click OK to continue:

Next, press the Scan! button:

FixIEDef needs to run as Administrator to perform correctly. This message simply confirms it was able to run with admin privileges. Click OK to continue:

Wait for the scan to finish. It shouldn't take very long:

WARNING: FixIEDef will kill all copies of Internet Explorer and Explorer that are running, during removal of malicious files. The icons and Start Menu on your Desktop will not be visible while FixIEDef is removing malicious files. This is necessary to remove parts of the infection that would otherwise not be removed.
After the !!! All Finished !!! message is displayed, click Exit:

Post the FixIEDef log file, located on the Desktop.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
See: http://www.beyondlogic.org/consulting/proc...processutil.htm

Here's the log, Monster. I should also note that I ran Trend virus scan this morning, and deleted or quarantined at least two infected viruses called Troj_Generic.ADV (or something like that). Since yesterday, I haven't had an instance of that pop-up box coming up warning me of malware, which then tries to install the bogus XP Defender 2008 or Malware Protector 2008 that was one of the original problems, so maybe some of this is now fixed. I do still have a set desktop background that has a spyware warning, and am unable to change the wallpaper or work our normal screensaver, which I found out today was due to changes that the malware made on those options in the registry. Anyway, FYI, and I'll await further instructions from you....

********************************************************************************

* *

* FixIEDef Log *

* Version 1.4.16.4411 *

* *

********************************************************************************

Created at 21:27:55 on Saturday, June 07, 2008

Time Zone : (GMT-07:00) Mountain Time (US & Canada)

Operating System : Microsoft Windows XP Home Edition

Service Pack Level: Service Pack 2

System Langauge : English (United States)

Processor : X86

Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

C:\WINDOWS\SwSys1.bmp

C:\WINDOWS\SwSys2.bmp

C:\WINDOWS\system32\Desktop.ico

C:\WINDOWS\system32\Help.ico

C:\WINDOWS\system32\IE.ico

C:\WINDOWS\system32\Open.ico

C:\WINDOWS\system32\Quick.ico

C:\WINDOWS\system32\Uninstall.ico

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done

ShadowPuterDude

Safe Surfing!!!

Andro1d · June 8, 2008

Hello again,

Step 1

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following.
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Step 2

Please download Deckard's System Scanner (DSS) to your desktop.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt into your thread.
An additional text file, Extra.txt,will also be available (by default) in the following FOLDER, C:\Deckard\System Scanner.
Please go to that folder and also copy the contents of Extra.txt to your post as well.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

charlieric · June 8, 2008

Hi again. Here are the new logs. Also, my Trend anti-virus is identifying a file in Smitfraudfix I downloaded as containing a virus, again the same Troj_Generic.ADV variety. I assume it is a false identification, so I didn't do anything. Another reason to get a different anti-virus program?

Rapport:

SmitFraudFix v2.323

Scan done at 8:31:31.93, Sun 06/08/2008

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

127.0.0.1 localhost

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

S!Ri's WS2Fix: LSP not Found.

GenericRenosFix by S!Ri

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E4642448-E7D1-47A5-BE6A-E7F27CB79F02}: DhcpNameServer=68.87.85.98 68.87.69.146

HKLM\SYSTEM\CS1\Services\Tcpip\..\{E4642448-E7D1-47A5-BE6A-E7F27CB79F02}: DhcpNameServer=68.87.85.98 68.87.69.146

HKLM\SYSTEM\CS2\Services\Tcpip\..\{E4642448-E7D1-47A5-BE6A-E7F27CB79F02}: DhcpNameServer=68.87.85.98 68.87.69.146

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.85.98 68.87.69.146

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

Registry Cleaning done.

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

And the logs from Deckard:

Deckard's System Scanner v20071014.68

Run by Owner on 2008-06-08 09:19:05

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 4 Restore Point(s) --

4: 2008-06-08 15:19:16 UTC - RP4 - Deckard's System Scanner Restore Point

3: 2008-06-08 02:58:56 UTC - RP3 - System Checkpoint

2: 2008-06-07 02:10:34 UTC - RP2 - ComboFix created restore point

1: 2008-06-07 02:09:31 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:20:05, on 6/8/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Softex\OmniPass\Omniserv.exe

C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe

C:\Program Files\Softex\OmniPass\OPXPApp.exe

C:\Program Files\Trend Micro\BM\TMBMSRV.exe

C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe

C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

C:\WINDOWS\Explorer.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\hkcmd.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\ALCXMNTR.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaTray.exe

C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\lphc5lnj0eaat.exe

C:\Program Files\Entriq\MediaSphere\Bin\EntriqMediaServer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe

C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe

C:\Documents and Settings\Owner\Desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus9.hpwis.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,;localhost

O2 - BHO: ICOOExternal Class - {0519A9C9-064A-4cbc-BC47-D0EACD581477} - C:\Program Files\ICOO Loader\addons\icooue.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ICOODManager Class - {465A59EC-20E5-4fca-A38A-E5EC3C480218} - C:\Program Files\ICOO Loader\addons\icoou.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)