Lots of problems

Status
Not open for further replies.

Dugan06

Had this computer for a while now and we've been using CA, and it's not catching something. We got changed homepages, fake 'Privacy Center' warnings and fake Microsoft updates. Sometimes I can't even log into my user account. New user here and with HijackThis, but I've dealt a little with spyware. Any help is appreciated. Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:09 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\US54SE_Utility\ZDWlan.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitPim\bitpimw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Customize Your Settings
R3 - URLSearchHook: (no name) - {a6e4a4eb-d169-4e99-8988-250fcbafe767} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\Program Files\iWin Games\iWinGamesHookIE.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [agent.exe] C:\Program Files\Privacy center\agent.exe
O4 - Global Startup: MSI US54SE 802.11b+g USB Stick Utility.lnk = C:\Program Files\MSI\US54SE_Utility\ZDWlan.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Escape%20Rosecliff%20Island/Images/stg_drm.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1201388762315
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Blood%20Ties/Images/armhelper.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: iWinTrusted - iWin Inc. - C:\Program Files\iWin Games\iWinTrusted.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7663 bytes
 
Uninstall Viewpoint.

Do you play iWin Games?
C:\Program Files\iWin Games\iWinTrusted.exe

Run ComboFix and then Malwarebytes and post their logs.
 
ComboFix 09-03-19.02 - matt 2009-03-21 15:41:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.84 [GMT -4:00]
Running from: c:\documents and settings\matt\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ios.dat
c:\windows\system32\c.ico
c:\windows\system32\m.ico
c:\windows\system32\m3.ico
c:\windows\system32\p.ico
c:\windows\system32\s.ico
c:\windows\system32\sf.ico

.
((((((((((((((((((((((((( Files Created from 2009-02-21 to 2009-03-21 )))))))))))))))))))))))))))))))
.

2009-03-20 19:40 . 2009-03-20 19:40 <DIR> d-------- c:\documents and settings\pam\Application Data\ArcadeTown
2009-03-20 19:39 . 2009-03-20 19:40 <DIR> d-------- c:\program files\AmazingAdventures2_at
2009-03-20 18:11 . 2009-03-20 18:11 <DIR> d-------- c:\program files\Trend Micro
2009-03-19 22:58 . 2009-03-20 00:32 <DIR> d-------- c:\program files\iWin.com
2009-03-19 22:52 . 2009-03-21 15:24 <DIR> d-------- c:\program files\iWin Games
2009-03-19 16:35 . 2009-03-19 16:35 <DIR> d-------- c:\documents and settings\matt\Application Data\Privacy center
2009-03-19 11:22 . 2009-03-19 11:22 <DIR> d-------- c:\documents and settings\pam\Application Data\Total Eclipse
2009-03-18 21:00 . 2009-03-18 21:02 <DIR> d-------- c:\program files\The Hidden Prophecies of Nostradamus
2009-03-16 21:59 . 2009-03-16 22:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sandlot Games
2009-03-16 21:43 . 2009-03-16 22:08 <DIR> d-------- c:\program files\Sandlot Games
2009-03-15 18:43 . 2009-03-15 18:43 <DIR> d-------- c:\documents and settings\pam\Application Data\Lost in the City
2009-03-14 00:31 . 2009-03-14 00:31 <DIR> d-------- c:\documents and settings\pam\Application Data\Anabel
2009-03-10 22:01 . 2004-08-04 00:56 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-10 15:33 . 2009-03-10 15:33 <DIR> d-------- c:\program files\Turbogames.ru
2009-03-09 15:39 . 2009-03-09 20:58 31 --a------ c:\windows\sav.ini
2009-03-03 16:43 . 2009-03-03 16:43 <DIR> d-------- c:\documents and settings\pam\Application Data\BrandX Games
2009-03-03 16:34 . 2009-03-03 16:35 <DIR> d-------- c:\program files\PlayPond
2009-03-01 23:38 . 2009-03-01 23:38 <DIR> d-------- c:\program files\Riva
2009-03-01 20:56 . 2009-03-01 20:56 <DIR> d-------- c:\documents and settings\pam\Application Data\SerpentOfIsis
2009-02-26 16:26 . 2009-02-26 16:26 <DIR> d-------- c:\program files\BitPim
2009-02-26 16:13 . 2009-02-26 16:15 <DIR> d-------- c:\program files\V CAST Music with Rhapsody
2009-02-24 21:22 . 2009-02-24 21:22 <DIR> d-------- c:\program files\Adobe Media Player
2009-02-24 21:18 . 2009-02-24 21:18 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-24 15:15 . 2009-02-24 15:15 <DIR> d-------- c:\program files\SyncCell
2009-02-24 15:15 . 2009-02-24 15:23 <DIR> d-------- c:\documents and settings\matt\Application Data\SyncCell
2009-02-24 15:15 . 2009-02-24 15:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\matt
2009-02-24 15:15 . 2009-02-24 15:15 19 --a------ c:\windows\info9.ini
2009-02-24 15:15 . 2009-02-24 15:15 19 --a------ c:\windows\info7.ini
2009-02-24 15:15 . 2009-02-24 15:15 19 --a------ c:\windows\info4.ini
2009-02-24 15:15 . 2009-02-24 15:15 19 --a------ c:\windows\info10.ini
2009-02-24 15:00 . 2009-02-24 15:00 <DIR> d-------- c:\program files\Verizon Wireless
2009-02-24 14:57 . 2009-02-24 14:57 <DIR> d-------- c:\program files\LG Electronics
2009-02-24 14:57 . 2007-04-09 10:55 22,912 --a------ c:\windows\system32\drivers\lgusbmodem.sys
2009-02-24 14:57 . 2007-04-09 10:56 21,248 --a------ c:\windows\system32\drivers\lgusbdiag.sys
2009-02-24 14:57 . 2007-04-09 10:53 12,672 --a------ c:\windows\system32\drivers\lgusbbus.sys
2009-02-21 22:19 . 2009-02-21 22:30 <DIR> d-------- c:\documents and settings\pam\Application Data\RobinsonCrusoeCG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-21 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k7
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k6
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k5
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k4
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k3
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k2
2009-03-21 05:15 64 ----a-w c:\windows\system32\drivers\kmxcfg.u2k1
2009-03-21 05:15 269,272 ----a-w c:\windows\system32\drivers\kmxcfg.u2k0
2009-03-21 02:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-20 01:49 --------- d-----w c:\program files\Yahoo! Games
2009-03-20 01:49 --------- d-----w c:\program files\Alawar
2009-03-19 18:21 --------- d-----w c:\program files\RealArcade
2009-03-19 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\AlawarWrapper
2009-03-19 00:54 --------- d-----w c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-03-15 22:03 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2009-03-13 20:03 --------- d-----w c:\program files\AOL Games
2009-03-11 02:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-10 23:43 --------- d-----w c:\documents and settings\matt\Application Data\Azureus
2009-03-10 04:03 --------- d-----w c:\program files\Yahoo!
2009-03-07 21:36 --------- d-----w c:\program files\Retro64 Games
2009-03-04 03:28 --------- d-----w c:\documents and settings\pam\Application Data\SpinTop Games
2009-03-02 02:43 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 00:12 --------- d-----w c:\documents and settings\pam\Application Data\PlayFirst
2009-02-27 22:39 --------- d-----w c:\program files\PlayFirst
2009-02-27 22:32 --------- d-----w c:\program files\Oberon Media
2009-02-27 03:27 --------- d-----w c:\program files\MSN Games
2009-02-26 20:15 --------- d-----w c:\program files\Common Files\Real
2009-02-26 06:24 --------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games
2009-02-24 18:57 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-22 17:10 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
2009-02-19 20:03 --------- d-----w c:\documents and settings\All Users\Application Data\Oberon Media
2009-02-15 19:21 --------- d-----w c:\program files\NOS
2009-02-15 19:21 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-02-13 05:25 --------- d-----w c:\documents and settings\All Users\Application Data\HoverBee Studios
2009-02-13 02:45 --------- d-----w c:\documents and settings\All Users\Application Data\Intenium
2009-02-12 04:10 --------- d-----w c:\documents and settings\Skylar\Application Data\BigFish
2009-02-11 02:43 --------- d-----w c:\documents and settings\pam\Application Data\Gold Casual Games
2009-02-11 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\Gold Casual Games
2009-02-10 03:05 --------- d-----w c:\documents and settings\All Users\Application Data\GameHouse
2009-02-09 19:51 --------- d-----w c:\documents and settings\pam\Application Data\Artogon
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 22:42 --------- d-----w c:\documents and settings\pam\Application Data\GameHouse
2009-02-07 22:41 --------- d-----w c:\program files\GameHouse
2009-02-05 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\Nick Chase A Detective Story
2009-02-04 21:22 --------- d-----w c:\program files\bfgclient
2009-02-03 01:12 --------- d-----w c:\documents and settings\pam\Application Data\HSA
2009-02-02 02:01 --------- d-----w c:\documents and settings\pam\Application Data\Jetsetter
2009-02-02 00:32 --------- d-----w c:\program files\ReflexiveArcade
2009-02-01 05:06 --------- d-----w c:\documents and settings\All Users\Application Data\AdventureChronicles1
2009-02-01 05:03 --------- d-----w c:\documents and settings\pam\Application Data\Pharaohs Secret
2009-01-30 23:20 --------- d-----w c:\documents and settings\pam\Application Data\Coyotes Tale
2009-01-28 19:55 --------- d-----w c:\documents and settings\All Users\Application Data\WildWestQuest2
2009-01-28 19:33 --------- d-----w c:\documents and settings\All Users\Application Data\Enkord
2009-01-27 20:25 --------- d-----w c:\documents and settings\pam\Application Data\Island
2009-01-27 19:59 --------- d-----w c:\documents and settings\pam\Application Data\RobinsonCrusoe
2009-01-27 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\HiddenSecretsNightmare
2009-01-27 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
2009-01-21 01:58 --------- d-----w c:\documents and settings\Skylar\Application Data\Download Manager
2009-01-15 07:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 07:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 07:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 07:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 07:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 07:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 07:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 07:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 07:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 06:50 156,160 ----a-w c:\windows\system32\msls31.dll
2009-01-14 19:49 63,488 ----a-w c:\windows\xobglu16.dll
2009-01-14 19:49 23,552 ----a-w c:\windows\xobglu32.dll
2008-10-30 01:12 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-02-27 03:55 0 ----a-w c:\program files\temp01
2001-11-23 17:08 712,704 ----a-r c:\windows\inf\OTHER\AUDIO3D.DLL
2008-08-23 01:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082220080823\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-23 181488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

c:\documents and settings\Skylar\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MSI US54SE 802.11b+g USB Stick Utility.lnk - c:\program files\MSI\US54SE_Utility\ZDWlan.exe [2008-02-03 483328]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="c:\program files\Privacy center\pc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 14:30 79368 c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.hfyu"= huffyuv.dll
"msacm.divxa32"= DivXa32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^pam^Start Menu^Programs^Startup^iWin Desktop Alerts.lnk]
path=c:\documents and settings\pam\Start Menu\Programs\Startup\iWin Desktop Alerts.lnk
backup=c:\windows\pss\iWin Desktop Alerts.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^pam^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\pam\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cafwc]
--a------ 2008-07-31 17:03 1193200 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfasem]
--a------ 2008-07-31 17:03 173296 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\capfupgrade]
--a------ 2008-07-31 17:03 259312 c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
--a------ 2008-09-09 08:40 234736 c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cctray]
--a------ 2009-01-23 16:10 181488 c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CoolSwitch]
--a------ 2002-03-19 18:30 45632 c:\windows\system32\TaskSwitch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
-ra------ 2007-10-07 16:33 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
-ra------ 2007-10-07 16:33 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
-ra------ 2007-10-07 16:33 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-09-10 17:40 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QOELOADER]
--a----t- 2008-03-04 22:03 14088 c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\V CAST Music with Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-06-24 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-06-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-06-24 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-06-24 115216]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-06-24 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-06-24 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-24 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-06-24 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2008-08-17 185584]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2008-02-03 20608]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-02-15 33752]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2009-01-05 23096]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 c:\windows\Tasks\User_Feed_Synchronization-{2E3951A2-B283-4E1E-8AAF-82A2D02DE2BB}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 03:01]
.
 
Rest of it:

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{a6e4a4eb-d169-4e99-8988-250fcbafe767} - (no file)
WebBrowser-{A6E4A4EB-D169-4E99-8988-250FCBAFE767} - (no file)
HKCU-Run-agent.exe - c:\program files\Privacy center\agent.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
DPF: ActiveGS.cab - hxxp://www.virtualapple.org/activegs.cab
FF - ProfilePath - c:\documents and settings\matt\Application Data\Mozilla\Firefox\Profiles\cw3h4ubk.default\
FF - component: c:\documents and settings\matt\Application Data\Mozilla\Firefox\Profiles\cw3h4ubk.default\extensions\{a6e4a4eb-d169-4e99-8988-250fcbafe767}\components\FFAlert.dll
FF - plugin: c:\documents and settings\matt\Application Data\Mozilla\Firefox\Profiles\cw3h4ubk.default\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-21 15:44:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(2000)
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(380)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-03-21 15:46:52
ComboFix-quarantined-files.txt 2009-03-21 19:46:49

Pre-Run: 166,360,653,824 bytes free
Post-Run: 169,549,942,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

302 --- E O F --- 2009-03-17 22:35:44
 
Malwarebytes' Anti-Malware 1.34
Database version: 1882
Windows 5.1.2600 Service Pack 3

3/21/2009 8:36:35 PM
mbam-log-2009-03-21 (20-36-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 217553
Time elapsed: 46 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\spbho.tiebho (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\matt\Start Menu\Programs\Privacy center (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\keys (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\temp (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Desktop\WindowsSuperPack\WPatcherP5575987\Windows XP Keygen.exe (Malware.Tool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CF3D5CA-FFEA-4438-BC3C-0B40D99D730B}\RP421\A0104604.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CF3D5CA-FFEA-4438-BC3C-0B40D99D730B}\RP422\A0104660.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Start Menu\Programs\Privacy center\Privacy center.lnk (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases\cg.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases\mw.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases\rd.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases\sc.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases\sm.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\dbases\sp.dat (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\keys\cg.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\keys\rd.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\keys\sc.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\keys\sp.key (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\temp\settings.ini (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\matt\Application Data\Privacy center\temp\spfilter (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
 
Malwarebytes, I think, got what I was talking about. Things seem better. Thanks for everything!!!
 