Computer Security & Viruses/Thorny microsoft imposter trojan, etc. Acts like security/antivirus appl but interferes w/everything!

Question
QUESTION: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:48 PM, on 2/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\webserver\webserver.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 5400 Series\ezprint.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\windows\freddy84.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\windows\pp14.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 85.13.206.114 uuu20091124.info
O1 - Hosts: 85.13.206.114 u07012010u.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [sysldtray] C:\WINDOWS\ld16.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy84.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp14.exe
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha.dll",captcha
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233679154046
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe

--
End of file - 7875 bytes

ANSWER: Hi Nancy

Your computer is very infected, so please follow the steps below to begin the removal process:

Restart the computer in Safe Mode by continuously tapping the F8 key on boot until a black screen with a menu appears.  Choose to Start Windows in Safe Mode with Networking.  Log on as usual.  

Please download Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/mbam/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to "Update Malwarebytes' Anti-Malware", then click Finish.
* If an update is found, it will download and install the latest version.
* Run a Full Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Save that log and reboot normally.
* Post me that log, along with a new HJT scan log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Contents: second Hijack This scan log, first malwarebytes scan log.

Malwarebytes' Anti-Malware 1.44
Database version: 3697
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

2/6/2010 12:39:47 PM
mbam-log-2010-02-06 (12-39-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 245154
Time elapsed: 36 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 100

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fioo32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webserver (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fio32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIO32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIOO32 (Worm.KoobFace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\captcha7 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ld16.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\pp14.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1263922617.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1264009095.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265327165.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\freddy81.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265327233.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265330041.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265330412.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1263748862.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265330456.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265378520.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1263751417.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265384399.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265384435.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265384825.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1263825973.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265385454.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265385509.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265389150.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1265389189.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1263881873.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\rdr_1263882549.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\system32\fio32.dll (Worm.KoobFace) -> No action taken.
C:\WINDOWS\system32\drivers\fio32.sys (Worm.Koobface) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temp\zpskon_1263747399.exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\v2prx[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\fb.81[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\pp.14[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\pp.14[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\go[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\pp.14[3].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\go[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\fb.81[2].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\fb.84[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\v2captcha[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\go[4].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\v2captcha[3].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\A92D0D7W\pp.14[4].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\fb.84[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\go[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\go[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\go[6].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\go[3].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\go[4].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\pp.14[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\fb.81[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\v2captcha[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\go[5].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\8T5OL29D\v2prx[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\setup[1].exe (Worm.Koobface) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\go[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\fb.81[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\v2prx[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\Setup_312s1[1].exe (Rogue.Installer) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\v2prx[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\fb.84[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\fb.81[1].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\fb.81[3].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\go[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\go[3].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\fb.81[4].exe (Worm.Koobface) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\pp.14[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\v2captcha[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\XVU6NAWO\go[5].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2prx[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2webserver[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\fb.81[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\go[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\hosts2[1].exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\pp.14[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2prx[2].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2prx[3].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2prx[4].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\fb.81[2].exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2prx[6].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2captcha[1].exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\BF0IR2XO\v2prx[7].exe (Worm.KoobFace) -> No action taken.
C:\Program Files\captcha.dll (Worm.KoobFace) -> No action taken.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP460\A0048386.exe (Worm.KoobFace) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP464\A0048718.dll (Worm.Koobface) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP464\A0048728.dll (Worm.KoobFace) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP465\A0048756.dll (Worm.KoobFace) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP465\A0048766.dll (Worm.KoobFace) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP465\A0048776.dll (Worm.KoobFace) -> No action taken.
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP465\A0048786.dll (Worm.KoobFace) -> No action taken.
C:\WINDOWS\0101120101465348.xxe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\010112010146114101.xxe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\01011201014650115.xxe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\01011201014610799.xxe (KoobFace.Trace) -> No action taken.
C:\WINDOWS\bk23567.dat (KoobFace.Trace) -> No action taken.
C:\WINDOWS\fdgg34353edfgdfdf (KoobFace.Trace) -> No action taken.
C:\WINDOWS\freddy84.exe (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Larry\Local Settings\Temp\zpskon_1265324414.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\rdr_1265305603.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\rdr_1265327222.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\rdr_1265330018.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\rdr_1265330454.exe (Worm.Koobface) -> No action taken.
C:\WINDOWS\rdr_1265385498.exe (Worm.Koobface) -> No action taken.

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:56 PM, on 2/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 85.13.206.114 uuu20091124.info
O1 - Hosts: 85.13.206.114 u07012010u.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [sysldtray] C:\WINDOWS\ld16.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy84.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp14.exe
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha.dll",captcha
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_si
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe

--
End of file - 7210 bytes

Thanks, Brian!

Nancy
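
A triage pass over entries from the first HijackThis log in this thread, cross-checked against the Malwarebytes "Registry Values Infected" lines from this follow-up. This is an added example, not code from the thread, from HijackThis or from Malwarebytes; the heuristics, regexes, function names and the idea of flagging files loaded straight from the Windows or Program Files root are this example's own assumptions.

```python
"""Triage heuristics for HijackThis (HJT) log entries, run over lines from the
thread's first HJT log and cross-checked against the Malwarebytes "Registry
Values Infected" lines from the follow-up. Added example for this thread; the
heuristics and names are its own, not HijackThis' or Malwarebytes' code."""
import re
from typing import Dict, List

# Constructed sample: entries copied from the page's first HijackThis log, with
# the extraction line-wrapping undone. Every entry appears in the thread.
HJT_SAMPLE = r"""
O1 - Hosts: 85.13.206.114 uuu20091124.info
O1 - Hosts: 85.13.206.114 u07012010u.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [sysldtray] C:\WINDOWS\ld16.exe
O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy84.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp14.exe
O4 - HKLM\..\Run: [Captcha7] rundll "C:\Program Files\captcha.dll",captcha
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
"""

# Constructed sample: the Malwarebytes "Registry Values Infected" lines from
# the follow-up post (Run value name at the end of the key path).
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.Koobface) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\captcha7 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> No action taken.
"""

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O4_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\(Run(?:Once)?): \[([^\]]+)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.*?) - (.+)$")
MBAM_RUN_RE = re.compile(r"\\CurrentVersion\\Run\\([^\s\\]+) \(([^)]+)\)")
# A file loaded straight from the Windows or Program Files root, with no vendor
# subfolder, is the pattern shared by every Koobface file named in the thread.
ROOT_DROP_RE = re.compile(r"^[a-z]:\\(windows|program files)\\[^\\]+$", re.I)
LOCAL_IPS = {"127.0.0.1", "::1", "0.0.0.0"}


def _loaded_file(command: str) -> str:
    """The file a Run value really loads: its first (possibly quoted) token, or
    the module argument when the loader is rundll/rundll32, minus ',entry'."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', command)]
    if tokens and tokens[0].lower() in {"rundll", "rundll32", "rundll32.exe"}:
        tokens = tokens[1:]
    return tokens[0].split(",")[0] if tokens else ""


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Entries a reviewer should look at first, each with the reason."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m and m.group(1) not in LOCAL_IPS:  # hosts-file redirect to a remote IP
            findings.append({"section": "O1", "name": m.group(2),
                             "reason": f"hosts file sends {m.group(2)} to {m.group(1)}"})
            continue
        m = O4_RE.match(line)
        if m:
            path = _loaded_file(m.group(4))
            if ROOT_DROP_RE.match(path):
                findings.append({"section": "O4", "name": m.group(3),
                                 "reason": f"autostart loads {path} from a root folder"})
            continue
        m = O23_RE.match(line)
        if m and m.group(2).strip().lower() == "unknown owner":
            findings.append({"section": "O23", "name": m.group(1),
                             "reason": f"service with no publisher: {m.group(3)}"})
    return findings


def mbam_run_detections(mbam_text: str) -> Dict[str, str]:
    """Map each Run value name Malwarebytes flagged to its threat label."""
    hits = (MBAM_RUN_RE.search(line) for line in mbam_text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in hits if m}


def confirmed_autostarts(findings: List[Dict[str, str]],
                         mbam: Dict[str, str]) -> Dict[str, str]:
    """Heuristic O4 hits that the scanner independently named (name -> threat)."""
    return {f["name"]: mbam[f["name"].lower()]
            for f in findings if f["section"] == "O4" and f["name"].lower() in mbam}


if __name__ == "__main__":
    hits = triage_hjt(HJT_SAMPLE)
    for h in hits:
        print(f"{h['section']:>3} {h['name']:<18} {h['reason']}")
    print("confirmed by MBAM:", confirmed_autostarts(hits, mbam_run_detections(MBAM_SAMPLE)))
```

The four O4 entries the heuristic picks out are exactly the four Run values Malwarebytes labelled Koobface; the O1 and O23 hits match files the scanner also named (hosts2 and webserver.exe), so the script gives a reviewer the same short list before any scanner output exists.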

ANSWER: Hi Nancy

Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
*Important*-Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. If asked to install the Windows Recovery Console, please allow the program to do so.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer. Do not intervene.

Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt. It will then display the log file automatically for you. Post me that log and a new HJT scan log in your follow-up.

Brian

---------- FOLLOW-UP ----------

QUESTION: ComboFix Log:

ComboFix 10-02-06.01 - Larry 02/06/2010  17:58:23.1.1 - FAT32x86 NETWORK
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.256.127 [GMT -5:00]
Running from: c:\documents and settings\Larry\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\captcha.dll
c:\program files\webserver
c:\program files\webserver\webserver.exe
c:\windows\01011201014610799.xxe
c:\windows\010112010146114101.xxe
c:\windows\01011201014650115.xxe
c:\windows\0101120101465348.xxe
c:\windows\bk23567.dat
c:\windows\desktop
c:\windows\desktop\ImageStation.lnk
c:\windows\fdgg34353edfgdfdf
c:\windows\freddy81.exe
c:\windows\freddy84.exe
c:\windows\ld16.exe
c:\windows\pp14.exe
c:\windows\rdr_1263748862.exe
c:\windows\rdr_1263751417.exe
c:\windows\rdr_1263825973.exe
c:\windows\rdr_1263881873.exe
c:\windows\rdr_1263882549.exe
c:\windows\rdr_1263922617.exe
c:\windows\rdr_1264009095.exe
c:\windows\rdr_1265305603.exe
c:\windows\rdr_1265327165.exe
c:\windows\rdr_1265327222.exe
c:\windows\rdr_1265327233.exe
c:\windows\rdr_1265330018.exe
c:\windows\rdr_1265330041.exe
c:\windows\rdr_1265330412.exe
c:\windows\rdr_1265330454.exe
c:\windows\rdr_1265330456.exe
c:\windows\rdr_1265378520.exe
c:\windows\rdr_1265384399.exe
c:\windows\rdr_1265384435.exe
c:\windows\rdr_1265384825.exe
c:\windows\rdr_1265385454.exe
c:\windows\rdr_1265385498.exe
c:\windows\rdr_1265385509.exe
c:\windows\rdr_1265389150.exe
c:\windows\rdr_1265389189.exe
c:\windows\system32\drivers\fio32.sys
c:\windows\system32\fio32.dll
c:\windows\Temp\tmp3.tmp

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FIOO32
-------\Legacy_WEBSERVER
-------\Service_fioo32
-------\Service_SfX
-------\Service_webserver
-------\Legacy_fio32
-------\Service_fio32


(((((((((((((((((((((((((   Files Created from 2010-01-06 to 2010-02-06  )))))))))))))))))))))))))))))))
.

2010-02-06 16:12 . 2010-02-06 16:12   --------   d-----w-   c:\documents and settings\Larry\Application Data\Malwarebytes
2010-02-06 16:12 . 2010-01-07 21:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 16:12 . 2010-02-06 16:12   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-06 16:12 . 2010-02-06 16:12   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-06 16:12 . 2010-01-07 21:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-05 17:03 . 2010-02-05 17:03   --------   d-----w-   c:\program files\Trend Micro
2010-01-21 23:53 . 2010-01-21 23:53   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-01-21 14:47 . 2007-10-23 14:27   110592   ----a-w-   c:\documents and settings\Larry\Application Data\U3\temp\cleanup.exe
2010-01-21 14:44 . 2008-05-02 15:41   3493888   ---ha-w-   c:\documents and settings\Larry\Application Data\U3\temp\Launchpad Removal.exe
2010-01-21 14:44 . 2010-01-21 14:44   --------   d-----w-   c:\documents and settings\Larry\Application Data\U3
2010-01-12 19:36 . 2009-11-21 15:51   471552   ------w-   c:\windows\system32\dllcache\aclayers.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 15:51 . 2001-09-08 15:52   471552   ----a-w-   c:\windows\AppPatch\AcLayers.dll
2004-11-27 20:58 . 2004-11-27 20:55   3835724   ----a-w-   c:\program files\generac.pdf
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"E6TaskPanel"="c:\program files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 942080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2005-01-16 684032]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"lxcrmon.exe"="c:\program files\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 286720]
"EzPrint"="c:\program files\Lexmark 5400 Series\ezprint.exe" [2007-03-19 82864]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]
"lxctmon.exe"="c:\program files\Lexmark 5400 Series\lxctmon.exe" [2007-03-19 291760]
"Lexmark 5400 Series Fax Server"="c:\program files\Lexmark 5400 Series\fm3032.exe" [2007-03-19 304048]
"LXCTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-1-9 200704]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup=c:\windows\pss\VAIO Action Setup (Server).lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 01:12   1695232   ----a-w-   c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2001-09-08 17:56   28672   ----a-w-   c:\windows\system32\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
2002-02-05 03:32   53248   ------w-   c:\program files\REGSHAVE\REGSHAVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZTgServerSwitch]
2001-09-11 00:36   2339   ----a-w-   c:\program files\support.com\client\lserver\Server.vbs

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\System32\\lxcrcoms.exe"=
"c:\\WINDOWS\\System32\\lxctcoms.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"53:TCP"= 53:TCP:webserver

R1 SonyFanC;FAN Control Device Service;c:\windows\system32\drivers\SonyFanC.sys [9/9/2001 1:57 PM 68116]
R2 EarthLinkMonitor;EarthLink Monitor Service;c:\program files\EarthLink TotalAccess\WENGINE\wmonitor.exe [1/26/2005 11:47 AM 65604]
R2 V7;V7;c:\windows\system32\drivers\V7.SYS [10/18/2004 3:33 PM 7196]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [9/8/2001 2:22 PM 54271]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\BW2NDIS5.SYS [11/1/2004 2:16 PM 17536]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/6/2010 11:12 AM 38224]
.
Contents of the 'Scheduled Tasks' folder

2004-10-18 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-09-08 01:12]

2004-10-18 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-09-08 01:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.earthlink.net
uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html
IE: EarthLink Google Search - c:\program files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
HKCU-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
HKLM-Run-Propel Accelerator - c:\program files\BellSouth Accelerator Technology\trayctl.exe
HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-06 18:06
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...  

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
 LXCTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\lxctcoms.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\lxcrcoms.exe
c:\windows\SoftwareDistribution\Download\4c8193e6fe0f09288b4175a7e06d452f\update\update.exe
.
**************************************************************************
.
Completion time: 2010-02-06  18:11:18 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-06 23:11

Pre-Run: 6,695,723,008 bytes free
Post-Run: 6,634,852,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 61F0169C63477ACD5123657449D43AC8

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:45:09 PM, on 2/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 5400 Series\lxctmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPub.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.org/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_si
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: lxcr_device -   - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: lxct_device -   - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6269 bytes

Thank you,

Nancy
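As an added triage example (not code from this thread, from HijackThis or from ComboFix), a small parser for the "Running processes" block and the O4 Run lines of a HijackThis log that flags executables launched from the Windows root or from temp folders, the locations where the rogue files ComboFix deleted above (freddy84.exe, pp14.exe) were sitting. The sample log is constructed from entries on this page.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Reads the 'Running processes' block and the O4 autostart lines, then flags
images that live directly in the Windows root or in a temp folder. Legitimate
software on an XP box almost always runs from Program Files or system32, so
an .exe dropped straight into c:\\windows\\ deserves a second look.
"""
import re
from typing import List, Tuple

# Folders from which an autostart/running executable is unremarkable.
EXPECTED_PREFIXES = (
    r"c:\windows\system32\ ".strip(),
    r"c:\program files\ ".strip(),
    r"c:\windows\explorer.exe",
)
# Locations that deserve scrutiny when an .exe is launched from them.
SUSPICIOUS_PREFIXES = (
    r"c:\windows\temp\ ".strip(),
    r"c:\documents and settings\ ".strip(),  # user-profile and temp dirs
)

# O4 line: 'O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /switch'
O4_RE = re.compile(
    r'^O4 - .*?: \[(?P<name>[^\]]+)\] "?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.I
)

# Constructed sample: lines taken from the logs on this page.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\windows\freddy84.exe
C:\windows\pp14.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def extract_images(log: str) -> List[Tuple[str, str]]:
    """Return (source, path) for every running process and O4 Run image."""
    images, in_procs = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
                continue
            images.append(("process", line))
            continue
        m = O4_RE.match(line)
        if m:
            images.append(("O4:" + m.group("name"), m.group("path")))
    return images


def is_unusual(path: str) -> bool:
    """True when the image sits in a temp/profile folder or the Windows root."""
    low = path.lower()
    if low.startswith(SUSPICIOUS_PREFIXES):
        return True
    if low.startswith(EXPECTED_PREFIXES):
        return False
    # An .exe directly under c:\windows\ with no subfolder, as in this thread.
    return bool(re.match(r"^c:\\windows\\[^\\]+\.exe$", low))


def triage(log: str) -> List[str]:
    """Sorted, de-duplicated list of images worth investigating."""
    return sorted({path for _, path in extract_images(log) if is_unusual(path)})
```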

Answer
Hi Nancy

Your HJT log file is coming up clean, so I think we got all the bugs out.  If you are still experiencing problems, just let me know.  Otherwise, please follow the final instructions below to finish the cleanup:

Uninstall Combofix by clicking Start->Run. Now type Combofix /u in the run box and click OK. Note the space between the x and the /u; it needs to be there.
Reset your System Restore Points.  Click Start->Settings->Control Panel then double-click the System icon. Select the System Restore tab and check "Turn off System Restore".  Now re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".
Run the Windows Disk Cleanup Utility.  Click Start->Run. In the run box, type cleanmgr, and then click OK.
Install a virus scanner.  I recommend the free Avira Anti-Vir which can be found here:
http://download.cnet.com/Avira-AntiVir-Personal-Free-Antivirus/3000-2239_4-10322
You may also choose to keep Malwarebytes' as a supplemental scanner.  Every few weeks, run the program, update the definitions, then run a Quick Scan.

As always, if there are any questions, I will be happy to help.

Brian  


Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.