# This is the most annoying virus



## TryingToProve

I am telling you. I will just be working and this stupid same crap will pop up. Some security shield warning fake virus bull crap. Is there any way you can tell me how I am getting this virus? Please? I ran malwarebytes and got this:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6827

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

6/10/2011 11:04:49 AM
mbam-log-2011-06-10 (11-04-49).txt

Scan type: Quick scan
Objects scanned: 145074
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Documents and Settings\QuentinAshleyAli\Local Settings\Application Data\qqxqoxtw.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\quentinashleyali\local settings\temp\60B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\quentinashleyali\local settings\temp\60C.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\quentinashleyali\local settings\temp\jar_cache5531316482205283128.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\quentinashleyali\start menu\Programs\security shield.lnk (Rogue.SecurityShield) -> Quarantined and deleted successfully.

HIJACK:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:07:53 AM, on 6/10/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\AOL\1300136716\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRAM FILES\CHARTNET\Serialno_1000\bin\mtclient.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\PROGRAM FILES\CHARTNET\SERIALNO_1000\BIN\mtvclient.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - !{ba00b7b1-0351-477a-b948-23e3ee5a73d4} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1300136716\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [limewire plus+] "C:\Program Files\Limewire Plus+\limewire.exe" -h
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Unknown owner - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (file missing)

--
End of file - 4592 bytes


----------



## johnb35

Either one of a few different ways.

1.  revisiting a malicious website that automatically puts it on your system.
2.  using p2p software to download illegal software/music.  I see you have limewire installed.  Limewire is shut down by the government and needs to be uninstalled.
3.  Opening unknown/spam emails and clicking on the links.

Also noticed, limewire was not in your other hijackths logs in the other thread.  It just seems you need better surfing habits and possibly using a web site advisor installed such as WOT.

http://www.mywot.com/

Run combofix again to make sure nothing else is there.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## TryingToProve

ComboFix 11-06-10.09 - QuentinAshleyAli 06/10/2011  17:54:52.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.895.525 [GMT -5:00]
Running from: c:\documents and settings\QuentinAshleyAli\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\msado320.tlb
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-10 to 2011-06-10  )))))))))))))))))))))))))))))))
.
.
2011-06-10 16:07 . 2011-06-10 16:07	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsla0c5c1ab.sys
2011-06-10 07:28 . 2011-05-09 20:46	6962000	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\mpengine.dll
2011-06-09 14:14 . 2009-05-18 18:17	26600	----a-w-	c:\windows\system32\drivers\GEARAspiWDM.sys
2011-06-09 14:14 . 2008-04-17 17:12	107368	----a-w-	c:\windows\system32\GEARAspi.dll
2011-06-09 14:13 . 2011-06-09 14:13	--------	d-----w-	c:\program files\iPod
2011-06-09 14:13 . 2011-06-09 14:14	--------	d-----w-	c:\program files\iTunes
2011-06-09 14:13 . 2011-06-09 14:14	--------	d-----w-	c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-06-09 14:12 . 2011-06-09 14:12	--------	d-----w-	c:\program files\Apple Software Update
2011-06-09 14:12 . 2011-06-09 14:12	--------	d-----w-	c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Apple
2011-06-09 14:11 . 2011-06-09 14:11	--------	d-----w-	c:\program files\Bonjour
2011-06-09 14:04 . 2011-06-09 14:04	--------	d-----w-	c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+
2011-05-17 19:20 . 2011-05-17 19:20	--------	d-----w-	c:\documents and settings\All Users\Application Data\NCH Swift Sound
2011-05-17 19:20 . 2011-06-01 23:46	--------	d-----w-	c:\documents and settings\QuentinAshleyAli\Application Data\NCH Swift Sound
2011-05-16 14:02 . 2011-05-29 14:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 14:02 . 2011-05-29 14:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-09 20:46 . 2011-02-08 12:11	6962000	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-05 16:14 . 2011-05-05 16:14	388096	----a-r-	c:\documents and settings\QuentinAshleyAli\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-06 21:20 . 2011-04-06 21:20	91424	----a-w-	c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20	75040	----a-w-	c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20	197920	----a-w-	c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
2011-03-18 18:32 . 2011-02-14 22:05	71072	----a-w-	c:\windows\CouponPrinter.ocx
.
.
(((((((((((((((((((((((((((((   SnapShot_2011-06-03_10.15.01   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-10 16:07 . 2011-06-10 16:07	16384              c:\windows\temp\Perflib_Perfdata_58c.dat
+ 2011-06-09 14:12 . 2011-05-10 13:06	42496              c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
+ 2011-06-09 14:12 . 2011-05-10 13:06	18432              c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
+ 2011-06-09 14:14 . 2009-05-18 18:17	26600              c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2011-06-09 14:12 . 2011-06-09 14:12	27136              c:\windows\Installer\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}\AppleSoftwareUpdateIco.exe
+ 2011-06-09 14:14 . 2008-04-17 17:12	107368              c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2011-06-09 14:12 . 2011-06-09 14:12	771584              c:\windows\Installer\2e89dce.msi
+ 2011-06-09 14:10 . 2011-06-09 14:10	811520              c:\windows\Installer\2e89d72.msi
+ 2011-06-09 14:15 . 2011-06-09 14:15	380928              c:\windows\Installer\{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}\iTunesIco.exe
+ 2011-06-09 14:12 . 2011-05-10 13:06	4517664              c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaaplrc.dll
+ 2011-06-09 14:12 . 2011-04-08 19:59	1461992              c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\wdfcoinstaller01009.dll
+ 2011-06-09 14:15 . 2011-06-09 14:15	6541312              c:\windows\Installer\2e89dd5.msi
+ 2011-06-09 14:12 . 2011-06-09 14:12	3085312              c:\windows\Installer\2e89da0.msi
+ 2011-06-09 14:11 . 2011-06-09 14:11	1984000              c:\windows\Installer\2e89d9b.msi
+ 2009-12-05 01:45 . 2011-04-29 16:29	42829768              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]
"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"HostManager"="c:\program files\Common Files\AOL\1300136716\ee\AOLSoftware.exe" [2009-07-20 41264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1300136716\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKsla0c5c1ab;MpKsla0c5c1ab;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsla0c5c1ab.sys [6/10/2011 11:07 AM 28752]
S1 MpKsl62027b3a;MpKsl62027b3a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B274C892-B322-42AF-BC78-4B4A78AC5295}\MpKsl62027b3a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B274C892-B322-42AF-BC78-4B4A78AC5295}\MpKsl62027b3a.sys [?]
S1 MpKslf2687b69;MpKslf2687b69;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B274C892-B322-42AF-BC78-4B4A78AC5295}\MpKslf2687b69.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B274C892-B322-42AF-BC78-4B4A78AC5295}\MpKslf2687b69.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 11:16 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 11:16 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/16/2011 9:02 AM 39984]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLA0C5C1AB
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-06-10 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-10 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-10 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-10 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-05 16:16]
.
2011-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-05 16:16]
.
2011-06-10 c:\windows\Tasks\hpwebreg_CN0AF22KXT05D2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\hpwebreg.exe [2010-06-14 22:10]
.
2011-06-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 76.85.229.110 76.85.229.111
FF - ProfilePath - c:\documents and settings\QuentinAshleyAli\Application Data\Mozilla\Firefox\Profiles\bdg8hvb6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://search.bearshare.com/
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com/web?src=ffb&systemid=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: protocol-handler.warn-external.dnUpdate - false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 18:00
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-06-10  18:02:03
ComboFix-quarantined-files.txt  2011-06-10 23:01
ComboFix2.txt  2011-06-03 10:17
ComboFix3.txt  2011-02-07 22:39
.
Pre-Run: 143,689,342,976 bytes free
Post-Run: 143,738,724,352 bytes free
.
- - End Of File - - 4E963D780B6834ABFED1487493089510
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:26:59 PM, on 6/10/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\AOL\1300136716\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AOL 9.5\waol.exe
C:\Program Files\AOL 9.5\shellmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - !{ba00b7b1-0351-477a-b948-23e3ee5a73d4} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1300136716\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.5\AOL.EXE" -b
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Unknown owner - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (file missing)

--
End of file - 4380 bytes


----------



## johnb35

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

Killall::

Folder::
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+

Driver::
MpKsl62027b3a
MpKslf2687b69

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## TryingToProve

I cannot find combofix to put it on my desktop. where would it be?


----------



## johnb35

Code:
	

c:\documents and settings\QuentinAshleyAli\My Documents\Downloads\ComboFix.exe


Move it to your desktop area


----------



## TryingToProve

Thank you! Here it is 

ComboFix 11-06-10.09 - QuentinAshleyAli 06/10/2011  20:32:23.5.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.895.570 [GMT -5:00]
Running from: c:\documents and settings\QuentinAshleyAli\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\QuentinAshleyAli\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxAPI.dll
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DifXInstall32.exe
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\DIFxInstallLog.txt
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\GEARAspiWDM.inf
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\gearaspiwdmx86.cat
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspi.dll
c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}\x86\x86\GEARAspiWDM.sys
c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+
c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+\Data\FailedSNodes.dat
c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+\Data\ShareH.dat
c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+\Data\ShareL.dat
c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Limewire Plus+\Data\SNodes.dat
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL62027B3A
-------\Legacy_MPKSLF2687B69
-------\Service_MpKsl62027b3a
-------\Service_MpKslf2687b69
.
.
(((((((((((((((((((((((((   Files Created from 2011-05-11 to 2011-06-11  )))))))))))))))))))))))))))))))
.
.
2011-06-11 01:39 . 2011-06-11 01:39	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsl01c601d8.sys
2011-06-10 23:27 . 2011-06-10 23:27	28752	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKslcc8a2449.sys
2011-06-10 07:28 . 2011-05-09 20:46	6962000	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\mpengine.dll
2011-06-09 14:14 . 2009-05-18 18:17	26600	----a-w-	c:\windows\system32\drivers\GEARAspiWDM.sys
2011-06-09 14:14 . 2008-04-17 17:12	107368	----a-w-	c:\windows\system32\GEARAspi.dll
2011-06-09 14:13 . 2011-06-09 14:13	--------	d-----w-	c:\program files\iPod
2011-06-09 14:13 . 2011-06-09 14:14	--------	d-----w-	c:\program files\iTunes
2011-06-09 14:12 . 2011-06-09 14:12	--------	d-----w-	c:\program files\Apple Software Update
2011-06-09 14:12 . 2011-06-09 14:12	--------	d-----w-	c:\documents and settings\QuentinAshleyAli\Local Settings\Application Data\Apple
2011-06-09 14:11 . 2011-06-09 14:11	--------	d-----w-	c:\program files\Bonjour
2011-05-17 19:20 . 2011-05-17 19:20	--------	d-----w-	c:\documents and settings\All Users\Application Data\NCH Swift Sound
2011-05-17 19:20 . 2011-06-01 23:46	--------	d-----w-	c:\documents and settings\QuentinAshleyAli\Application Data\NCH Swift Sound
2011-05-16 14:02 . 2011-05-29 14:11	39984	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-16 14:02 . 2011-05-29 14:11	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-09 20:46 . 2011-02-08 12:11	6962000	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-05 16:14 . 2011-05-05 16:14	388096	----a-r-	c:\documents and settings\QuentinAshleyAli\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-06 21:20 . 2011-04-06 21:20	91424	----a-w-	c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20	75040	----a-w-	c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20	197920	----a-w-	c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20	107808	----a-w-	c:\windows\system32\dns-sd.exe
2011-03-18 18:32 . 2011-02-14 22:05	71072	----a-w-	c:\windows\CouponPrinter.ocx
.
.
(((((((((((((((((((((((((((((   SnapShot_2011-06-03_10.15.01   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-06-11 01:39 . 2011-06-11 01:39	16384              c:\windows\temp\Perflib_Perfdata_7b8.dat
+ 2011-06-09 14:12 . 2011-05-10 13:06	42496              c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
+ 2011-06-09 14:12 . 2011-05-10 13:06	18432              c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
+ 2011-06-09 14:14 . 2009-05-18 18:17	26600              c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2011-06-09 14:12 . 2011-06-09 14:12	27136              c:\windows\Installer\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}\AppleSoftwareUpdateIco.exe
+ 2011-06-09 14:14 . 2008-04-17 17:12	107368              c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2011-06-09 14:12 . 2011-06-09 14:12	771584              c:\windows\Installer\2e89dce.msi
+ 2011-06-09 14:10 . 2011-06-09 14:10	811520              c:\windows\Installer\2e89d72.msi
+ 2011-06-09 14:15 . 2011-06-09 14:15	380928              c:\windows\Installer\{C897FCB3-2F8B-4185-8035-79E2AF3A92A4}\iTunesIco.exe
+ 2011-06-09 14:12 . 2011-05-10 13:06	4517664              c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaaplrc.dll
+ 2011-06-09 14:12 . 2011-04-08 19:59	1461992              c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\wdfcoinstaller01009.dll
+ 2011-06-09 14:15 . 2011-06-09 14:15	6541312              c:\windows\Installer\2e89dd5.msi
+ 2011-06-09 14:12 . 2011-06-09 14:12	3085312              c:\windows\Installer\2e89da0.msi
+ 2011-06-09 14:11 . 2011-06-09 14:11	1984000              c:\windows\Installer\2e89d9b.msi
+ 2009-12-05 01:45 . 2011-04-29 16:29	42829768              c:\windows\system32\MRT.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="c:\program files\AOL 9.5\AOL.EXE" [2009-10-28 50536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-09-27 16844800]
"SkyTel"="SkyTel.EXE" [2007-08-03 1826816]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"HostManager"="c:\program files\Common Files\AOL\1300136716\ee\AOLSoftware.exe" [2009-07-20 41264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1300136716\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKsl01c601d8;MpKsl01c601d8;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsl01c601d8.sys [6/10/2011 8:39 PM 28752]
R1 MpKslcc8a2449;MpKslcc8a2449;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKslcc8a2449.sys [6/10/2011 6:27 PM 28752]
S1 MpKsla0c5c1ab;MpKsla0c5c1ab;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsla0c5c1ab.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsla0c5c1ab.sys [?]
S1 MpKsld1c287cd;MpKsld1c287cd;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsld1c287cd.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6BB86095-4623-4287-A019-61B30B4452EA}\MpKsld1c287cd.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 11:16 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/5/2011 11:16 AM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/16/2011 9:02 AM 39984]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL01C601D8
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-06-10 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-11 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-11 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-10 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\HPCustPartic.exe [2010-06-14 22:07]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-05 16:16]
.
2011-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-05-05 16:16]
.
2011-06-10 c:\windows\Tasks\hpwebreg_CN0AF22KXT05D2.job
- c:\program files\HP\HP Deskjet 1000 J110 series\Bin\hpwebreg.exe [2010-06-14 22:10]
.
2011-06-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 76.85.229.110 76.85.229.111
FF - ProfilePath - c:\documents and settings\QuentinAshleyAli\Application Data\Mozilla\Firefox\Profiles\bdg8hvb6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - AOL Search
FF - prefs.js: browser.startup.homepage - hxxp://search.bearshare.com/
FF - prefs.js: keyword.URL - hxxp://search.bearshare.com/web?src=ffb&systemid=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: protocol-handler.warn-external.dnUpdate - false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-10 20:39
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2808)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\AOL 9.5\waol.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\AOL 9.5\shellmon.exe
.
**************************************************************************
.
Completion time: 2011-06-10  20:41:47 - machine was rebooted
ComboFix-quarantined-files.txt  2011-06-11 01:41
ComboFix2.txt  2011-06-10 23:02
ComboFix3.txt  2011-06-03 10:17
ComboFix4.txt  2011-02-07 22:39
.
Pre-Run: 143,687,905,280 bytes free
Post-Run: 143,694,573,568 bytes free
.
- - End Of File - - 150C06F4EC12A09AF74B2DE57CBB04B3


----------



## johnb35

Ok, we may have to restore one of those folders I had you delete, let me know if you have any adverse reactions because of it.

However, one more script to run.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box



		Code:
	

Driver::
MpKsla0c5c1ab
MpKsld1c287cd


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

How's the system running now?





ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------



## TryingToProve

It will not let me save it to my desktop. I also am having a problem. I cannot go to soapcentral.com. It shows 404 error message on the top of the page then crashes.


----------



## TryingToProve

I am on soapcentral.com. I have went there for years and that dang systems shield virus popped up again!!!


----------



## johnb35

Ok, something is really weird here.  I don't think its from soap central, maybe an external link from it though.  Facebook external links will get you almost every time.

OK. lets try this, something I don't recommend but in some cases is needed.  Do a system restore to a few days before you got originally infected.  You last posted on June 1st.  So maybe go a few days before that and then rescan your system with malwarebytes and hijackthis.


----------



## TryingToProve

Awesome, I will do that! Thank you =)


----------



## TryingToProve

I tried. It said it could not be restored????


----------



## johnb35

Try a few more days back.  How far back did you go?


----------



## TryingToProve

05/31/11


----------



## johnb35

Try to go back farther.  It may or may not work though.  I had to go back a week on a clients computer before it actually worked.


----------



## alexr1090

Not sure if this will help but just boot into safe mode and let ur antivirus run a full scan, should delete it and while in safe mode chances are that the program won't run so it won't have administrative privledges which I'm sure it has whenever you bootup normally now so it won't be able to replace itself after you've deleted it in safe mode and then restart your computer.  And also, don't use aol instant messenger if you are, and don't use bearshare or limewire either, all three of those programs have extra crap you don't want that slows your computer down and or invades your privacy... and I know what you're thinking... something like "i don't care what it installs I want to use it" and I understand, I've been there before, and there are programs for people like us  

Instead of aol im install pidgin, it'll connect to ur aol account and let u chat on there just the same (unless you chat with ur webcam, don't think it supports that yet), and it'll let you connect to just about any other im client's server (tounge twister on the brain lol) that you may have lol.  And...hm, read up on torrents to replace bearshare and limewire(lol typed myspace first instead of limewire, weird).  But yeah just send me a message if you're having issues with torrents.


----------



## TryingToProve

okay thanks so much


----------

