Jump to content

rougjedi

Members
 View Profile  See their activity

  • Posts

    10

  • Joined

  • Last visited

 Content Type 

Everything posted by rougjedi

  1. rougjedi
    Thank you so much for all your help!! I really appreciate it! I think this is all I needed. Again, thank you so much!
  2. rougjedi
    I found the ESET log in the folder you mentioned, and I've posted it below, along with another DDS log and attachment. ESETSmartInstaller@High as downloader log: all ok # version=6 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6050 # api_version=3.0.2 # EOSSerial=e5e1c1d48bfb9b4181554fbf8639780a # end=stopped # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-10-14 04:36:48 # local_time=2009-10-13 11:36:48 (-0600, Central Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=1026 21 83 97 7403532500000 # scanned=798 # found=0 # cleaned=0 # scan_time=167 ESETSmartInstaller@High as downloader log: all ok esets_scanner_update returned -1 esets_gle=53251 # version=6 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6050 # api_version=3.0.2 # EOSSerial=e5e1c1d48bfb9b4181554fbf8639780a # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-10-14 06:09:20 # local_time=2009-10-14 01:09:20 (-0600, Central Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=1026 21 83 97 7459050937500 # scanned=92465 # found=32 # cleaned=32 # scan_time=5351 C:\Qoobox\Quarantine\[68]-Submit_2009-10-12_23.04.22.zip multiple threats (deleted - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\bufezika.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\famizula.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\gehufidu.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\gudosaho.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\hejitavo.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\jafasatu.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\niwogepi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\vopepimi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\waduzaga.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\wutizipi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103683.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103684.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103685.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103833.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103834.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103835.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103836.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103837.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103838.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103839.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103840.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103841.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103962.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103963.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104084.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104085.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104166.exe a variant of Win32/Kryptik.AQV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104167.exe a variant of Win32/Kryptik.AQV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0104168.dll a variant of Win32/Adware.Virtumonde.NFR application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C ESETSmartInstaller@High as downloader log: all ok ESETSmartInstaller@High as downloader log: all ok # version=6 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6050 # api_version=3.0.2 # EOSSerial=e5e1c1d48bfb9b4181554fbf8639780a # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2009-10-14 09:11:40 # local_time=2009-10-14 04:11:40 (-0600, Central Daylight Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=1026 21 83 97 78192968750 # scanned=92590 # found=0 # cleaned=0 # scan_time=6593 ####################################################################### DDS (Ver_09-09-29.01) - NTFSx86 Run by Adam Scharf at 19:52:19.03 on Thu 10/15/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.295 [GMT -5:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\PackersScreenServer\PackersScreenServer.exe C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe C:\Program Files\NETGEAR\WG111T\wlan111t.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\ctfmon.exe C:\Documents and Settings\Adam Scharf\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe" uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552] R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048] =============== Created Last 30 ================ 2009-10-13 23:03 <DIR> --d----- c:\program files\ESET 2009-10-12 22:52 14,592 a------- c:\windows\system32\drivers\kbdhid.sys 2009-10-08 18:42 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-08 18:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-08 18:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-07 18:38 <DIR> a-dshr-- C:\cmdcons 2009-10-07 18:37 236,544 a------- c:\windows\PEV.exe 2009-10-07 18:37 161,792 a------- c:\windows\SWREG.exe 2009-10-07 18:37 98,816 a------- c:\windows\sed.exe 2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro 2009-10-06 18:47 <DIR> --d----- C:\ARK 2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper 2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper ==================== Find3M ==================== 2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE 2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe 2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe 2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat ============= FINISH: 19:53:26.35 =============== Attach4.zip
  3. rougjedi
    I updated and ran Malwarebytes, which found no infections. I then ran ESET, which found 32 files and removed them. Unfortunately I missed a step and don't have the logfile. I then booted normally (not in safe mode) and ran both scans again, each returning zero infected files. I didn't have any security warnings or pop-ups (so far), and my computer seems to be running ok, possibly a little slowly but that could be my imagination. I've included a DDS log file below, and have attached the attach file. DDS (Ver_09-09-29.01) - NTFSx86 Run by Adam Scharf at 17:59:09.98 on Wed 10/14/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.163 [GMT -5:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\PackersScreenServer\PackersScreenServer.exe C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe C:\Program Files\NETGEAR\WG111T\wlan111t.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Documents and Settings\Adam Scharf\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552] R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664] R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048] =============== Created Last 30 ================ 2009-10-13 23:03 <DIR> --d----- c:\program files\ESET 2009-10-12 22:52 14,592 a------- c:\windows\system32\drivers\kbdhid.sys 2009-10-08 18:42 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-08 18:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-08 18:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-07 18:38 <DIR> a-dshr-- C:\cmdcons 2009-10-07 18:37 236,544 a------- c:\windows\PEV.exe 2009-10-07 18:37 161,792 a------- c:\windows\SWREG.exe 2009-10-07 18:37 98,816 a------- c:\windows\sed.exe 2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro 2009-10-06 18:47 <DIR> --d----- C:\ARK 2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper 2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper ==================== Find3M ==================== 2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE 2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe 2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe 2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat ============= FINISH: 18:00:07.50 =============== Attach3.zip
  4. rougjedi
    Sorry, I was out of town for a couple of days and was unable to follow your instructions. I've run the CF Script that you gave me and it looked like it was successful in sending the results to the server. I've included the log file below, not sure if you need it or not. ComboFix 09-10-12.03 - Adam Scharf 10/12/2009 23:04.3.2 - NTFSx86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.340 [GMT -5:00] Running from: c:\documents and settings\Adam Scharf\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Adam Scharf\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} file zipped: c:\windows\system32\bilayuje.dll file zipped: c:\windows\system32\dimoburi.dll.tmp file zipped: c:\windows\system32\dowuvedo.dll.tmp file zipped: c:\windows\system32\juguteto.dll file zipped: c:\windows\system32\lipulone.dll.tmp file zipped: c:\windows\system32\numosiko.dll file zipped: c:\windows\system32\patafudi.dll file zipped: c:\windows\system32\piseraho.dll . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\Grisoft\AVG Anti-Spyware 7.5 c:\program files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe c:\program files\QuickTime\bak c:\program files\QuickTime\bak\qttask.exe c:\windows\system32\bilayuje.dll c:\windows\system32\dimoburi.dll.tmp c:\windows\system32\dowuvedo.dll.tmp c:\windows\system32\juguteto.dll c:\windows\system32\lipulone.dll.tmp c:\windows\system32\numosiko.dll c:\windows\system32\patafudi.dll c:\windows\system32\piseraho.dll . ((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 ))))))))))))))))))))))))))))))) . 2009-10-13 03:52 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys 2009-10-08 23:42 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-08 23:42 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-08 23:42 . 2009-10-08 23:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-07 00:45 . 2009-10-07 00:45 -------- d-----w- c:\program files\Trend Micro 2009-10-06 23:47 . 2009-10-06 23:47 -------- d-----w- C:\ARK 2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\BitZipper 2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\program files\BitZipper . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-07 23:49 . 2006-01-20 20:07 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\PackersScreenServer 2009-09-11 02:00 . 2009-09-11 02:00 -------- d-----w- c:\program files\Microsoft Silverlight 2009-08-28 17:42 . 2008-08-17 01:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-28 17:42 . 2008-08-17 01:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 17:42 . 2008-08-17 01:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-08-23 18:09 . 2008-08-21 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-07-25 10:23 . 2009-01-12 19:06 411368 ----a-w- c:\windows\system32\deploytk.dll 2005-07-28 18:51 . 2005-07-28 18:51 2944958 ------w- c:\program files\Skittles_Hunt_For_Grievous.EXE 2005-07-21 01:29 . 2005-07-21 01:29 6250584 ----a-w- c:\program files\Install_AIM.exe 2005-07-19 16:00 . 2005-07-19 15:58 2077424 ----a-w- c:\program files\WindowsXP-KB894391-x86-ENU.exe 2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll 2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll 2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll 2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll 2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll 2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll 2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll 2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll 2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll 2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll 2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2005-07-09 00:10 . 2004-10-15 00:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe 2004-07-27 21:50 . 2004-07-27 21:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe 2004-07-27 21:50 . 2004-07-27 21:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe 2006-04-03 19:28 . 2006-04-03 19:28 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe 2006-05-09 05:10 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe 2005-07-09 00:28 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe 2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe 2006-03-19 21:44 . 2007-09-14 15:48 421888 c:\program files\Grisoft\AVG Free\bak\avgcc.exe 2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe 2008-03-30 14:36 . 2008-03-30 14:36 267048 c:\program files\iTunes\iTunesHelper.exe 2003-11-19 22:48 . 2003-11-19 22:48 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2007-02-19 20:46 . 2007-02-19 20:46 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe 2003-07-01 01:56 . 2003-07-01 01:56 188416 c:\program files\Logitech\Video\bak\ISStart.exe 2003-07-01 02:00 . 2003-07-01 02:00 65536 c:\program files\Logitech\Video\bak\LogiTray.exe 2007-02-12 21:21 . 2007-02-12 21:21 734624 c:\program files\Microsoft Xbox 360 Accessories\bak\XboxStat.exe 2005-08-04 17:33 . 2006-01-19 15:06 11776 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe 2007-07-29 18:12 . 2006-11-16 16:42 183367 c:\program files\Plaxo\2.12.1.1\bak\PlaxoHelper.exe 2007-01-20 07:09 . 2007-01-20 07:09 200704 c:\program files\PowerISO\bak\PWRISOVM.EXE 2006-10-07 12:20 . 2006-10-07 12:20 6266880 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe.vir 2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\qoobox\Quarantine\C\Program Files\QuickTime\bak\qttask.exe.vir 2005-07-09 00:10 . 2005-09-20 14:32 77824 c:\windows\system32\bak\hkcmd.exe 2005-09-20 14:36 . 2005-09-20 14:36 114688 c:\windows\system32\bak\igfxpers.exe 2005-07-09 00:10 . 2005-09-20 14:35 94208 c:\windows\system32\bak\igfxtray.exe 2005-07-09 00:36 . 2005-05-31 09:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PackersScreenServerSvc"="c:\program files\PackersScreenServer\PackersScreenServer.exe" [2008-09-25 6003511] "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080] c:\documents and settings\Adam Scharf\Start Menu\Programs\Startup\ PowerReg Scheduler.exe [2008-2-16 256000] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-1-7 57344] NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-12-4 884840] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-28 17:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys] @="" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Dtella@Purdue\\dtella.exe"= "c:\\Program Files\\ApexDC++\\ApexDC.exe"= "c:\\Program Files\\DC++\\DCPlusPlus.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "60000:TCP"= 60000:TCP:DC Gate TCP Port "60000:UDP"= 60000:UDP:DC Gate UDP Port R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 8:59 PM 108552] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 8:58 PM 335240] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 8:58 PM 908056] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:58 PM 297752] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 10:04 PM 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/26/2006 5:09 PM 17149] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2/2/2007 8:56 PM 50048] . Contents of the 'Scheduled Tasks' folder 2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57] 2005-07-15 c:\windows\Tasks\ISP signup reminder 1.job - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab FF - ProfilePath - c:\documents and settings\Adam Scharf\Application Data\Mozilla\Firefox\Profiles\g7w2t0j0.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-12 23:11 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2009-10-13 23:16 ComboFix-quarantined-files.txt 2009-10-13 04:16 ComboFix2.txt 2009-10-08 23:39 ComboFix3.txt 2009-10-07 23:51 Pre-Run: 10,273,095,680 bytes free Post-Run: 10,239,488,000 bytes free 207 --- E O F --- 2009-03-23 03:43 Upload was successful
  5. rougjedi
    I've run DDS again, and I have the log results below, as well as the attached file: DDS (Ver_09-09-29.01) - NTFSx86 NETWORK Run by Adam Scharf at 22:27:34.84 on Thu 10/08/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.222 [GMT -5:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Adam Scharf\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: {632b28d4-765e-4296-81b3-07759d9d5d7c} - numosiko.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxdev.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, ============= SERVICES / DRIVERS =============== R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552] R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240] S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048] =============== Created Last 30 ================ 2009-10-08 18:42 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-08 18:42 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-08 18:42 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-07 18:38 <DIR> a-dshr-- C:\cmdcons 2009-10-07 18:37 229,888 a------- c:\windows\PEV.exe 2009-10-07 18:37 161,792 a------- c:\windows\SWREG.exe 2009-10-07 18:37 98,816 a------- c:\windows\sed.exe 2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro 2009-10-06 18:47 <DIR> --d----- C:\ARK 2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper 2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper ==================== Find3M ==================== 2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE 2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe 2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe 2009-07-07 09:51 88,576 a--sh--- c:\windows\system32\bilayuje.dll 2009-07-08 18:09 83,968 a--sh--- c:\windows\system32\juguteto.dll 2009-07-08 18:10 51,712 a--sh--- c:\windows\system32\numosiko.dll 2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\patafudi.dll 2009-07-07 09:51 51,712 a--sh--- c:\windows\system32\piseraho.dll 2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat ============= FINISH: 22:28:12.37 =============== Attach2.zip
  6. rougjedi
    I re-ran ComboFix and Malwarebytes again, and the logs are below (Malwarebytes items were removed): ComboFix 09-10-06.04 - Adam Scharf 10/08/2009 18:21.2.2 - NTFSx86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.326 [GMT -5:00] Running from: c:\documents and settings\Adam Scharf\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\famizula.dll c:\windows\system32\hejitavo.dll c:\windows\system32\mukewaha.dll . ((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 ))))))))))))))))))))))))))))))) . 2009-10-08 23:09 . 2009-10-08 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\08418425 2009-10-07 00:45 . 2009-10-07 00:45 -------- d-----w- c:\program files\Trend Micro 2009-10-06 23:47 . 2009-10-06 23:47 -------- d-----w- C:\ARK 2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\BitZipper 2009-10-05 21:12 . 2009-10-05 21:12 -------- d-----w- c:\program files\BitZipper 2009-09-11 02:00 . 2009-09-11 02:00 -------- d-----w- c:\program files\Microsoft Silverlight . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-10-07 23:49 . 2006-01-20 20:07 -------- d-----w- c:\documents and settings\Adam Scharf\Application Data\PackersScreenServer 2009-08-28 17:42 . 2008-08-17 01:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-08-28 17:42 . 2008-08-17 01:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 17:42 . 2008-08-17 01:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-08-23 18:09 . 2008-08-21 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-07-25 10:23 . 2009-01-12 19:06 411368 ----a-w- c:\windows\system32\deploytk.dll 2005-07-28 18:51 . 2005-07-28 18:51 2944958 ------w- c:\program files\Skittles_Hunt_For_Grievous.EXE 2005-07-21 01:29 . 2005-07-21 01:29 6250584 ----a-w- c:\program files\Install_AIM.exe 2005-07-19 16:00 . 2005-07-19 15:58 2077424 ----a-w- c:\program files\WindowsXP-KB894391-x86-ENU.exe 2008-08-16 21:42 . 2008-08-16 21:42 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll 2008-08-16 21:42 . 2008-08-16 21:42 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll 2008-08-16 21:42 . 2008-08-16 21:42 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll 2008-08-16 21:42 . 2008-08-16 21:42 20800 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll 2008-08-16 21:43 . 2008-08-16 21:43 206136 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll 2008-08-16 21:42 . 2008-08-16 21:42 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll 2008-08-16 21:42 . 2008-08-16 21:42 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll 2008-05-21 12:41 . 2008-05-21 12:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll 2008-05-21 12:41 . 2008-05-21 12:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll 2008-05-21 12:41 . 2008-05-21 12:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll 2008-06-05 17:58 . 2008-06-05 17:58 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll 2008-08-16 21:42 . 2008-08-16 21:42 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll 2009-07-07 14:51 . 2009-07-07 14:51 88576 --sha-w- c:\windows\system32\bilayuje.dll 2009-07-06 18:59 . 2009-07-06 18:59 50176 --sha-w- c:\windows\system32\dimoburi.dll.tmp 2009-07-06 18:59 . 2009-07-06 18:59 50176 --sha-w- c:\windows\system32\dowuvedo.dll.tmp 2009-07-08 23:09 . 2009-07-08 23:09 51712 --sha-w- c:\windows\system32\fakuriyo.dll 2009-07-08 23:09 . 2009-07-08 23:09 83968 --sha-w- c:\windows\system32\juguteto.dll 2009-07-08 23:09 . 2009-07-08 23:09 61440 --sha-w- c:\windows\system32\kowajovu.dll 2009-07-06 18:59 . 2009-07-06 18:59 50176 --sha-w- c:\windows\system32\lipulone.dll.tmp 2009-07-08 23:10 . 2009-07-08 23:10 51712 --sha-w- c:\windows\system32\numosiko.dll 2009-07-06 19:00 . 2009-07-06 19:00 51712 --sha-w- c:\windows\system32\patafudi.dll 2009-07-07 14:51 . 2009-07-07 14:51 51712 --sha-w- c:\windows\system32\piseraho.dll 2009-07-08 23:09 . 2009-07-08 23:09 1050147 --sha-w- c:\windows\system32\yivilaje.exe . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2005-07-09 00:10 . 2004-10-15 00:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe 2004-07-27 21:50 . 2004-07-27 21:50 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe 2004-07-27 21:50 . 2004-07-27 21:50 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe 2006-04-03 19:28 . 2006-04-03 19:28 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe 2006-05-09 05:10 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe 2005-07-09 00:28 . 2005-02-23 21:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe 2007-03-15 15:09 . 2007-03-15 15:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe 2006-10-07 12:20 . 2006-10-07 12:20 6266880 c:\program files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe 2006-03-19 21:44 . 2007-09-14 15:48 421888 c:\program files\Grisoft\AVG Free\bak\avgcc.exe 2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe 2008-03-30 14:36 . 2008-03-30 14:36 267048 c:\program files\iTunes\iTunesHelper.exe 2003-11-19 22:48 . 2003-11-19 22:48 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2007-02-19 20:46 . 2007-02-19 20:46 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe 2003-07-01 01:56 . 2003-07-01 01:56 188416 c:\program files\Logitech\Video\bak\ISStart.exe 2003-07-01 02:00 . 2003-07-01 02:00 65536 c:\program files\Logitech\Video\bak\LogiTray.exe 2007-02-12 21:21 . 2007-02-12 21:21 734624 c:\program files\Microsoft Xbox 360 Accessories\bak\XboxStat.exe 2005-08-04 17:33 . 2006-01-19 15:06 11776 c:\program files\MUSICMATCH\Musicmatch Jukebox\bak\mimboot.exe 2007-07-29 18:12 . 2006-11-16 16:42 183367 c:\program files\Plaxo\2.12.1.1\bak\PlaxoHelper.exe 2007-01-20 07:09 . 2007-01-20 07:09 200704 c:\program files\PowerISO\bak\PWRISOVM.EXE 2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\program files\QuickTime\bak\qttask.exe 2008-05-27 14:50 . 2008-05-27 14:50 413696 c:\program files\QuickTime\QTTask.exe 2005-07-09 00:10 . 2005-09-20 14:32 77824 c:\windows\system32\bak\hkcmd.exe 2005-09-20 14:36 . 2005-09-20 14:36 114688 c:\windows\system32\bak\igfxpers.exe 2005-07-09 00:10 . 2005-09-20 14:35 94208 c:\windows\system32\bak\igfxtray.exe 2005-07-09 00:36 . 2005-05-31 09:33 122941 c:\windows\system32\dla\bak\tfswctrl.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{632b28d4-765e-4296-81b3-07759d9d5d7c}] 2009-07-08 23:10 51712 --sha-w- c:\windows\system32\numosiko.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PackersScreenServerSvc"="c:\program files\PackersScreenServer\PackersScreenServer.exe" [2008-09-25 6003511] "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A] "08418425"="c:\documents and settings\All Users\Application Data\08418425\08418425.exe" [2009-10-08 1050147] "fonavoned"="c:\windows\system32\mukewaha.dll" [N/A] "rasefosiwo"="hejitavo.dll" [N/A] c:\documents and settings\Adam Scharf\Start Menu\Programs\Startup\ PowerReg Scheduler.exe [2008-2-16 256000] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696] LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-1-7 57344] NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T\wlan111t.exe [2008-12-4 884840] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-28 17:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Dtella@Purdue\\dtella.exe"= "c:\\Program Files\\ApexDC++\\ApexDC.exe"= "c:\\Program Files\\DC++\\DCPlusPlus.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AcroRd32.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "60000:TCP"= 60000:TCP:DC Gate TCP Port "60000:UDP"= 60000:UDP:DC Gate UDP Port R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 8:59 PM 108552] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 8:58 PM 335240] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 8:58 PM 908056] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:58 PM 297752] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 10:04 PM 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/26/2006 5:09 PM 17149] S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2/2/2007 8:56 PM 50048] . Contents of the 'Scheduled Tasks' folder 2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57] 2005-07-15 c:\windows\Tasks\ISP signup reminder 1.job - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab FF - ProfilePath - c:\documents and settings\Adam Scharf\Application Data\Mozilla\Firefox\Profiles\g7w2t0j0.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, . - - - - ORPHANS REMOVED - - - - SharedTaskScheduler-{8727dde2-e11e-490b-b9b1-96fecbe0b79d} - c:\windows\system32\niwogepi.dll SharedTaskScheduler-{5fb28d8a-ac65-4799-8a48-bfcee652c72f} - c:\windows\system32\mukewaha.dll SSODL-bogejadik-{8727dde2-e11e-490b-b9b1-96fecbe0b79d} - c:\windows\system32\niwogepi.dll SSODL-yomigusad-{5fb28d8a-ac65-4799-8a48-bfcee652c72f} - c:\windows\system32\mukewaha.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-08 18:30 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe . ************************************************************************** . Completion time: 2009-10-08 18:39 - machine was rebooted ComboFix-quarantined-files.txt 2009-10-08 23:39 ComboFix2.txt 2009-10-07 23:51 Pre-Run: 10,317,164,544 bytes free Post-Run: 10,294,538,240 bytes free 217 --- E O F --- 2009-03-23 03:43 ########################################################### Malwarebytes' Anti-Malware 1.41 Database version: 2927 Windows 5.1.2600 Service Pack 3 (Safe Mode) 10/8/2009 7:34:26 PM mbam-log-2009-10-08 (19-34-21).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 194235 Time elapsed: 43 minute(s), 14 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 3 Registry Data Items Infected: 1 Folders Infected: 1 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fonavoned (Trojan.Vundo.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08418425 (Rogue.Multiple.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rasefosiwo (Trojan.Agent) -> No action taken. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. Folders Infected: C:\Documents and Settings\All Users\Application Data\08418425 (Rogue.Multiple.H) -> No action taken. Files Infected: C:\Documents and Settings\All Users\Application Data\08418425\08418425.bat (Rogue.Multiple.H) -> No action taken. C:\Documents and Settings\All Users\Application Data\08418425\08418425.exe (Rogue.Multiple.H) -> No action taken. C:\WINDOWS\system32\yivilaje.exe (Rogue.SecurityTool) -> No action taken. C:\WINDOWS\system32\fakuriyo.dll (Trojan.Vundo) -> No action taken. C:\WINDOWS\system32\kowajovu.dll (Trojan.Vundo) -> No action taken.
  7. rougjedi
    I updated Malwarebytes again today and performed another full system scan and had the following logfile (again I saved the logfile before removing the infected files): Malwarebytes' Anti-Malware 1.41 Database version: 2926 Windows 5.1.2600 Service Pack 3 (Safe Mode) 10/8/2009 5:55:48 PM mbam-log-2009-10-08 (17-55-45).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 194432 Time elapsed: 42 minute(s), 41 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 5 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103955.exe (Rogue.SecurityTool) -> No action taken. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103957.exe (Rogue.SecurityTool) -> No action taken. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103958.ocx (Adware.Gdown) -> No action taken. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103959.exe (Rogue.SecurityTool) -> No action taken. C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1115\A0103960.exe (Rogue.SecurityTool) -> No action taken.
  8. rougjedi
    I was able to run ComboFix without having to rename it. After running ComboFix I was able to successfully install, update, and scan using Malwarebytes. I have included the log files from both of these scans below. I also removed all of the malware that Malwarebytes found on the scan, I just did that after saving the logfile so it says that no action was taken. ComboFix 09-10-06.04 - Adam Scharf 10/07/2009 18:41.1.2 - NTFSx86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.351 [GMT -5:00] Running from: c:\documents and settings\Adam Scharf\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\desktop.ini c:\documents and settings\Adam Scharf\Local Settings\Temporary Internet Files\fbk.sts c:\program files\Common c:\windows\Downloaded Program Files\popcaploader.inf c:\windows\run.log c:\windows\system32\bszip.dll c:\windows\system32\bufezika.dll c:\windows\system32\gehufidu.dll c:\windows\system32\gudosaho.dll c:\windows\system32\jafasatu.dll c:\windows\system32\niwogepi.dll c:\windows\system32\vopepimi.dll c:\windows\system32\waduzaga.dll c:\windows\system32\wutizipi.dll c:\windows\system32\ybeeg.ini c:\windows\system32\ybeeg.ini2 c:\windows\Tasks\htpxamoq.job . ((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 ))))))))))))))))))))))))))))))) . No new files created in this timespan . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\windows\system32\mswsock.dll ... is infected !! c:\windows\system32\drivers\tcpip.sys ... is infected !! ------- Sigcheck ------- Cryptography Services Error !! . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PackersScreenServerSvc"="c:\program files\PackersScreenServer\PackersScreenServer.exe" [2008-09-25 6003511] "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-09-29 700416] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-08-28 17:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys] @="" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\WINDOWS\\system32"= "c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\AIM\\aim.exe"= "c:\\Program Files\\Dtella@Purdue\\dtella.exe"= "c:\\Program Files\\ApexDC++\\ApexDC.exe"= "c:\\Program Files\\DC++\\DCPlusPlus.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "60000:TCP"= 60000:TCP:DC Gate TCP Port "60000:UDP"= 60000:UDP:DC Gate UDP Port R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/16/2008 8:59 PM 108552] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/16/2008 8:58 PM 335240] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/16/2008 8:58 PM 908056] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/16/2008 8:58 PM 297752] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/6/2007 10:04 PM 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [8/26/2006 5:09 PM 17149] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2/2/2007 8:56 PM 50048] . Contents of the 'Scheduled Tasks' folder 2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57] 2005-07-15 c:\windows\Tasks\ISP signup reminder 1.job - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150 Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll FF - ProfilePath - . - - - - ORPHANS REMOVED - - - - HKCU-Run-Aim6 - (no file) AddRemove-Age of Empires - e:\program files\Microsoft Games\Age of Empires\Uninstal.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-10-07 18:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'Explorer.EXE'(660) c:\progra~1\WINDOW~2\wmpband.dll c:\docume~1\ADAMSC~1\LOCALS~1\Temp\catchme.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: ~,10time:~,-3machine was rebootedCombobatch-by ComboFix-quarantined-files.txt 2009-10-07 23:51 Pre-Run: 10,125,328,384 bytes free Post-Run: 9,852,858,368 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 147 --- E O F --- 2009-03-23 03:43 ########################################################### Malwarebytes' Anti-Malware 1.41 Database version: 2922 Windows 5.1.2600 Service Pack 3 (Safe Mode) 10/7/2009 7:41:55 PM mbam-log-2009-10-07 (19-41-48).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 194008 Time elapsed: 43 minute(s), 13 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 4 Registry Data Items Infected: 1 Folders Infected: 2 Files Infected: 10 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fonavoned (Trojan.Vundo.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\55342423 (Rogue.Multiple.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83495534 (Rogue.Multiple.H) -> No action taken. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rasefosiwo (Trojan.Agent) -> No action taken. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. Folders Infected: C:\Documents and Settings\All Users\Application Data\55342423 (Rogue.Multiple.H) -> No action taken. C:\Documents and Settings\All Users\Application Data\83495534 (Rogue.Multiple.H) -> No action taken. Files Infected: C:\Documents and Settings\All Users\Application Data\55342423\55342423.bat (Rogue.Multiple.H) -> No action taken. C:\Documents and Settings\All Users\Application Data\55342423\55342423.exe (Rogue.Multiple.H) -> No action taken. C:\Documents and Settings\All Users\Application Data\83495534\83495534.bat (Rogue.Multiple.H) -> No action taken. C:\Documents and Settings\All Users\Application Data\83495534\83495534.exe (Rogue.Multiple.H) -> No action taken. C:\i386\GTDownDE_87.ocx (Adware.Gdown) -> No action taken. C:\WINDOWS\system32\badusuke.exe (Rogue.SecurityTool) -> No action taken. C:\WINDOWS\system32\mawaboga.exe (Rogue.SecurityTool) -> No action taken. C:\Documents and Settings\Adam Scharf\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> No action taken. C:\WINDOWS\system32\beludafa.dll (Trojan.Vundo) -> No action taken. C:\WINDOWS\system32\guhiziho.dll (Trojan.Vundo) -> No action taken.
  9. rougjedi
    I ran DDS.exe and also RootRepeal and got the following logs. I've separated the DDS log from the RootRepeal log with a line of #. The Attach file for the DDS.exe run I have zipped and attached. DDS (Ver_09-09-29.01) - NTFSx86 NETWORK Run by Adam Scharf at 21:24:01.70 on Tue 10/06/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.193 [GMT -5:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Adam Scharf\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.yahoo.com/ uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyOverride = localhost uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll uRun: [Aim6] uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [PackersScreenServerSvc] "c:\program files\packersscreenserver\PackersScreenServer.exe" /svc uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [fonavoned] Rundll32.exe "c:\windows\system32\niwogepi.dll",a mRun: [55342423] c:\documents and settings\all users\application data\55342423\55342423.exe mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\documents and settings\adam scharf\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html IE: &Search IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll Trusted Zone: doginhispen.com Trusted Zone: whataboutadog.com Trusted Zone: musicmatch.com\online DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://active.macromedia.com/director/cabs/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} - hxxp://media.cdigix.com/Performer/downloads/PerformerSetup.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v45/pool/pool.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.shockwave.com/content/luxor/sis/mjolauncher.cab DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab TCP: {21C903F1-41E3-4F4C-BEB3-5E1309E710B2} = 64.186.63.132,64.141.177.150 Filter: text/html - {9157cd03-c369-4924-ae5a-337bc7e0ab3d} - Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxdev.dll AppInit_DLLs: avgrsstx.dll umenqp.dll ytqlyh.dll c:\windows\system32\niwogepi.dll,vopepimi.dll,jodilose.dll,gehufidu.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SSODL: keruvowip - {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll STS: mujuzedij: {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkLBtQG LSA: Notification Packages = scecli gehufidu.dll rafomife.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\adamsc~1\applic~1\mozilla\firefox\profiles\g7w2t0j0.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query= FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.zencast, ============= SERVICES / DRIVERS =============== R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-8-16 108552] R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-16 335240] S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-8-16 27784] S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-8-16 908056] S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-16 297752] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-6 24652] S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2006-8-26 17149] S3 xusb20;Xbox 360 Wireless Receiver for Windows Driver Service;c:\windows\system32\drivers\xusb20.sys [2007-2-2 50048] =============== Created Last 30 ================ 2009-10-06 19:45 <DIR> --d----- c:\program files\Trend Micro 2009-10-06 19:25 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-06 19:24 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-06 19:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-06 18:47 <DIR> --d----- C:\ARK 2009-10-06 14:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\55342423 2009-10-05 16:12 <DIR> --d----- c:\docume~1\adamsc~1\applic~1\BitZipper 2009-10-05 16:12 <DIR> --d----- c:\program files\BitZipper ==================== Find3M ==================== 2009-08-28 12:42 335,240 a------- c:\windows\system32\drivers\avgldx86.sys 2009-08-28 12:42 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll 2005-07-28 13:51 2,944,958 -------- c:\program files\Skittles_Hunt_For_Grievous.EXE 2005-07-20 20:29 6,250,584 a------- c:\program files\Install_AIM.exe 2005-07-19 11:00 2,077,424 a------- c:\program files\WindowsXP-KB894391-x86-ENU.exe 2009-07-06 13:59 26,624 a--sh--- c:\windows\system32\bufezika.dll 2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\gehufidu.dll 2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\guhiziho.dll 2009-07-06 14:00 37,888 a--sh--- c:\windows\system32\jafasatu.dll 2009-07-06 14:00 50,176 a--sh--- c:\windows\system32\jodilose.dll 2009-07-06 13:59 1,050,147 a--sh--- c:\windows\system32\mawaboga.exe 2009-07-06 14:00 88,576 a--sh--- c:\windows\system32\niwogepi.dll 2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\patafudi.dll 2009-07-06 14:00 50,176 a--sh--- c:\windows\system32\rafomife.dll 2009-07-06 14:00 50,176 a--sh--- c:\windows\system32\sagujele.dll 2009-07-06 14:00 51,712 a--sh--- c:\windows\system32\vopepimi.dll 2008-03-15 14:00 237,595 a--sh--- c:\windows\system32\ybeeg.ini2 2008-08-18 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081820080819\index.dat ============= FINISH: 21:24:57.54 =============== ############################################################# ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/10/06 21:31 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xF7FC3000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF8ADE000 Size: 8192 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xF753B000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: c:\windows\ntbtlog.txt Status: Size mismatch (API: 337046, Raw: 336922) ==EOF== Attach.zip
  10. rougjedi
    I've picked up malware, i believe some type of rogue-anti-virus, that I am unable to get rid of with Malwarebytes. When I attempt to execute Malwarebytes, no screens pop up, and when I go back to check the Malwarebytes folder the application file is gone. I am able to start Windows XP in Safe Mode without any pop-ups or anti-virus notifications, but I am still unable to run Malwarebytes, even after uninstalling and reinstalling. I have included a Trend Micro HijackThis log file below: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:45:34 PM, on 10/6/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16791) Boot mode: Safe mode with network support Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DS R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [fonavoned] Rundll32.exe "c:\windows\system32\niwogepi.dll",a O4 - HKLM\..\Run: [55342423] C:\Documents and Settings\All Users\Application Data\55342423\55342423.exe O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [PackersScreenServerSvc] "C:\Program Files\PackersScreenServer\PackersScreenServer.exe" /svc O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: LUMIX Simple Viewer.lnk = ? O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ? O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.doginhispen.com O15 - Trusted Zone: *.whataboutadog.com O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {276595D9-1388-512A-F24E-B6B3DE32B732} (MNPerformer Class) - http://media.cdigix.com/Performer/download...formerSetup.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v45/pool/pool.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/sis/mjolauncher.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-tri...zylomplayer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{21C903F1-41E3-4F4C-BEB3-5E1309E710B2}: NameServer = 64.186.63.132,64.141.177.150 O17 - HKLM\System\CS1\Services\Tcpip\..\{21C903F1-41E3-4F4C-BEB3-5E1309E710B2}: NameServer = 64.186.63.132,64.141.177.150 O17 - HKLM\System\CS2\Services\Tcpip\..\{21C903F1-41E3-4F4C-BEB3-5E1309E710B2}: NameServer = 64.186.63.132,64.141.177.150 O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O18 - Filter hijack: text/html - {9157cd03-c369-4924-ae5a-337bc7e0ab3d} - C:\WINDOWS\system32\mst120.dll O20 - AppInit_DLLs: avgrsstx.dll umenqp.dll ytqlyh.dll c:\windows\system32\niwogepi.dll,vopepimi.dll,jodilose.dll,gehufidu.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O21 - SSODL: keruvowip - {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll O22 - SharedTaskScheduler: mujuzedij - {5e9733b6-1f7c-43bd-a751-3db03d7b33d3} - c:\windows\system32\niwogepi.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 11002 bytes
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.