randomactsofwhatnot

Honorary Members
Everything posted by randomactsofwhatnot

  1. Okay, cool. I'll give that online armor a shot, it looks pretty good. Thanks again for all your help.
  2. Thanks so much for all your help. =) One quick question, I tried Outpost awhile back on my computer but it made it so I couldn't connect to the internet. I had to do a system restore to have it work again. Is there a particular firewall that you would recommend? If not, I will just create a system restore point and try out the various ones until I get one to work. >.< Thanks again. =D
  3. Logfile of Trend Micro HijackThis v2.0.3 (BETA)
     Scan saved at 4:43:49 PM, on 12/29/2009
     Platform: Windows XP SP3 (WinNT 5.01.2600)
     MSIE: Internet Explorer v8.00 (8.00.6001.18702)
     Boot mode: Normal

     Running processes:
     C:\WINDOWS\System32\smss.exe
     C:\WINDOWS\system32\winlogon.exe
     C:\WINDOWS\system32\services.exe
     C:\WINDOWS\system32\lsass.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\Program Files\AVG\AVG9\avgrsx.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\Explorer.EXE
     C:\Program Files\PopUp Killer\PopUpKiller.EXE
     C:\Program Files\Common Files\Real\Update_OB\realsched.exe
     C:\PROGRA~1\AVG\AVG9\avgtray.exe
     C:\Program Files\Java\jre6\bin\jusched.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\AVG\AVG9\avgwdsvc.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\Program Files\Bonjour\mDNSResponder.exe
     C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     C:\WINDOWS\system32\svchost.exe
     C:\WINDOWS\system32\svchost.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\WINDOWS\system32\java.exe
     C:\WINDOWS\System32\nvsvc32.exe
     C:\Program Files\AVG\AVG9\avgnsx.exe
     C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
     C:\WINDOWS\System32\svchost.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
     C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
     C:\WINDOWS\system32\msiexec.exe
     C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
     R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
     R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
     R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
     R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
     R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
     O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
     O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
     O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
     O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
     O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
     O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
     O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
     O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
     O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     O4 - HKUS\S-1-5-21-842925246-790525478-725345543-1004\..\Run: [Google Update] "C:\Documents and Settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
     O4 - HKUS\S-1-5-21-842925246-790525478-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
     O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
     O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
     O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
     O15 - Trusted Zone: http://*.mcafee.com
     O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
     O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB
     O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
     O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
     O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
     O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.9.36.138:82/wg_webeye.cab
     O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
     O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
     O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
     O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
     O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
     O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
     O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
     O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe
     O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
     O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
     O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

     --
     End of file - 7545 bytes
  4. Yep, the beta version works just fine. =) I'm doing a scan right now. Will have the report shortly. Thanks.
  5. Okay, so I did the following: Navigate to Start --> Run, and enter this command: sc delete sptd
     A black window opened for a second, then closed. Here is the log from the security check.

     Results of screen317's Security Check version 0.99.1
     Windows XP Service Pack 3
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Firewall Enabled!
     AVG Free 9.0
     ``````````````````````````````
     Anti-malware/Other Utilities Check:
     CCleaner
     Java 6 Update 17
     Adobe Flash Player 10
     Adobe Reader 9
     ``````````````````````````````
     Process Check: objlist.exe by Laurent
     AVG avgwdsvc.exe
     AVG avgtray.exe
     AVG avgrsx.exe
     AVG avgnsx.exe
     AVG avgemc.exe
     ``````````````````````````````
     DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
     `````````End of Log```````````

     I just wanted to mention two things. I did another scan with F-Secure Online and here is the result. Should I be concerned about those 7 malware files that weren't cleaned? Because when I did the ESET OnlineScan earlier, it came up clean. Also, I still can't seem to install HijackThis. Are you guys still using that program as a check and do you know where I can get a clean copy? Btw, thank you very much for all your help. It is much appreciated. =)

     Scanning Report
     Monday, December 28, 2009 20:01:51 - 22:05:19
     Computer name: DAVE
     Scanning type: Scan system for malware, spyware and rootkits
     Target: C:\ F:\ G:\

     9 malware found
     TrackingCookie.Doubleclick (spyware)
       System (Disinfected)
     TrackingCookie.Revsci (spyware)
       System (Disinfected)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0041139.EXE (Not cleaned)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0042122.EXE (Not cleaned)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0042641.EXE (Not cleaned)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0044640.EXE (Not cleaned)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0045658.EXE (Not cleaned)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0046208.EXE (Not cleaned)
     BehavesLike:Win32.Malware (virus)
       C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0046516.EXE (Not cleaned)

     Statistics
     Scanned:
       Files: 56521
       System: 3510
       Not scanned: 21
     Actions:
       Disinfected: 2
       Renamed: 0
       Deleted: 0
       Not cleaned: 7
       Submitted: 0
     Files not scanned:
       C:\PAGEFILE.SYS
       C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\1956
       C:\WINDOWS\SYSTEM32\MRT.EXE
       C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
       C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
       C:\WINDOWS\SYSTEM32\CONFIG\SAM
       C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
       C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
       C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\D48A3B967BA5709DF048E8F2A49CF8A6\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\B7F0B2892B21211A5630518D058F48D9\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\9CF59263A134AB3FBBEE78365A2FA5FC\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\6B4E49F1A78B9558FEEB103A07B06A32\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\6913C676E5D33978934CAA46C49FDC75\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\678162639E69C808C1768AB6340EAE25\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\2C95B28351986132D7F36DD28EECE9B0\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\0DD0244816FFB4B094C1CABA4C3B1178\UPDATE\UPDATE.EXE
       C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\07A96DE176867BC25B7DC839D22B07E2\UPDATE\UPDATE.EXE
       C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
       C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
       C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\RANDOM.EXE.EXE

     Options
     Scanning engines:
     Scanning options:
       Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
       Use advanced heuristics
  6. Here is the SystemLook log.

     SystemLook v1.0 by jpshortstuff (29.08.09)
     Log created at 16:50 on 28/12/2009 by Dave Huynh (Administrator - Elevation successful)

     ========== filefind ==========

     Searching for "sptd.sys"
     No files found.

     -=End Of File=-

     I did an ESET OnlineScan and it came up clean. After the scan, I did a Google search with Explorer and the link did not redirect me this time, which is good. From my ComboFix logs that I posted earlier, can you tell me how bad my computer was infected? I think it's okay, but I just wanted to check with you to see if there is anything you suggest doing.
  7. Hi, I uploaded the file and it came up clean. https://www.virustotal.com/analisis/078994c...35d3-1258702504 Should I do another F-Secure Scan? Okay, I'm getting ahead of myself, I will just wait for your reply. Thanks.
  8. I don't think I'm familiar with that file. c:\program files\Freenet\bin\wrapper-windows-x86-32.exe Should I upload it to that total virus website in one of your previous post? I was able to get the script to run with the combofix that I renamed xmas.exe and connect to the net. Below is the log report. ComboFix 09-12-26.01 - Dave Huynh 12/26/2009 19:50:31.10.1 - x86 Running from: c:\documents and settings\Dave Huynh\Desktop\xmas.exe Command switches used :: c:\documents and settings\Dave Huynh\Desktop\CFScript.txt AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} file zipped: c:\documents and settings\HelpAssistant\Desktop\Unused Desktop Shortcuts\New Folder\+++.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\HelpAssistant\Desktop\Unused Desktop Shortcuts\New Folder\+++.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ROOTY -------\Service_rooty ((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 ))))))))))))))))))))))))))))))) . 2009-12-20 20:05 . 2009-12-20 20:05 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-12-18 03:30 . 2009-12-18 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure 2009-12-14 01:35 . 2009-12-14 01:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData 2009-12-14 01:34 . 2009-12-14 01:34 -------- d-----w- c:\documents and settings\HelpAssistant\Shared 2009-12-14 01:14 . 2009-12-20 20:48 -------- d-----w- c:\documents and settings\HelpAssistant 2009-12-13 21:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-27 01:04 . 2007-04-18 23:42 -------- d-----w- c:\program files\Freenet 2009-12-27 00:47 . 
2006-07-18 20:12 -------- d-----w- c:\program files\PopUp Killer 2009-12-25 00:14 . 2006-09-25 06:00 -------- d-----w- c:\program files\BitTorrent 2009-12-20 20:41 . 2009-09-14 13:40 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\HPAppData 2009-12-20 20:04 . 2009-12-20 20:04 152576 ----a-w- c:\documents and settings\Dave Huynh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll 2009-12-20 20:03 . 2009-12-20 20:03 79488 ----a-w- c:\documents and settings\Dave Huynh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll 2009-12-20 19:46 . 2009-12-20 20:18 0 ----a-w- c:\documents and settings\HelpAssistant\ntuser.tmp 2009-12-20 19:43 . 2006-07-23 19:47 -------- d-----w- c:\program files\Java 2009-12-20 19:28 . 2009-12-24 04:39 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll 2009-12-14 00:56 . 2008-11-24 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-14 00:56 . 2009-09-11 03:28 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-12-12 19:23 . 2009-12-24 04:39 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe 2009-12-12 19:23 . 2009-12-24 04:39 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe 2009-12-12 19:23 . 2009-12-24 04:39 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll 2009-12-10 02:34 . 2009-12-10 02:33 593920 ----a-w- c:\documents and settings\Dave Huynh\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe 2009-12-03 21:14 . 2009-08-23 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 21:13 . 2009-08-23 03:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-29 12:54 . 2006-09-25 06:00 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\BitTorrent 2009-11-28 19:35 . 
2006-07-18 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink 2009-11-21 15:51 . 2003-07-16 20:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll 2009-11-13 00:47 . 2009-04-06 21:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-11-13 00:47 . 2009-04-06 21:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-11-13 00:47 . 2009-04-06 21:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-11-13 00:47 . 2009-04-06 21:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2009-11-13 00:46 . 2009-11-13 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2009-11-13 00:46 . 2009-04-06 21:03 -------- d-----w- c:\program files\AVG 2009-11-11 22:02 . 2006-07-18 21:17 -------- d-----w- c:\program files\DivX 2009-11-11 22:01 . 2009-11-11 22:00 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-11-11 21:56 . 2006-11-12 20:49 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\DivX 2009-11-09 21:33 . 2009-11-09 21:33 3584 ----a-r- c:\documents and settings\Dave Huynh\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe 2009-11-09 21:33 . 2009-11-09 21:33 -------- d-----w- c:\program files\Windows Installer Clean Up 2009-11-09 21:32 . 2009-11-09 21:32 -------- d-----w- c:\program files\MSECACHE 2009-11-09 17:21 . 2009-09-08 22:34 -------- d-----w- c:\program files\HP 2009-11-09 17:13 . 2009-11-09 17:13 -------- d-----w- c:\program files\Common Files\xing shared 2009-11-09 17:12 . 2009-10-23 23:26 -------- d-----w- c:\program files\MagicDVDRipper 2009-11-09 17:12 . 2009-10-18 05:58 -------- d-----w- c:\program files\mkv2vob 2009-11-09 17:12 . 2009-11-09 17:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-11-09 16:59 . 2008-05-16 06:15 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\dvdcss 2009-11-09 16:41 . 
2008-08-15 03:38 -------- d-----w- c:\program files\Safari 2009-11-01 04:49 . 2007-01-10 06:27 -------- d-----w- c:\program files\Common Files\Real 2009-10-29 07:45 . 2006-04-28 14:58 916480 ------w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-18 05:58 . 2009-10-18 05:58 29184 ----a-r- c:\documents and settings\Dave Huynh\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe 2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2003-07-16 20:42 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2003-07-16 20:42 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-07 21:55 . 2008-12-26 19:17 21060 ---ha-w- c:\windows\system32\mlfcache.dat 2009-08-19 17:35 . 2009-08-19 17:35 184 ----a-w- c:\program files\avqin.txt 2009-08-18 01:27 . 2009-08-18 01:27 124 ----a-w- c:\program files\uwxo.txt 2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-15 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PopUpKiller"="c:\program files\PopUp Killer\PopUpKiller.EXE" [2001-08-27 95232] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-01 180269] "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-13 00:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Kremlin Sentry.lnk] path=c:\documents and settings\Dave 
Huynh\Start Menu\Programs\Startup\Kremlin Sentry.lnk backup=c:\windows\pss\Kremlin Sentry.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] 2002-12-17 16:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] 2008-07-14 06:14 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2009-05-14 00:58 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2009-06-15 19:53 133104 ----atw- c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] 2001-12-06 16:01 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2003-11-03 17:46 4800512 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpKiller] 2001-08-27 20:54 95232 ----a-w- c:\program 
files\PopUp Killer\PopUpKiller.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-11-01 04:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "21142:TCP"= 21142:TCP:BitComet 21142 TCP "21142:UDP"= 21142:UDP:BitComet 21142 UDP "65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services "3246:TCP"= 3246:TCP:Services "2479:TCP"= 2479:TCP:Services "3389:TCP"= 3389:TCP:Remote Desktop "4884:TCP"= 
4884:TCP:Services "6649:TCP"= 6649:TCP:Services R1 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-13 333192] S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-13 360584] S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-13 285392] S2 freenet-darknet-8888;Freenet 0.7 darknet-8888;c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [2007-04-06 204800] S2 SBKUPNT;SBKUPNT;c:\windows\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc getPlusHelper REG_MULTI_SZ getPlusHelper . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\documents and settings\Dave Huynh\Application Data\Mozilla\Firefox\Profiles\utysktab.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-26 20:02 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2268) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\java.exe c:\windows\System32\nvsvc32.exe c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe c:\program files\AVG\AVG9\avgnsx.exe c:\windows\system32\wscntfy.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe . ************************************************************************** . Completion time: 2009-12-26 20:08:41 - machine was rebooted ComboFix-quarantined-files.txt 2009-12-27 01:08 ComboFix2.txt 2009-12-26 22:36 ComboFix3.txt 2009-12-23 03:04 ComboFix4.txt 2009-08-23 03:19 Pre-Run: 60,496,502,784 bytes free Post-Run: 60,403,453,952 bytes free - - End Of File - - DD57A73E00188590E79B514D914A3A2E
9. Okay, I first tried to rename the file to randomacts.exe, then I transferred it over and double-clicked it. A blue screen popped up and read: 'NIRCMDC' is not recognized as an internal or external command, operable program or batch file. Please wait. ComboFix is preparing to run. Access is denied. Access is denied. Then a little Windows pop-up box appeared and it read: ERUNT Windows cannot find 'ERUNT'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

Then I downloaded a fresh copy and renamed it xmas.exe. This time it ran just fine. The blue window popped up and went through the stages up to 50, then it started to prepare the log report. Attached below is the ComboFix (xmas.exe) log report.

ComboFix 09-12-26.01 - Dave Huynh 12/26/2009 17:24:39.9.1 - x86
Running from: c:\documents and settings\Dave Huynh\Desktop\xmas.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.
2009-12-24 04:39 . 2009-12-12 19:23 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-24 04:39 . 2009-12-12 19:23 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-24 04:39 . 2009-12-20 19:28 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-24 04:39 . 2009-12-12 19:23 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-20 20:05 . 2009-12-20 20:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-20 20:04 . 2009-12-20 20:04 152576 ----a-w- c:\documents and settings\Dave Huynh\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-20 20:03 . 2009-12-20 20:03 79488 ----a-w- c:\documents and settings\Dave Huynh\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-18 03:30 . 2009-12-18 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-12-14 01:35 . 2009-12-14 01:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-12-14 01:34 . 2009-12-14 01:34 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
2009-12-14 01:14 . 2009-12-20 20:48 -------- d-----w- c:\documents and settings\HelpAssistant
2009-12-13 21:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-10 02:33 . 2009-12-10 02:34 593920 ----a-w- c:\documents and settings\Dave Huynh\Application Data\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2009-12-10 02:33 . 2007-03-22 10:46 126976 ----a-w- c:\documents and settings\Dave Huynh\Application Data\GRETECH\GomPlayer\GrLauncher.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 22:25 . 2007-04-18 23:42 -------- d-----w- c:\program files\Freenet
2009-12-26 22:21 . 2006-07-18 20:12 -------- d-----w- c:\program files\PopUp Killer
2009-12-25 00:14 . 2006-09-25 06:00 -------- d-----w- c:\program files\BitTorrent
2009-12-20 20:41 . 2009-09-14 13:40 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\HPAppData
2009-12-20 19:46 . 2009-12-20 20:18 0 ----a-w- c:\documents and settings\HelpAssistant\ntuser.tmp
2009-12-20 19:43 . 2006-07-23 19:47 -------- d-----w- c:\program files\Java
2009-12-14 00:56 . 2008-11-24 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-14 00:56 . 2009-09-11 03:28 4844296 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-03 21:14 . 2009-08-23 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 21:13 . 2009-08-23 03:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 12:54 . 2006-09-25 06:00 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\BitTorrent
2009-11-28 19:35 . 2006-07-18 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-11-21 15:51 . 2003-07-16 20:23 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-13 00:47 . 2009-04-06 21:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-13 00:47 . 2009-04-06 21:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-13 00:47 . 2009-04-06 21:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-13 00:47 . 2009-04-06 21:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-13 00:46 . 2009-11-13 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-13 00:46 . 2009-04-06 21:03 -------- d-----w- c:\program files\AVG
2009-11-11 22:02 . 2006-07-18 21:17 -------- d-----w- c:\program files\DivX
2009-11-11 22:01 . 2009-11-11 22:00 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-11 21:56 . 2006-11-12 20:49 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\DivX
2009-11-09 21:33 . 2009-11-09 21:33 3584 ----a-r- c:\documents and settings\Dave Huynh\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-09 21:33 . 2009-11-09 21:33 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-09 21:32 . 2009-11-09 21:32 -------- d-----w- c:\program files\MSECACHE
2009-11-09 17:21 . 2009-09-08 22:34 -------- d-----w- c:\program files\HP
2009-11-09 17:13 . 2009-11-09 17:13 -------- d-----w- c:\program files\Common Files\xing shared
2009-11-09 17:12 . 2009-10-23 23:26 -------- d-----w- c:\program files\MagicDVDRipper
2009-11-09 17:12 . 2009-10-18 05:58 -------- d-----w- c:\program files\mkv2vob
2009-11-09 17:12 . 2009-11-09 17:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-09 16:59 . 2008-05-16 06:15 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\dvdcss
2009-11-09 16:41 . 2008-08-15 03:38 -------- d-----w- c:\program files\Safari
2009-11-01 04:49 . 2007-01-10 06:27 -------- d-----w- c:\program files\Common Files\Real
2009-10-29 07:45 . 2006-04-28 14:58 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-18 05:58 . 2009-10-18 05:58 29184 ----a-r- c:\documents and settings\Dave Huynh\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2003-07-16 20:42 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2003-07-16 20:42 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-07 21:55 . 2008-12-26 19:17 21060 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-19 17:35 . 2009-08-19 17:35 184 ----a-w- c:\program files\avqin.txt
2009-08-18 01:27 . 2009-08-18 01:27 124 ----a-w- c:\program files\uwxo.txt
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpKiller"="c:\program files\PopUp Killer\PopUpKiller.EXE" [2001-08-27 95232]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-01 180269]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-13 00:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
2002-12-17 16:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-07-14 06:14 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-05-14 00:58 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-06-15 19:53 133104 ----atw- c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2001-12-06 16:01 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 17:46 4800512 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpKiller]
2001-08-27 20:54 95232 ----a-w- c:\program files\PopUp Killer\PopUpKiller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-11-01 04:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21142:TCP"= 21142:TCP:BitComet 21142 TCP
"21142:UDP"= 21142:UDP:BitComet 21142 UDP
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"4884:TCP"= 4884:TCP:Services
"6649:TCP"= 6649:TCP:Services

R1 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x]
R2 freenet-darknet-8888;Freenet 0.7 darknet-8888;c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [2007-04-06 204800]
R3 rooty;rooty;c:\windows\system32\drivers\rooty.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-13 333192]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-13 360584]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-13 285392]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
getPlusHelper REG_MULTI_SZ getPlusHelper
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Dave Huynh\Application Data\Mozilla\Firefox\Profiles\utysktab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Dave Huynh\Application Data\Mozilla\Firefox\Profiles\utysktab.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 17:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-26 17:36:35
ComboFix-quarantined-files.txt 2009-12-26 22:36
ComboFix2.txt 2009-12-23 03:04
ComboFix3.txt 2009-08-23 03:19

Pre-Run: 60,528,066,560 bytes free
Post-Run: 60,490,420,224 bytes free

- - End Of File - - 96DB6B5AB79D723337804D50F393E73A
10. Hi again, Okay. I tried it, but it failed to work. I got the green status bar to load, then it asked me about the disclaimer. I clicked okay and it just sat there. I was thinking, should I rename ComboFix before I download it?
11. No need to apologise, it's the holidays. I understand. Hope yours went well. Anyways, should I forget about the script then? Should I still be connected to the internet? Thanks, Dave
12. Hi Chris, First, I downloaded the latest version of ComboFix, then I copied the code into a Notepad file and saved it as CFScript.txt. I transferred it from my clean computer to my infected one and placed both on the desktop. I disabled my anti-virus software, connected to the internet and proceeded to drag the script over the ComboFix icon. The green status bar loaded for a second, and a disclaimer popped up. I clicked okay. I waited and waited, but nothing else happened. Was it supposed to run through the stages like it did the first time? I'm not sure what I did wrong.
  13. Hi Chris, First, is the SystemLook log and then directly below it is the ComboFix log. I copied my HiJackThisInstall from my clean computer to my infected computer to try to install it, but when I click to install. The HiJackThis icon was a blanked/white icon. I'm not sure why. Well, it would not let me run it so I couldn't get a log. Any suggestions? Anyways, thanks for your continue help. =) SystemLook v1.0 by jpshortstuff (29.08.09) Log created at 21:31 on 22/12/2009 by Dave Huynh (Administrator - Elevation successful) ========== filefind ========== Searching for "+++.EXE" C:\Documents and Settings\HelpAssistant\Desktop\Unused Desktop Shortcuts\New Folder\+++.exe --a--- 462336 bytes [01:21 14/12/2009] [20:41 11/08/2009] 6E3581E88A3D98A9EDFF2F61B222765D -=End Of File=- ComboFix 09-12-21.08 - Dave Huynh 12/22/2009 21:43:15.8.1 - x86 Running from: c:\documents and settings\Dave Huynh\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\lifexuma.reg c:\windows\pymymi._sy c:\windows\system32\iqewi.bat c:\windows\ydydisu._sy . original MBR restored successfully ! . ((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 ))))))))))))))))))))))))))))))) . 2009-12-20 20:05 . 2009-12-20 20:05 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-12-18 03:30 . 2009-12-18 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure 2009-12-14 01:35 . 2009-12-14 01:35 -------- d-----w- c:\documents and settings\HelpAssistant\UserData 2009-12-14 01:34 . 2009-12-14 01:34 -------- d-----w- c:\documents and settings\HelpAssistant\Shared 2009-12-14 01:14 . 2009-12-20 20:48 -------- d-----w- c:\documents and settings\HelpAssistant 2009-12-13 21:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll . 
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-23 02:56 . 2007-04-18 23:42 -------- d-----w- c:\program files\Freenet 2009-12-23 02:33 . 2006-07-18 20:12 -------- d-----w- c:\program files\PopUp Killer 2009-12-20 20:41 . 2009-09-14 13:40 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\HPAppData 2009-12-20 19:46 . 2009-12-20 20:18 0 ----a-w- c:\documents and settings\HelpAssistant\ntuser.tmp 2009-12-20 19:43 . 2006-07-23 19:47 -------- d-----w- c:\program files\Java 2009-12-14 00:56 . 2008-11-24 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-12-03 21:14 . 2009-08-23 03:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 21:13 . 2009-08-23 03:26 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-29 12:54 . 2006-09-25 06:00 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\BitTorrent 2009-11-28 19:35 . 2006-07-18 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink 2009-11-13 00:47 . 2009-04-06 21:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-11-13 00:47 . 2009-04-06 21:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-11-13 00:47 . 2009-04-06 21:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-11-13 00:47 . 2009-04-06 21:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2009-11-13 00:46 . 2009-11-13 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9 2009-11-13 00:46 . 2009-04-06 21:03 -------- d-----w- c:\program files\AVG 2009-11-11 22:02 . 2006-07-18 21:17 -------- d-----w- c:\program files\DivX 2009-11-11 22:01 . 2009-11-11 22:00 -------- d-----w- c:\program files\Common Files\DivX Shared 2009-11-11 21:56 . 2006-11-12 20:49 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\DivX 2009-11-09 21:33 . 
2009-11-09 21:33 -------- d-----w- c:\program files\Windows Installer Clean Up 2009-11-09 21:32 . 2009-11-09 21:32 -------- d-----w- c:\program files\MSECACHE 2009-11-09 17:21 . 2009-09-08 22:34 -------- d-----w- c:\program files\HP 2009-11-09 17:13 . 2009-11-09 17:13 -------- d-----w- c:\program files\Common Files\xing shared 2009-11-09 17:12 . 2009-10-23 23:26 -------- d-----w- c:\program files\MagicDVDRipper 2009-11-09 17:12 . 2009-10-18 05:58 -------- d-----w- c:\program files\mkv2vob 2009-11-09 17:12 . 2009-11-09 17:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-11-09 16:59 . 2008-05-16 06:15 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\dvdcss 2009-11-09 16:41 . 2008-08-15 03:38 -------- d-----w- c:\program files\Safari 2009-11-01 04:49 . 2007-01-10 06:27 -------- d-----w- c:\program files\Common Files\Real 2009-10-29 07:45 . 2006-04-28 14:58 916480 ----a-w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30 . 2006-05-14 09:13 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2003-07-16 20:42 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38 . 2003-07-16 20:42 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-07 21:55 . 2008-12-26 19:17 21060 ---ha-w- c:\windows\system32\mlfcache.dat 2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll 2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll 2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll 2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll 2009-09-25 16:41 . 
2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll 2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll 2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll 2009-08-19 17:35 . 2009-08-19 17:35 184 ----a-w- c:\program files\avqin.txt 2009-08-18 01:27 . 2009-08-18 01:27 124 ----a-w- c:\program files\uwxo.txt 2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll 2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-15 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PopUpKiller"="c:\program files\PopUp Killer\PopUpKiller.EXE" [2001-08-27 95232] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-01 180269] "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-11-13 00:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed 
Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=c:\windows\pss\Adobe Gamma.lnkStartup [HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Kremlin Sentry.lnk] path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Kremlin Sentry.lnk backup=c:\windows\pss\Kremlin Sentry.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD] 2002-12-17 16:28 684032 ----a-w- c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2008-06-12 07:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] 2008-07-14 06:14 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2009-05-14 00:58 177472 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent] 2007-09-07 23:01 43008 ----a-w- c:\program files\BitTorrent\bittorrent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2009-06-15 19:53 133104 ----atw- 
c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] 2001-12-06 16:01 196608 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2009-07-13 18:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] 2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2003-11-03 17:46 4800512 ----a-w- c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpKiller] 2001-08-27 20:54 95232 ----a-w- c:\program files\PopUp Killer\PopUpKiller.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] 2009-11-01 04:48 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"= "c:\\Program Files\\HP\\Digital 
Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "21142:TCP"= 21142:TCP:BitComet 21142 TCP "21142:UDP"= 21142:UDP:BitComet 21142 UDP "65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services "3246:TCP"= 3246:TCP:Services "2479:TCP"= 2479:TCP:Services "3389:TCP"= 3389:TCP:Remote Desktop "4884:TCP"= 4884:TCP:Services "6649:TCP"= 6649:TCP:Services R1 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [x] R3 rooty;rooty;c:\windows\system32\drivers\rooty.sys [x] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-13 333192] S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-13 360584] S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-13 285392] S2 freenet-darknet-8888;Freenet 0.7 darknet-8888;c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [2007-04-06 204800] S2 SBKUPNT;SBKUPNT;c:\windows\system32\Drivers\SBKUPNT.SYS [2001-07-13 14976] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc getPlusHelper REG_MULTI_SZ getPlusHelper . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com FF - ProfilePath - c:\documents and settings\Dave Huynh\Application Data\Mozilla\Firefox\Profiles\utysktab.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll FF - plugin: c:\documents and settings\Dave Huynh\Application Data\Mozilla\Firefox\Profiles\utysktab.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll FF - plugin: c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - ORPHANS REMOVED - - - - MSConfigStartUp-11057184 - c:\documents and settings\All Users\Application Data\11057184\11057184.exe MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe MSConfigStartUp-Messenger (Yahoo!) 
- c:\program files\Yahoo!\Messenger\YahooMessenger.exe MSConfigStartUp-Monopod - c:\docume~1\DAVEHU~1\LOCALS~1\Temp\b.exe MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_07\bin\jusched.exe MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-22 21:55 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1520) c:\windows\system32\WININET.dll c:\progra~1\WINDOW~2\wmpband.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\AVG\AVG9\avgchsvx.exe c:\program files\AVG\AVG9\avgrsx.exe c:\program files\AVG\AVG9\avgcsrvx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\System32\nvsvc32.exe c:\windows\system32\java.exe c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe c:\program files\AVG\AVG9\avgnsx.exe c:\windows\system32\wscntfy.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\program files\HP\Digital Imaging\bin\hpqbam08.exe c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe . ************************************************************************** . 
Completion time: 2009-12-22 22:04:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 03:03
ComboFix2.txt 2009-08-23 03:19

Pre-Run: 60,608,790,528 bytes free
Post-Run: 60,581,232,640 bytes free

- - End Of File - - 1BA76E67C6D6488ABD1F577AAE700F15
  14. I just wanted to mention one thing that I noticed. When I do a search using Google in the Explorer browser and click on any link, I get redirected. The one I got redirected to was questbooster.com. This doesn't happen with Chrome or Firefox, because I did the same search afterwards. I haven't used Explorer in a long time, but the only reason I even found out was because I used it to run the performance scan today. After the scan I decided to do a quick search, and that's how I discovered it.
  15. Hi Chris, I uploaded the file as requested and here is the link with the info from VirusTotal: http://www.virustotal.com/analisis/23ebf17...a88a-1251692860 As far as I know, I'm not familiar with that particular file. It's strange: when I looked in the folder you told me it was in - C:\DOCUMENTS AND SETTINGS\DAVE HUYNH\DESKTOP\UNUSED DESKTOP SHORTCUTS\NEW FOLDER\+++.EXE - I couldn't find it. I was only able to find it by going to Start and doing a search for it. After that, I went to uninstall the following: Java
  16. Three quick things that I noticed. 1) I tried to install HijackThis. I've used the program before, but when I installed it this time, the little icon was blanked out, and when I tried to click on it, it said: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." 2) It still runs slower than normal on startup and when I try to perform any operation. I can hear it chugging in the background. 3) For some reason, I can't seem to go into standby mode. Before, it would go into standby mode right away, but now it shows the "preparing to stand by" screen and just sits there. I know this may seem nitpicky, but I'm just a little worried.
  17. Hi Chris, Thanks for your help. I don't know if this makes a difference, but I zoned out for a minute and ran the F-Secure Online Scanner first. About a few minutes in, I forgot that I hadn't done the update on MBAM and didn't run a quick scan. It was already a few minutes in, so I just let it complete the scan. It found 9 files which it said were infected. 1 file was cleaned while 8 were not. Below is the long report from the scan. After the F-Secure Online Scan, I then updated MBAM and ran a quick scan. The log for that scan is below this report.

Scanning Report
Friday, December 18, 2009 22:30:42 - 00:03:46
Computer name: DAVE
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ G:\

9 malware found
BehavesLike:Win32.Malware (spyware)
  System (Disinfected)
BehavesLike:Win32.Malware (virus)
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0041139.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0042122.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0042641.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0044640.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0045658.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\SYSTEM VOLUME INFORMATION\_RESTORE{46D9C59D-24E9-43D3-99E7-838FA8E5CB7E}\RP124\A0046208.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\DOCUMENTS AND SETTINGS\HELPASSISTANT\DESKTOP\UNUSED DESKTOP SHORTCUTS\NEW FOLDER\+++.EXE (Not cleaned)
BehavesLike:Win32.Malware (virus)
  C:\DOCUMENTS AND SETTINGS\DAVE HUYNH\DESKTOP\UNUSED DESKTOP SHORTCUTS\NEW FOLDER\+++.EXE (Not cleaned)

Statistics
Scanned:
  Files: 55989
  System: 3458
  Not scanned: 21
Actions:
  Disinfected: 1
  Renamed: 0
  Deleted: 0
  Not cleaned: 8
  Submitted: 0
Files not scanned:
  C:\PAGEFILE.SYS
  C:\WINDOWS\TEMP\HSPERFDATA_SYSTEM\2592
  C:\WINDOWS\SYSTEM32\MRT.EXE
  C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
  C:\WINDOWS\SYSTEM32\CONFIG\SAM
  C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
  C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
  C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\D48A3B967BA5709DF048E8F2A49CF8A6\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\B7F0B2892B21211A5630518D058F48D9\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\9CF59263A134AB3FBBEE78365A2FA5FC\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\6B4E49F1A78B9558FEEB103A07B06A32\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\6913C676E5D33978934CAA46C49FDC75\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\678162639E69C808C1768AB6340EAE25\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\2C95B28351986132D7F36DD28EECE9B0\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\0DD0244816FFB4B094C1CABA4C3B1178\UPDATE\UPDATE.EXE
  C:\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\07A96DE176867BC25B7DC839D22B07E2\UPDATE\UPDATE.EXE
  C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE
  C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
  C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\RANDOM.EXE.EXE

Options
Scanning engines:
Scanning options:
  Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
  Use advanced heuristics

As stated above, the next thing I did was update MBAM and run a quick scan. The scan looks clean. Below is the log file from that scan.

Malwarebytes' Anti-Malware 1.42
Database version: 3383
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2009 12:24:39 AM
mbam-log-2009-12-18 (00-24-39).txt

Scan type: Quick Scan
Objects scanned: 121566
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The last thing I did was download the Security Check and run it. Here is the checkup.txt log.

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG Free 9.0
``````````````````````````````
Anti-malware/Other Utilities Check:
CCleaner
Java SE Runtime Environment 6 Update 1
Java 6 Update 2
Java 6 Update 5
Java 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check: objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````

I think everything is okay. I was just concerned there might be something lurking in there. I have a question: what browser would you recommend using? My current default browser is Firefox, and I have WOT installed on it. Please let me know if there is anything you think I need to do. Thank you so much again, and I will wait for further instructions.
  18. After having a clean computer for a while, I recently had an issue. For some reason my computer logged me off. I had never had this happen before, so I shut it down, and when it loaded again there was an exclamation mark on my AVG icon in the system tray in the bottom right corner of my desktop. I immediately opened Malwarebytes, did an update and ran a full scan. It found two files, which it cleaned. Below is the log file.

Malwarebytes' Anti-Malware 1.42
Database version: 3356
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/13/2009 9:59:28 PM
mbam-log-2009-12-13 (21-59-28).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 235032
Time elapsed: 1 hour(s), 58 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dave Huynh\Local Settings\temp\dkgfdf.dll (Malware.Packer) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\temp\dkgfdf.dll (Malware.Packer) -> Quarantined and deleted successfully.

After finishing, it asked to reboot to finish the process. I did that, and when it loaded again the exclamation mark was gone from the AVG icon in the system tray in the bottom right-hand corner. I then opened AVG, did an update and ran a full scan. It found nothing. I then opened Malwarebytes again and did a quick scan, and it didn't find anything. Here is the log report from the quick scan.

Malwarebytes' Anti-Malware 1.42
Database version: 3357
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/14/2009 2:09:43 AM
mbam-log-2009-12-14 (02-09-43).txt

Scan type: Quick Scan
Objects scanned: 119691
Time elapsed: 19 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Even though it seems to be clean, my computer has been running a little sluggish ever since. I am worried my browser has been compromised, because when I recently logged into my eBay account it took a while to load, and when it finally loaded it had a page asking me for my personal info. Not sure if it's just the browser, AVG, both, or if the whole computer is infected. I was using Firefox at the time, but I also have Explorer, Safari and Chrome that I can use if needed. I was suspicious, so I went to a clean laptop and quickly changed all my passwords. I am still worried there may be something lurking that I cannot see. I am only using the infected computer to run tests until I can be sure it is safe again. Below is the DDS file. The attach.txt and ark.txt have been zipped into one and added to this post as well. Thank you, Malwarebytes team, in advance for any help you can provide me, and if there is anything else I need to do, please let me know.
DDS (Ver_09-12-01.01) - NTFSx86 Run by Dave Huynh at 21:33:22.32 on Mon 12/14/2009 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07 AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll TB: Yahoo! 
Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Google Update] "c:\documents and settings\dave huynh\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [PopUpKiller] c:\program files\popup killer\PopUpKiller.EXE mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe dPolicies-explorer: NoSetActiveDesktop = 1 (0x1) dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1) IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll Trusted Zone: internet Trusted Zone: mcafee.com DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} - hxxp://200.9.36.138:82/wg_webeye.cab DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} 
- hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\davehu~1\applic~1\mozilla\firefox\profiles\utysktab.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll FF - plugin: c:\documents and settings\dave huynh\application data\mozilla\firefox\profiles\utysktab.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll FF - plugin: c:\documents and settings\dave huynh\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\program files\mozilla 
firefox\plugins\npbittorrent.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== =============== Created Last 30 ================ ==================== Find3M ==================== 2009-12-03 21:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-11-13 00:47:13 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-11-13 00:47:13 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-11-13 00:47:02 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll 2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys 2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll 2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-07 21:55:06 21060 ---ha-w- c:\windows\system32\mlfcache.dat 2009-09-25 16:41:28 90112 ----a-w- c:\windows\system32\dpl100.dll 2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll 
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll 2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll 2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll 2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll 2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll 2009-08-19 17:35:14 184 ----a-w- c:\program files\avqin.txt 2009-08-18 01:27:01 124 ----a-w- c:\program files\uwxo.txt 2008-08-24 20:53:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat ============= FINISH: 21:35:25.06 =============== Attach.zip
  19. Hi miekiemoes, I just bookmarked the links you left in your last comment. I will definitely check out your site and the other site as well. Thanks again for everything. You have been most kind and helpful.
  20. I just did as you instructed and it uninstalled fine. My computer seems to be running normally now. I did a scan with Malwarebytes' Anti-Malware and it came up clean. I would like to thank you so, so much for your help! You have been very courteous and helpful.
  21. Sure. I just did another scan. This time when I ran ComboFix, it asked to update the program. I did. After it updated, it proceeded to run and below is the results from the scan. ComboFix 09-07-28.01 - Dave Huynh 07/28/2009 12:43.3.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.617 [GMT -4:00] Running from: c:\documents and settings\Dave Huynh\Desktop\random.exe.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\TEMP\jbigi19003lib.tmp c:\windows\TEMP\jcpuid19002lib.tmp . ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 ))))))))))))))))))))))))))))))) . 2009-07-26 23:30 . 2009-07-26 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\11057184 2009-07-19 05:58 . 2009-07-19 06:01 -------- d-----w- c:\documents and settings\Dave Huynh\Local Settings\Application Data\Temp 2009-07-10 02:41 . 2009-07-10 02:41 -------- d-----w- c:\documents and settings\Dave Huynh\Local Settings\Application Data\Help 2009-07-07 18:06 . 2009-07-07 18:05 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe 2009-07-07 01:59 . 2009-07-07 01:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-28 16:52 . 2007-04-18 23:42 -------- d-----w- c:\program files\Freenet 2009-07-28 16:48 . 2006-07-18 20:12 -------- d-----w- c:\program files\PopUp Killer 2009-07-27 19:57 . 2008-11-24 20:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-07-27 19:57 . 2008-12-26 20:31 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-07-27 02:29 . 
2009-04-06 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-07-26 18:23 . 2006-09-25 06:00 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\BitTorrent 2009-07-23 03:23 . 2008-08-25 04:00 3532 ----a-w- C:\drmHeader.bin 2009-07-13 17:36 . 2008-11-24 20:13 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-07-13 17:36 . 2008-11-24 20:13 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-07-09 05:56 . 2007-01-10 06:27 -------- d-----w- c:\program files\Common Files\Real 2009-07-07 18:06 . 2009-04-06 21:03 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-26 19:19 . 2008-06-03 22:53 -------- d-----w- c:\program files\eMule 2009-06-24 20:51 . 2006-07-25 20:25 23336 ----a-w- c:\documents and settings\Dave Huynh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-24 17:38 . 2009-04-06 21:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-06-24 17:38 . 2009-04-06 21:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-06-24 02:29 . 2009-06-24 02:29 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\GRETECH 2009-06-24 00:52 . 2009-06-24 00:52 -------- d-----w- c:\program files\GRETECH 2009-06-22 04:54 . 2008-05-16 06:15 -------- d-----w- c:\documents and settings\Dave Huynh\Application Data\dvdcss 2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-09 16:51 . 2006-07-18 20:34 -------- d-----w- c:\program files\Common Files\Adobe 2009-06-03 19:09 . 2006-07-23 20:24 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-06-01 04:02 . 2009-06-01 04:02 29184 ----a-r- c:\documents and settings\Dave Huynh\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe 2009-06-01 04:02 . 2009-06-01 04:02 -------- d-----w- c:\program files\mkv2vob 2009-06-01 04:01 . 
2008-08-06 07:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard 2009-05-17 20:00 . 2009-05-17 20:00 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe 2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll 2009-05-01 18:26 . 2009-04-06 21:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2008-10-21 01:27 . 2008-10-21 01:27 19893 ----a-w- c:\program files\Common Files\odeviwifu.lib 2008-10-21 01:27 . 2008-10-21 01:27 16468 ----a-w- c:\program files\Common Files\zubugif.vbs 2008-10-21 01:27 . 2008-10-21 01:27 11256 ----a-w- c:\program files\Common Files\axaxuqo.vbs 2009-07-22 04:52 . 2008-08-27 08:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll . ((((((((((((((((((((((((((((( SnapShot@2009-07-27_19.42.47 ))))))))))))))))))))))))))))))))))))))))) . - 2005-04-27 14:53 . 2008-10-16 20:38 44544 c:\windows\system32\pngfilt.dll + 2005-04-27 14:53 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll + 2006-11-08 02:03 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll - 2006-11-08 02:03 . 2008-10-16 20:38 52224 c:\windows\system32\msfeedsbs.dll - 2003-07-16 20:31 . 2008-10-16 20:38 27648 c:\windows\system32\jsproxy.dll + 2003-07-16 20:31 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll + 2003-07-16 20:30 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll - 2003-07-16 20:30 . 2008-10-16 20:38 44544 c:\windows\system32\iernonce.dll + 2009-04-10 23:31 . 2009-04-29 04:55 78336 c:\windows\system32\ieencode.dll - 2003-07-16 20:30 . 2008-10-16 13:11 70656 c:\windows\system32\ie4uinit.exe + 2003-07-16 20:30 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe - 2006-10-17 16:58 . 2008-10-16 20:38 63488 c:\windows\system32\icardie.dll + 2006-10-17 16:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll - 2006-05-10 05:23 . 
2008-10-16 20:38 44544 c:\windows\system32\dllcache\pngfilt.dll + 2006-05-10 05:23 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll + 2007-05-08 20:59 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll - 2007-05-08 20:59 . 2008-10-16 20:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll - 2006-05-10 05:22 . 2008-10-16 20:38 27648 c:\windows\system32\dllcache\jsproxy.dll + 2006-05-10 05:22 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll + 2007-05-08 20:59 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe - 2007-05-08 20:59 . 2008-10-16 13:11 13824 c:\windows\system32\dllcache\ieudinit.exe + 2006-11-07 08:26 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll - 2006-11-07 08:26 . 2008-10-16 20:38 44544 c:\windows\system32\dllcache\iernonce.dll + 2009-04-29 04:55 . 2009-04-29 04:55 78336 c:\windows\system32\dllcache\ieencode.dll + 2006-11-07 08:26 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe - 2006-11-07 08:26 . 2008-10-16 13:11 70656 c:\windows\system32\dllcache\ie4uinit.exe + 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll - 2007-08-20 10:04 . 2008-10-16 20:38 63488 c:\windows\system32\dllcache\icardie.dll + 2009-07-27 21:00 . 2008-10-16 20:38 44544 c:\windows\ie7updates\KB969897-IE7\pngfilt.dll + 2009-07-27 21:00 . 2008-10-16 20:38 52224 c:\windows\ie7updates\KB969897-IE7\msfeedsbs.dll + 2009-07-27 21:00 . 2008-10-16 20:38 27648 c:\windows\ie7updates\KB969897-IE7\jsproxy.dll + 2009-07-27 21:00 . 2008-10-16 13:11 13824 c:\windows\ie7updates\KB969897-IE7\ieudinit.exe + 2009-07-27 21:00 . 2008-10-16 20:38 44544 c:\windows\ie7updates\KB969897-IE7\iernonce.dll + 2009-07-27 21:00 . 2008-04-14 00:11 81920 c:\windows\ie7updates\KB969897-IE7\ieencode.dll + 2009-07-27 21:00 . 2008-10-16 13:11 70656 c:\windows\ie7updates\KB969897-IE7\ie4uinit.exe + 2009-07-27 21:00 . 
2008-10-16 20:38 63488 c:\windows\ie7updates\KB969897-IE7\icardie.dll + 2006-04-28 14:58 . 2009-04-29 04:56 827392 c:\windows\system32\wininet.dll + 2003-07-16 20:51 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll - 2003-07-16 20:51 . 2008-10-16 20:38 233472 c:\windows\system32\webcheck.dll + 2003-07-16 20:49 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll - 2003-07-16 20:49 . 2008-10-16 20:38 105984 c:\windows\system32\url.dll - 2003-07-16 20:40 . 2008-10-16 20:38 102912 c:\windows\system32\occache.dll + 2003-07-16 20:40 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll - 2003-07-16 20:36 . 2008-10-16 20:38 671232 c:\windows\system32\mstime.dll + 2003-07-16 20:36 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll - 2005-02-24 16:54 . 2008-10-16 20:38 193024 c:\windows\system32\msrating.dll + 2005-02-24 16:54 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll + 2003-07-16 20:35 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll - 2003-07-16 20:35 . 2008-10-16 20:38 477696 c:\windows\system32\mshtmled.dll + 2006-11-08 02:03 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll - 2006-11-08 02:03 . 2008-10-16 20:38 459264 c:\windows\system32\msfeeds.dll + 2006-10-17 16:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll + 2003-07-16 20:30 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll - 2006-10-17 16:27 . 2008-10-16 20:38 383488 c:\windows\system32\ieapfltr.dll + 2006-10-17 16:27 . 2009-04-29 04:55 383488 c:\windows\system32\ieapfltr.dll - 2003-07-16 20:30 . 2008-10-15 07:04 161792 c:\windows\system32\ieakui.dll + 2003-07-16 20:30 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll + 2003-07-16 20:30 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll - 2003-07-16 20:30 . 2008-10-16 20:38 230400 c:\windows\system32\ieaksie.dll - 2003-07-16 20:30 . 2008-10-16 20:38 153088 c:\windows\system32\ieakeng.dll + 2003-07-16 20:30 . 
2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 07:56 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 07:56 . 2008-10-16 20:38 133120 c:\windows\system32\extmgr.dll
+ 2006-02-24 19:24 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
- 2006-02-24 19:24 . 2008-10-16 20:38 214528 c:\windows\system32\dxtrans.dll
- 2006-04-28 14:57 . 2008-10-16 20:38 347136 c:\windows\system32\dxtmsft.dll
+ 2006-04-28 14:57 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
+ 2006-11-08 02:03 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-10-17 17:05 . 2008-10-16 20:38 105984 c:\windows\system32\dllcache\url.dll
+ 2006-10-17 17:05 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
+ 2006-10-17 17:04 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
- 2006-10-17 17:04 . 2008-10-16 20:38 102912 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:23 . 2008-10-16 20:38 671232 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-05-10 05:23 . 2008-10-16 20:38 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
- 2006-05-10 05:23 . 2008-10-16 20:38 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2006-05-10 05:23 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2007-05-08 20:59 . 2008-10-16 20:38 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-05-08 20:59 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-10-17 17:04 . 2009-04-25 05:27 636088 c:\windows\system32\dllcache\iexplore.exe
+ 2007-05-08 20:59 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2006-11-07 08:27 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-08 20:59 . 2009-04-29 04:55 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2007-05-08 20:59 . 2008-10-16 20:38 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2003-07-16 20:30 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
- 2003-07-16 20:30 . 2008-10-15 07:04 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2006-11-07 08:27 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 08:27 . 2008-10-16 20:38 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 08:26 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-11-07 08:26 . 2008-10-16 20:38 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
- 2006-05-10 05:22 . 2008-10-16 20:38 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-05-10 05:22 . 2008-10-16 20:38 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2006-05-10 05:22 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2006-05-10 05:22 . 2008-10-16 20:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-11-07 08:26 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
- 2006-11-07 08:26 . 2008-10-16 20:38 124928 c:\windows\system32\dllcache\advpack.dll
- 2003-07-16 20:23 . 2008-10-16 20:38 124928 c:\windows\system32\advpack.dll
+ 2003-07-16 20:23 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 826368 c:\windows\ie7updates\KB969897-IE7\wininet.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 233472 c:\windows\ie7updates\KB969897-IE7\webcheck.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 105984 c:\windows\ie7updates\KB969897-IE7\url.dll
+ 2009-07-27 21:00 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB969897-IE7\spuninst\updspapi.dll
+ 2009-07-27 21:00 . 2008-07-09 07:38 231288 c:\windows\ie7updates\KB969897-IE7\spuninst\spuninst.exe
+ 2009-07-27 21:00 . 2008-10-16 20:38 102912 c:\windows\ie7updates\KB969897-IE7\occache.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 671232 c:\windows\ie7updates\KB969897-IE7\mstime.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 193024 c:\windows\ie7updates\KB969897-IE7\msrating.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 477696 c:\windows\ie7updates\KB969897-IE7\mshtmled.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 459264 c:\windows\ie7updates\KB969897-IE7\msfeeds.dll
+ 2009-07-27 21:00 . 2008-10-15 07:06 633632 c:\windows\ie7updates\KB969897-IE7\iexplore.exe
+ 2009-07-27 21:00 . 2008-10-16 20:38 267776 c:\windows\ie7updates\KB969897-IE7\iertutil.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 384512 c:\windows\ie7updates\KB969897-IE7\iedkcs32.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 383488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dll
+ 2009-07-27 21:00 . 2008-10-15 07:04 161792 c:\windows\ie7updates\KB969897-IE7\ieakui.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 230400 c:\windows\ie7updates\KB969897-IE7\ieaksie.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 153088 c:\windows\ie7updates\KB969897-IE7\ieakeng.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 133120 c:\windows\ie7updates\KB969897-IE7\extmgr.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 214528 c:\windows\ie7updates\KB969897-IE7\dxtrans.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 347136 c:\windows\ie7updates\KB969897-IE7\dxtmsft.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 124928 c:\windows\ie7updates\KB969897-IE7\advpack.dll
+ 2006-05-08 14:50 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2006-05-19 19:52 . 2009-04-29 04:56 3596288 c:\windows\system32\mshtml.dll
+ 2006-11-08 02:03 . 2009-04-29 04:55 6066176 c:\windows\system32\ieframe.dll
- 2006-11-08 02:03 . 2008-10-16 20:38 6066176 c:\windows\system32\ieframe.dll
+ 2006-09-06 04:01 . 2008-07-09 14:25 2455488 c:\windows\system32\ieapfltr.dat
- 2006-09-06 04:01 . 2007-04-17 09:28 2455488 c:\windows\system32\ieapfltr.dat
+ 2006-05-10 05:23 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2006-05-19 15:08 . 2009-04-29 04:56 3596288 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-08 20:58 . 2009-04-29 04:55 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-05-08 20:58 . 2008-10-16 20:38 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-08 20:59 . 2008-07-09 14:25 2455488 c:\windows\system32\dllcache\ieapfltr.dat
- 2007-05-08 20:59 . 2007-04-17 09:28 2455488 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-07-27 21:00 . 2008-10-16 20:38 1160192 c:\windows\ie7updates\KB969897-IE7\urlmon.dll
+ 2009-07-27 21:00 . 2008-12-13 06:40 3593216 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
+ 2009-07-27 21:00 . 2008-10-16 20:38 6066176 c:\windows\ie7updates\KB969897-IE7\ieframe.dll
+ 2009-07-27 21:00 . 2007-04-17 09:28 2455488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PopUpKiller"="c:\program files\PopUp Killer\PopUpKiller.EXE" [2001-08-27 95232]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-24 1948440]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-24 17:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dave Huynh^Start Menu^Programs^Startup^Kremlin Sentry.lnk]
path=c:\documents and settings\Dave Huynh\Start Menu\Programs\Startup\Kremlin Sentry.lnk
backup=c:\windows\pss\Kremlin Sentry.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21142:TCP"= 21142:TCP:BitComet 21142 TCP
"21142:UDP"= 21142:UDP:BitComet 21142 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/6/2009 5:03 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/6/2009 5:03 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/6/2009 5:03 PM 298776]
R2 freenet-darknet-8888;Freenet 0.7 darknet-8888;c:\program files\Freenet\bin\wrapper-windows-x86-32.exe [4/18/2007 7:42 PM 204800]
.
Contents of the 'Scheduled Tasks' folder

2009-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-790525478-725345543-1004Core.job
- c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-15 19:53]

2009-07-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-790525478-725345543-1004UA.job
- c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-15 19:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Dave Huynh\Application Data\Mozilla\Firefox\Profiles\utysktab.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Dave Huynh\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: XUL Cache: {14BD558B-3D27-4598-936D-F229A5652DD0} - c:\documents and settings\Dave Huynh\Local Settings\Application Data\{14BD558B-3D27-4598-936D-F229A5652DD0}
.
**************************************************************************

catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-28 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3076)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\system32\java.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-28 12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-28 16:56
ComboFix2.txt 2009-07-27 19:49
ComboFix3.txt 2009-01-23 23:35

Pre-Run: 44,302,725,120 bytes free
Post-Run: 44,286,095,360 bytes free

310 --- E O F --- 2009-07-27 21:00
  22. Before running ComboFix, I was unable to update Malwarebytes' Anti-Malware. I could only run it. After ComboFix completed, I was able to update it. After the update, I ran a scan and it found 2 other files. It cleaned it and I restarted the computer. I ran the scan again after it restarted and nothing else was found. I think it is clean now. Here are the two log files. First one is with the infections. Second is the cleaned log. Please let me know if I need to do anything else further.

Malwarebytes' Anti-Malware 1.39
Database version: 2513
Windows 5.1.2600 Service Pack 3

7/27/2009 4:15:08 PM
mbam-log-2009-07-27 (16-15-00).txt

Scan type: Quick Scan
Objects scanned: 86364
Time elapsed: 4 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2513
Windows 5.1.2600 Service Pack 3

7/27/2009 4:25:08 PM
mbam-log-2009-07-27 (16-25-08).txt

Scan type: Quick Scan
Objects scanned: 86373
Time elapsed: 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)