Please review my Malware and HJT logs


Thanks for your help!!

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:19:48 PM, on 8/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CSHelper.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Registry Mechanic\RegMech.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKCU\..\Run: [A00F403B5.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F403B5.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: delrb.bat

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://cdgtrain.duhs.duke.edu:8081/clinapp...intdll/smsx.cab

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - https://vserver01/VirtualServer/activex/VMR...tiveXClient.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: 60e7fa28654 - C:\WINDOWS\System32\dneinobj32.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: __c00B7E80 - C:\WINDOWS\system32\__c00B7E80.dat

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O24 - Desktop Component 0: (no name) - http://car-racing-games.freeonlinegames.com/images/fogbg.gif

--

End of file - 9511 bytes

MALWARE LOG:

Malwarebytes' Anti-Malware 1.40

Database version: 2583

Windows 5.1.2600 Service Pack 3 (Safe Mode)

8/12/2009 8:43:55 PM

mbam-log-2009-08-12 (20-43-55).txt

Scan type: Quick Scan

Objects scanned: 95276

Time elapsed: 11 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\__c00C2A5D.dat (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00c2a5d (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5b9e1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00fe6378.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f1e52b.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f36216.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f5492ebb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\__c00C2A5D.dat (Trojan.Downloader) -> Delete on reboot.

C:\temp\__c009835B.dat (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\85.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\A.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.


  • Staff

Hi,

First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There, click "Check for updates".
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


OK - first is the MalwareBytes log followed by the HJT log. I keep getting inundated with pop-ups. Thanks for your help.

-Lori

**************************************

Malwarebytes' Anti-Malware 1.40

Database version: 2615

Windows 5.1.2600 Service Pack 3

8/13/2009 11:24:57 AM

mbam-log-2009-08-13 (11-24-57).txt

Scan type: Quick Scan

Objects scanned: 97627

Time elapsed: 18 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 1

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 25

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\__c00B7E80.dat (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\__c00F3500.dat (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00b7e80 (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f403b5.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f19e83d8.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f7d436.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\WINDOWS\system32\SystemX86 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\__c00B7E80.dat (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\_A00F403B5.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\_A00F19E83D8.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\_A00F7D436.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c0016100.dat (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\__c00F3500.dat (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\10.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\11.tmp (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\253.crack.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\253.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\254.keygen.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\254.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\255.serial.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\255.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\256.setup.zip (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\256.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\257.music.au (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\257.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\258.music2.au (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\258.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\259.music3.au (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\259.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\260.music.snd (Worm.Archive) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SystemX86\260.music.snd.kwd (Worm.Archive) -> Quarantined and deleted successfully.

********************************************************************************

*****************

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:34:14 AM, on 8/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\CSHelper.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;<local>

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H

O4 - HKCU\..\Run: [A00F1F509.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F1F509.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://cdgtrain.duhs.duke.edu:8081/clinapp...intdll/smsx.cab

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} (Microsoft Virtual Server VMRC Control) - https://vserver01/VirtualServer/activex/VMR...tiveXClient.cab

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: 60e7fa28654 - C:\WINDOWS\System32\dneinobj32.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: __c00E12BA - C:\WINDOWS\system32\__c00E12BA.dat

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O24 - Desktop Component 0: (no name) - http://car-racing-games.freeonlinegames.com/images/fogbg.gif

--

End of file - 9558 bytes


  • Staff

Hi,

Looks like it's getting reinstalled immediately again. The smallest leftover may cause this....

Anyway, let's have a look...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Here is the combofix log:

ComboFix 09-08-10.06 - Owner 08/13/2009 12:09.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.235 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Owner\APPLIC~1\02000000522750ff654C.manifest

c:\docume~1\Owner\APPLIC~1\02000000522750ff654O.manifest

c:\docume~1\Owner\APPLIC~1\02000000522750ff654P.manifest

c:\docume~1\Owner\APPLIC~1\02000000522750ff654S.manifest

c:\docume~1\Owner\LOCALS~1\Temp\12.tmp

c:\documents and settings\Owner\Application Data\02000000522750ff654C.manifest

c:\documents and settings\Owner\Application Data\02000000522750ff654O.manifest

c:\documents and settings\Owner\Application Data\02000000522750ff654P.manifest

c:\documents and settings\Owner\Application Data\02000000522750ff654S.manifest

c:\documents and settings\Owner\Local Settings\Temp\12.tmp

c:\recycler\S-1-5-21-3683029557-3838375364-467069692-1003

c:\recycler\S-1-5-21-3991424399-1867458613-948240738-1003

c:\windows\GnuHashes.ini

c:\windows\Installer\25645904.msi

c:\windows\Installer\2564590b.msi

c:\windows\Installer\25645912.msi

c:\windows\Installer\259be.msi

c:\windows\system32\__c00E12BA.dat

c:\windows\system32\BSTIEPrintCtl1.dll

c:\windows\system32\ehgeTbD.vbs

c:\windows\system32\GroupPolicy000.dat

c:\windows\system32\Zuyb94X.vbs

C:\xcrashdump.dat

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))

.

2009-08-13 02:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-13 01:01 . 2009-08-13 01:01 -------- d-----w- c:\program files\Trend Micro

2009-08-12 01:00 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-08-12 01:00 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-12 01:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-12 00:59 . 2009-08-13 16:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-12 00:59 . 2009-08-12 01:03 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-12 00:59 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-08-12 00:59 . 2009-08-12 01:04 -------- d-----w- c:\program files\Spyware Doctor

2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\PC Tools

2009-08-11 01:57 . 1980-08-17 00:00 27648 ----a-w- c:\temp\__c00A82C4.dat

2009-08-09 16:36 . 2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-09 16:36 . 2009-08-10 12:53 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-09 16:36 . 2009-08-10 12:53 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-09 16:36 . 2009-08-10 12:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-09 16:35 . 2009-08-13 12:49 -------- d-----w- c:\windows\system32\drivers\Avg

2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\program files\MSBuild

2009-08-09 07:02 . 2009-08-09 07:02 -------- d-----w- c:\program files\Reference Assemblies

2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes

2009-08-09 03:28 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-09 03:28 . 2009-08-09 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-09 03:28 . 2009-08-09 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-09 03:28 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-09 02:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-09 02:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-09 02:44 . 2009-08-09 02:44 -------- d-----w- C:\3b76648fd05db8de4f0df1e7

2009-08-09 02:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\d7fc1a37c58d226bb7b6152bb397daf3

2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\e7fe6792882ba60ea68825b7a2d0dd93

2009-08-08 00:01 . 2009-08-08 00:01 122368 ----a-w- c:\windows\system32\dneinobj32.dll

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

2009-07-26 03:12 . 2009-07-26 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\windows\system32\drivers\NSS

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\Norton Security Scan

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\NortonInstaller

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-13 16:24 . 2009-08-13 16:24 590 --sha-w- c:\windows\system32\GroupPolicy000.dat

2009-08-13 16:24 . 2009-08-13 16:24 518144 --sha-w- c:\windows\system32\4.tmp

2009-08-13 02:30 . 2007-05-09 23:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-12 23:18 . 2009-04-30 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-12 22:01 . 2005-05-20 18:29 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-12 15:21 . 2009-08-12 15:21 0 ----a-w- c:\windows\system32\25A.tmp

2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire

2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\docume~1\Owner\APPLIC~1\LimeWire

2009-08-10 01:25 . 2009-04-30 01:46 -------- d-----w- c:\program files\MSECACHE

2009-08-09 16:35 . 2009-03-06 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-09 03:48 . 2009-08-08 22:35 2857 ----a-w- c:\windows\system32\nodes.txt.tmp

2009-08-05 09:01 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-26 03:12 . 2005-05-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2005-03-23 16:53 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 14:59 . 2005-05-20 18:45 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-29 16:12 . 2005-03-23 16:53 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-03-23 16:52 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2005-03-23 16:52 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2005-03-23 16:52 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2005-03-23 16:52 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2005-03-23 16:52 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2005-03-23 18:08 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2005-03-23 16:53 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2005-03-23 16:52 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-23 13:59 . 2009-01-24 02:22 202240 ----a-w- c:\windows\system32\Hotel For Dogs - Friday.scr

2007-07-20 15:13 . 2007-07-20 15:13 774144 ----a-w- c:\program files\RngInterstitial.dll

2008-06-27 18:59 . 2008-08-26 03:04 163840 ----a-w- c:\program files\mozilla firefox\components\nsgkff20_meter2.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 68856]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-03 180269]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\60e7fa28654]

2009-08-08 00:01 122368 ----a-w- c:\windows\system32\dneinobj32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

Domestic Security Version 4.87

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\ValuSoft\\Beyond Pearl Harbor Pacific Warriors\\Pacific Warriors.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/11/2009 9:00 PM 130936]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/9/2009 12:36 PM 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/9/2009 12:36 PM 108552]

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [7/7/2006 8:59 PM 1984]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 8:53 AM 298776]

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 11:17 PM 266240]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/11/2009 8:59 PM 348752]

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 01:31]

2009-08-13 c:\windows\Tasks\Norton Security Scan for Owner.job

- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 03:12]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080

uInternet Settings,ProxyOverride = ams-server*;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxps://vserver01/VirtualServer/activex/VMRCActiveXClient.cab

FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\4bi9ibcy.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-13 12:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\GroupPolicy000.dat 590 bytes

c:\windows\system32\SystemX86

scan completed successfully

hidden files: 2

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3067963684-463181519-798121359-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)

c:\windows\System32\dneinobj32.dll

- - - - - - - > 'explorer.exe'(2896)

c:\windows\system32\WININET.dll

c:\windows\System32\dneinobj32.dll

c:\windows\system32\4.tmp

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2009-08-13 12:29 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-13 16:29

Pre-Run: 61,369,217,024 bytes free

Post-Run: 61,984,526,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

260 --- E O F --- 2009-08-13 07:12

Hi,

Looks like it's getting reinstalled immediately again. The smallest leftover may cause this...

Anyway, let's have a look...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


  • Staff

Hi,

To be on the safe side, I suggest you back up the important data you don't want to lose, because the malware you are dealing with is capable of causing an unbootable PC because of the damage it may have caused.

Also, did you set these as a proxyserver?

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ams-server*;<local>

In case you didn't, check above entries in HijackThis and click the Fix checked button below. In case you did set these, leave them alone ;)

Then, * Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\4.tmp

c:\windows\System32\dneinobj32.dll

c:\windows\system32\25A.tmp

c:\windows\system32\GroupPolicy000.dat

c:\temp\__c00A82C4.dat

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\60e7fa28654]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

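The CFScript above was derived by hand from the log: the Winlogon Notify subkey 60e7fa28654 loads dneinobj32.dll into winlogon.exe and explorer.exe at every logon, GroupPolicy000.dat and 4.tmp sit in system32 with hidden+system attributes (--sha-w-) and catchme reports them as hidden, and 4.tmp is mapped into explorer.exe. The Python below is an added example, not part of this forum post and not ComboFix's own code. It parses a constructed excerpt modelled on the log posted above and produces the same File::/Registry:: script from three heuristics that are assumptions for this example (a Notify DLL not on an allow-list, a system32 file that is hidden+system or has a .tmp extension, a .tmp mapped into winlogon.exe or explorer.exe). The allow-list KNOWN_NOTIFY_DLLS is assumed; the heuristics do not reproduce every entry in the staff's script (c:\temp\__c00A82C4.dat came from a different signal).

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread
# (same section banners and line layouts; a few entries from each section).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\60e7fa28654]
2009-08-08 00:01 122368 ----a-w- c:\windows\system32\dneinobj32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-08-13 16:24 . 2009-08-13 16:24 590 --sha-w- c:\windows\system32\GroupPolicy000.dat
2009-08-13 16:24 . 2009-08-13 16:24 518144 --sha-w- c:\windows\system32\4.tmp
2009-08-12 15:21 . 2009-08-12 15:21 0 ----a-w- c:\windows\system32\25A.tmp
2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\dneinobj32.dll
- - - - - - - > 'explorer.exe'(2896)
c:\windows\system32\WININET.dll
c:\windows\System32\dneinobj32.dll
c:\windows\system32\4.tmp
"""

NOTIFY_KEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\[^\]]+)\]$", re.I)
# "<date> [. <date>] <size|--------> <attrs> <path>" as ComboFix prints it
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"
    r" +(\d+|-{8}) +([-a-z]{8}) +(.+?)$", re.I)
PROC_LINE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")

# Assumption for this example: Notify DLLs belonging to software the user installed.
KNOWN_NOTIFY_DLLS = {"avgrsstx.dll"}
SYSTEM32 = "c:\\windows\\system32\\"

def parse_log(text):
    """Pull Winlogon Notify packages, file listings and per-process module lists
    out of a ComboFix log. Paths are lower-cased (NTFS is case-insensitive)."""
    notify, files, loaded = {}, [], {}
    pending_key = current_proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NOTIFY_KEY.match(line)
        if m:
            pending_key = m.group(1)
            continue
        m = PROC_LINE.match(line)
        if m:
            current_proc = m.group(1).lower()
            loaded.setdefault(current_proc, [])
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(2).lower(), m.group(3).lower()
            if pending_key:          # the DLL line that follows a Notify key
                notify[pending_key] = path
                pending_key = None
            else:
                files.append((attrs, path))
            continue
        if line[0] in "[(-":         # another key header or a section banner
            pending_key = current_proc = None
        elif current_proc and line.lower().startswith("c:\\"):
            loaded[current_proc].append(line.lower())
    return notify, files, loaded

def find_suspicious(notify, files, loaded):
    """Three heuristics (assumptions for this example, not ComboFix's rules)."""
    bad_files, bad_keys = set(), set()
    # 1. A Winlogon Notify package runs its DLL inside winlogon.exe at every
    #    logon; an unrecognised one is a persistence point, so key and DLL go.
    for key, dll in notify.items():
        if dll.rsplit("\\", 1)[-1] not in KNOWN_NOTIFY_DLLS:
            bad_keys.add(key)
            bad_files.add(dll)
    # 2. system32 files carrying hidden+system attributes (--sha-w-), or a
    #    .tmp extension, are not how legitimate components get installed.
    for attrs, path in files:
        if path.startswith(SYSTEM32) and (
                ("s" in attrs and "h" in attrs) or path.endswith(".tmp")):
            bad_files.add(path)
    # 3. A .tmp mapped into winlogon.exe or explorer.exe is an injected module.
    for proc in ("winlogon.exe", "explorer.exe"):
        bad_files.update(p for p in loaded.get(proc, []) if p.endswith(".tmp"))
    return bad_files, bad_keys

def resident_in(path, loaded):
    """Processes the module is currently mapped into (corroborates a finding)."""
    return sorted(proc for proc, mods in loaded.items() if path in mods)

def build_cfscript(bad_files, bad_keys):
    """Render the File:: / Registry:: script that ComboFix accepts when a
    CFScript.txt is dragged onto ComboFix.exe; '[-key]' deletes the whole key."""
    lines = ["File::"] + sorted(bad_files)
    if bad_keys:
        lines += ["", "Registry::"] + ["[-%s]" % k for k in sorted(bad_keys)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    notify, files, loaded = parse_log(SAMPLE_LOG)
    bad_files, bad_keys = find_suspicious(notify, files, loaded)
    for f in sorted(bad_files):
        print("%-42s mapped into: %s" % (f, ", ".join(resident_in(f, loaded)) or "-"))
    print(build_cfscript(bad_files, bad_keys))
```

Run against a full log the same way; the allow-list is the part to maintain, and anything it does not recognise should be checked by hand (vendor, signature, file age) before it goes into a File:: section, since ComboFix deletes without asking.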


Here is the new combofix log - thanks!

ComboFix 09-08-10.06 - Owner 08/13/2009 13:07.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.234 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\temp\__c00A82C4.dat"

"c:\windows\system32\25A.tmp"

"c:\windows\system32\4.tmp"

"c:\windows\System32\dneinobj32.dll"

"c:\windows\system32\GroupPolicy000.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\Owner\APPLIC~1\02000000522750ff654C.manifest

c:\docume~1\Owner\APPLIC~1\02000000522750ff654O.manifest

c:\docume~1\Owner\APPLIC~1\02000000522750ff654P.manifest

c:\docume~1\Owner\APPLIC~1\02000000522750ff654S.manifest

c:\docume~1\Owner\LOCALS~1\Temp\17.tmp

c:\documents and settings\Owner\Application Data\02000000522750ff654C.manifest

c:\documents and settings\Owner\Application Data\02000000522750ff654O.manifest

c:\documents and settings\Owner\Application Data\02000000522750ff654P.manifest

c:\documents and settings\Owner\Application Data\02000000522750ff654S.manifest

c:\documents and settings\Owner\Local Settings\Temp\17.tmp

c:\temp\__c00A82C4.dat

c:\windows\GnuHashes.ini

c:\windows\system32\__c00E1D0.dat

c:\windows\system32\25A.tmp

c:\windows\system32\4.tmp

c:\windows\System32\dneinobj32.dll

c:\windows\system32\GroupPolicy000.dat

c:\windows\system32\SystemX86

c:\windows\system32\SystemX86\253.crack.zip

c:\windows\system32\SystemX86\253.crack.zip.kwd

c:\windows\system32\SystemX86\254.keygen.zip

c:\windows\system32\SystemX86\254.keygen.zip.kwd

c:\windows\system32\SystemX86\255.serial.zip

c:\windows\system32\SystemX86\255.serial.zip.kwd

c:\windows\system32\SystemX86\256.setup.zip

c:\windows\system32\SystemX86\256.setup.zip.kwd

c:\windows\system32\SystemX86\257.music.au

c:\windows\system32\SystemX86\257.music.au.kwd

c:\windows\system32\SystemX86\258.music2.au

c:\windows\system32\SystemX86\258.music2.au.kwd

c:\windows\system32\SystemX86\259.music3.au

c:\windows\system32\SystemX86\259.music3.au.kwd

c:\windows\system32\SystemX86\260.music.snd

c:\windows\system32\SystemX86\260.music.snd.kwd

.

((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))

.

2009-08-13 02:43 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll

2009-08-13 01:01 . 2009-08-13 01:01 -------- d-----w- c:\program files\Trend Micro

2009-08-12 01:00 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-08-12 01:00 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-08-12 01:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-08-12 00:59 . 2009-08-13 16:25 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-12 00:59 . 2009-08-12 01:03 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-12 00:59 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-08-12 00:59 . 2009-08-12 01:04 -------- d-----w- c:\program files\Spyware Doctor

2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-08-12 00:59 . 2009-08-12 00:59 -------- d-----w- c:\docume~1\Owner\APPLIC~1\PC Tools

2009-08-09 16:36 . 2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-09 16:36 . 2009-08-10 12:53 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-08-09 16:36 . 2009-08-10 12:53 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-09 16:36 . 2009-08-10 12:53 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-09 16:35 . 2009-08-13 12:49 -------- d-----w- c:\windows\system32\drivers\Avg

2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-09 07:03 . 2009-08-09 07:03 -------- d-----w- c:\program files\MSBuild

2009-08-09 07:02 . 2009-08-09 07:02 -------- d-----w- c:\program files\Reference Assemblies

2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-08-09 03:29 . 2009-08-09 03:29 -------- d-----w- c:\docume~1\Owner\APPLIC~1\Malwarebytes

2009-08-09 03:28 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-09 03:28 . 2009-08-09 03:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-09 03:28 . 2009-08-09 03:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-09 03:28 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-09 02:44 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-09 02:44 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-09 02:44 . 2009-08-09 02:44 -------- d-----w- C:\3b76648fd05db8de4f0df1e7

2009-08-09 02:44 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\d7fc1a37c58d226bb7b6152bb397daf3

2009-08-09 02:37 . 2009-08-09 02:37 -------- d-----w- C:\e7fe6792882ba60ea68825b7a2d0dd93

2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

2009-07-26 03:12 . 2009-07-26 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\windows\system32\drivers\NSS

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\Norton Security Scan

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\program files\NortonInstaller

2009-07-26 03:12 . 2009-07-26 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-13 16:30 . 2005-08-16 00:33 59640 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-13 02:30 . 2007-05-09 23:24 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-12 23:18 . 2009-04-30 01:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-08-12 22:01 . 2005-05-20 18:29 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire

2009-08-10 20:11 . 2009-03-12 03:27 -------- d-----w- c:\docume~1\Owner\APPLIC~1\LimeWire

2009-08-10 01:25 . 2009-04-30 01:46 -------- d-----w- c:\program files\MSECACHE

2009-08-09 16:35 . 2009-03-06 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-09 03:48 . 2009-08-08 22:35 2857 ----a-w- c:\windows\system32\nodes.txt.tmp

2009-08-05 09:01 . 2005-03-23 16:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-26 03:12 . 2005-05-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-07-17 19:01 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2005-03-23 16:53 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 14:59 . 2005-05-20 18:45 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-29 16:12 . 2005-03-23 16:53 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2005-03-23 16:52 17408 ------w- c:\windows\system32\corpol.dll

2009-06-16 14:36 . 2005-03-23 16:52 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2005-03-23 16:52 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2005-03-23 16:52 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2005-03-23 16:52 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2005-03-23 18:08 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 06:14 . 2005-03-23 16:53 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2005-03-23 16:52 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-23 13:59 . 2009-01-24 02:22 202240 ----a-w- c:\windows\system32\Hotel For Dogs - Friday.scr

2007-07-20 15:13 . 2007-07-20 15:13 774144 ----a-w- c:\program files\RngInterstitial.dll

2008-06-27 18:59 . 2008-08-26 03:04 163840 ----a-w- c:\program files\mozilla firefox\components\nsgkff20_meter2.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_16.24.06 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-08-13 17:17 . 2009-08-13 17:17 16384 c:\windows\Temp\Perflib_Perfdata_1f8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-02 68856]

"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]

"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-12 136600]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-03 180269]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 1948440]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-10 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

Domestic Security Version 4.87

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk

backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk

backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\ValuSoft\\Beyond Pearl Harbor Pacific Warriors\\Pacific Warriors.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/11/2009 9:00 PM 130936]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/9/2009 12:36 PM 335752]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/9/2009 12:36 PM 108552]

R1 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [7/7/2006 8:59 PM 1984]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 8:53 AM 298776]

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/18/2009 11:17 PM 266240]

S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/11/2009 8:59 PM 348752]

.

Contents of the 'Scheduled Tasks' folder

2009-08-13 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-26 01:31]

2009-08-13 c:\windows\Tasks\Norton Security Scan for Owner.job

- c:\program files\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-26 03:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyServer = http=proxy-server:8080;https=proxy-server:8080

uInternet Settings,ProxyOverride = ams-server*;<local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxps://vserver01/VirtualServer/activex/VMRCActiveXClient.cab

FF - ProfilePath - c:\docume~1\Owner\APPLIC~1\Mozilla\Firefox\Profiles\4bi9ibcy.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-13 13:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3067963684-463181519-798121359-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]

@Denied: (2) (Administrators)

@Allowed: (2) (Administrators)

"Policy"=hex:00,00,00,00

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3460)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2009-08-13 13:23 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-13 17:23

ComboFix2.txt 2009-08-13 16:29

Pre-Run: 61,994,651,648 bytes free

Post-Run: 61,963,833,344 bytes free

257 --- E O F --- 2009-08-13 07:12


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


So far so good. Thanks so much for your help. I hope you are paid very well :-). Besides AVG 8.5 (AV and AS) is there anything else that you would recommend installing on my machine for future protection?

Thanks,

Lori

Quoting miekiemoes's reply above (Aug 13 2009, 03:29 PM, post 109677):


  • Staff

Glad I could help. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


This topic is now closed to further replies.