
PC is infected & can't run mbam


JK523

Hello possible hero of my PC :unsure:

I had this nasty program called Security Center (not Windows Security Center) which I'm pretty sure is another version of Advanced Virus Remover. I may have removed it, as it doesn't pop up anymore. But I know for sure my PC is still infected with something, as I can't open my anti-virus programs and I get invisible pop-ups (I'm watching a DVD movie in full screen and suddenly it goes to my desktop screen). I would like some help in getting rid of this unwanted guest once and for all.

Link to post
Share on other sites

Wow. I just downloaded HijackThis and I had to change the name to install it. Then I chose to scan and keep a log and it immediately closed. I tried to re-open it and I get a message saying:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

This actually happened before as I was trying to scan my PC with other programs. This virus doesn't let you get very far.


Well I used RSIT and got a log file:

Logfile of random's system information tool 1.06 (written by random/random)

Run by Compaq_Owner at 2009-09-11 16:12:35

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 71 GB (80%) free of 88 GB

Total RAM: 1470 MB (65% free)

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\At1.job

C:\WINDOWS\tasks\At10.job

C:\WINDOWS\tasks\At11.job

C:\WINDOWS\tasks\At12.job

C:\WINDOWS\tasks\At13.job

C:\WINDOWS\tasks\At14.job

C:\WINDOWS\tasks\At15.job

C:\WINDOWS\tasks\At16.job

C:\WINDOWS\tasks\At17.job

C:\WINDOWS\tasks\At18.job

C:\WINDOWS\tasks\At19.job

C:\WINDOWS\tasks\At2.job

C:\WINDOWS\tasks\At20.job

C:\WINDOWS\tasks\At21.job

C:\WINDOWS\tasks\At22.job

C:\WINDOWS\tasks\At23.job

C:\WINDOWS\tasks\At24.job

C:\WINDOWS\tasks\At3.job

C:\WINDOWS\tasks\At4.job

C:\WINDOWS\tasks\At5.job

C:\WINDOWS\tasks\At6.job

C:\WINDOWS\tasks\At7.job

C:\WINDOWS\tasks\At8.job

C:\WINDOWS\tasks\At9.job

C:\WINDOWS\tasks\ParetoLogic Registration.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-09-10 1111320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

AVG Security Toolbar BHO - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1062144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - []

{32099AAC-C132-4136-9E9A-4E364A424E17} - []

{D0943516-5076-4020-A3B5-AEFAF26AB263} - []

{A057A204-BACC-4D26-9990-79A187E2698E}

{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-07-01 259696]

{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll [2009-07-24 1062144]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"HPBootOp"=C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe [2005-09-21 1605740]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]

"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2008-12-08 54576]

""= []

"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-08-11 249856]

"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-03-25 185896]

"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-08-11 81920]

"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-09-10 2007832]

"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-08-17 81000]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-03-11 39408]

"BitTorrent DNA"=C:\Program Files\DNA\btdna.exe [2009-03-30 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

C:\WINDOWS\system32\Ati2evxx.dll [2008-12-01 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]

C:\WINDOWS\system32\avgrsstx.dll [2009-09-10 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

dederifor - {b507b37b-4b56-4635-9ebe-c58420add4f9}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]

ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53}

mujuzedij - {b507b37b-4b56-4635-9ebe-c58420add4f9}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"notification packages"=scecli

C:\WINDOWS\system32\pipiwuhi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

"NoSetActiveDesktop"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

"C:\Program Files\DNA\btdna.exe"="C:\Program Files\DNA\btdna.exe:*:Enabled:DNA"

"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"

"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Warcraft III\Frozen Throne.exe"="C:\Program Files\Warcraft III\Frozen Throne.exe:*:Enabled:Warcraft III - The Frozen Throne"

"C:\Program Files\Warcraft III\Warcraft III.exe"="C:\Program Files\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"

"C:\Program Files\EA Games\Ultima Online 2D Client\client.exe"="C:\Program Files\EA Games\Ultima Online 2D Client\client.exe:*:Enabled:Ultima Online Client"

"C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe"="C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad"

"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"

"C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Kamuse\KCSTrayDownloader\KCSTrayDownloaderEngine.exe"="C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Kamuse\KCSTrayDownloader\KCSTrayDownloaderEngine.exe:*:Enabled:KCSDownloaderEngine"

"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

"C:\WINDOWS\system32\winupdate.exe"="C:\WINDOWS\system32\winupdate.exe:*:Enabled:winupdate"

"C:\WINDOWS\system32\sorihade.exe"="C:\WINDOWS\system32\sorihade.exe:*:Enabled:sorihade"

"C:\WINDOWS\Temp\lsass.exe"="C:\WINDOWS\Temp\lsass.exe:*:Enabled:lsass"

"C:\WINDOWS\Temp\install.exe"="C:\WINDOWS\Temp\install.exe:*:Enabled:install"

"C:\WINDOWS\system32\ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe:*:Enabled:ctfmon"

"C:\Program Files\Mozilla Firefox\crashreporter.exe"="C:\Program Files\Mozilla Firefox\crashreporter.exe:*:Enabled:crashreporter"

"C:\WINDOWS\Temp\svchost.exe"="C:\WINDOWS\Temp\svchost.exe:*:Enabled:svchost"

"C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"="C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE:*:Enabled:SUPERAntiSpyware"

"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox"

"C:\Program Files\AVG\AVG8\avgam.exe"="C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe"

"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"

"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

shell\AutoRun\command - E:\autoplay.exe

======List of files/folders created in the last 1 months======

2009-09-11 16:12:35 ----D---- C:\rsit

2009-09-11 16:04:35 ----D---- C:\Program Files\Trend Micro

2009-09-11 14:51:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2009-09-11 14:32:10 ----HD---- C:\WINDOWS\PIF

2009-09-11 01:17:53 ----D---- C:\Program Files\Sophos

2009-09-10 23:10:54 ----A---- C:\WINDOWS\system32\aswBoot.exe

2009-09-10 23:10:52 ----D---- C:\Program Files\Alwil Software

2009-09-10 23:07:01 ----SHD---- C:\Config.Msi

2009-09-10 23:05:45 ----HD---- C:\$AVG8.VAULT$

2009-09-10 23:03:33 ----A---- C:\WINDOWS\system32\avgrsstx.dll

2009-09-10 23:03:01 ----D---- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

2009-09-10 23:02:34 ----D---- C:\Program Files\AVG

2009-09-10 23:02:33 ----D---- C:\Documents and Settings\All Users\Application Data\avg8

2009-09-10 22:56:51 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\AVG8

2009-09-10 21:53:54 ----D---- C:\Program Files\Common Files\ParetoLogic

2009-09-10 21:53:54 ----D---- C:\Documents and Settings\All Users\Application Data\ParetoLogic

2009-09-10 21:53:49 ----D---- C:\Documents and Settings\All Users\Application Data\XoftSpySE

2009-09-10 21:49:04 ----A---- C:\WINDOWS\SchedLgU.Txt

2009-09-10 21:37:04 ----A---- C:\WINDOWS\ntbtlog.txt

2009-09-10 21:27:55 ----N---- C:\WINDOWS\system32\SKYNETfjwxfyab.dll

2009-09-09 17:37:27 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\Simply Super Software

2009-09-09 17:09:18 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP

2009-09-09 17:08:56 ----A---- C:\WINDOWS\system32\ztvunrar36.dll

2009-09-09 17:08:56 ----A---- C:\WINDOWS\system32\ztvunace26.dll

2009-09-09 17:08:56 ----A---- C:\WINDOWS\system32\ztvcabinet.dll

2009-09-09 17:08:56 ----A---- C:\WINDOWS\system32\UNRAR3.dll

2009-09-09 17:08:56 ----A---- C:\WINDOWS\system32\unacev2.dll

2009-09-09 17:08:55 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software

2009-09-09 16:39:59 ----D---- C:\WINDOWS\system32\1033

2009-09-09 16:39:59 ----D---- C:\Program Files\xerox

2009-09-09 16:39:59 ----D---- C:\Program Files\windows nt

2009-09-09 16:39:58 ----D---- C:\Program Files\msn gaming zone

2009-09-09 13:04:39 ----A---- C:\WINDOWS\system32\braviax.exe.vir

2009-09-09 12:20:39 ----A---- C:\WINDOWS\pinor.bat

2009-09-09 12:20:39 ----A---- C:\WINDOWS\nodiwute.exe

2009-09-09 12:20:39 ----A---- C:\WINDOWS\igypisucu.vbs

2009-09-09 11:46:29 ----A---- C:\WINDOWS\system32\wisdstr.exe.vir

2009-09-09 11:18:20 ----A---- C:\WINDOWS\msa.exe.vir

2009-09-09 10:43:27 ----A---- C:\WINDOWS\braviax.exe.vir

2009-09-09 10:33:44 ----D---- C:\Documents and Settings\All Users\Application Data\15631714

2009-09-09 10:32:07 ----A---- C:\WINDOWS\system32\~.exe.vir

2009-08-16 08:22:35 ----DC---- C:\WINDOWS\system32\DRVSTORE

2009-08-16 08:17:05 ----HDC---- C:\Documents and Settings\All Users\Application Data\~0

2009-08-16 08:05:43 ----D---- C:\Program Files\Mozilla Firefox

2009-08-15 21:45:56 ----D---- C:\Documents and Settings\Compaq_Owner\Application Data\HpUpdate

2009-08-15 21:45:53 ----D---- C:\WINDOWS\Hewlett-Packard

======List of files/folders modified in the last 1 months======

2009-09-11 16:07:20 ----D---- C:\WINDOWS\Temp

2009-09-11 16:07:20 ----D---- C:\WINDOWS\system3


Welcome to Malwarebytes!!!!!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3


--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.


Thank you for replying, sjpritch25!

I followed your instructions and everything was working fine but.. ComboFix just got stuck while it was scanning my PC.

It reached stage 50 and just refused to go any further.. I don't believe it's a case of me not waiting long enough.

It did, however, let me know that my PC is definitely infected by a rootkit:

windows\system32\drivers\UACrrjxfqpppq.sys

windows\system32\drivers\UAChihensvxdq.dll

windows\system32\drivers\pulkapidlk.dll

windows\system32\drivers\UAChltdopejsv.dat

windows\system32\drivers\hafjyyylkt.dll

windows\system32\drivers\lguhtkmbfm.dll

I'll run it again and make sure.


No go on the ComboFix.

However, I did get HijackThis to work:

Logfile of HijackThis v1.99.1

Scan saved at 2:28:18 AM, on 9/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DNA\btdna.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\tcpsvcs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\ALCXMNTR.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

F2 - REG:system.ini: Shell=Explorer.exe tapi.nfo beforeglav

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -

O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207655416281

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} (AppCaller Control) - http://bombndash.com/common/AppCaller.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: dederifor - {b507b37b-4b56-4635-9ebe-c58420add4f9} - (no file)

O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)

O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

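The two logs posted so far already contain the tell-tale signs the later MBAM run confirms: the RSIT firewall dump lists "authorized applications" such as lsass.exe and svchost.exe running out of C:\WINDOWS\Temp, and the HijackThis F2 lines show extra programs appended to the Winlogon Shell and Userinit values. The script below is an added example, not code from this thread or from RSIT, HijackThis or Malwarebytes, that applies those two checks to sample lines copied from the logs above. It assumes a default Windows XP install on C: (so the stock Shell value is Explorer.exe, the stock Userinit is C:\WINDOWS\system32\userinit.exe, and the core system processes live in C:\WINDOWS\system32); the folder table and regexes are this example's own.

```python
import ntpath
import re

# Sample input, copied from the RSIT firewall dump and the HijackThis F2 lines
# posted in this thread; the script reads these constants, not the live registry.
RSIT_FIREWALL_LINES = [
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:firefox"',
    r'"C:\WINDOWS\system32\winupdate.exe"="C:\WINDOWS\system32\winupdate.exe:*:Enabled:winupdate"',
    r'"C:\WINDOWS\Temp\lsass.exe"="C:\WINDOWS\Temp\lsass.exe:*:Enabled:lsass"',
    r'"C:\WINDOWS\Temp\svchost.exe"="C:\WINDOWS\Temp\svchost.exe:*:Enabled:svchost"',
    r'"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"',
]
HJT_F2_LINES = [
    "F2 - REG:system.ini: Shell=Explorer.exe tapi.nfo beforeglav",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe",
]

# Where Windows XP keeps these binaries (assumption: default install on C:).
# The same file name in any other folder, Temp above all, is a masquerade.
SYSTEM_PROCESS_HOMES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Stock Winlogon values on XP (the "Good" values MBAM restores later in this thread).
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

FW_RE = re.compile(r'^"(?P<path>[^"]+)"="[^"]*:\*:(?P<state>\w+):(?P<label>[^"]*)"$')
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")


def check_firewall_exception(line):
    """Return the reasons one 'authorizedapplications' entry looks wrong.
    An empty list means nothing stood out, which is not the same as clean."""
    m = FW_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    folder, name = ntpath.split(m.group("path").lower())
    reasons = []
    if "\\temp\\" in folder + "\\":
        reasons.append("executable lives in a Temp folder")
    home = SYSTEM_PROCESS_HOMES.get(name)
    if home and folder != home:
        reasons.append(f"{name} outside its normal folder {home}")
    return reasons


def check_winlogon(line):
    """Parse a HijackThis F2 line; return (key, extras) where extras are the
    programs beyond the stock Shell / Userinit value, or None if not an F2 line."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key, value = m.group("key"), m.group("value").strip()
    if key == "Shell":
        parts = value.split()  # Shell is a space-separated program list
        expected = EXPECTED_SHELL
    else:
        parts = [p.strip() for p in value.split(",") if p.strip()]  # Userinit is comma-separated
        expected = EXPECTED_USERINIT
    return key, [p for p in parts if p.lower() != expected]


def triage(fw_lines, f2_lines):
    """Run both checks and keep only the entries that need a human look."""
    findings = {}
    for line in fw_lines:
        reasons = check_firewall_exception(line)
        if reasons:
            findings[line.split('"')[1]] = reasons
    for line in f2_lines:
        parsed = check_winlogon(line)
        if parsed and parsed[1]:
            findings["Winlogon " + parsed[0]] = parsed[1]
    return findings


if __name__ == "__main__":
    for item, why in triage(RSIT_FIREWALL_LINES, HJT_F2_LINES).items():
        print(item + "\n    " + "\n    ".join(why))
```

Run as-is, it reports the two Temp-folder entries and the two Winlogon additions and stays quiet about firefox.exe, winupdate.exe and C:\WINDOWS\explorer.exe. Note that "quiet" only means the entry matched no rule here; winupdate.exe in system32 is not a stock XP file and would still deserve a look by a helper reading the full log.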

Miraculously, I got mbam to work with some help and it detected 12 infected files, which were then removed. But I still believe that some are left over.

Anyway, here is the log from the scan:

Malwarebytes' Anti-Malware 1.41

Database version: 2794

Windows 5.1.2600 Service Pack 3

9/13/2009 7:46:35 PM

mbam-log-2009-09-13 (19-46-35).txt

Scan type: Quick Scan

Objects scanned: 99171

Time elapsed: 12 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 10

Folders Infected: 1

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{bca9b86c-91bc-11de-b1cd-35c755d89593} (Rogue.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetxtlirsip (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\15631714 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\braviax.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wisdstr.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\_scui.cpl.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\smss.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\braviax.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\15631714\15631714 (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\15631714\pc15631714ins (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\busoguze.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nowuvaku.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SKYNETvakcpbqe.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\SKYNETxpimmrsf.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Did a full scan and sure enough found more.

Malwarebytes' Anti-Malware 1.41

Database version: 2794

Windows 5.1.2600 Service Pack 3

9/13/2009 10:12:01 PM

mbam-log-2009-09-13 (22-12-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 170523

Time elapsed: 1 hour(s), 36 minute(s), 27 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UAClguhtkmbfm.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACpulkapidlk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP0\A0000003.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP0\A0000005.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G5IRODAN\bqqaob[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GXQVK9E3\qwxhuhvvjw[1].htm (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ODIVK9MN\xdajk[1].htm (Spyware.Banker) -> Quarantined and deleted successfully.


Nothing new, just detections from Combofix's quarantine folder and system restore. I would like to do an online scan.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.
  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.


Success.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Tuesday, September 15, 2009

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Tuesday, September 15, 2009 16:38:10

Records in database: 2824043

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan statistics:

Objects scanned: 72911

Threats found: 4

Infected objects found: 6

Suspicious objects found: 0

Scan duration: 04:00:58

File name / Threat / Threats count

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G5IRODAN\blattodea[1].htm Infected: Trojan-Downloader.JS.LuckySploit.q 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChafjyyylkt.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChihensvxdq.dll.vir Infected: Packed.Win32.TDSS.y 1

C:\WINDOWS\system32\~.exe.vir Infected: Packed.Win32.Krap.x 1

D:\I386\Apps\APP32073\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

D:\I386\Apps\APP32073\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1

Selected area has been scanned.

Link to post
Share on other sites
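The helper's earlier reasoning (hits inside ComboFix's Qoobox quarantine folder and inside System Restore points are not live infections) can be applied mechanically to a report in this format. The following Python is an added example written for this thread; it is not part of any post here and not Kaspersky or ComboFix tooling. The sample report reuses paths from the scan above plus one constructed "System Volume Information" line, and the classification rules are assumptions drawn from ComboFix's conventions on this page (the Qoobox quarantine folder and the ".vir" suffix it puts on neutralised files).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in Kaspersky Online Scanner 7's
# "File name / Threat / Threats count" format. The first three and the
# last path come from the report posted above; the "System Volume
# Information" line is made up to exercise the restore-point case.
SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\G5IRODAN\blattodea[1].htm Infected: Trojan-Downloader.JS.LuckySploit.q 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UAChafjyyylkt.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\WINDOWS\system32\~.exe.vir Infected: Packed.Win32.Krap.x 1
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP1\A0000001.exe Infected: Trojan.Win32.Placeholder.a 1
D:\I386\Apps\APP32073\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 1
Selected area has been scanned.
"""

# One finding per line: "<path> Infected: <threat name> <count>".
# The path may contain spaces, so it is matched lazily up to " Infected: ".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


@dataclass
class Finding:
    path: str
    threat: str
    count: int


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per 'Infected:' line; header and footer lines are skipped."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def classify(path: str, threat: str) -> str:
    """Bucket a hit by where it sits, mirroring the helper's triage (assumed rules)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"      # already neutralised by ComboFix; inert unless restored
    if "\\system volume information\\" in p:
        return "restore_point"    # only comes back if that restore point is used
    if p.endswith(".vir"):
        return "inert_leftover"   # renamed by ComboFix but left in place; delete it
    if threat.startswith("not-a-virus:"):
        return "riskware"         # adware/PUP, here on OEM recovery media; judgement call
    return "live"                 # an active file on disk that still needs removal


def triage(text: str) -> Dict[str, List[str]]:
    """Group every finding's path under its classification bucket."""
    buckets: Dict[str, List[str]] = {}
    for f in parse_report(text):
        buckets.setdefault(classify(f.path, f.threat), []).append(f.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_REPORT).items():
        print(f"{bucket}:")
        for p in paths:
            print(f"  {p}")
```

Run against the sample, only the cached exploit page under Content.IE5 lands in the "live" bucket, which matches the helper's follow-up request to delete that folder and the stray ~.exe.vir file while leaving the Qoobox quarantine alone.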

Note: You may need to unhide hidden files and folders.

Configure Windows XP to show hidden files:

Click Start. Open My Computer.

Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".

Uncheck the "Hide protected operating system files (recommended)" option.

Uncheck the "Hide file extensions for known file types" option.

Click Yes to confirm. Click OK.

Please DELETE the following folder(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.

Folders:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 <-- this folder

Please DELETE the following file(s) IF STILL PRESENT. You can use Windows Explorer to navigate or use Windows Search feature to locate them.

Files:

C:\WINDOWS\system32\~.exe.vir <-- this file

Go to Start ---> Run ---> Type Combo-Fix /u and press Enter.

How is everything running??

Link to post
Share on other sites

Okay, couldn't find Content.IE5 but found and deleted ~.exe.vir. I'm not sure about this Combo-Fix /u command as it gives me an error message... I assume it starts up Combofix which I did manually and it finally fully scanned. Looks like things are getting clean. As for how the PC runs, it runs seemingly normal now. And here is the log from Combofix:

ComboFix 09-09-14.02 - Compaq_Owner 09/15/2009 21:08.7.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.550 [GMT -7:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\cfix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Trend Micro Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\xuvipigigy.bin

c:\documents and settings\All Users\Application Data\yjufoz.pif

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\windows\igypisucu.vbs

c:\windows\isyxaq.reg

c:\windows\nodiwute.exe

c:\windows\osuxuse._dl

c:\windows\pinor.bat

c:\windows\system32\cyfusedi.ban

c:\windows\system32\ivynalod.ban

c:\windows\system32\jolup.bin

c:\windows\system32\mygig.dl

c:\windows\Tasks\At1.job

c:\windows\Tasks\At10.job

c:\windows\Tasks\At11.job

c:\windows\Tasks\At12.job

c:\windows\Tasks\At13.job

c:\windows\Tasks\At14.job

c:\windows\Tasks\At15.job

c:\windows\Tasks\At16.job

c:\windows\Tasks\At17.job

c:\windows\Tasks\At18.job

c:\windows\Tasks\At19.job

c:\windows\Tasks\At2.job

c:\windows\Tasks\At20.job

c:\windows\Tasks\At21.job

c:\windows\Tasks\At22.job

c:\windows\Tasks\At23.job

c:\windows\Tasks\At24.job

c:\windows\Tasks\At3.job

c:\windows\Tasks\At4.job

c:\windows\Tasks\At5.job

c:\windows\Tasks\At6.job

c:\windows\Tasks\At7.job

c:\windows\Tasks\At8.job

c:\windows\Tasks\At9.job

c:\windows\xynigig._dl

c:\windows\ycafa.pif

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))

.

2009-09-15 05:56 . 2009-09-16 04:13 1971232 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-15 05:56 . 2009-09-16 04:13 12320 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-14 08:26 . 2009-09-14 08:27 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-14 02:32 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-14 02:32 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-12 09:04 . 2009-09-14 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 06:17 . 2009-09-14 22:45 -------- d-----w- c:\program files\SpywareBlaster

2009-09-11 21:32 . 2009-09-11 21:42 -------- d--h--w- c:\windows\PIF

2009-09-11 06:05 . 2009-09-11 07:01 -------- d-----w- C:\$AVG8.VAULT$

2009-09-11 06:03 . 2009-09-11 06:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-11 06:03 . 2009-09-11 06:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-11 06:03 . 2009-09-11 06:03 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-11 06:03 . 2009-09-11 06:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-11 06:03 . 2009-09-16 01:09 -------- d-----w- c:\windows\system32\drivers\Avg

2009-09-11 06:03 . 2009-09-11 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-09-11 06:02 . 2009-09-11 06:02 -------- d-----w- c:\program files\AVG

2009-09-11 06:02 . 2009-09-11 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-11 04:53 . 2009-09-11 06:09 -------- d-----w- c:\program files\Common Files\ParetoLogic

2009-09-11 04:53 . 2009-09-11 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-11 04:53 . 2009-09-11 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2009-09-10 05:03 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-10 00:12 . 2009-09-10 00:12 28160 ----a-w- c:\windows\system32\drivers\beep.sys.vir

2009-09-10 00:09 . 2009-09-14 22:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-10 00:08 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2009-09-10 00:08 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2009-09-09 18:16 . 2005-11-14 15:24 -------- d-----w- c:\documents and settings\Administrator\WINDOWS

2009-09-09 18:16 . 2009-09-11 06:03 -------- d-----w- c:\documents and settings\Administrator

2009-09-09 17:33 . 2009-09-09 23:50 0 ----a-w- c:\windows\system32\drivers\d0aeb8a3.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-16 04:14 . 2008-01-29 09:35 -------- d-----w- c:\program files\DNA

2009-09-16 04:13 . 2009-09-15 05:56 27476 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-16 04:13 . 2009-09-15 05:56 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-15 21:06 . 2006-09-25 00:50 -------- d-----w- c:\program files\Warcraft III

2009-09-14 08:26 . 2006-04-05 22:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-13 09:01 . 2005-11-14 15:02 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-11 06:07 . 2009-08-16 15:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-09-11 04:40 . 2008-02-14 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-11 04:39 . 2009-07-04 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-10 04:38 . 2009-09-09 18:25 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-10 00:08 . 2009-09-10 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2009-09-09 18:18 . 2009-09-09 18:18 152576 ----a-w- c:\windows\msa.exe.vir

2009-09-09 16:41 . 2005-12-26 21:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec

2009-09-08 04:58 . 2007-04-27 22:29 -------- d-----w- c:\program files\Winamp

2009-08-25 19:57 . 2008-04-09 12:02 78473 ----a-w- c:\windows\War3Unin.dat

2009-08-14 13:58 . 2009-09-10 02:09 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-05 13:07 . 2005-11-14 14:54 -------- d-----w- c:\program files\Java

2009-07-28 08:53 . 2008-09-07 01:30 96 ---ha-w- c:\windows\system32\HsInfo.dat

2009-07-25 12:23 . 2008-12-15 19:18 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-08 17:28 . 2009-08-16 15:21 2920112 -c----w- c:\documents and settings\All Users\Application Data\~0\Ad-AwareAE.exe

2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2007-01-11 17:55 . 2006-02-06 02:11 39908144 --sha-w- c:\windows\system32\srsc.dat

2009-06-09 17:32 . 2009-06-09 17:32 49152 --sha-w- c:\windows\system32\tanovivo.dll.tmp

2009-06-09 17:32 . 2009-06-09 17:32 49152 --sha-w- c:\windows\system32\vajafeti.dll.tmp

2009-06-09 17:32 . 2009-06-09 17:32 49152 --sha-w- c:\windows\system32\zotokohu.dll.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-07-24 16:56 1062144 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-30 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-25 185896]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-11 2007832]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-11 06:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Kamuse\\KCSTrayDownloader\\KCSTrayDownloaderEngine.exe"=

"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16910:UDP"= 16910:UDP:CrashOnlineSend

"16900:UDP"= 16900:UDP:CrashOnlineRecv

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

"6112:TCP"= 6112:TCP:WarcraftIII

"9979:TCP"= 9979:TCP:BitCometLite 9979 TCP

"9979:UDP"= 9979:UDP:BitCometLite 9979 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/10/2009 11:03 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/10/2009 11:03 PM 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/10/2009 11:02 PM 297752]

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [3/30/2004 6:35 PM 201984]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/30/2004 6:35 PM 20864]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 11:56 AM 24652]

S1 d0aeb8a3;d0aeb8a3;c:\windows\system32\drivers\d0aeb8a3.sys [9/9/2009 10:33 AM 0]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/10/2009 11:02 PM 908056]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe --> c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [?]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe --> c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [?]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

S3 XDva005;XDva005;\??\c:\windows\system32\XDva005.sys --> c:\windows\system32\XDva005.sys [?]

S3 XDva052;XDva052;\??\c:\windows\system32\XDva052.sys --> c:\windows\system32\XDva052.sys [?]

S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop

IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} - hxxp://bombndash.com/common/AppCaller.ocx

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ok1f8xs0.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

SharedTaskScheduler-{b507b37b-4b56-4635-9ebe-c58420add4f9} - (no file)

SSODL-dederifor-{b507b37b-4b56-4635-9ebe-c58420add4f9} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-15 21:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset002\services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\B.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3860988392-394202172-423444945-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CB8AFF88-11E7-FF5F-4B34-C54C65D14204}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"abkmfejaedfnleaonmkaaecogflielpgpn"=hex:61,61,00,00

"bbkmfejaedfnleaonmjabhmilneafieoliic"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1856)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\windows\system32\tcpsvcs.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\wdfmgr.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-16 21:19 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-16 04:18

Pre-Run: 74,351,169,536 bytes free

Post-Run: 74,360,471,552 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4

286 --- E O F --- 2009-07-28 22:18

Link to post
Share on other sites

Download the attached file CFScript.txt to your Desktop

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: Please do not use this script on another computer; you may damage the system. The script is made especially for this user's computer only!!!!

Please navigate to the following file

C:\Qoobox\add-remove programs.txt.

In your next reply, please post the combofix log and add/remove programs log. Thanks

[Attachment: CFScript.txt]

Link to post
Share on other sites

Combofix Log

ComboFix 09-09-16.01 - Compaq_Owner 09/16/2009 14:07.8.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.881 [GMT -7:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Trend Micro Internet Security *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

FILE ::

"c:\windows\msa.exe.vir"

"c:\windows\system32\drivers\beep.sys.vir"

"c:\windows\system32\drivers\d0aeb8a3.sys"

"c:\windows\system32\tanovivo.dll.tmp"

"c:\windows\system32\vajafeti.dll.tmp"

"c:\windows\system32\zotokohu.dll.tmp"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Compaq_Owner\Cookies\dasyhoqa.dat

c:\documents and settings\Compaq_Owner\Cookies\eduwily.bat

c:\documents and settings\Compaq_Owner\Cookies\ezuhadymem.pif

c:\documents and settings\Compaq_Owner\Cookies\imamonasy.bat

c:\documents and settings\Compaq_Owner\Cookies\pobosijis._dl

c:\documents and settings\Compaq_Owner\Local Settings\Application Data\tawu.vbs

c:\windows\msa.exe.vir

c:\windows\system32\drivers\beep.sys.vir

c:\windows\system32\drivers\d0aeb8a3.sys

c:\windows\system32\tanovivo.dll.tmp

c:\windows\system32\vajafeti.dll.tmp

c:\windows\system32\zotokohu.dll.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_d0aeb8a3

((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))

.

2009-09-16 04:20 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

2009-09-16 04:20 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-09-15 05:56 . 2009-09-16 04:13 1971232 --sha-w- c:\windows\system32\drivers\fidbox.dat

2009-09-15 05:56 . 2009-09-16 04:13 12320 --sha-w- c:\windows\system32\drivers\fidbox2.dat

2009-09-14 08:26 . 2009-09-14 08:27 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-14 02:32 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-14 02:32 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-12 09:04 . 2009-09-14 02:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-12 06:17 . 2009-09-14 22:45 -------- d-----w- c:\program files\SpywareBlaster

2009-09-11 21:32 . 2009-09-11 21:42 -------- d--h--w- c:\windows\PIF

2009-09-11 06:05 . 2009-09-11 07:01 -------- d-----w- C:\$AVG8.VAULT$

2009-09-11 06:03 . 2009-09-11 06:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-11 06:03 . 2009-09-11 06:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-09-11 06:03 . 2009-09-11 06:03 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-11 06:03 . 2009-09-11 06:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-11 06:03 . 2009-09-16 19:36 -------- d-----w- c:\windows\system32\drivers\Avg

2009-09-11 06:03 . 2009-09-11 06:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-09-11 06:02 . 2009-09-11 06:02 -------- d-----w- c:\program files\AVG

2009-09-11 06:02 . 2009-09-11 06:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-11 05:56 . 2009-09-11 05:56 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVG8

2009-09-11 05:27 . 2009-09-11 05:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations

2009-09-11 04:53 . 2009-09-11 06:09 -------- d-----w- c:\program files\Common Files\ParetoLogic

2009-09-11 04:53 . 2009-09-11 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic

2009-09-11 04:53 . 2009-09-11 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2009-09-10 05:03 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-10 00:37 . 2009-09-10 00:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Simply Super Software

2009-09-10 00:28 . 2009-09-10 00:28 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\AVG Security Toolbar

2009-09-10 00:09 . 2009-09-14 22:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-10 00:08 . 2006-06-19 20:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll

2009-09-10 00:08 . 2006-05-25 22:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll

2009-09-10 00:08 . 2005-08-26 08:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll

2009-09-10 00:08 . 2003-02-03 03:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll

2009-09-10 00:08 . 2002-03-06 08:00 75264 ----a-w- c:\windows\system32\unacev2.dll

2009-09-10 00:08 . 2009-09-10 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software

2009-09-10 00:08 . 2009-09-10 00:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Simply Super Software

2009-09-09 23:39 . 2009-09-09 23:40 -------- d-----w- c:\windows\system32\1033

2009-09-09 19:54 . 2009-09-09 19:54 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-09-09 19:20 . 2009-09-09 19:20 16077 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\dacaziw.dat

2009-09-09 18:26 . 2009-09-09 18:26 -------- d-----w- c:\documents and settings\Administrator\Application Data\AdobeUM

2009-09-09 18:25 . 2009-09-09 18:26 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-09-09 18:25 . 2009-09-10 04:38 664 ----a-w- c:\windows\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-16 21:12 . 2008-01-29 09:35 -------- d-----w- c:\program files\DNA

2009-09-16 21:12 . 2008-01-29 09:35 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DNA

2009-09-16 04:13 . 2009-09-15 05:56 27476 --sha-w- c:\windows\system32\drivers\fidbox.idx

2009-09-16 04:13 . 2009-09-15 05:56 2228 --sha-w- c:\windows\system32\drivers\fidbox2.idx

2009-09-15 21:06 . 2006-09-25 00:50 -------- d-----w- c:\program files\Warcraft III

2009-09-14 08:26 . 2006-04-05 22:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-09-13 09:01 . 2005-11-14 15:02 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-09-11 06:07 . 2009-08-16 15:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0

2009-09-11 04:40 . 2008-02-14 11:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-11 04:39 . 2009-07-04 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-09 16:41 . 2005-12-26 21:46 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec

2009-09-08 04:58 . 2007-04-27 22:29 -------- d-----w- c:\program files\Winamp

2009-08-25 19:57 . 2008-04-09 12:02 78473 ----a-w- c:\windows\War3Unin.dat

2009-08-23 04:32 . 2009-08-16 04:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\HpUpdate

2009-08-14 13:58 . 2009-09-10 02:09 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-05 13:07 . 2005-11-14 14:54 -------- d-----w- c:\program files\Java

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-28 08:53 . 2008-09-07 01:30 96 ---ha-w- c:\windows\system32\HsInfo.dat

2009-07-25 12:23 . 2008-12-15 19:18 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 17:08 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll

2007-01-11 17:55 . 2006-02-06 02:11 39908144 --sha-w- c:\windows\system32\srsc.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-09-16_04.15.10 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-16 21:12 . 2009-09-16 21:12 16384 c:\windows\temp\Perflib_Perfdata_284.dat

+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe

+ 2004-08-04 19:00 . 2009-06-12 12:31 76288 c:\windows\system32\telnet.exe

- 2005-11-14 14:58 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe

+ 2005-11-14 14:58 . 2007-07-27 17:41 26488 c:\windows\system32\spupdsvc.exe

+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe

+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll

+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll

+ 2004-08-04 12:00 . 2009-06-10 14:13 84992 c:\windows\system32\avifil32.dll

- 2004-08-04 12:00 . 2008-04-14 00:11 84992 c:\windows\system32\avifil32.dll

+ 2009-07-12 07:02 . 2009-07-12 07:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll

- 2004-08-04 12:00 . 2008-04-14 00:12 132096 c:\windows\system32\wkssvc.dll

+ 2004-08-04 12:00 . 2009-06-10 06:14 132096 c:\windows\system32\wkssvc.dll

- 2004-08-04 12:00 . 2008-05-09 10:53 512000 c:\windows\system32\jscript.dll

+ 2004-08-04 12:00 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll

+ 2004-08-04 12:00 . 2009-07-13 17:08 286720 c:\windows\system32\dllcache\wmpdxm.dll

+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll

+ 2009-07-29 10:42 . 2009-08-05 09:01 204800 c:\windows\system32\dllcache\mswebdvd.dll

+ 2008-05-09 10:53 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll

- 2008-05-09 10:53 . 2008-05-09 10:53 512000 c:\windows\system32\dllcache\jscript.dll

+ 2009-09-16 07:02 . 2009-09-16 07:02 195584 c:\windows\Installer\9a1d63.msi

+ 2004-08-04 12:00 . 2009-05-20 19:44 2355200 c:\windows\system32\WMVCore.dll

- 2004-08-04 12:00 . 2007-04-30 15:20 5537792 c:\windows\system32\wmp.dll

+ 2004-08-04 12:00 . 2009-07-13 17:08 5537792 c:\windows\system32\wmp.dll

+ 2004-08-04 12:00 . 2009-06-10 16:19 2066432 c:\windows\system32\mstscax.dll

+ 2004-08-04 12:00 . 2009-05-20 19:44 2355200 c:\windows\system32\dllcache\WMVCore.dll

- 2004-08-04 12:00 . 2007-04-30 15:20 5537792 c:\windows\system32\dllcache\wmp.dll

+ 2004-08-04 12:00 . 2009-07-13 17:08 5537792 c:\windows\system32\dllcache\wmp.dll

+ 2004-08-04 12:00 . 2009-06-10 16:19 2066432 c:\windows\system32\dllcache\mstscax.dll

+ 2009-09-16 07:05 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-07-24 16:56 1062144 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1062144]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-11 39408]

"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-03-30 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 1605740]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-25 185896]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-11 2007832]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-14 27136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-11 06:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\DNA\\btdna.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=

"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=

"c:\\Program Files\\EA Games\\Ultima Online 2D Client\\client.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Documents and Settings\\Compaq_Owner\\Local Settings\\Application Data\\Kamuse\\KCSTrayDownloader\\KCSTrayDownloaderEngine.exe"=

"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=

"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"16910:UDP"= 16910:UDP:CrashOnlineSend

"16900:UDP"= 16900:UDP:CrashOnlineRecv

"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager

"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

"6112:TCP"= 6112:TCP:WarcraftIII

"9979:TCP"= 9979:TCP:BitCometLite 9979 TCP

"9979:UDP"= 9979:UDP:BitCometLite 9979 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/10/2009 11:03 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/10/2009 11:03 PM 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/4/2009 2:50 PM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/10/2009 11:02 PM 297752]

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\tmxpflt.sys [3/30/2004 6:35 PM 201984]

R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/30/2004 6:35 PM 20864]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 11:56 AM 24652]

S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/10/2009 11:02 PM 908056]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

S2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe --> c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [?]

S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]

S2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe --> c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [?]

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]

S3 XDva005;XDva005;\??\c:\windows\system32\XDva005.sys --> c:\windows\system32\XDva005.sys [?]

S3 XDva052;XDva052;\??\c:\windows\system32\XDva052.sys --> c:\windows\system32\XDva052.sys [?]

S3 XDva189;XDva189;\??\c:\windows\system32\XDva189.sys --> c:\windows\system32\XDva189.sys [?]

S3 XoftSpyService;XoftSpyService;"c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe" --> c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop

IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} - hxxp://bombndash.com/common/AppCaller.ocx

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\ok1f8xs0.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-16 14:12

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset002\services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\B.tmp"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3860988392-394202172-423444945-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CB8AFF88-11E7-FF5F-4B34-C54C65D14204}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"abkmfejaedfnleaonmkaaecogflielpgpn"=hex:61,61,00,00

"bbkmfejaedfnleaonmjabhmilneafieoliic"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(792)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(920)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\windows\system32\tcpsvcs.exe

c:\windows\system32\wdfmgr.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

.

**************************************************************************

.

Completion time: 2009-09-16 14:16 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-16 21:16

Pre-Run: 74,376,105,984 bytes free

Post-Run: 74,484,834,304 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=,1,2,3,4

308 --- E O F --- 2009-09-16 07:12

Add/Remove Log:

Adobe Flash Player 10 Plugin

Adobe Flash Player ActiveX

Adobe Reader 7.0

Adobe Shockwave Player

AIM 6

Apple Software Update

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Display Driver

AVG 8.5

BitTorrent

BufferChm

Catalyst Control Center - Branding

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

Catalyst Control Center HydraVision Full

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help English

CCleaner (remove only)

Compaq Organize

CP_AtenaShokunin1Config

CP_CalendarTemplates1

cp_LightScribeConfig

cp_LightScribePlugin

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

CueTour

Destinations

DeviceManagementQFolder

DivX Web Player

DNA

Full Tilt Poker

FullDPAppQFolder

Google Toolbar for Internet Explorer

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

HP Boot Optimizer

HP Image Zone 5.3

HP Imaging Device Functions 5.3

HP Update

HpSdpAppCoreApp

InstantShareDevices

Java 6 Update 15

Java 6 Update 7

LimeWire 4.16.7

Malwarebytes' Anti-Malware

Managed DirectX (0901)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework SDK (English) 1.1

Microsoft ActiveX Control Pad

Microsoft AppLocale

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Windows Application Compatibility Database

Microsoft Works

Mozilla Firefox (3.5.3)

PhotoGallery

QuickTime

RandMap

RealPlayer

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Skins

SkinsHP1

Sonic_PrimoSDK

SpywareBlaster 4.2

SUPERAntiSpyware Free Edition

Ultima Online 2D Client

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB953356)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.762

VideoLAN VLC media player 0.8.6b

Viewpoint Media Player

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

Warcraft III: All Products

WebFldrs XP

Winamp

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:22:47 PM, on 9/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\tcpsvcs.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DNA\btdna.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\ALCXMNTR.EXE

c:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - (no file)

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - (no file)

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - (no file)

O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -

O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownlo...Plugin11USA.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1207655416281

O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab

O16 - DPF: {CFD7D0F6-CCAF-4FFA-9D7F-CE9B65F562EC} (AppCaller Control) - http://bombndash.com/common/AppCaller.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)

O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)

O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

--

End of file - 8831 bytes


I was under attack once again. System Security 2009, among other nasties, was on my PC again. I barely managed to remove them with mbam and sas. I say barely because it wouldn't let me do anything, but I finally tried logging onto another user name and it surprisingly worked. My PC is still infected because I'm running sas at the moment and I still see the nasties I just removed with mbam:

Adware.Vundo/Variant-EC

Adware.Tracking Cookie

Rogue.SystemSecurity

Rogue.Agent/Gen

So either these nasties were not completely removed in the first place and/or my anti-virus completely sucks :[

I use AVG Free and I think it's completely useless. It doesn't even scan: I press Scan Whole Computer and it doesn't do anything. I just keep it because it supposedly has a working anti-virus and anti-spyware...
