fakealert.mn

Woodville Deb · September 28, 2009

Please help me in removing fakealert.mn, Malware Remover will not load, neither will sever others i have tried. I have tried to run AVG in safe mode but it will not remove it either. I have seen where someone has helped removing a malware that had the same symptoms. Is there any one who can help me with this. Thanks in advance. Debbie

Woodville Deb · September 28, 2009

I have an XP Home machine, I have seen where other people have run Combofix. Does anyone think that this is the way to start? Thanks to all in advance, Debbie

screen317 · September 28, 2009

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

If ComboFix will not run, do this instead:

Download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply.

-screen317

Woodville Deb · September 28, 2009

Avira finished running and got rid of the popups. I was able to run Combofix it ran and here is the log that it printed out. Thank you so much! If I could only send chocloate chip cokies over the internet. Here is the log Combfix printed out. Please let me know what else i need to do. Thanks again. Debbie

ComboFix 09-09-27.05 - Owner 09/28/2009 16:29.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.471 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\INSTALL.LOG

c:\program files\Protection System

c:\program files\Protection System\core.cga

c:\program files\Protection System\coreext.dll

c:\program files\Protection System\firewall.dll

c:\program files\Protection System\help.ico

c:\program files\Protection System\uninstall.exe

c:\program files\WinBudget

c:\program files\WinBudget\bin\matrix.dat

c:\windows\Installer\355746.msi

c:\windows\Installer\584c5e.msi

c:\windows\Installer\680a85.msi

c:\windows\Installer\680a9a.msi

c:\windows\Installer\7f04f.msi

c:\windows\Installer\80edc1.msi

c:\windows\Installer\d2367.msi

c:\windows\Installer\f1a07.msi

c:\windows\system32\_004481_.tmp.dll

c:\windows\system32\_004482_.tmp.dll

c:\windows\system32\_004483_.tmp.dll

c:\windows\system32\_004484_.tmp.dll

c:\windows\system32\_004491_.tmp.dll

c:\windows\system32\_004492_.tmp.dll

c:\windows\system32\_004493_.tmp.dll

c:\windows\system32\_004495_.tmp.dll

c:\windows\system32\_004496_.tmp.dll

c:\windows\system32\_004497_.tmp.dll

c:\windows\system32\_004499_.tmp.dll

c:\windows\system32\_004500_.tmp.dll

c:\windows\system32\_004502_.tmp.dll

c:\windows\system32\_004503_.tmp.dll

c:\windows\system32\_004504_.tmp.dll

c:\windows\system32\_004506_.tmp.dll

c:\windows\system32\_004509_.tmp.dll

c:\windows\system32\_004510_.tmp.dll

c:\windows\system32\_004514_.tmp.dll

c:\windows\system32\_004515_.tmp.dll

c:\windows\system32\_004517_.tmp.dll

c:\windows\system32\_004520_.tmp.dll

c:\windows\system32\_004522_.tmp.dll

c:\windows\system32\_004523_.tmp.dll

c:\windows\system32\_004524_.tmp.dll

c:\windows\system32\_004525_.tmp.dll

c:\windows\system32\_004528_.tmp.dll

c:\windows\system32\_004529_.tmp.dll

c:\windows\system32\_004530_.tmp.dll

c:\windows\system32\_004531_.tmp.dll

c:\windows\system32\_004532_.tmp.dll

c:\windows\system32\_004537_.tmp.dll

c:\windows\system32\_004539_.tmp.dll

c:\windows\system32\adeeg.bak1

c:\windows\system32\adeeg.bak2

c:\windows\system32\adeeg.tmp

c:\windows\system32\drivers\UACpeyksxcujn.sys

c:\windows\system32\huucjpmv.ini

c:\windows\system32\superiorads-uninst.exe

c:\windows\system32\SYSInfo.ocx

c:\windows\system32\tmp39.tmp

c:\windows\system32\UACbeukuptiej.dll

c:\windows\system32\UACcfmpuwylkr.log

c:\windows\system32\UACgvjlgrmmgn.dll

c:\windows\system32\UAChcnvddiugi.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACkodwqquxsl.dat

c:\windows\system32\UACyrnwcokvuw.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))

.

2009-09-28 20:49 . 2009-09-28 20:49 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-09-28 20:45 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-28 20:45 . 2009-09-28 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-28 20:45 . 2009-09-28 20:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 20:45 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-28 18:43 . 2009-09-28 18:43 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-09-28 18:39 . 2009-07-28 21:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-09-28 18:39 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-09-28 18:39 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-09-28 18:39 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-09-28 18:39 . 2009-09-28 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-09-28 18:39 . 2009-09-28 18:39 -------- d-----w- c:\program files\Avira

2009-09-26 00:51 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys

2009-09-26 00:51 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys

2009-09-26 00:51 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys

2009-09-26 00:51 . 2009-09-26 00:51 -------- d-----w- c:\program files\Common Files\PC Tools

2009-09-26 00:51 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys

2009-09-26 00:51 . 2009-09-28 18:12 -------- d-----w- c:\program files\Spyware Doctor

2009-09-26 00:51 . 2009-09-26 00:51 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools

2009-09-26 00:51 . 2009-09-26 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

2009-09-25 17:07 . 2009-08-28 01:14 81920 ----a-w- c:\windows\eSellerateControl350.dll

2009-09-25 17:07 . 2009-08-28 01:14 356352 ----a-w- c:\windows\eSellerateEngine.dll

2009-09-25 17:06 . 2009-09-25 17:08 -------- d-----w- c:\program files\FakeAlert Removal Tool

2009-09-25 12:28 . 2009-09-25 12:28 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-25 12:28 . 2009-09-25 12:28 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-17 04:20 . 2009-09-18 00:40 -------- d-----w- c:\documents and settings\Owner\Application Data\IObit

2009-09-17 04:20 . 2009-09-17 04:20 -------- d-----w- c:\program files\IObit

2009-09-13 19:24 . 2009-09-15 21:07 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache

2009-09-09 22:28 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-09-04 14:59 . 2009-09-04 14:59 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8

2009-09-04 02:00 . 2009-09-04 02:00 -------- d-----w- c:\program files\My Downloaded Games

2009-09-04 02:00 . 2009-09-04 02:00 -------- d-----w- c:\program files\BoontyGames

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-28 18:50 . 2007-03-11 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-28 18:45 . 2007-05-22 22:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-09-28 18:08 . 2007-03-11 11:38 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-25 00:05 . 2008-08-30 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-09-23 03:40 . 2007-03-29 02:10 -------- d-----w- c:\program files\TestWorks

2009-09-10 17:02 . 2007-09-08 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-28 15:48 . 2007-03-16 04:21 244056 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-24 01:03 . 2009-08-24 01:03 -------- d-----w- c:\program files\MAXA Cookie Manager

2009-08-14 11:58 . 2009-09-26 00:51 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat

2009-08-05 09:01 . 2004-08-12 13:01 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-30 14:11 . 2008-08-30 22:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-07-30 14:11 . 2008-08-30 22:41 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-07-30 14:11 . 2008-08-30 22:41 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-07-17 19:01 . 2004-08-12 12:55 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-12 13:10 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2007-02-19 15:15 915456 ----a-w- c:\windows\system32\wininet.dll

2003-12-18 16:33 . 2009-09-13 19:23 20102 ----a-w- c:\program files\Readme.txt

2003-09-03 12:46 . 2009-09-13 19:23 10960 ----a-w- c:\program files\EULA.txt

2004-08-12 13:07 . 2004-08-12 13:07 94784 --sh--w- c:\windows\twain.dll

2008-04-14 00:12 . 2008-10-29 00:46 413696 --sha-w- c:\windows\system32\SET29B.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Blue]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Red]

@="{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}"

[HKEY_CLASSES_ROOT\CLSID\{01CCCC8C-1D50-4b13-B96D-4B922DD3128B}]

2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2009-01-09 21:13 583312 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Coast to Coast AM"="c:\program files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe" [2005-06-08 983040]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-06-30 2329224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-17 2022680]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-07-30 14:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]

backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk.disabled]

backup=c:\windows\pss\InterVideo WinCinema Manager.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk.disabled]

backup=c:\windows\pss\QuickBooks 2002 Delivery Agent.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Yahoo! Autosync.lnk]

backup=c:\windows\pss\Yahoo! Autosync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk]

backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^ID Vault.lnk]

backup=c:\windows\pss\ID Vault.lnkStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Size grid

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"KodakDigitalDisplayService"=2 (0x2)

"iPod Service"=3 (0x3)

"IntuitUpdateService"=2 (0x2)

"gusvc"=2 (0x2)

"Fax"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"MMTray"=c:\program files\MusicMatch\MusicMatch Jukebox\mm_tray.exe

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe"

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"nwiz"=nwiz.exe /install

"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

"NeroCheck"=c:\windows\system32\NeroCheck.exe

"EM_EXEC"=c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=

"c:\\Program Files\\Sierra\\Homeworld2\\Bin\\Release\\Homeworld2.exe"=

"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=

"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=

"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/30/2008 5:41 PM 12552]

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/25/2009 7:51 PM 206256]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/30/2008 5:41 PM 335240]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/30/2008 5:41 PM 108552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/28/2009 1:39 PM 108289]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/8/2009 9:52 AM 297752]

R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/26/2009 9:28 PM 1370488]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]

R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/25/2009 7:51 PM 348752]

R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [8/30/2008 5:41 PM 29208]

R3 SMCSTUB;SMCSTUB;c:\windows\system32\drivers\smcstub.sys [10/15/2007 10:21 AM 55680]

S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [8/30/2008 5:41 PM 29208]

S3 cdiskdun;cdiskdun;\??\c:\docume~1\Owner\LOCALS~1\Temp\cdiskdun.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cdiskdun.sys [?]

S3 EGEARAspiWD;EGEARAspiWD;\??\c:\docume~1\Owner\LOCALS~1\Temp\EGEARAspiWD.sys --> c:\docume~1\Owner\LOCALS~1\Temp\EGEARAspiWD.sys [?]

S3 mtsftkey;mtsftkey;c:\windows\system32\drivers\mtsftkey.sys [10/15/2007 10:21 AM 60032]

S3 pafd;pafd;\??\c:\docume~1\Owner\LOCALS~1\Temp\pafd.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pafd.sys [?]

S4 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [8/14/2008 1:10 PM 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-20 c:\windows\Tasks\Registry Medic Schedule.job

- c:\program files\Registry Medic\RegMedic.exe [2007-05-28 23:11]

2007-05-26 c:\windows\Tasks\RegistryMedicAuotScan.job

- c:\program files\Registry Medic\RegMedical.exe [2007-05-25 00:14]

2009-09-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2007-03-11 20:31]

2009-08-27 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-10-12 20:31]

2009-09-28 c:\windows\Tasks\User_Feed_Synchronization-{D8F08181-DAC3-43EA-A58F-2C9409863ECB}.job

- c:\windows\system32\msfeedssync.exe [2007-02-19 09:31]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://coasttocoastam.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: {0F06A1AD-90E2-4052-ACE0-BF85E8313AD1} = 205.152.132.32,205.152.37.23

DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2dkbw6yd.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=

FF - prefs.js: browser.search.selectedEngine - Ixquick

FF - prefs.js: browser.startup.homepage - hxxp://www.coasttocoastam.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 16000

FF - user.js: browser.chrome.favicons - fales

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.max.tokenizing.time - 3000000

FF - user.js: content.maxtextrun - 4095

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 1000000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 1000000

FF - user.js: dom.disable_window_status_change - true

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 1000

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

.

- - - - ORPHANS REMOVED - - - -

BHO-{9C4DE643-2FDA-469F-8881-4EB3C137F1D4} - (no file)

Notify-geeda - (no file)

Notify-WgaLogon - (no file)

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

AddRemove-Protection System - c:\program files\Protection System\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-28 16:49

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.bcp\PersistentHandler]

@DACL=(02 0000)

@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Classes\.pot\PersistentHandler]

@DACL=(02 0000)

@="{98de59a0-d175-11cd-a7bd-00006b827d94}"

[HKEY_LOCAL_MACHINE\software\Classes\.pps\PersistentHandler]

@DACL=(02 0000)

@="{98de59a0-d175-11cd-a7bd-00006b827d94}"

[HKEY_LOCAL_MACHINE\software\Classes\.ppt\PersistentHandler]

@DACL=(02 0000)

@="{98de59a0-d175-11cd-a7bd-00006b827d94}"

[HKEY_LOCAL_MACHINE\software\Classes\.prc\PersistentHandler]

@DACL=(02 0000)

@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Classes\.rtf\PersistentHandler]

@DACL=(02 0000)

@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"

[HKEY_LOCAL_MACHINE\software\Classes\.srf\PersistentHandler]

@DACL=(02 0000)

@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\software\Classes\.trg\PersistentHandler]

@DACL=(02 0000)

@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Classes\.user\PersistentHandler]

@DACL=(02 0000)

@="{eec97550-47a9-11cf-b952-00aa0051fe20}"

[HKEY_LOCAL_MACHINE\software\Classes\.xls\PersistentHandler]

@DACL=(02 0000)

@="{98de59a0-d175-11cd-a7bd-00006b827d94}"

[HKEY_LOCAL_MACHINE\software\Classes\.xlt\PersistentHandler]

@DACL=(02 0000)

@="{98de59a0-d175-11cd-a7bd-00006b827d94}"

[HKEY_LOCAL_MACHINE\software\Classes\.xslt\PersistentHandler]

@DACL=(02 0000)

@="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}"

[HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]

@DACL=(02 0000)

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2856)

c:\windows\system32\WININET.dll

c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\scardsvr.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe

c:\progra~1\AVG\AVG8\avgam.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\tcpsvcs.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\windows\system32\searchindexer.exe

.

**************************************************************************

.

Completion time: 2009-09-28 17:04 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-28 22:04

Pre-Run: 106,685,128,704 bytes free

Post-Run: 106,610,241,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

447 --- E O F --- 2009-09-10 17:07

Woodville Deb · September 29, 2009

Ran Malwarebyte and HJT here are there print outs....

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:43:00 PM, on 9/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgfws8.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\IObit\Advanced SystemCare 3\IObitUpdate.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://coasttocoastam.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {9C4DE643-2FDA-469F-8881-4EB3C137F1D4} - (no file)

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Owner\Desktop\Malwarebytes' Anti-Malware\try this.exe" /runcleanupscript

O4 - HKCU\..\Run: [Coast to Coast AM] C:\Program Files\Coast to Coast AM Media Center\Coast to Coast AM Media Center.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F06A1AD-90E2-4052-ACE0-BF85E8313AD1}: NameServer = 205.152.132.32,205.152.37.23

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: geeda - C:\WINDOWS\

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--

End of file - 10345 bytes

*********************

Malwarebytes' Anti-Malware 1.41

Database version: 2869

Windows 5.1.2600 Service Pack 3

9/28/2009 9:38:34 PM

mbam-log-2009-09-28 (21-38-34).txt

Scan type: Full Scan (C:\|)

Objects scanned: 313195

Time elapsed: 1 hour(s), 36 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 9

Registry Values Infected: 2

Registry Data Items Infected: 1

Folders Infected: 2

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.host-domain-lookup.com (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\Owner\Start Menu\Programs\BitDownload (Trojan.Swizzor) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\superiorads-uninst.exe.vir (Adware.AdRotator) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACgvjlgrmmgn.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACyrnwcokvuw.dll.vir (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1CBF298F-19C3-426B-8501-5E6F25609C70}\RP0\A0000003.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1CBF298F-19C3-426B-8501-5E6F25609C70}\RP0\A0000005.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{1CBF298F-19C3-426B-8501-5E6F25609C70}\RP1\A0000092.exe (Adware.AdRotator) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\BitDownload\BitDownload Downloads.lnk (Trojan.Swizzor) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

screen317 · September 30, 2009

Hello,

My apologies for the delay.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

Driver::
cdiskdun
EGEARAspiWD
pafd

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also update MBAM. run a Quick Scan, and post its log.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

Click Start Scanning.
You should get a notification bar (on top) to install the ActiveX control.
Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here.
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

screen317 · October 1, 2009

Hi,

There is no need to send me PMs...

Post everything in this thead.

Get a fresh copy of ComboFix and run this script instead:

Driver::
cdiskdun
EGEARAspiWD
pafd
KILLALL::

Woodville Deb · October 1, 2009

Thanks for replying, I am trying to run combofix but combofix has stopped at stage 5 for an hour now. What do I do?

Woodville Deb · October 1, 2009

Should I reboot? I tried to X it but it will not stop running.

screen317 · October 1, 2009

Press CTRL + ALT + DEL, then end any Processes that end in .cfexe

Woodville Deb · October 1, 2009

I did not reboot and could not stop the other one from running. I ran the new one and it removed the old one and seems to working fine now.

Thanks,

I will keep you posted.

Woodville Deb · October 1, 2009

Here is Combo Fix log, HJD Log and MBAM log .... Running the F- Secure online scanner and security Next .... will post them next...

Combo Fix Log...............................

ComboFix 09-09-30.05 - Owner 09/30/2009 23:20.3.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.990.440 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CDISKDUN

-------\Legacy_EGEARASPIWD

-------\Legacy_PAFD

-------\Service_cdiskdun

-------\Service_EGEARAspiWD

-------\Service_pafd

((((((((((((((((((((((((( Files Created from 2009-09-01 to 2009-10-01 )))))))))))))))))))))))))))))))

.

2009-10-01 02:40 . 2009-10-01 04:17 -------- d-----w- C:\Combo-Fix

2009-09-30 19:43 . 2009-09-30 19:43 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\WMTools Downloaded Files

2009-09-30 19:07 . 2009-09-30 19:07 -------- d-----w- c:\program files\Common Files\xing shared

2009-09-29 03:26 . 2009-09-29 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-29 03:26 . 2009-09-29 03:26 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-09-29 03:26 . 2009-09-29 03:26 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2009-09-29 02:42 . 2009-09-29 02:42 -------- d-----w- c:\program files\Trend Micro