removed trojans


Hello. New here. I can't take the hours of trying to figure out these problems.

What happened: I turned on my rig one day and got the message "Your AVG has been infected, would you like to run a scan?" I have seen this before and knew it was a virus. I closed out and restarted in safe mode, ran your Malwarebytes program and removed the following: Trojan.FakeAV and Trojan.FakeAlert.

After this all seemed fine until my boy got on Steam. It seemed my Internet Explorer would not connect. Not a big deal to me because I use Firefox, but I learned many programs still use it (such as Steam and GPGNet). After hours of reading and trying things, I found that the proxy was turned on in IE. I turned it off and everything was well.

It still seems to be buggy. My daughter can no longer use Happy Pets on Facebook (Firefox will crash) and one of my boys' games (Garry's Mod) keeps crashing. This did not happen before the invasion.

I ran ComboFix.

And HijackThis.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:32:44 PM, on 2/20/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\ASUS\TurboV\TurboV.exe

C:\Program Files\ASUS\EPU\EPU.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\ASUS\Ai Suite\Q-Button\QButton.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Secunia\PSI\psi.exe

C:\Program Files\Philips\VOIP080\VOIP080.exe

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PSIService.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

c:\program files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe"

O4 - HKLM\..\Run: [six Engine] "C:\Program Files\ASUS\EPU\EPU.exe" -r

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\Q-Button\QButton.exe"

O4 - HKLM\..\Run: [QFan Help] "C:\Program Files\ASUS\Ai Suite\QFan3\QFanHelp.exe"

O4 - HKLM\..\Run: [Cpu Level Up help] "C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe"

O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe

O4 - Startup: VOIP080.lnk = C:\Program Files\Philips\VOIP080\VOIP080.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm

O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O22 - SharedTaskScheduler: RsradiciDfs - {35C11871-DC11-4B60-9943-7C712A2CA0BA} - C:\WINDOWS\system32\rsradici.dll

O23 - Service: AODService - Unknown owner - C:\Program.exe (file missing)

O23 - Service: ASUS System Control Service (AsSysCtrlService) - Unknown owner - C:\Program Files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--

End of file - 8125 bytes

If you experts see anything wrong or have some suggestions, I would love to hear them.

Thanks!!

Hi DangurXtreme And

:lol:

Can you post it, please? In your C: or main drive you'll see "ComboFix.txt".

Things seem to be running better since ComboFix, so I hope it is all good now.

ComboFix 10-02-20.03 - Owner 02/20/2010 17:07:53.1.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3327.2541 [GMT -5:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\cbxxaw

c:\documents and settings\Owner\Local Settings\Application Data\cbxxaw\lbgasftav.exe

c:\program files\Common Files\Uninstall

c:\windows\system32\drivers\ndisrd.sys

c:\windows\system32\ndisapi.dll

c:\windows\system32\SIntf16.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NDISRD

-------\Service_NDISRD

((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))

.

2010-02-20 20:55 . 2010-02-20 20:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-20 20:55 . 2010-02-20 20:55 -------- d-----w- c:\program files\TrendMicro

2010-02-18 08:08 . 2004-08-04 12:00 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll

2010-02-18 08:07 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-02-18 08:06 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-02-18 07:49 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-02-18 07:49 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

2010-02-18 07:49 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-02-18 07:49 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-02-18 07:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-18 07:24 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-18 06:56 . 2010-02-18 07:09 -------- d-----w- c:\program files\Microsoft User Agent String Utility

2010-02-18 06:37 . 2010-02-18 06:37 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2010-02-18 06:36 . 2010-02-18 06:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2010-02-18 06:23 . 2010-02-18 06:23 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2010-02-18 06:20 . 2010-02-18 06:21 -------- dc-h--w- c:\windows\ie8

2010-02-18 05:34 . 2010-02-18 05:34 5566 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\Uninstall_VOIP080_5491307BD2EB442BA420280A3BCF51DF.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\VOIP080.exe1_EE47EBFF21DA457CB2242C05E2C212D4.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\VOIP080.exe_EE47EBFF21DA457CB2242C05E2C212D4.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\NewShortcut1_EE47EBFF21DA457CB2242C05E2C212D4.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\ARPPRODUCTICON.exe

2010-02-18 05:34 . 2010-02-18 05:34 -------- d-----w- c:\program files\Philips

2010-02-18 04:06 . 2010-02-18 04:06 15849560 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\selfextractor_air_1.5.3.exe

2010-02-18 04:05 . 2010-02-18 04:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-02-18 04:00 . 2010-02-18 04:59 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-15 16:27 . 2010-02-15 16:27 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-02-15 16:19 . 2010-02-15 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-02-15 16:19 . 2010-02-15 16:19 1025992 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe

2010-02-15 16:19 . 2010-02-18 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-02-15 06:43 . 2010-02-15 06:43 -------- d-----w- c:\program files\Secunia

2010-02-15 06:33 . 2010-02-15 06:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Move Networks

2010-02-15 06:33 . 2010-02-15 06:33 1794896 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071706000001.exe

2010-02-13 14:38 . 2010-01-06 17:08 4726272 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\cooliris190.dll

2010-02-13 14:38 . 2010-01-06 17:08 103424 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

2010-02-13 14:38 . 2010-01-06 17:08 545280 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2010-02-13 14:38 . 2010-01-06 17:08 4725760 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\cooliris192.dll

2010-02-13 14:38 . 2010-01-06 17:08 57856 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

2010-02-13 14:38 . 2010-01-06 17:08 153600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2010-02-13 14:38 . 2010-01-06 17:08 344064 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2010-02-07 00:48 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-02-07 00:48 . 2008-04-14 10:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-02-07 00:48 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-01-27 03:31 . 2010-01-27 03:31 -------- d-----w- c:\program files\Common Files\Java

2010-01-27 03:31 . 2010-01-27 03:31 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-351646aa-n\msvcp71.dll

2010-01-27 03:31 . 2010-01-27 03:31 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-351646aa-n\jmc.dll

2010-01-27 03:31 . 2010-01-27 03:31 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-351646aa-n\msvcr71.dll

2010-01-27 03:31 . 2010-01-27 03:31 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-53eee55a-n\decora-sse.dll

2010-01-27 03:31 . 2010-01-27 03:31 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-53eee55a-n\decora-d3d.dll

2010-01-24 21:30 . 2010-02-18 04:06 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-01-24 21:30 . 2010-02-18 04:06 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-01-24 21:30 . 2010-02-18 04:06 -------- d-----w- c:\program files\Common Files\Adobe AIR

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-20 22:14 . 2009-02-10 10:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2010-02-20 22:13 . 2009-02-10 10:34 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2010-02-20 21:51 . 2009-02-10 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-02-20 20:26 . 2009-02-12 00:18 -------- d-----w- c:\program files\Steam

2010-02-18 08:15 . 2009-02-09 06:06 27400 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-18 08:05 . 2009-02-09 05:57 23348 -c--a-w- c:\windows\system32\emptyregdb.dat

2010-02-18 07:24 . 2010-01-06 04:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-18 06:36 . 2009-06-23 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-02-18 04:55 . 2009-02-10 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-17 15:36 . 2010-01-15 06:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-15 06:33 . 2009-05-20 22:45 144162 -c--a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe

2010-02-15 06:33 . 2009-03-04 06:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks

2010-02-15 06:33 . 2009-12-18 03:27 5603776 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll

2010-01-27 03:31 . 2009-10-06 05:59 -------- d-----w- c:\program files\Java

2010-01-25 09:07 . 2009-08-13 07:49 -------- d-----w- c:\program files\JKdefrag

2010-01-24 21:30 . 2009-08-16 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-01-18 07:23 . 2009-08-17 18:42 -------- d-----w- c:\documents and settings\Owner\Application Data\SPORE

2010-01-18 06:50 . 2009-02-09 06:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-15 06:27 . 2010-01-15 06:27 -------- d-----w- c:\program files\Common Files\PC Tools

2009-12-30 02:17 . 2009-12-30 02:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}

2009-12-30 02:03 . 2009-08-16 22:00 -------- d-----w- c:\program files\Electronic Arts

2009-12-30 02:02 . 2009-08-16 22:10 4468 ----a-w- c:\windows\system32\ealregsnapshot1.reg

2009-12-27 15:32 . 2009-12-27 15:32 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat

2009-12-27 09:11 . 2009-12-19 18:36 -------- d-----w- c:\program files\HP Games

2009-12-27 09:11 . 2009-12-19 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent

2009-12-26 20:36 . 2009-12-26 20:36 -------- d-----w- c:\program files\GameSpy

2009-12-26 20:32 . 2009-02-11 06:06 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-12-26 20:32 . 2009-02-11 06:06 22328 -c--a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys

2009-12-26 20:32 . 2009-02-11 06:06 22328 -c--a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys

2009-12-26 20:32 . 2009-02-11 06:06 103736 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-12-26 20:32 . 2009-02-11 06:06 669184 -c--a-w- c:\windows\system32\pbsvc.exe

2009-12-26 20:32 . 2009-02-11 06:06 66872 ----a-w- c:\windows\system32\PnkBstrA.exe

2009-12-25 16:09 . 2009-12-25 16:09 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM

2009-12-25 15:59 . 2009-12-25 15:59 -------- d-----w- c:\program files\2K Games

2009-12-25 15:58 . 2009-12-25 15:58 -------- d-----w- c:\program files\AGEIA Technologies

2009-12-25 15:57 . 2009-02-10 05:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-24 04:16 . 2009-12-03 03:10 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate

2009-12-18 03:27 . 2009-12-18 03:27 97216 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

2009-12-17 22:14 . 2009-10-06 05:59 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-02-11 05:43 . 2009-02-11 05:43 8 --sha-r- c:\windows\system32\CE0B79E20F.sys

2009-11-17 07:21 . 2009-02-11 05:43 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

2001-03-30 16:45 . 2001-03-30 16:45 32768 --sha-r- c:\windows\system32\poswinhe.dll

2001-03-30 16:45 . 2001-03-30 16:45 372736 --sha-r- c:\windows\system32\rsradici.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2008-12-20 5381120]

"Six Engine"="c:\program files\ASUS\EPU\EPU.exe" [2008-12-21 4066816]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]

"Ai Nap"="c:\program files\ASUS\Ai Suite\Q-Button\QButton.exe" [2008-12-22 1953280]

"QFan Help"="c:\program files\ASUS\Ai Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]

"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-15 98304]

"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-16 270336]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16876032]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

VOIP080.lnk - c:\program files\Philips\VOIP080\VOIP080.exe [2007-4-3 663552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{35C11871-DC11-4B60-9943-7C712A2CA0BA}"= "c:\windows\system32\rsradici.dll" [2001-03-30 372736]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 14:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-02-20 04:51 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\Steam\\SteamApps\\dangurx\\garrysmod\\hl2.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/10/2009 2:37 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/10/2009 2:37 AM 108552]

R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe [2/10/2009 12:05 AM 86016]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/10/2009 2:37 AM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/10/2009 2:37 AM 297752]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/15/2010 1:27 AM 583640]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]

R3 UALFDrv2;UALFDrv2;c:\windows\system32\drivers\UALFDrv2.sys [9/12/2006 11:02 AM 46309]

S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2008-06-09 15:14 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-02-20 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm

IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-20 17:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AODService]

"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-813497703-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6d,05,44,af,5d,2a,05,d7,ad,4b,a3,89,8a,66,db,d4,28,49,3b,a1,b6,27,f9,

c7,14,a6,13,20,0d,a4,ac,7a,a6,a8,c2,88,cd,f3,ca,2e,75,fa,54,f0,3e,07,ef,ba,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-117609710-813497703-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:08,2e,1e,75,c2,16,39,b1,07,3e,08,d6,a3,3b,7f,9d,8d,cf,01,cc,71,

db,5b,4c,6f,51,f0,7b,04,13,97,ec,ee,f2,83,81,80,d2,0b,33,da,e1,d0,35,6d,b4,\

"rkeysecu"=hex:a0,86,92,20,91,5d,50,64,8f,48,25,61,5f,c4,2b,20

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1664)

c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\rsradici.dll

c:\windows\system32\shdoclc.dll

c:\windows\system32\poswinhe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PSIService.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\Mozilla Firefox\firefox.exe

.

**************************************************************************

.

Completion time: 2010-02-20 17:18:31 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-20 22:18

Pre-Run: 480,742,723,584 bytes free

Post-Run: 480,677,629,952 bytes free

- - End Of File - - 126FF89B1AE4B269911ADEF5AC0CD746


Your PC still has infections, DangurXtreme.

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:

KILLALL::

File::
c:\windows\system32\poswinhe.dll
c:\windows\system32\rsradici.dll

Save the file to your desktop and name it CFScript.txt.

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new MBAM log.

Next

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

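The triage the helper did by eye in the reply above (two oddly named DLLs, poswinhe.dll and rsradici.dll, loaded into explorer.exe, and a CFScript to delete them) can be done mechanically over the log. The Python below is an added example; it is not part of this thread and not a ComboFix feature. It parses the "DLLs Loaded Under Running Processes" section of a ComboFix log, flags modules that sit directly in system32 and whose base name is a bare run of lower-case letters, skips a small allow-list, and emits a CFScript of the same shape the helper posted. The sample log is constructed from lines in this thread; the naming heuristic, the 6-10 letter bound and the allow-list are assumptions for illustration.

```python
import re

# Constructed sample: a trimmed copy of the "DLLs Loaded Under Running
# Processes" section from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1664)

c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\rsradici.dll

c:\windows\system32\shdoclc.dll

c:\windows\system32\poswinhe.dll

.

------------------------ Other Running Processes ------------------------
"""

SECTION_HEADER = "DLLs Loaded Under Running Processes"
# "- - - - - - - > 'explorer.exe'(1664)" introduces each host process.
PROCESS_LINE = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)$")
MODULE_LINE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Heuristic (an assumption, not a ComboFix rule): a DLL dropped straight into
# system32 whose base name is a bare run of lower-case letters, like the two
# removed in this thread.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}\.dll$")
# Assumed allow-list of legitimate lower-case system32 modules seen in the
# log; real triage verifies a file hash against a vendor database instead.
KNOWN_GOOD = {"shdoclc.dll"}


def parse_loaded_dlls(log_text):
    """Return {'process(pid)': [module paths]} for the loaded-DLL section."""
    loaded = {}
    current = None
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_HEADER in line:
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.startswith("---"):        # banner of the next section
            break
        match = PROCESS_LINE.match(line)
        if match:
            current = f"{match.group('name')}({match.group('pid')})"
            loaded[current] = []
        elif current is not None and MODULE_LINE.match(line):
            loaded[current].append(line)
    return loaded


def suspicious_dlls(loaded):
    """Flag (process, path) pairs that sit in system32, match the
    random-name pattern and are not on the allow-list."""
    hits = []
    for proc, paths in loaded.items():
        for path in paths:
            folder, _, base = path.rpartition("\\")
            if not folder.lower().endswith("\\windows\\system32"):
                continue
            if RANDOM_NAME.match(base) and base not in KNOWN_GOOD:
                hits.append((proc, path))
    return hits


def build_cfscript(paths):
    """Emit a CFScript in the shape posted above: KILLALL:: stops running
    processes first, File:: lists the files ComboFix should delete."""
    return "KILLALL::\n\nFile::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_loaded_dlls(SAMPLE_LOG)
    hits = suspicious_dlls(found)
    for proc, path in hits:
        print(f"{proc}: {path}")
    print(build_cfscript([path for _, path in hits]))
```

On the sample it flags exactly rsradici.dll and poswinhe.dll under explorer.exe(1664). The name pattern is only a first filter: it would also flag a legitimate module with such a name, so before anything goes into a File:: section the file should be confirmed by hash or vendor signature, which is what the helper's experience substituted for here.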

Wow, I sure don't see how you can read these things. :lol:

Did as you said.

ComboFix 10-02-20.03 - Owner 02/21/2010 19:51:30.2.4 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3327.2404 [GMT -5:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\system32\poswinhe.dll"

"c:\windows\system32\rsradici.dll"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\poswinhe.dll

c:\windows\system32\rsradici.dll

.

((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))

.

2010-02-20 22:32 . 2010-02-20 22:32 -------- d-----w- c:\program files\Trend Micro

2010-02-20 20:55 . 2010-02-20 20:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-02-20 20:55 . 2010-02-20 20:55 -------- d-----w- c:\program files\TrendMicro

2010-02-18 08:08 . 2004-08-04 12:00 13463552 -c--a-w- c:\windows\system32\dllcache\hwxjpn.dll

2010-02-18 08:07 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-02-18 08:06 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe

2010-02-18 07:49 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll

2010-02-18 07:49 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll

2010-02-18 07:49 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll

2010-02-18 07:49 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll

2010-02-18 07:24 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-18 07:24 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-18 06:56 . 2010-02-18 07:09 -------- d-----w- c:\program files\Microsoft User Agent String Utility

2010-02-18 06:37 . 2010-02-18 06:37 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2010-02-18 06:36 . 2010-02-18 06:36 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2010-02-18 06:23 . 2010-02-18 06:23 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2010-02-18 06:20 . 2010-02-18 06:21 -------- dc-h--w- c:\windows\ie8

2010-02-18 05:34 . 2010-02-18 05:34 5566 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\Uninstall_VOIP080_5491307BD2EB442BA420280A3BCF51DF.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\VOIP080.exe1_EE47EBFF21DA457CB2242C05E2C212D4.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\VOIP080.exe_EE47EBFF21DA457CB2242C05E2C212D4.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\NewShortcut1_EE47EBFF21DA457CB2242C05E2C212D4.exe

2010-02-18 05:34 . 2010-02-18 05:34 45056 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{5491307B-D2EB-442B-A420-280A3BCF51DF}\ARPPRODUCTICON.exe

2010-02-18 05:34 . 2010-02-18 05:34 -------- d-----w- c:\program files\Philips

2010-02-18 04:06 . 2010-02-18 04:06 15849560 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\selfextractor_air_1.5.3.exe

2010-02-18 04:05 . 2010-02-18 04:05 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2010-02-18 04:00 . 2010-02-18 04:59 -------- d-----w- c:\program files\Common Files\Adobe

2010-02-15 16:27 . 2010-02-15 16:27 1923768 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe

2010-02-15 16:19 . 2010-02-15 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-02-15 16:19 . 2010-02-15 16:19 1025992 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe

2010-02-15 16:19 . 2010-02-18 04:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-02-15 06:43 . 2010-02-15 06:43 -------- d-----w- c:\program files\Secunia

2010-02-15 06:33 . 2010-02-15 06:33 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Move Networks

2010-02-15 06:33 . 2010-02-15 06:33 1794896 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071706000001.exe

2010-02-13 14:38 . 2010-01-06 17:08 4726272 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\cooliris190.dll

2010-02-13 14:38 . 2010-01-06 17:08 103424 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\pixomatic.dll

2010-02-13 14:38 . 2010-01-06 17:08 545280 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe

2010-02-13 14:38 . 2010-01-06 17:08 4725760 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\cooliris192.dll

2010-02-13 14:38 . 2010-01-06 17:08 57856 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

2010-02-13 14:38 . 2010-01-06 17:08 153600 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

2010-02-13 14:38 . 2010-01-06 17:08 344064 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe

2010-02-07 00:48 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2010-02-07 00:48 . 2008-04-14 10:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2010-02-07 00:48 . 2004-08-04 03:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

2010-01-27 03:31 . 2010-01-27 03:31 -------- d-----w- c:\program files\Common Files\Java

2010-01-27 03:31 . 2010-01-27 03:31 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-351646aa-n\msvcp71.dll

2010-01-27 03:31 . 2010-01-27 03:31 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-351646aa-n\jmc.dll

2010-01-27 03:31 . 2010-01-27 03:31 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-351646aa-n\msvcr71.dll

2010-01-27 03:31 . 2010-01-27 03:31 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-53eee55a-n\decora-sse.dll

2010-01-27 03:31 . 2010-01-27 03:31 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-53eee55a-n\decora-d3d.dll

2010-01-24 21:30 . 2010-02-18 04:06 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-01-24 21:30 . 2010-02-18 04:06 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2010-01-24 21:30 . 2010-02-18 04:06 -------- d-----w- c:\program files\Common Files\Adobe AIR

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-22 01:01 . 2009-02-10 10:33 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype

2010-02-22 01:00 . 2009-02-10 10:34 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM

2010-02-21 22:33 . 2009-02-12 00:18 -------- d-----w- c:\program files\Steam

2010-02-21 09:44 . 2009-02-10 10:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-20 21:51 . 2009-02-10 07:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-02-18 08:15 . 2009-02-09 06:06 27400 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-18 08:05 . 2009-02-09 05:57 23348 -c--a-w- c:\windows\system32\emptyregdb.dat

2010-02-18 07:24 . 2010-01-06 04:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-18 06:36 . 2009-06-23 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2010-02-17 15:36 . 2010-01-15 06:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-15 06:33 . 2009-05-20 22:45 144162 -c--a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe

2010-02-15 06:33 . 2009-03-04 06:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks

2010-02-15 06:33 . 2009-12-18 03:27 5603776 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll

2010-01-27 03:31 . 2009-10-06 05:59 -------- d-----w- c:\program files\Java

2010-01-25 09:07 . 2009-08-13 07:49 -------- d-----w- c:\program files\JKdefrag

2010-01-24 21:30 . 2009-08-16 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts

2010-01-18 07:23 . 2009-08-17 18:42 -------- d-----w- c:\documents and settings\Owner\Application Data\SPORE

2010-01-18 06:50 . 2009-02-09 06:08 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-01-15 06:27 . 2010-01-15 06:27 -------- d-----w- c:\program files\Common Files\PC Tools

2009-12-30 02:17 . 2009-12-30 02:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}

2009-12-30 02:03 . 2009-08-16 22:00 -------- d-----w- c:\program files\Electronic Arts

2009-12-30 02:02 . 2009-08-16 22:10 4468 ----a-w- c:\windows\system32\ealregsnapshot1.reg

2009-12-27 15:32 . 2009-12-27 15:32 128 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat

2009-12-27 09:11 . 2009-12-19 18:36 -------- d-----w- c:\program files\HP Games

2009-12-27 09:11 . 2009-12-19 18:36 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent

2009-12-26 20:36 . 2009-12-26 20:36 -------- d-----w- c:\program files\GameSpy

2009-12-26 20:32 . 2009-02-11 06:06 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-12-26 20:32 . 2009-02-11 06:06 22328 -c--a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys

2009-12-26 20:32 . 2009-02-11 06:06 22328 -c--a-w- c:\documents and settings\Owner\Application Data\PnkBstrK.sys

2009-12-26 20:32 . 2009-02-11 06:06 103736 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-12-26 20:32 . 2009-02-11 06:06 669184 -c--a-w- c:\windows\system32\pbsvc.exe

2009-12-26 20:32 . 2009-02-11 06:06 66872 ----a-w- c:\windows\system32\PnkBstrA.exe

2009-12-25 16:09 . 2009-12-25 16:09 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SecuROM

2009-12-25 15:59 . 2009-12-25 15:59 -------- d-----w- c:\program files\2K Games

2009-12-25 15:58 . 2009-12-25 15:58 -------- d-----w- c:\program files\AGEIA Technologies

2009-12-25 15:57 . 2009-02-10 05:29 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-24 04:16 . 2009-12-03 03:10 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate

2009-12-18 03:27 . 2009-12-18 03:27 97216 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe

2009-12-17 22:14 . 2009-10-06 05:59 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-02-11 05:43 . 2009-02-11 05:43 8 --sha-r- c:\windows\system32\CE0B79E20F.sys

2009-11-17 07:21 . 2009-02-11 05:43 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((( SnapShot@2010-02-20_22.13.00 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-02-22 00:59 . 2010-02-22 00:59 16384 c:\windows\temp\Perflib_Perfdata_66c.dat

+ 2004-08-04 12:00 . 2010-02-21 17:29 70066 c:\windows\system32\perfc009.dat

- 2004-08-04 12:00 . 2010-02-20 20:27 70066 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2010-02-21 17:29 435920 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2010-02-20 20:27 435920 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]

@="{C5994560-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]

@="{C5994561-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]

@="{C5994562-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]

@="{C5994563-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]

@="{C5994564-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]

@="{C5994565-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]

@="{C5994566-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]

@="{C5994567-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]

@="{C5994568-53D9-4125-87C9-F193FC689CB2}"

[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]

2008-11-02 13:26 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2008-12-20 5381120]

"Six Engine"="c:\program files\ASUS\EPU\EPU.exe" [2008-12-21 4066816]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]

"Ai Nap"="c:\program files\ASUS\Ai Suite\Q-Button\QButton.exe" [2008-12-22 1953280]

"QFan Help"="c:\program files\ASUS\Ai Suite\QFan3\QFanHelp.exe" [2008-05-06 594432]

"Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-12-01 881152]

"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-27 734264]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-07-09 570664]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-15 98304]

"HydraVisionDesktopManager"="c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-16 270336]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 16876032]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

VOIP080.lnk - c:\program files\Philips\VOIP080\VOIP080.exe [2007-4-3 663552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-17 14:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

2010-02-20 04:51 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\Steam\\SteamApps\\dangurx\\garrysmod\\hl2.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander - Forged Alliance\\bin\\ForgedAlliance.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead 2\\left4dead2.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/10/2009 2:37 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/10/2009 2:37 AM 108552]

R2 AsSysCtrlService;ASUS System Control Service;c:\program files\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe [2/10/2009 12:05 AM 86016]

R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2/10/2009 2:37 AM 908056]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/10/2009 2:37 AM 297752]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/15/2010 1:27 AM 583640]

R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [6/17/2009 7:20 AM 12648]

R3 UALFDrv2;UALFDrv2;c:\windows\system32\drivers\UALFDrv2.sys [9/12/2006 11:02 AM 46309]

S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist --> c:\program files\AMD\OverDrive\AODAssist [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2008-06-09 15:14 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-02-21 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm

IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\components\coolirisstub.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071706000001.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7zhhymx2.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{35C11871-DC11-4B60-9943-7C712A2CA0BA} - c:\windows\system32\rsradici.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-02-21 20:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AODService]

"ImagePath"="c:\program files\AMD\OverDrive\AODAssist"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-813497703-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:6d,05,44,af,5d,2a,05,d7,ad,4b,a3,89,8a,66,db,d4,28,49,3b,a1,b6,27,f9,

c7,14,a6,13,20,0d,a4,ac,7a,a6,a8,c2,88,cd,f3,ca,2e,75,fa,54,f0,3e,07,ef,ba,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-117609710-813497703-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:08,2e,1e,75,c2,16,39,b1,07,3e,08,d6,a3,3b,7f,9d,8d,cf,01,cc,71,

db,5b,4c,6f,51,f0,7b,04,13,97,ec,ee,f2,83,81,80,d2,0b,33,da,e1,d0,35,6d,b4,\

"rkeysecu"=hex:a0,86,92,20,91,5d,50,64,8f,48,25,61,5f,c4,2b,20

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3940)

c:\program files\ATI Technologies\ATI HYDRAVISION\HydraDMH.dll

c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

c:\program files\TortoiseSVN\bin\TortoiseStub.dll

c:\program files\TortoiseSVN\bin\TortoiseSVN.dll

c:\program files\TortoiseSVN\bin\intl3_tsvn.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\TortoiseSVN\bin\TSVNCache.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\PnkBstrA.exe

c:\progra~1\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\PSIService.exe

c:\windows\RTHDCPL.EXE

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2010-02-21 20:04:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-02-22 01:04

ComboFix2.txt 2010-02-20 22:18

Pre-Run: 480,672,428,032 bytes free

Post-Run: 480,647,184,384 bytes free

- - End Of File - - 795B7A7F438068031E2A6F1242157674

And...

Malwarebytes' Anti-Malware 1.44

Database version: 3772

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

2/21/2010 8:08:52 PM

mbam-log-2010-02-21 (20-08-52).txt

Scan type: Quick Scan

Objects scanned: 110895

Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you DangurXtreme.

Kenny (Kenny94)

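The Internet Explorer hardening steps in the post above are click-through instructions, and the proxy change the original poster found is the kind of thing that is easy to miss by eye. The script below is an added example, not code from the thread or from Malwarebytes: it reads the current user's Internet zone (zone 3) settings from the registry, compares them with the values the post recommends, and prints the WinINet proxy values so a stray ProxyEnable or AutoConfigURL stands out. The action codes (1001, 1004, 1201, 1607, 1800, 1804) and the data meanings (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented IE zone settings; the registry paths are the standard per-user locations. It assumes Windows PowerShell is installed, which on Windows XP (the machine in this thread) is an optional download rather than a built-in component.

```powershell
# Added audit script (not from the forum post): compares the Internet zone
# settings the helper recommends with what is currently set for this user,
# and shows the WinINet proxy values that a rogue AV had altered in this thread.
# Registry layout and action codes follow Microsoft's documented IE zone settings;
# zone 3 = Internet. Data meaning: 0 = Enable, 1 = Prompt, 3 = Disable.

$zonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$proxyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Recommended values, taken from the post above (setting name, action code, desired data).
$recommended = @(
    @{ Name = 'Download signed ActiveX controls';                          Code = '1001'; Want = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Code = '1004'; Want = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Code = '1201'; Want = 3 },
    @{ Name = 'Installation of desktop items';                             Code = '1800'; Want = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Code = '1804'; Want = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Code = '1607'; Want = 1 }
)

$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeZoneFindings {
    # -Fix writes the recommended value for every non-compliant setting;
    # without it the function only reports.
    param([switch]$Fix)
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($r in $recommended) {
        $current = $zone.($r.Code)          # DWORD value named after the action code
        if ($null -eq $current) {
            $currentText = '(not set, IE default applies)'
        } else {
            $currentText = $label[[int]$current]
            if (-not $currentText) { $currentText = "raw $current" }
        }
        $ok = ($current -eq $r.Want)
        [pscustomobject]@{
            Setting     = $r.Name
            Code        = $r.Code
            Current     = $currentText
            Recommended = $label[$r.Want]
            Compliant   = $ok
        }
        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $zonePath -Name $r.Code -Value $r.Want -Type DWord
        }
    }
}

function Get-IeProxyFindings {
    # ProxyEnable = 1 or a populated AutoConfigURL is what to look at when
    # browsers suddenly stop connecting, as happened to the original poster.
    # A proxy can of course be legitimate on a managed network; this only flags it for review.
    $p = Get-ItemProperty -Path $proxyPath -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL
        ReviewNeeded  = ($p.ProxyEnable -eq 1) -or (-not [string]::IsNullOrEmpty($p.AutoConfigURL))
    }
}

Get-IeZoneFindings | Format-Table -AutoSize
Get-IeProxyFindings | Format-List
```

Run it as the user whose profile was cleaned, since both keys live under HKCU and every account on the machine has its own copy. Adding `-Fix` to the `Get-IeZoneFindings` call applies the post's recommended values; leave it off to audit first, and note that a value that is "not set" means IE is using its built-in zone default rather than an explicit choice.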
