Pls Help - Trojan BHO.O - Logs attached

janell · September 1, 2010

i ran malwarebytes to remove the trojan but it keeps showing up after the reboot. i have updated the malwarebytes.

attached are the requested logs.

thank you for your help.

janell

DDS (Ver_10-03-17.01) - NTFSX64

Run by dooley at 23:02:33.96 on Tue 08/31/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.7935.6050 [GMT -4:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe

C:\Program Files (x86)\AVG\AVG9\avgchsva.exe

C:\Program Files (x86)\AVG\AVG9\avgrsa.exe

C:\Windows\system32\lsm.exe

C:\Program Files (x86)\AVG\AVG9\avgcsrva.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Program Files (x86)\Kodak\KODAK Share Button App\Listener.exe

C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Google\Update\1.2.183.29\GoogleCrashHandler.exe

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Windows\system32\taskeng.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\AVG\AVG9\avgnsa.exe

C:\Windows\System32\nvraidservice.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Windows\system32\SearchIndexer.exe

C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Users\dooley\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files\StorageSync\StrgSync.exe

C:\Windows\Samsung\PanelMgr\SSMMgr.exe

C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe

C:\Windows\Samsung\PanelMgr\caller64.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\AVG\AVG9\avgtray.exe

c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe

c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\system32\DllHost.exe

c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\splwow64.exe

C:\Program Files (x86)\SAMSUNG\Samsung CLP-510 Series\SPanel\Spanel.exe

C:\Program Files (x86)\SAMSUNG\Samsung CLP-510 Series\SPanel\caller64.exe

C:\Users\dooley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FF8EO3GN\Defogger[1].exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\dooley\Desktop\dds.com

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

mLocal Page = c:\windows\syswow64\blank.htm

uInternet Settings,ProxyOverride = <local>

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files (x86)\avg\avg9\avgssie.dll

BHO: TTB000000 Class: {62960d20-6d0d-1ab4-4bf1-95b0b5b8783a} - c:\users\dooley\appdata\local\temp\low\COUPON~1.DLL

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files (x86)\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: Updater For My.Freeze.com Toolbar: {c26cd490-5f01-41e3-b150-eb29f19da056} - c:\program files (x86)\myfreezetoolbar\auxi\myfreezetoolbAu.dll

BHO: {CC3C8D60-29D6-4880-B9D8-443C4CBA2BEC} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll

BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files (x86)\google\google gears\internet explorer\0.5.36.0\gears.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: CouponBar: {5bed3930-2e9e-76d8-bacc-80df2188d455} - c:\users\dooley\appdata\local\temp\low\CouponBarIE.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files (x86)\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [swg] "c:\program files (x86)\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Octoshape Streaming Services] "c:\users\dooley\appdata\roaming\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun

uRun: [iSUSPM Startup] c:\progra~2\common~1\instal~1\update~1\isuspm.exe -startup

uRun: [HPADVISOR] c:\program files (x86)\hewlett-packard\hp advisor\HPAdvisor.exe view=DOCKVIEW

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRunOnce: [shockwave Updater] c:\windows\syswow64\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; GTB6.3; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; ety8v64_cfg)" -"http://www8.agame.com/games/shockwave/m/My3DRoom/My3DRoom_girlsgogames_com.htm"

mRun: [NWEReboot]

mRun: [sunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"

mRun: [strgSync.exe] c:\program files\storagesync\StrgSync.exe -w

mRun: [samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun

mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime

mRun: [NeroFilterCheck] c:\windows\syswow64\NeroCheck.exe

mRun: [KBD] c:\program files (x86)\hewlett-packard\kbd\KbdStub.EXE

mRun: [iSUSScheduler] "c:\program files (x86)\common files\installshield\updateservice\issch.exe" -start

mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\hp odometer\hpsysdrv.exe

mRun: [hpqSRMon] c:\program files (x86)\hp\digital imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe

mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe

mRun: [HP Health Check Scheduler] c:\program files (x86)\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [Google Desktop Search] "c:\program files (x86)\google\google desktop search\GoogleDesktop.exe" /startup

mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVG9_TRAY] c:\progra~2\avg\avg9\avgtray.exe

StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files (x86)\microsoft office\office10\OSA.EXE

StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files (x86)\picturemover\bin\PictureMover.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files (x86)\google\google gears\internet explorer\0.5.36.0\gears.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll

Trusted Zone: intuit.com\ttlc

Trusted Zone: jacobs.com\prolog

Trusted Zone: jacobs.com\prologtn

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files (x86)\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files (x86)\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~2\common~1\skype\SKYPE4~1.DLL

AppInit_DLLs: c:\progra~2\google\google~4\GO36F4~1.DLL

BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files (x86)\avg\avg9\avgssiea.dll

BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll

BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg64.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\google toolbar\GoogleToolbar_64.dll

TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB-X64: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File

TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [smartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe

mRun-x64: [NVRaidService] c:\windows\system32\nvraidservice.exe

mRun-x64: [HP Remote Software] c:\program files\hewlett-packard\hp remote\HP REMOTE V1.0.5.exe

mRun-x64: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun-x64: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

AppInit_DLLs-X64: avgrssta.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dooley\appdata\roaming\mozilla\firefox\profiles\xobiklfd.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us

FF - prefs.js: browser.search.selectedEngine - Yahoo! Search

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files (x86)\avg\avg9\firefox\components\avgssff.dll

FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files (x86)\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files (x86)\google\google gears\firefox\lib\ff35\gears.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll

FF - component: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll

FF - component: c:\program files (x86)\mozilla firefox\components\GoogleDesktopMozilla.dll

FF - plugin: c:\program files (x86)\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files (x86)\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll

FF - plugin: c:\program files (x86)\microsoft\office live\npOLW.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\NPcol400.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\NPcol500.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dv.dll

FF - plugin: c:\program files (x86)\nvidia corporation\3d vision\npnv3dvstreaming.dll

FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll

FF - plugin: c:\users\dooley\appdata\roaming\mozilla\plugins\npicaN.dll

FF - plugin: c:\users\dooley\appdata\roaming\mozilla\plugins\npoctoshape.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 AvgLdx64;AVG Free AVI Loader Driver x64;c:\windows\system32\drivers\avgldx64.sys [2010-8-7 269904]

R1 AvgMfx64;AVG Free On-access Scanner Minifilter Driver x64;c:\windows\system32\drivers\avgmfx64.sys [2010-8-7 35536]

R1 AvgTdiA;AVG Free Network Redirector x64;c:\windows\system32\drivers\avgtdia.sys [2010-8-7 317520]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 173984]

R2 avg9wd;AVG Free WatchDog;c:\program files (x86)\avg\avg9\avgwdsvc.exe [2010-8-7 308136]

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2010-1-4 11576]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2010-7-9 248936]

R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 40832]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 23040]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);c:\program files (x86)\google\update\GoogleUpdate.exe [2009-11-9 135664]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files (x86)\avg\avg9\toolbar\ToolbarBroker.exe [2010-8-7 431432]

S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files (x86)\google\google desktop search\GoogleDesktop.exe [2010-1-17 30192]

S3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\drivers\lvrs64.sys [2009-10-7 327704]

S3 LVUVC64;Logitech QuickCam Pro 9000(UVC);c:\windows\system32\drivers\lvuvc64.sys [2009-10-7 6379288]

S3 Pcouffin64;Low level access layer for CD devices;c:\windows\system32\drivers\pcouffin64a.sys [2009-12-15 55136]

S3 Samsung UPD Service;Samsung UPD Service;c:\windows\system32\SUPDSvc.exe [2010-2-7 161448]

S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-1 1255736]

=============== Created Last 30 ================

2010-09-01 02:59:21 20 ----a-w- c:\users\dooley\defogger_reenable

2010-08-31 05:32:22 0 d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2010-08-27 14:15:40 0 d-----w- c:\users\dooley\appdata\roaming\Catalina Marketing Corp

2010-08-25 03:32:13 861184 ----a-w- c:\windows\system32\oleaut32.dll

2010-08-25 03:32:13 571904 ----a-w- c:\windows\syswow64\oleaut32.dll

2010-08-12 21:23:32 0 d-----w- c:\program files (x86)\Cisco Systems

2010-08-12 21:20:24 0 d-----w- c:\programdata\Cisco Systems

2010-08-12 14:03:15 0 d-----w- c:\program files (x86)\Microsoft Antimalware

2010-08-12 14:03:12 0 d-----w- c:\program files\Microsoft Security Essentials

2010-08-11 18:55:37 463360 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-11 18:55:37 404992 ----a-w- c:\windows\system32\drivers\srv2.sys

2010-08-11 18:55:36 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys

2010-08-11 18:55:16 340992 ----a-w- c:\windows\system32\schannel.dll

2010-08-11 18:55:16 224256 ----a-w- c:\windows\syswow64\schannel.dll

2010-08-11 18:51:08 1896832 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-08-11 18:49:50 52224 ----a-w- c:\windows\system32\rtutils.dll

2010-08-11 18:49:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll

2010-08-11 18:49:27 82944 ----a-w- c:\windows\syswow64\iccvid.dll

2010-08-11 18:48:45 3122688 ----a-w- c:\windows\system32\win32k.sys

2010-08-11 18:48:18 1877504 ----a-w- c:\windows\system32\msxml3.dll

2010-08-11 18:48:18 1233920 ----a-w- c:\windows\syswow64\msxml3.dll

2010-08-07 16:40:51 0 d-----w- c:\program files (x86)\McAfee

2010-08-07 16:39:00 0 d-----w- C:\Virus_Scan_8.7_with_Patch_2

2010-08-07 16:38:16 0 d--h--w- C:\$AVG

2010-08-07 16:15:58 13048 ----a-w- c:\windows\system32\avgrssta.dll

2010-08-07 16:15:57 317520 ----a-w- c:\windows\system32\drivers\avgtdia.sys

2010-08-07 16:15:52 269904 ----a-w- c:\windows\system32\drivers\avgldx64.sys

2010-08-07 16:15:50 35536 ----a-w- c:\windows\system32\drivers\avgmfx64.sys

2010-08-07 16:15:50 0 d-----w- c:\windows\system32\drivers\Avg

2010-08-07 16:15:48 0 d-----w- c:\programdata\AVG Security Toolbar

2010-08-07 16:13:07 0 d-----w- c:\program files (x86)\AVG

2010-08-07 16:12:52 0 d-----w- c:\programdata\avg9

2010-08-07 15:42:11 0 d-----w- c:\users\dooley\appdata\roaming\AVP 2009

2010-08-07 14:54:43 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys

2010-08-03 19:00:48 0 d-----w- c:\windows\pss

2010-08-03 15:18:25 0 d-----w- c:\users\dooley\appdata\roaming\Malwarebytes

2010-08-03 15:17:51 0 d-----w- c:\programdata\Malwarebytes

2010-08-03 15:17:50 24664 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-08-02 19:18:29 12867584 ----a-w- c:\windows\syswow64\shell32.dll

==================== Find3M ====================

2010-07-29 04:38:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2010-07-09 22:38:00 930272 ----a-w- c:\windows\system32\dpinst.exe

2010-07-09 22:38:00 660072 ----a-w- c:\windows\system32\nvudisp.exe

2010-07-09 22:38:00 65128 ----a-w- c:\windows\system32\OpenCL.dll

2010-07-09 22:38:00 56936 ----a-w- c:\windows\syswow64\OpenCL.dll

2010-07-09 22:38:00 2761832 ----a-w- c:\windows\system32\nvcuvenc.dll

2010-07-09 22:38:00 260712 ----a-w- c:\windows\system32\nvcod1922.dll

2010-07-09 22:38:00 14513768 ----a-w- c:\windows\system32\nvcompiler.dll

2010-07-09 22:38:00 10267240 ----a-w- c:\windows\syswow64\nvcompiler.dll

2010-07-07 17:46:54 660072 ----a-w- c:\windows\system32\nvuninst.exe

2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll

2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll

2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll

2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll

2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll

2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll

2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll

2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll

2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll

2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll

2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll

2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe

2010-06-30 04:12:16 13312 ----a-w- c:\windows\LPRES.DLL

2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe

2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe

2010-06-13 22:31:10 42 ----a-w- c:\users\dooley\jagex_runescape_preferences.dat

2010-06-07 17:31:01 99384 ----a-w- c:\users\dooley\appdata\roaming\inst.exe

2010-06-07 17:31:01 82816 ----a-w- c:\users\dooley\appdata\roaming\pcouffin.sys

2010-06-06 15:52:21 23143 ----a-w- c:\windows\hpqins15.dat

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat

2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat

2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat

2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini

2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini

2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat

2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat

2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat

2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat

2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe

2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 23:03:29.17 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4385

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/7/2010 11:21:52 AM

mbam-log-2010-08-07 (11-21-52).txt

Scan type: Quick scan

Objects scanned: 140386

Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\dooley\AppData\Local\Temp\low\COUPON~1.DLL (Trojan.BHO.H) -> Quarantined and deleted successfully.

Attach.zip

ark.zip

screen317 · September 1, 2010

Hi and welcome to Malwarebytes.

Please download CCleaner and save it to your desktop.

Run the CCleaner installer.
During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
Please do NOT run a scan yet!

Now, open CCleaner:

Click the "Windows" tab.
Select the following:
- Check everything under the "Internet Explorer" section.
- Check everything under the "Windows Explorer" section.
- Check everything under the "System" section.
- Check ONLY "Old Prefetch data" under the "Advanced" section.
[*]Then, click the "Applications" tab:
- CHECK everything there.
[*]Next, click the "Options" button in the left pane, then click the "Advanced" button:
- CHECK : "Only delete files in Windows Temp folders older than 48 hours".
[*]Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
[*]When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don

janell · September 1, 2010

here is the log after i ran the ccleaner and mbam.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4521

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

9/1/2010 8:50:19 AM

mbam-log-2010-09-01 (08-50-19).txt

Scan type: Quick scan

Objects scanned: 137429

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Users\dooley\AppData\Local\Temp\low\COUPON~1.DLL (Trojan.BHO.H) -> Quarantined and deleted successfully.

janell · September 2, 2010

the trojan still shows up after the reboot.

i would appreciate any help you can provide.

thanks,

janell

screen317 · September 3, 2010

Hi Janell,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317

janell · September 3, 2010

i have windows 7 and 64 bit.

combofix does not work with 64 bit.

pls help.

thanks,

janell

screen317 · September 3, 2010

My mistake.

Navigate to this folder:

C:\Users\dooley\AppData\Local\Temp\low

Can you delete it manually? Does it even exist?

janell · September 3, 2010

it doesn't exsist.

what program should i use instead?

janell · September 3, 2010

actually that folder does exsist. should i do something with it.

janell · September 4, 2010