Trojan virus infection

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > Virus, Trojan, Spyware, and Malware Removal Logs

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

DO NOT RUN ComboFix unless requested to.

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

2 Pages

1 2 >

Trojan virus infection, Do not know how to remove

Options

hcbarber View Member Profile	Jun 2 2009, 02:32 PM Post #1
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I have a trojan virus in my computer. I have used AVG 8.5 which detected the virus named pws mapper and AVG could not remove the virus. I purchased ad aware and upgraded to ad aware anniversary edition, which detects the virus, but cannot remove it. I contacted lavasoft about the virus and after trying to use ad aware in safe mode, the virus will not go away. Lavasoft recommended that I use a forum to get help removing the virus. I am not sure what the virus is called, but whenever searching the internet, everything is redirected. I am not very skilled on the computer, so I have tried to follow your preparation guide in preparing this post. I need help getting rid of this virus. DDS (Ver_09-05-14.01) - NTFSx86 Run by Compaq_Owner at 14:50:54.51 on Tue 06/02/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.233 [GMT -4:00] AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Lavasoft Ad-Watch Live! Anti-Virus On-access scanning disabled (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\CASIO\Photo Loader\Plauto.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr ============== Pseudo HJT Report =============== mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Settings,ProxyOverride = .local BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [AdwareAlert] c:\program files\adwarealert\AdwareAlert.exe -boot mRun: [VTTimer] VTTimer.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL LSP: c:\windows\system32\INetHTTPFilter.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196288578156 DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxsrvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SpySubtract Shell Extension: {fa010552-4a27-4cb1-a1bb-3e2d697f1639} - c:\program files\intermute\spysubtract\sshook.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-25 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 325896] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-27 27784] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-7 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-7 298776] R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [2009-1-2 98432] S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904] =============== Created Last 30 ================ 2009-06-02 14:26 <DIR> --dsh--- c:\documents and settings\compaq_owner\PrivacIE 2009-06-02 14:25 <DIR> --dsh--- c:\documents and settings\compaq_owner\IETldCache 2009-06-02 14:22 <DIR> --d----- c:\windows\ie8updates 2009-06-02 14:22 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll 2009-06-02 14:19 <DIR> -cd-h--- c:\windows\ie8 2009-05-29 18:19 <DIR> --d----- c:\program files\common files\Diskeeper Corporation 2009-05-29 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation 2009-05-29 18:19 <DIR> --d----- c:\program files\Diskeeper Corporation 2009-05-29 15:59 664 a------- c:\windows\system32\d3d9caps.dat 2009-05-25 22:17 15,688 a------- c:\windows\system32\lsdelete.exe 2009-05-25 21:21 64,160 a------- c:\windows\system32\drivers\Lbd.sys 2009-05-25 21:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-05-25 21:08 <DIR> --d----- c:\program files\Lavasoft 2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx 2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat 2009-05-24 13:07 2,102,048 a--sh--- c:\windows\system32\drivers\fidbox.dat 2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox.idx 2009-05-24 13:00 2,725 a------- C:\rollback.ini 2009-05-24 12:45 <DIR> --d----- c:\program files\common files\ParetoLogic 2009-05-24 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic 2009-05-18 10:14 <DIR> --d----- c:\program files\PC Tools AntiVirus 2009-05-17 18:53 50 a------- c:\windows\system32\ssmute.ini 2009-05-17 18:53 <DIR> --d----- c:\program files\interMute 2009-05-17 18:01 1,409 a------- c:\windows\system32\tmp08A4B.FOT 2009-05-17 14:19 <DIR> --d----- c:\docume~1\compaq~1\applic~1\AdwareAlert 2009-05-16 13:09 193 a------- c:\docume~1\compaq~1\applic~1\asd.bat ==================== Find3M ==================== 2009-05-29 15:57 3,888 ac------ c:\windows\viassary-hp.reg 2009-05-17 08:53 325,896 a------- c:\windows\system32\drivers\avgldx86.sys 2009-05-17 08:53 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-05-17 08:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys 2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll 2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll 2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll 2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll 2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll 2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll 2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll 2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll 2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe 2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll 2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll 2007-11-28 08:17 0 ac-sh--- c:\windows\sminst\HPCD.SYS 2008-08-28 21:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat ============= FINISH: 14:52:22.85 =============== Attached File(s)* Attach.txt ( 9.82k ) Number of downloads: 6

DocSatan View Member Profile	Jun 13 2009, 01:31 PM Post #2
Bleepin' Wanna-Be Group: Malware Response Team Posts: 2,156 Joined: 30-August 07 From: Boston, Ma. Member No.: 153,791	Hello and welcome to Bleeping Computer We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explaination about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that pop up for posting the results. Close the program window, and delete the program from your desktop. Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE -------------------- All Other Things Being Equal, The Simplest Solution Is The Best. Anti-Spyware Scanners - Anti-Virus Scanners - Online Scanners - Firewalls Protect Yourself and Surf More Secure

hcbarber View Member Profile	Jun 13 2009, 03:09 PM Post #3
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I am still having the problem and I am posting the new DDS logs. Thanks for your help. DDS (Ver_09-05-14.01) - NTFSx86 Run by Compaq_Owner at 16:05:25.28 on Sat 06/13/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.265 [GMT -4:00] AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Lavasoft Ad-Watch Live! Anti-Virus On-access scanning disabled (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\ALCXMNTR.EXE C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Palm\Hotsync.exe C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe C:\Program Files\CASIO\Photo Loader\Plauto.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Compaq_Owner\Desktop\dds.pif ============== Pseudo HJT Report =============== mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Settings,ProxyOverride = .local uURLSearchHooks: H - No File uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [VTTimer] VTTimer.exe mRun: [AGRSMMSG] AGRSMMSG.exe mRun: [AlcxMonitor] ALCXMNTR.EXE mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\PowerReg Scheduler.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\spysub~1.lnk - c:\program files\intermute\spysubtract\SpySub.exe IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL LSP: c:\windows\system32\INetHTTPFilter.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196288578156 DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxsrvc.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SpySubtract Shell Extension: {fa010552-4a27-4cb1-a1bb-3e2d697f1639} - c:\program files\intermute\spysubtract\sshook.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-25 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-14 327688] R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-27 27784] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-14 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-7 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-7 298776] R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [2009-1-2 98432] S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904] =============== Created Last 30 ================ 2009-06-12 10:27 <DIR> --d----- c:\docume~1\compaq~1\applic~1\Malwarebytes 2009-06-12 10:27 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-12 10:27 19,096 a------- c:\windows\system32\drivers\mbam.sys 2009-06-12 10:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-06-12 10:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-06-12 08:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar 2009-06-10 03:04 197 a------- c:\windows\system32\MRT.INI 2009-06-10 01:44 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll 2009-06-10 01:44 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll 2009-06-04 21:23 <DIR> --d----- c:\program files\iPod 2009-06-04 21:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-04 21:17 2,060,288 a------- c:\windows\system32\usbaaplrc.dll 2009-06-02 14:26 <DIR> --dsh--- c:\documents and settings\compaq_owner\PrivacIE 2009-06-02 14:25 <DIR> --dsh--- c:\documents and settings\compaq_owner\IETldCache 2009-06-02 14:22 <DIR> --d----- c:\windows\ie8updates 2009-06-02 14:22 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll 2009-06-02 14:19 <DIR> -cd-h--- c:\windows\ie8 2009-05-29 18:19 <DIR> --d----- c:\program files\common files\Diskeeper Corporation 2009-05-29 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Diskeeper Corporation 2009-05-29 18:19 <DIR> --d----- c:\program files\Diskeeper Corporation 2009-05-29 15:59 664 a------- c:\windows\system32\d3d9caps.dat 2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx 2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts 2009-05-25 22:17 15,688 a------- c:\windows\system32\lsdelete.exe 2009-05-25 21:21 64,160 a------- c:\windows\system32\drivers\Lbd.sys 2009-05-25 21:08 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-05-25 21:08 <DIR> --d----- c:\program files\Lavasoft 2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.idx 2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox2.dat 2009-05-24 13:07 2,102,048 a--sh--- c:\windows\system32\drivers\fidbox.dat 2009-05-24 13:07 32 a--sh--- c:\windows\system32\drivers\fidbox.idx 2009-05-24 13:00 2,725 a------- C:\rollback.ini 2009-05-24 12:45 <DIR> --d----- c:\program files\common files\ParetoLogic 2009-05-24 12:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ParetoLogic 2009-05-18 10:14 <DIR> --d----- c:\program files\PC Tools AntiVirus 2009-05-17 18:53 2,158 a------- c:\windows\system32\ssmute.ini 2009-05-17 18:53 <DIR> --d----- c:\program files\interMute 2009-05-17 18:01 1,409 a------- c:\windows\system32\tmp08A4B.FOT 2009-05-16 13:09 224 a------- c:\windows\system32\UACcltksoexyluwpbo.dat ==================== Find3M ==================== 2009-06-12 08:31 327,688 a------- c:\windows\system32\drivers\avgldx86.sys 2009-05-29 15:57 3,888 ac------ c:\windows\viassary-hp.reg 2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys 2009-05-17 08:53 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-05-17 08:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys 2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll 2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll 2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys 2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll 2007-11-28 08:17 0 ac-sh--- c:\windows\sminst\HPCD.SYS 2008-08-28 21:24 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat ============= FINISH: 16:06:01.98 =============== Attached File(s)* Attach_2.txt ( 8.42k ) Number of downloads: 5

syler View Member Profile	Jun 14 2009, 02:05 PM Post #4
Forum Addict Group: Malware Response Team Posts: 7,637 Joined: 7-November 07 From: Warrington, UK Member No.: 168,228	Hello and welcome to Bleeping Computer. My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following: Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order. If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions. Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear. If I do not hear back from you within 5 days of my last post, then this topic will be closed. One or more of the identified infections is a backdoor trojan/Rootkit. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide you want to proceed with trying to clean your machine please follow these next steps. We will begin with ComboFix. Please download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper If you need help, see this link: http://www.bleepingcomputer.com/combofix/how-to-use-combofix Next Download RootRepeal from the following location and save it to your desktop. Extract the contents of RootRepeal.zip, to your desktop. Double click on your desktop. Click on the report tab, then click scan Check all six boxes: Click Ok Check the box for your main system drive (Usually C:), and press Ok. Allow RootRepeal to run a scan of your system. This may take some time. Once the scan completes, Click the Save Report** button. Save the log as RootRepeal.txt and post it in your next reply. Then please post back here with the following: Combofix.txt Gmer log -------------------- If I have helped you, and you would like to make a donation to me, click here

hcbarber View Member Profile	Jun 15 2009, 05:39 PM Post #5
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I would like to try and fix the computer. The computer is used at home for personal uses. I have a lot of itunes that would need to be backed up, so I wanted to try and fix the computer. I installed the combofix and have the log. I downloaded rootrepeal and I get an error message of invalid PE image found, everytime I try to run the program. Please let me know what I need to do next. Attached File(s) combofix_log.txt ( 20.37k ) Number of downloads: 4

hcbarber View Member Profile	Jun 15 2009, 05:44 PM Post #6
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	Also, if I disconnect from the internet, how can I download the software you suggested to fix the computer? I am not very computer literate, so i am going to need help with each step of the process. Will you be able to tell if the computer is clean when I am finished with this process? If I need to reinstall Windows, how would I go about that process? THank you for your help!

syler View Member Profile	Jun 15 2009, 05:46 PM Post #7
Forum Addict Group: Malware Response Team Posts: 7,637 Joined: 7-November 07 From: Warrington, UK Member No.: 168,228	Try this scanner instead, also please post your logs in future rather than attaching them, unless I ask. Thanks We need to scan for Rootkits with GMER Please download GMER from one of the following locations, and save it to your desktop: Main Mirror This version will download a randomly named file (Recommended) Zip Mirror This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Close any and all open programs, as this process may crash your computer. Double click on Gmer to run it. Allow the gmer.sys driver to load if asked. You may see a rootkit warning window, If you do, click No. Click on and wait for the scan to finish. If you see a rootkit warning window, click OK. Push and save the logfile to your desktop. Copy and Paste the contents of that file in your next post. -------------------- If I have helped you, and you would like to make a donation to me, click here

syler View Member Profile	Jun 15 2009, 05:52 PM Post #8
Forum Addict Group: Malware Response Team Posts: 7,637 Joined: 7-November 07 From: Warrington, UK Member No.: 168,228	QUOTE Also, if I disconnect from the internet, how can I download the software you suggested to fix the computer? You obviously would have to connect to the internet when you need to download tools, you just need to try and use it as little as possible whilst we are cleaning your computer. QUOTE I am not very computer literate, so i am going to need help with each step of the process. No problem, just ask me if your not sure how to complete any of the steps. QUOTE Will you be able to tell if the computer is clean when I am finished with this process? If I need to reinstall Windows, how would I go about that process? THank you for your help! We can cross that bridge if or when we come to it and your welcome! -------------------- If I have helped you, and you would like to make a donation to me, click here

hcbarber View Member Profile	Jun 16 2009, 04:50 PM Post #9
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I am posting the log from combofix and gmer. I will copy and paste the file instead of using the attachment. Please let me know, if this is not the right way to post the logs. Again, thanks for your help. I am not using the internet except to try and fix the computer. ComboFix 09-06-15.04 - Compaq_Owner 06/15/2009 18:14.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.249 [GMT -4:00] Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Lavasoft Ad-Watch Live! Anti-Virus On-access scanning disabled (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll c:\windows\system32\UACcltksoexyluwpbo.dat c:\windows\system32\UACroldgsvmchddmwi.log GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-06-16 17:43:17 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.15 ---- SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF7DC887E] SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7DC8BFE] Code \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys pIofCallDriver ---- Kernel code sections - GMER 1.0.15 ---- ? Combo-Fix.sys The system cannot find the file specified. ! ? C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. ! ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) ---- EOF - GMER 1.0.15 ---- . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 ))))))))))))))))))))))))))))))) . 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-12 12:30 . 2009-05-17 12:37 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe 2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute 2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod 2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE 2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache 2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates 2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation 2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys 2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe 2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic 2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations 2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-05-22 13:43 . 2009-05-17 12:53 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-05-22 13:43 . 2009-05-17 12:52 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll 2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-22 13:43 . 2009-05-17 12:52 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll 2009-05-22 13:43 . 2009-05-17 12:52 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll 2009-05-22 13:43 . 2009-05-17 12:52 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll 2009-05-22 13:43 . 2009-05-17 12:53 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe 2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2009-05-22 13:41 . 2009-05-17 12:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools 2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive 2009-05-18 14:14 . 2009-05-22 18:33 -------- d-----w- c:\program files\PC Tools AntiVirus 2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute 2009-05-17 22:15 . 2009-05-22 13:44 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-12 12:31 . 2009-06-12 12:33 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe 2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes 2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple 2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime 2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg 2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe 2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks 2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR 2009-05-17 12:53 . 2009-06-12 12:33 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys 2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-17 12:53 . 2009-06-12 12:33 487704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll 2009-05-17 12:52 . 2009-06-12 12:33 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll 2009-05-17 12:52 . 2009-06-12 12:33 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe 2009-05-17 12:52 . 2009-06-12 12:33 1947928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe 2009-05-17 12:52 . 2009-06-12 12:33 1217816 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe 2009-05-17 12:52 . 2009-06-12 12:33 1205528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll 2009-05-17 12:52 . 2009-06-12 12:33 681752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll 2009-05-17 12:52 . 2009-06-12 12:33 1262880 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll 2009-05-17 12:52 . 2009-06-12 12:33 761112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe 2009-05-17 12:52 . 2009-06-12 12:33 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe 2009-05-17 12:52 . 2009-06-12 12:33 830232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll 2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys 2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-18 22:22 . 2007-11-29 15:23 34656 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE 2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe 2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe 2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe 2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe 2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe 2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe 2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe 2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE 2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe 2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe 2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe 2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248] "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363] "AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344] c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ PowerReg Scheduler.exe [2009-5-22 225280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552] Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423] Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376] SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776] R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-15 c:\windows\Tasks\Ad-Aware Scan (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-15 c:\windows\Tasks\Ad-Aware Update (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Settings,ProxyOverride = .local IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-15 18:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\docume~1\COMPAQ~1\LOCALS~1\Temp\JETDB28.tmp 0 bytes scan completed successfully hidden files: 1 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(720) c:\windows\system32\WININET.dll c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe c:\windows\system32\CF1345.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2009-06-15 18:27 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-15 22:27 Pre-Run: 15,663,968,256 bytes free Post-Run: 16,074,891,264 bytes free 250 --- E O F --- 2009-06-10 07:08

syler View Member Profile	Jun 16 2009, 05:07 PM Post #10
Forum Addict Group: Malware Response Team Posts: 7,637 Joined: 7-November 07 From: Warrington, UK Member No.: 168,228	Yes you have done it correct by copy and pasting it, but you have posted the Gmer log in the middle of the combofix log. Please repost the logs correctly, first paste the combofix log then leave a couple of spaces then paste the Gmer log thanks This post has been edited by syler: Jun 16 2009, 05:08 PM -------------------- If I have helped you, and you would like to make a donation to me, click here

hcbarber View Member Profile	Jun 17 2009, 04:04 PM Post #11
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I am copying and pasting the combofix and gmer log files. Sorry, I did not realize that I had pasted them on top of each other. Thanks. ComboFix 09-06-15.04 - Compaq_Owner 06/15/2009 18:14.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.249 [GMT -4:00] Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Lavasoft Ad-Watch Live! Anti-Virus On-access scanning disabled (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll c:\windows\system32\UACcltksoexyluwpbo.dat c:\windows\system32\UACroldgsvmchddmwi.log . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 ))))))))))))))))))))))))))))))) . 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-12 12:30 . 2009-05-17 12:37 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe 2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute 2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod 2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE 2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache 2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates 2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation 2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys 2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe 2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic 2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations 2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-05-22 13:43 . 2009-05-17 12:53 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-05-22 13:43 . 2009-05-17 12:52 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll 2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-22 13:43 . 2009-05-17 12:52 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll 2009-05-22 13:43 . 2009-05-17 12:52 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll 2009-05-22 13:43 . 2009-05-17 12:52 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll 2009-05-22 13:43 . 2009-05-17 12:53 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe 2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2009-05-22 13:41 . 2009-05-17 12:36 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools 2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive 2009-05-18 14:14 . 2009-05-22 18:33 -------- d-----w- c:\program files\PC Tools AntiVirus 2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute 2009-05-17 22:15 . 2009-05-22 13:44 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-12 12:31 . 2009-06-12 12:33 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe 2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes 2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple 2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime 2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg 2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe 2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks 2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR 2009-05-17 12:53 . 2009-06-12 12:33 325896 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys 2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-17 12:53 . 2009-06-12 12:33 487704 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll 2009-05-17 12:52 . 2009-06-12 12:33 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll 2009-05-17 12:52 . 2009-06-12 12:33 3401496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe 2009-05-17 12:52 . 2009-06-12 12:33 1947928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe 2009-05-17 12:52 . 2009-06-12 12:33 1217816 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe 2009-05-17 12:52 . 2009-06-12 12:33 1205528 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll 2009-05-17 12:52 . 2009-06-12 12:33 681752 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll 2009-05-17 12:52 . 2009-06-12 12:33 1262880 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll 2009-05-17 12:52 . 2009-06-12 12:33 761112 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe 2009-05-17 12:52 . 2009-06-12 12:33 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe 2009-05-17 12:52 . 2009-06-12 12:33 830232 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll 2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys 2009-03-19 20:32 . 2008-01-29 16:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys 2009-03-18 22:22 . 2007-11-29 15:23 34656 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE 2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe 2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe 2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe 2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe 2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe 2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe 2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe 2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE 2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe 2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe 2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe 2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248] "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363] "AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344] c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ PowerReg Scheduler.exe [2009-5-22 225280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552] Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423] Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376] SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776] R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-15 c:\windows\Tasks\Ad-Aware Scan (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-15 c:\windows\Tasks\Ad-Aware Update (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Settings,ProxyOverride = .local IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-15 18:22 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\docume~1\COMPAQ~1\LOCALS~1\Temp\JETDB28.tmp 0 bytes scan completed successfully hidden files: 1 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(720) c:\windows\system32\WININET.dll c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe c:\windows\system32\CF1345.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2009-06-15 18:27 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-15 22:27 Pre-Run: 15,663,968,256 bytes free Post-Run: 16,074,891,264 bytes free 250 --- E O F --- 2009-06-10 07:08 GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-06-16 17:43:17 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.15 ---- SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF7DC887E] SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7DC8BFE] Code \??\C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys pIofCallDriver ---- Kernel code sections - GMER 1.0.15 ---- ? Combo-Fix.sys The system cannot find the file specified. ! ? C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. ! ? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??2@YAPAXI@Z 77C29CC5 5 Bytes JMP 0A93C080 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!??3@YAXPAX@Z 77C29CDD 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!?set_new_handler@@YAP6AXXZP6AXXZ@Z 77C29D9F 5 Bytes JMP 0A93C110 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_malloc 77C29DAF 5 Bytes JMP 0A93BFE0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_free 77C29E33 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_malloc 77C29E52 5 Bytes JMP 0A93BFC0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_offset_realloc 77C29E6E 5 Bytes JMP 0A93C020 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_aligned_realloc 77C29FC6 5 Bytes JMP 0A93C000 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_expand 77C29FE5 5 Bytes JMP 0A93BFA0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapadd 77C2BC9F 5 Bytes JMP 0A93C160 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapchk 77C2BCB3 5 Bytes JMP 0A93C170 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapset + 1 77C2BD83 4 Bytes JMP 0A93C191 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapmin 77C2BD8C 5 Bytes JMP 0A93C260 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapused 77C2BE3A 5 Bytes JMP 0A93C230 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_heapwalk 77C2BE4D 5 Bytes JMP 0A93C1A0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!_msize 77C2BF6C 5 Bytes JMP 0A93BEB0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!calloc 77C2C0C3 5 Bytes JMP 0A93BE50 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!free 77C2C21B 5 Bytes JMP 0A93C0E0 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!malloc 77C2C407 5 Bytes JMP 0A93BE10 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) .text C:\Program Files\Palm\Hotsync.exe[3464] msvcrt.dll!realloc 77C2C437 5 Bytes JMP 0A93BE90 C:\Program Files\Palm\SHW32.DLL (Memory Management Library for Win32/MicroQuill Software Publishing, Inc.) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) ---- EOF - GMER 1.0.15 ----

syler View Member Profile	Jun 17 2009, 07:24 PM Post #12
Forum Addict Group: Malware Response Team Posts: 7,637 Joined: 7-November 07 From: Warrington, UK Member No.: 168,228	1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: CODE File:: c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll c:\windows\system32\bak c:\windows\system32\bak c:\windows\system\bak c:\windows\SMINST\bak c:\program files\QuickTime\bak c:\program files\Java\j2re1.4.2_03\bin\bak c:\program files\iTunes\bak c:\program files\Grisoft\AVG7\bak c:\program files\Adobe\Reader 8.0\Reader\bak c:\hp\KBD\bak Rootkit:: c:\docume~1\COMPAQ~1\LOCALS~1\Temp\JETDB28.tmp Registry:: [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000000 Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Thanks -------------------- If I have helped you, and you would like to make a donation to me, click here

hcbarber View Member Profile	Jun 17 2009, 08:12 PM Post #13
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I hope that I am posting this correctly. I followed the procedures and I am pasting the log file that was created. ComboFix 09-06-17.02 - Compaq_Owner 06/17/2009 20:37.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.422 [GMT -4:00] Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Lavasoft Ad-Watch Live! Anti-Virus On-access scanning disabled (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} FILE :: "c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll" "c:\hp\KBD\bak" "c:\program files\Adobe\Reader 8.0\Reader\bak" "c:\program files\Grisoft\AVG7\bak" "c:\program files\iTunes\bak" "c:\program files\Java\j2re1.4.2_03\bin\bak" "c:\program files\QuickTime\bak" "c:\windows\SMINST\bak" "c:\windows\system\bak" "c:\windows\system32\bak" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll . ((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 ))))))))))))))))))))))))))))))) . 2009-06-15 22:32 . 2009-06-15 22:32 0 ----a-w- c:\documents and settings\Compaq_Owner\settings.dat 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-12 12:33 . 2009-06-12 12:31 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe 2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute 2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod 2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE 2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache 2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates 2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation 2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys 2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe 2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic 2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations 2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes 2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple 2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime 2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg 2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe 2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-05-22 18:33 . 2009-05-18 14:14 -------- d-----w- c:\program files\PC Tools AntiVirus 2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-05-22 13:44 . 2009-05-17 22:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft 2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools 2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive 2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute 2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks 2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR 2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS . ((((((((((((((((((((((((((((( SnapShot@2009-06-15_22.22.30 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-18 00:44 . 2009-06-18 00:44 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat - 2009-06-15 22:21 . 2009-06-15 22:21 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE 2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe 2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe 2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe 2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe 2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe 2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe 2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe 2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE 2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe 2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe 2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe 2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248] "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363] "AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344] c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ PowerReg Scheduler.exe [2009-5-22 225280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552] Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423] Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376] SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776] R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-17 c:\windows\Tasks\Ad-Aware Scan (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-17 c:\windows\Tasks\Ad-Aware Update (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Settings,ProxyOverride = .local IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-17 20:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3612) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2009-06-18 20:54 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-18 00:54 ComboFix2.txt 2009-06-15 22:27 Pre-Run: 16,055,783,424 bytes free Post-Run: 16,036,634,624 bytes free 235 --- E O F --- 2009-06-10 07:08

syler View Member Profile	Jun 17 2009, 08:28 PM Post #14
Forum Addict Group: Malware Response Team Posts: 7,637 Joined: 7-November 07 From: Warrington, UK Member No.: 168,228	Yes, you posted that correctly 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: CODE Folder:: c:\windows\system32\bak c:\windows\system\bak c:\windows\SMINST\bak c:\program files\QuickTime\bak c:\program files\Java\j2re1.4.2_03\bin\bak c:\program files\iTunes\bak c:\program files\Grisoft\AVG7\bak c:\program files\Adobe\Reader 8.0\Reader\bak c:\hp\KBD\bak Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. *Next* Please do a scan with Kaspersky Online Scanner Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan. Click on the Accept button and install any components it needs. The program will install and then begin downloading the latest definition files. After the files have been downloaded on the left side of the page in the Scan section select My Computer This will start the program and scan your system. The scan will take a while, so be patient and let it run. Once the scan is complete, click on View scan report Now, click on the Save Report as button. Save the file to your desktop. Copy and paste that information in your next post. Then please post back here with the following: Combofix.txt Kaspersky report This post has been edited by syler: Jun 17 2009, 08:28 PM -------------------- If I have helped you, and you would like to make a donation to me, click here

hcbarber View Member Profile	Jun 18 2009, 04:26 PM Post #15
New Member Group: Members Posts: 12 Joined: 2-June 09 Member No.: 338,277	I ran the combofix again and I will post the log. I also ran the kaspersky online scanner and the scan report said that no malware had been detected. However, adaware continues to pop up and say that a virus was detected. I disabled adaware, so I am not sure why that happens when the computer reboots. Thank you for your help. ComboFix 09-06-17.02 - Compaq_Owner 06/17/2009 20:37.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.703.422 [GMT -4:00] Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} AV: Lavasoft Ad-Watch Live! Anti-Virus On-access scanning disabled (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33} FILE :: "c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll" "c:\hp\KBD\bak" "c:\program files\Adobe\Reader 8.0\Reader\bak" "c:\program files\Grisoft\AVG7\bak" "c:\program files\iTunes\bak" "c:\program files\Java\j2re1.4.2_03\bin\bak" "c:\program files\QuickTime\bak" "c:\windows\SMINST\bak" "c:\windows\system\bak" "c:\windows\system32\bak" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll . ((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 ))))))))))))))))))))))))))))))) . 2009-06-15 22:32 . 2009-06-15 22:32 0 ----a-w- c:\documents and settings\Compaq_Owner\settings.dat 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-12 14:27 . 2009-06-12 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-06-12 14:27 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-12 13:41 . 2009-06-02 17:37 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll 2009-06-12 12:33 . 2009-06-12 12:31 826624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe 2009-06-12 12:32 . 2009-06-12 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar 2009-06-12 12:32 . 2009-06-12 12:32 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR 2009-06-10 07:16 . 2009-06-10 07:16 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\InterMute 2009-06-10 05:44 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-06-10 05:44 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-06-05 01:23 . 2009-06-05 01:23 -------- d-----w- c:\program files\iPod 2009-06-05 01:22 . 2009-06-05 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} 2009-06-05 01:17 . 2009-05-29 17:36 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll 2009-06-05 01:13 . 2009-06-05 01:13 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe 2009-06-04 21:33 . 2009-06-04 21:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2009-06-02 18:26 . 2009-06-02 18:26 -------- d-sh--w- c:\documents and settings\Compaq_Owner\PrivacIE 2009-06-02 18:25 . 2009-06-02 18:25 -------- d-sh--w- c:\documents and settings\Compaq_Owner\IETldCache 2009-06-02 18:22 . 2009-06-02 18:22 -------- d-----w- c:\windows\ie8updates 2009-06-02 18:22 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-06-02 18:19 . 2009-06-02 18:21 -------- dc-h--w- c:\windows\ie8 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Common Files\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation 2009-05-29 22:19 . 2009-05-29 22:19 -------- d-----w- c:\program files\Diskeeper Corporation 2009-05-29 19:59 . 2009-05-29 19:59 664 ----a-w- c:\windows\system32\d3d9caps.dat 2009-05-28 01:34 . 2009-05-28 01:34 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2009-05-28 01:34 . 2009-05-28 01:34 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2009-05-28 01:34 . 2009-05-28 01:34 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2009-05-28 01:34 . 2009-05-28 01:34 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2009-05-26 02:17 . 2009-05-28 01:34 15688 ----a-w- c:\windows\system32\lsdelete.exe 2009-05-26 01:20 . 2009-05-26 01:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys 2009-05-26 01:08 . 2009-05-29 20:10 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F} 2009-05-26 01:08 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe 2009-05-26 01:08 . 2009-05-26 01:08 -------- d-----w- c:\program files\Lavasoft 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2009-05-24 17:07 . 2009-05-24 19:33 2102048 --sha-w- c:\windows\system32\drivers\fidbox.dat 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\program files\Common Files\ParetoLogic 2009-05-24 16:45 . 2009-05-24 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic 2009-05-24 16:43 . 2009-05-24 16:43 -------- d-----w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Downloaded Installations 2009-05-22 13:48 . 2009-05-22 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft 2009-05-22 13:43 . 2009-05-22 13:42 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-22 13:41 . 2009-05-22 13:41 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-12 12:31 . 2008-06-15 02:40 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-06-05 01:23 . 2007-11-30 04:28 -------- d-----w- c:\program files\iTunes 2009-06-05 01:22 . 2007-11-30 04:23 -------- d-----w- c:\program files\Common Files\Apple 2009-06-05 01:19 . 2007-11-30 04:25 -------- d-----w- c:\program files\QuickTime 2009-05-29 19:57 . 2004-08-10 15:43 3888 -c--a-w- c:\windows\viassary-hp.reg 2009-05-29 17:36 . 2008-08-01 01:16 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys 2009-05-26 12:20 . 2007-11-29 15:43 -------- d-----w- c:\program files\Common Files\Adobe 2009-05-24 19:58 . 2004-08-10 15:11 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2009-05-24 17:07 . 2009-05-24 17:07 32 --sha-w- c:\windows\system32\drivers\fidbox.idx 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\program files\Spybot - Search & Destroy 2009-05-23 02:24 . 2007-11-28 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-05-22 18:33 . 2009-05-18 14:14 -------- d-----w- c:\program files\PC Tools AntiVirus 2009-05-22 18:29 . 2009-05-16 21:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-05-22 13:44 . 2009-05-17 22:15 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Lavasoft 2009-05-18 16:34 . 2009-05-18 16:34 34656 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft 2009-05-18 16:30 . 2009-05-18 16:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools 2009-05-18 15:12 . 2009-05-18 15:12 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Motive 2009-05-17 22:53 . 2009-05-17 22:53 -------- d-----w- c:\program files\interMute 2009-05-17 18:17 . 2008-09-30 00:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Move Networks 2009-05-17 15:13 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\AVGTOOLBAR 2009-05-17 12:53 . 2008-06-15 02:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-17 12:53 . 2008-02-28 01:18 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-17 12:53 . 2008-06-15 02:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-16 17:37 . 2008-06-15 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-05-13 05:15 . 2007-11-28 17:00 915456 ----a-w- c:\windows\system32\wininet.dll 2009-05-07 15:32 . 2007-11-28 16:59 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-17 12:26 . 2007-11-28 17:00 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2007-11-28 17:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2007-11-28 12:17 . 2007-11-28 17:30 0 -csha-w- c:\windows\SMINST\HPCD.SYS . ((((((((((((((((((((((((((((( SnapShot@2009-06-15_22.22.30 ))))))))))))))))))))))))))))))))))))))))) . + 2009-06-18 00:44 . 2009-06-18 00:44 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat - 2009-06-15 22:21 . 2009-06-15 22:21 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat . ((((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2004-08-10 14:57 . 2003-02-12 03:02 61440 c:\hp\KBD\bak\KBD.EXE 2007-10-11 00:51 . 2007-10-11 00:51 39792 c:\program files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe 2008-01-12 02:16 . 2008-01-12 02:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe 2007-11-30 02:22 . 2007-12-22 16:46 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe 2008-01-15 08:22 . 2008-01-15 08:22 267048 c:\program files\iTunes\bak\iTunesHelper.exe 2009-05-30 16:30 . 2009-05-30 16:30 292136 c:\program files\iTunes\iTunesHelper.exe 2004-08-10 14:09 . 2004-08-10 14:09 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe 2008-01-10 20:27 . 2008-01-10 20:27 385024 c:\program files\QuickTime\bak\QTTask.exe 2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe 2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE 2004-08-10 14:24 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe 2007-11-28 16:58 . 2004-08-03 19:00 15360 c:\windows\system32\bak\ctfmon.exe 2007-11-28 16:58 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe 2004-08-10 14:57 . 2003-09-13 03:13 98304 c:\windows\system32\bak\ps2.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-06-02 17:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-12 1948440] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-29 518488] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136] "VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248] "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363] "AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344] c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\ PowerReg Scheduler.exe [2009-5-22 225280] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552] Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423] Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2008-8-31 229376] SpySubtract.lnk - c:\program files\interMute\SpySubtract\SpySub.exe [2009-5-17 1183744] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"= "c:\program files\interMute\SpySubtract\sshook.dll" [2009-05-17 73728] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-17 12:53 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk \0autocheck lsdelete\0autocheck lsdelete\0autocheck lsdelete [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/25/2009 9:21 PM 64160] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2008 10:40 PM 327688] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2008 10:40 PM 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/7/2008 10:03 AM 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/7/2008 10:03 AM 298776] R3 Belkin Belkin 11Mbps Wireless USB Network Adapter®;Belkin Belkin 11Mbps Wireless USB Network Adapter® Service for Belkin 11Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\bkusbxp.sys [1/2/2009 3:34 PM 98432] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 1005904] [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-17 c:\windows\Tasks\Ad-Aware Scan (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-17 c:\windows\Tasks\Ad-Aware Update (Daily).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:21] 2009-06-11 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34] . . ------- Supplementary Scan ------- . mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop uInternet Settings,ProxyOverride = .local IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-17 20:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3612) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2009-06-18 20:54 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-18 00:54 ComboFix2.txt 2009-06-15 22:27 Pre-Run: 16,055,783,424 bytes free Post-Run: 16,036,634,624 bytes free 235 --- E O F --- 2009-06-10 07:08

« Next Oldest · Virus, Trojan, Spyware, and Malware Removal Logs · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 29th July 2010 - 09:22 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides