Help with Log/Malware removal


69 replies to this topic

#1 kozz28 (Members, 45 posts)

Posted 29 December 2008 - 10:56 AM

Hi, if someone could help me I would appreciate it. It seems my browser gets hijacked every day even when I remove the virus/Trojan with Malwarebytes' Anti-Malware. When I search Google for something it seems to navigate to 1.2.3.0 and then to a Google page with wrong results. Below is my HijackThis file:

Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:53 AM, on 12/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WinTVR3\WinTVR.EXE
C:\Program Files\WinTVR3\Schedule.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\CallCenterDashBoard.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE
C:\PathwayBilling\CallCenter2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228503859998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228503850373
O16 - DPF: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A} (ECareAgent Class) - http://ecare4a.netopia.com/techsupport/eca...t_4.2.1.319.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pathwaydomain
O17 - HKLM\Software\..\Telephony: DomainName = pathwaydomain
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA22277-800F-43EA-8A7D-8737151FC27D}: NameServer = 192.168.1.20,24.92.226.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pathwaydomain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pathwaydomain
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pathwaydomain
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: USBDLM - Unknown owner - C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe (file missing)

--
End of file - 10226 bytes


#2 kozz28 (Topic Starter)

Posted 30 December 2008 - 09:07 AM

It now says waiting for 7.7.7. I have used every spyware program I could find and I still cannot solve this problem. Is there any way to fix this without formatting? Thank you for your help. Below is my DDS.txt:


DDS (Version 1.1.0) - NTFSx86
Run by kozm at 9:49:13.01 on Tue 12/30/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1750 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinTVR3\WinTVR.EXE
C:\Program Files\WinTVR3\Schedule.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\CallCenterDashBoard.exe
C:\PathwayBilling\CallCenter2.exe
C:\Program Files\Microsoft Office\OFFICE11\MSACCESS.EXE
C:\Program Files\GrabIt\GrabIt.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [Openwares LiveUpdate] c:\program files\liveupdate\LiveUpdate.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Itiva Media Accelerator] c:\program files\itiva\itiva media accelerator\ItivaMediaAccelerator.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Nitro PDF Printer Monitor] "c:\program files\nitro pdf\professional\NitroPDFPrinterMonitor.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\common files\justdo\IECatcher.DLL/FlashCatcher.htm
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mic273~1\web2~1\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {8DA22277-800F-43EA-8A7D-8737151FC27D} = 192.168.1.20,24.92.226.12
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyvsTkI

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pwuser~1.pat\applic~1\mozilla\firefox\profiles\wk1kp8wb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\pwuser20.pathwaydomain\application data\mozilla\firefox\profiles\wk1kp8wb.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\itiva\itiva media accelerator\npima.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 NAVAPEL;NAVAPEL;\??\c:\progra~1\symant~1\symant~1\NAVAPEL.SYS [2002-6-19 29184]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;"c:\program files\symantec_client_security\symantec antivirus\Rtvscan.exe" [2002-7-30 573440]
R2 SPTimer;SharePoint Timer Service;"c:\program files\common files\microsoft shared\web server extensions\50\bin\OWSTIMER.EXE" [2001-2-16 345504]
R3 NAVAP;NAVAP;\??\c:\program files\symantec_client_security\symantec antivirus\NAVAP.sys [2002-6-19 218112]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081228.003\NAVENG.sys [2008-12-29 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081228.003\NAVEX15.sys [2008-12-29 876112]
S2 Ms-java;Ms-java;c:\windows\driver\i386\ms-java.exe []
S2 USBDLM;USBDLM;c:\documents and settings\pwuser20.pathwaydomain\desktop\new folder\usbdlm\USBDLM.exe []

=============== Created Last 30 ================

2008-12-29 16:35 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-29 16:35 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-29 16:08 345 a------- c:\windows\gmer.ini
2008-12-29 15:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-29 15:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-29 12:49 <DIR> --d----- c:\program files\EsetOnlineScanner
2008-12-08 09:38 <DIR> --d----- c:\docume~1\pwuser~1.pat\applic~1\Malwarebytes
2008-12-08 09:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-08 09:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 09:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 09:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-08 09:13 54,156 a---h--- c:\windows\QTFont.qfn
2008-12-08 09:13 1,409 a------- c:\windows\QTFont.for
2008-12-05 15:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2008-12-05 15:34 <DIR> --d----- c:\program files\SUPERAntiSpyware
2008-12-05 15:34 <DIR> --d----- c:\docume~1\pwuser~1.pat\applic~1\SUPERAntiSpyware.com
2008-12-05 15:13 0 a------- c:\windows\system32\8104297.jun
2008-12-05 15:12 <DIR> --d----- c:\program files\Browser Hijack Recover
2008-12-05 14:44 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-05 14:44 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-12-05 14:44 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-12-05 14:44 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-12-05 14:44 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-05 14:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-05 14:44 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-05 14:44 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-05 14:43 138,496 -------- c:\windows\system32\dllcache\afd.sys
2008-12-05 14:43 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-12-05 14:43 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2008-12-05 14:43 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2008-12-05 14:42 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2008-12-05 14:42 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2008-12-05 14:38 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-05 14:35 2,656 a------- c:\windows\system32\settings.aaw
2008-12-05 14:35 976 a------- c:\windows\system32\history.aaw
2008-12-05 14:31 <DIR> --d----- c:\windows\system32\scripting
2008-12-05 14:31 <DIR> --d----- c:\windows\system32\en
2008-12-05 14:31 <DIR> --d----- c:\windows\system32\bits
2008-12-05 14:31 <DIR> --d----- c:\windows\l2schemas
2008-12-05 14:29 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-05 14:19 327,040 -------- c:\windows\system32\drivers\ati2mtaa.sys
2008-12-05 14:04 23,576 a------- c:\windows\system32\wuapi.dll.mui
2008-12-05 13:54 <DIR> --d----- c:\program files\Trend Micro
2008-12-05 13:42 0 a------- c:\windows\VPC32.INI
2008-12-05 12:08 123,619 a------- c:\windows\system32\SYMEVNT.386
2008-12-05 12:08 83,672 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-05 12:08 73,224 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-05 12:08 <DIR> --d----- c:\program files\Symantec_Client_Security

==================== Find3M ====================

2008-12-05 16:22 3,960 a------- c:\windows\system32\tmp.reg
2008-12-05 14:34 87,699 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-29 17:58 82,944 a------- c:\windows\system32\o4Patch.exe
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-10-31 14:11 1,682 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-10-01 14:51 87,552 a------- c:\windows\system32\VACFix.exe
2007-01-22 13:09 87,608 a------- c:\docume~1\pwuser~1.pat\applic~1\ezpinst.exe
2007-01-22 13:09 47,360 a------- c:\docume~1\pwuser~1.pat\applic~1\pcouffin.sys

============= FINISH: 9:50:19.58 ===============

Edited by kozz28, 30 December 2008 - 09:49 AM.
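The HijackThis log in post #1 and the DDS log in post #2 are read by hand in this thread. As an added example (not a BleepingComputer, HijackThis or DDS tool), the script below applies the first-pass checks a helper makes to lines in those formats: O17 NameServer entries outside the private ranges, O2/O4/O9/O23 entries whose file is missing or lives in a user-writable folder, and a DDS-style LSA Authentication Packages value with anything beyond the Windows XP default msv1_0. The sample lines are constructed from the formats shown above, and the severity labels are my own.

```python
"""Added triage example for HijackThis/DDS-style log lines (not a BleepingComputer
or HijackThis tool). The severity labels "high", "review" and "info" are my own."""
import ipaddress
import re
from dataclasses import dataclass

# Sample constructed from the line formats shown in the thread's HijackThis and DDS logs.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA22277-800F-43EA-8A7D-8737151FC27D}: NameServer = 192.168.1.20,24.92.226.12
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)
O23 - Service: USBDLM - Unknown owner - C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe (file missing)
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyvsTkI
"""


@dataclass
class Finding:
    severity: str  # "high", "review" or "info"
    line: str
    reason: str


# Services and autostarts rarely run legitimately from these folders.
USER_WRITABLE = re.compile(r"\\(desktop|temp)\\", re.IGNORECASE)
# O4 lines whose command is a single token with no directory, e.g. "[Name] stsystra.exe".
BARE_O4 = re.compile(r"O4 - .*?: \[[^\]]+\] (\S+)$")


def check_nameservers(line: str) -> list[Finding]:
    """O17 NameServer: with searches being redirected, any resolver outside the
    private ranges should be confirmed as the ISP's, since a changed DNS server
    is one way a Google search lands on the wrong page."""
    m = re.search(r"NameServer = (.+)$", line)
    if not m:
        return []
    findings = []
    for token in m.group(1).split(","):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            findings.append(Finding("review", line, f"unparseable DNS server {token.strip()!r}"))
            continue
        if not addr.is_private:
            findings.append(Finding("review", line, f"public DNS server {addr}; confirm it is your ISP's"))
    return findings


def check_autostart(line: str) -> list[Finding]:
    """O2/O4/O9/O23: orphaned entries, services without a publisher, user-folder paths."""
    findings = []
    if "(file missing)" in line or "(no file)" in line:
        findings.append(Finding("review", line, "entry points at a file that no longer exists"))
    if "Unknown owner" in line:
        findings.append(Finding("info", line, "service binary carries no publisher information"))
    if USER_WRITABLE.search(line):
        findings.append(Finding("review", line, "runs from a user-writable folder (Desktop or Temp)"))
    m = BARE_O4.match(line)
    if m and "\\" not in m.group(1):
        findings.append(Finding("info", line, f"{m.group(1)} is given without a path; check where it resolves"))
    return findings


def check_lsa_packages(line: str) -> list[Finding]:
    """DDS 'LSA: Authentication Packages': on Windows XP the default is msv1_0
    alone, so any extra entry is loaded into lsass.exe at boot and is a strong
    persistence indicator (the thread's DDS log shows exactly one such extra)."""
    m = re.match(r"LSA: Authentication Packages = (.+)$", line)
    if not m:
        return []
    extras = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
    if not extras:
        return []
    return [Finding("high", line, "non-default LSA authentication package: " + " ".join(extras))]


def triage(log_text: str) -> list[Finding]:
    """Run every check over a whole log and return the findings ordered by severity."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O17 "):
            findings.extend(check_nameservers(line))
        elif line.startswith(("O2 ", "O4 ", "O9 ", "O23 ")):
            findings.extend(check_autostart(line))
        elif line.startswith("LSA:"):
            findings.extend(check_lsa_packages(line))
    order = {"high": 0, "review": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The checks are heuristics to direct a reader's attention, not a verdict: the public resolver and the Stardock AppInit entry in this thread's logs are examples of flagged lines that turn out to be legitimate.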


#3 kozz28 (Topic Starter)

Posted 05 January 2009 - 10:33 AM

Is there anyone that can help me please?

Thank you

#4 Grinler (Lawrence Abrams, Admin, 43,618 posts)

Posted 06 January 2009 - 10:02 AM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.
Please post the contents of the ark.txt as your next reply.

#5 kozz28 (Topic Starter)

Posted 07 January 2009 - 09:25 AM

Hi,

I scanned it and have an ark.txt file attached for you. I was able to get rid of it with ComboFix for a day or so, but it came back, so there must be something that's triggering it to come back.

Thank you

Attached file: ark.txt (11.63KB)

Edited by kozz28, 07 January 2009 - 10:13 AM.


#6 Grinler (Lawrence Abrams, Admin, 43,618 posts)

Posted 07 January 2009 - 03:50 PM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#7 kozz28 (Topic Starter)

Posted 07 January 2009 - 03:56 PM

ComboFix 09-01-05.02 - kozm 2009-01-06 14:38:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1692 [GMT -5:00]
Running from: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))
.

2009-01-05 13:58 . 2009-01-05 13:58 0 --a------ c:\windows\system32\IBQMYMBMQP
2009-01-05 11:31 . 2009-01-05 11:31 <DIR> d-------- C:\fsaua.data
2008-12-31 14:25 . 2008-12-31 14:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-12-31 11:23 . 2008-12-31 11:23 <DIR> d-------- C:\VundoFix Backups
2008-12-30 13:47 . 2008-12-30 13:47 <DIR> d-------- c:\documents and settings\pwuser20\Application Data\Sunbelt
2008-12-30 13:40 . 2008-12-30 13:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-30 12:43 . 2008-12-30 12:43 <DIR> d-------- c:\documents and settings\pwuser20\Application Data\Malwarebytes
2008-12-30 12:39 . 2009-01-06 10:04 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-30 12:39 . 2008-12-30 12:39 <DIR> d-------- c:\program files\AVG
2008-12-30 12:39 . 2008-12-30 12:39 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-30 12:39 . 2008-12-30 12:39 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-30 11:02 . 2008-12-30 11:02 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-30 10:54 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-30 10:54 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Sunbelt
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2008-12-29 16:35 . 2008-12-29 16:35 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-29 16:35 . 2008-12-29 16:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-29 16:08 . 2008-12-29 16:13 345 --a------ c:\windows\gmer.ini
2008-12-29 15:30 . 2008-12-29 15:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 15:30 . 2008-12-29 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-29 12:49 . 2008-12-29 12:51 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-18 09:00 . 2008-12-18 09:22 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Move Networks
2008-12-08 09:38 . 2009-01-05 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 09:38 . 2008-12-08 09:38 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Malwarebytes
2008-12-08 09:38 . 2008-12-08 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 09:38 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 09:38 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 09:13 . 2008-12-12 10:30 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-08 09:13 . 2008-12-08 09:13 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-06 16:27 --------- d-----w c:\program files\Trillian
2009-01-06 15:00 --------- d-----w c:\program files\LIVEUPDATE
2009-01-05 18:14 --------- d-----w c:\program files\mIRC
2008-12-30 17:56 --------- d-----w c:\program files\Symantec
2008-12-30 17:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-30 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-30 16:02 --------- d-----w c:\program files\MSECache
2008-12-29 21:35 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-05 21:14 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-05 21:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-05 21:14 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\SUPERAntiSpyware.com
2008-12-05 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-05 20:14 --------- d-----w c:\program files\Browser Hijack Recover
2008-12-05 19:01 --------- d-----w c:\program files\Common Files\Justdo
2008-12-05 18:54 --------- d-----w c:\program files\Trend Micro
2008-12-05 17:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 17:58 --------- d-----w c:\program files\Alwil Software
2008-12-02 14:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 14:57 --------- d-----w c:\program files\Satori Software
2008-11-11 16:33 --------- d-----w c:\program files\EASEUS
2008-11-11 16:28 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Thinstall
2008-10-31 19:11 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-10-28 21:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2007-01-22 18:09 87,608 ----a-w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\ezpinst.exe
2007-01-22 18:09 47,360 ----a-w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\pcouffin.sys
2005-09-15 22:26 44,153 -c--a-w c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_14.44.55.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-31 19:25:44 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2008-12-31 19:25:44 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2008-12-31 19:25:44 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2008-12-31 19:25:49 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-12-31 19:25:51 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2008-12-31 19:25:46 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-02-27 20:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-02-27 20:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 16:12:55 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\zuppasweb\fa8449b1\ab66bc09\App_Web_uiejettk.dll
- 2008-12-30 19:39:36 274,426 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-06 15:00:26 274,420 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-06 15:00:14 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2005-11-15 1200128]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-05-24 1867776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-09-02 210224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-10-28 681256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-11-28 11:50 106496 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk
backup=c:\windows\pss\PGPtray.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
--a------ 2005-09-16 19:30 262144 c:\program files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2006-08-16 11:33 1826816 c:\program files\Electronic Arts\EA Downloader\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 08:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2004-09-14 08:50 131072 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a--c--- 2004-11-11 10:26 26112 c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-06-26 08:33 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Schedule]
--a------ 2005-09-27 18:03 98304 c:\program files\WinTVR3\Schedule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTVRRemote]
--a------ 2005-09-27 13:56 241664 c:\program files\WinTVR3\Remote.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-30 97928]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-30 13360]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]
R4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-30 69168]
R4 SPTimer;SharePoint Timer Service;c:\program files\Common Files\Microsoft Shared\web server extensions\50\bin\OWSTIMER.EXE [2001-02-16 345504]
S3 EH;EH;c:\docume~1\PWUSER~1.PAT\LOCALS~1\Temp\EH.exe --> c:\docume~1\PWUSER~1.PAT\LOCALS~1\Temp\EH.exe [?]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-10-28 886056]
S4 USBDLM;USBDLM;c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe --> c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d167caaf-efa1-11dc-86a3-00123f7552be}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
TCP: {8DA22277-800F-43EA-8A7D-8737151FC27D} = 192.168.1.20,24.92.226.12

c:\windows\Downloaded Program Files\CobAgent4_2_1_319.dll - O16 -: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A}
hxxp://ecare4a.netopia.com/techsupport/ecare4/components/CobAgent_4.2.1.319.cab
c:\windows\Downloaded Program Files\CobAgent4_2_1_319.inf
FF - ProfilePath - c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Mozilla\Firefox\Profiles\wk1kp8wb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Mozilla\Firefox\Profiles\wk1kp8wb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-06 14:42:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-06 14:44:32
ComboFix-quarantined-files.txt 2009-01-06 19:44:10
ComboFix2.txt 2009-01-05 19:38:33
ComboFix3.txt 2008-12-30 19:45:34

Pre-Run: 21,048,455,168 bytes free
Post-Run: 20,952,666,112 bytes free

271

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 07 January 2009 - 04:06 PM

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

DirLook::
c:\windows\system32\IBQMYMBMQP

File::
c:\docume~1\PWUSER~1.PAT\LOCALS~1\Temp\EH.exe

Driver::
EH


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
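The CFScript above targets two entries the helper picked out of the earlier ComboFix log by eye: the `S3 EH` service whose binary sits in the user's Temp folder and is marked `[?]`, and the zero-byte, extension-less `c:\windows\system32\IBQMYMBMQP`. The following is an added example, not part of this thread, of ComboFix, or of the helper's own method: a small triage script that parses ComboFix's service/driver lines and "Files Created" lines and applies the same kind of heuristics (a service binary under a Temp directory, a binary ComboFix could not find, a zero-byte all-caps name in system32). The regexes, the heuristics and the 8-letter threshold are assumptions; the sample lines are a constructed subset copied from the logs posted in this thread.

```python
"""Triage helper for two sections of a ComboFix log: the driver/service lines
and the "Files Created" list.  Added example for the BleepingComputer thread;
it is not part of ComboFix and not the forum helper's own method.  The
heuristics (Temp-directory paths, a [?] binary, zero-byte all-caps names in
system32) are assumptions chosen to reproduce what the helper picked out by eye."""
import re

# Service/driver line:  <start> <name>;<display>;<path> [<date> <size>]
# When ComboFix cannot stat the binary the tail reads:  <path> --> <path> [?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+.+?)?\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# "Files Created" line:  <created> . <modified> <size|<DIR>> <attrs> <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+?)\s*$"
)

# Extension-less, all-capital names such as IBQMYMBMQP (8-letter threshold is an assumption).
RANDOM_NAME_RE = re.compile(r"^[A-Z]{8,}$")


def flag_service(svc):
    """Return the reasons a service/driver entry deserves a second look."""
    reasons = []
    low = svc["path"].lower()
    if "\\temp\\" in low:
        reasons.append("binary lives under a Temp directory")
    if svc["meta"].strip() == "?":
        reasons.append("ComboFix could not find the binary on disk ([?])")
    return reasons


def flag_file(entry):
    """Return the reasons a 'Files Created' entry deserves a second look."""
    reasons = []
    low = entry["path"].lower()
    base = entry["path"].rsplit("\\", 1)[-1]
    if (entry["size"] == "0" and low.startswith("c:\\windows\\system32\\")
            and RANDOM_NAME_RE.match(base)):
        reasons.append("zero-byte, extension-less, random-looking name in system32")
    if entry["size"] != "<DIR>" and "\\temp\\" in low:
        reasons.append("file dropped under a Temp directory")
    return reasons


def triage(log_text):
    """Scan raw ComboFix log text; return {identifier: [reasons]} for flagged entries."""
    findings = {}
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            reasons = flag_service(m.groupdict())
            if reasons:
                findings["service:" + m.group("name")] = reasons
            continue
        m = FILE_RE.match(line)
        if m:
            reasons = flag_file(m.groupdict())
            if reasons:
                findings["file:" + m.group("path")] = reasons
    return findings


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-30 97928]
S3 EH;EH;c:\docume~1\PWUSER~1.PAT\LOCALS~1\Temp\EH.exe --> c:\docume~1\PWUSER~1.PAT\LOCALS~1\Temp\EH.exe [?]
S4 USBDLM;USBDLM;c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe --> c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe [?]
2009-01-05 13:58 . 2009-01-05 13:58 0 --a------ c:\windows\system32\IBQMYMBMQP
2008-12-30 12:39 . 2008-12-30 12:39 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-31 14:25 . 2008-12-31 14:27 <DIR> d-------- c:\windows\BDOSCAN8
"""

if __name__ == "__main__":
    for ident, reasons in triage(SAMPLE_LOG).items():
        print(ident)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the script flags `EH` on both counts, flags `USBDLM` only for the missing binary (a known tool the user keeps on the Desktop, so a single weak signal that a human reviewer would clear), and flags `IBQMYMBMQP`, while the AVG driver and the BDOSCAN8 directory pass. That ordering of confidence is the point: the heuristics narrow the log to a few candidates, and the decision about what goes into a CFScript still rests with whoever reads the thread.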

#9 kozz28

kozz28
  • Topic Starter

  • Members
  • 45 posts

Posted 07 January 2009 - 04:31 PM

ComboFix 09-01-05.02 - kozm 2009-01-07 16:18:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1952 [GMT -5:00]
Running from: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\PWUSER~1.PAT\LOCALS~1\Temp\EH.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EH
-------\Service_EH


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-05 13:58 . 2009-01-05 13:58 0 --a------ c:\windows\system32\IBQMYMBMQP
2009-01-05 11:31 . 2009-01-05 11:31 <DIR> d-------- C:\fsaua.data
2008-12-31 14:25 . 2008-12-31 14:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-12-31 11:23 . 2008-12-31 11:23 <DIR> d-------- C:\VundoFix Backups
2008-12-30 13:47 . 2008-12-30 13:47 <DIR> d-------- c:\documents and settings\pwuser20\Application Data\Sunbelt
2008-12-30 13:40 . 2008-12-30 13:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-30 12:43 . 2008-12-30 12:43 <DIR> d-------- c:\documents and settings\pwuser20\Application Data\Malwarebytes
2008-12-30 12:39 . 2009-01-06 14:51 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-30 12:39 . 2008-12-30 12:39 <DIR> d-------- c:\program files\AVG
2008-12-30 12:39 . 2008-12-30 12:39 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-30 12:39 . 2008-12-30 12:39 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-30 11:02 . 2008-12-30 11:02 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-30 10:54 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-30 10:54 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Sunbelt
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2008-12-29 16:35 . 2008-12-29 16:35 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-29 16:35 . 2008-12-29 16:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-29 16:08 . 2009-01-07 10:11 345 --a------ c:\windows\gmer.ini
2008-12-29 15:30 . 2008-12-29 15:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 15:30 . 2008-12-29 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-29 12:49 . 2008-12-29 12:51 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-18 09:00 . 2008-12-18 09:22 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Move Networks
2008-12-08 09:38 . 2009-01-05 10:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-08 09:38 . 2008-12-08 09:38 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Malwarebytes
2008-12-08 09:38 . 2008-12-08 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-08 09:38 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-08 09:38 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-08 09:13 . 2008-12-12 10:30 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-08 09:13 . 2008-12-08 09:13 1,409 --a------ c:\windows\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 15:08 --------- d-----w c:\program files\Trillian
2009-01-06 15:00 --------- d-----w c:\program files\LIVEUPDATE
2009-01-05 18:14 --------- d-----w c:\program files\mIRC
2008-12-30 17:56 --------- d-----w c:\program files\Symantec
2008-12-30 17:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-30 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-30 16:02 --------- d-----w c:\program files\MSECache
2008-12-29 21:35 --------- d-----w c:\program files\Java
2008-12-05 21:14 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-05 21:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-05 21:14 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\SUPERAntiSpyware.com
2008-12-05 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-05 20:14 --------- d-----w c:\program files\Browser Hijack Recover
2008-12-05 19:01 --------- d-----w c:\program files\Common Files\Justdo
2008-12-05 18:54 --------- d-----w c:\program files\Trend Micro
2008-12-05 17:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 17:58 --------- d-----w c:\program files\Alwil Software
2008-12-02 14:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 14:57 --------- d-----w c:\program files\Satori Software
2008-11-11 16:33 --------- d-----w c:\program files\EASEUS
2008-11-11 16:28 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Thinstall
2007-01-22 18:09 87,608 ----a-w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\ezpinst.exe
2007-01-22 18:09 47,360 ----a-w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\pcouffin.sys
2005-09-15 22:26 44,153 -c--a-w c:\program files\mozilla firefox\components\inspector.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\IBQMYMBMQP ----

c:\windows\system32\IBQMYMBMQP\


((((((((((((((((((((((((((((( snapshot@2008-12-30_14.44.55.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-31 19:25:44 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2008-12-31 19:25:44 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2008-12-31 19:25:44 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2008-12-31 19:25:49 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-12-31 19:25:51 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2008-12-31 19:25:46 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-02-27 20:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-02-27 20:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 16:12:55 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\zuppasweb\fa8449b1\ab66bc09\App_Web_uiejettk.dll
- 2008-12-30 19:39:36 274,426 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-07 21:24:01 274,420 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-07 21:23:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2005-11-15 1200128]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-05-24 1867776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-09-02 210224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-10-28 681256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-11-28 11:50 106496 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk
backup=c:\windows\pss\PGPtray.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
--a------ 2005-09-16 19:30 262144 c:\program files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2006-08-16 11:33 1826816 c:\program files\Electronic Arts\EA Downloader\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 08:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2004-09-14 08:50 131072 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a--c--- 2004-11-11 10:26 26112 c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-06-26 08:33 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Schedule]
--a------ 2005-09-27 18:03 98304 c:\program files\WinTVR3\Schedule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTVRRemote]
--a------ 2005-09-27 13:56 241664 c:\program files\WinTVR3\Remote.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-30 97928]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-30 13360]
R4 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-10-28 886056]
R4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-30 69168]
R4 SPTimer;SharePoint Timer Service;c:\program files\Common Files\Microsoft Shared\web server extensions\50\bin\OWSTIMER.EXE [2001-02-16 345504]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]
S4 USBDLM;USBDLM;c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe --> c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d167caaf-efa1-11dc-86a3-00123f7552be}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
TCP: {8DA22277-800F-43EA-8A7D-8737151FC27D} = 192.168.1.20,24.92.226.12

c:\windows\Downloaded Program Files\CobAgent4_2_1_319.dll - O16 -: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A}
hxxp://ecare4a.netopia.com/techsupport/ecare4/components/CobAgent_4.2.1.319.cab
c:\windows\Downloaded Program Files\CobAgent4_2_1_319.inf
FF - ProfilePath - c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Mozilla\Firefox\Profiles\wk1kp8wb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Mozilla\Firefox\Profiles\wk1kp8wb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 16:24:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\VARPC.EXE
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-01-07 16:30:31 - machine was rebooted [kozm]
ComboFix-quarantined-files.txt 2009-01-07 21:30:22
ComboFix2.txt 2009-01-06 19:44:34
ComboFix3.txt 2009-01-05 19:38:33
ComboFix4.txt 2008-12-30 19:45:34

Pre-Run: 20,864,081,920 bytes free
Post-Run: 20,775,116,800 bytes free

274




Hijackthis Log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32, on 2009-01-07
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Itiva Media Accelerator] C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228503859998
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228503850373
O16 - DPF: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A} (ECareAgent Class) - http://ecare4a.netopia.com/techsupport/eca...t_4.2.1.319.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pathwaydomain
O17 - HKLM\Software\..\Telephony: DomainName = pathwaydomain
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA22277-800F-43EA-8A7D-8737151FC27D}: NameServer = 192.168.1.20,24.92.226.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pathwaydomain
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pathwaydomain
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pathwaydomain
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: USBDLM - Unknown owner - C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe (file missing)

--
End of file - 10711 bytes
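The two logs above are raw HijackThis and ComboFix output, and the handful of items a removal helper would ask about (the second, non-private resolver in the O17 line, the orphaned USBDLM service entry, the AppInit_DLLs list, the disabled firewall profile and the open 3389 port) sit among hundreds of ordinary lines. As an added example that is not part of the original thread, the Python below pulls those indicator classes out of pasted log lines and orders them for review. The sample lines are copied from the logs posted above, except the `uInternet Settings,ProxyServer` line, which is constructed to show the shape ComboFix uses when Internet Explorer has a proxy configured. The severity labels are the example's own judgement; the public DNS address is flagged for confirmation, not called malicious.

```python
import re
from dataclasses import dataclass

# RFC 1918 ranges: a resolver here is the LAN router or a domain controller,
# which is what a domain-joined workstation is expected to use.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


def public_ips(csv: str) -> list[str]:
    """Return the entries of a comma-separated IP list that are not RFC 1918."""
    ips = (p.strip() for p in csv.split(","))
    return [ip for ip in ips if ip and not PRIVATE_RE.match(ip)]


def triage(lines) -> list[Finding]:
    """Flag HijackThis / ComboFix lines worth a second look, highest severity first."""
    findings = []
    for raw in lines:
        line = raw.strip()
        # O17 / TCP: the resolvers. A swapped DNS server is one way to make search
        # results "go somewhere else first"; a non-private address needs a lookup.
        m = re.search(r"NameServer = (.+)$", line)
        if m:
            pub = public_ips(m.group(1))
            if pub:
                findings.append(Finding("medium", line,
                    f"non-private DNS resolver(s) {pub}: confirm they belong to the ISP"))
            continue
        # O23 service whose binary is gone: an orphaned entry to clean up.
        if line.startswith("O23 -") and "(file missing)" in line:
            findings.append(Finding("info", line,
                "service points at a missing binary; remove the orphaned entry"))
            continue
        # O20 AppInit_DLLs: every DLL listed loads into every process that links user32.dll.
        m = re.match(r"O20 - AppInit_DLLs: (.+)$", line)
        if m:
            dlls = [d.strip() for d in m.group(1).split(",")]
            findings.append(Finding("medium", line,
                f"AppInit_DLLs loads {dlls} into every GUI process; account for each one"))
            continue
        # ComboFix firewall-policy dump: the profile is switched off entirely.
        if line.startswith('"EnableFirewall"') and re.search(r"=\s*0\b", line):
            findings.append(Finding("high", line,
                "Windows Firewall disabled in the standard profile"))
            continue
        # GloballyOpenPorts: Remote Desktop is the one worth confirming on a workstation.
        m = re.match(r'"(\d+):(TCP|UDP)"=', line)
        if m and m.group(1) == "3389":
            findings.append(Finding("info", line,
                "Remote Desktop (3389/TCP) open in the firewall policy; confirm it is intended"))
            continue
        # ComboFix prints these under Supplementary Scan when IE has a proxy configured;
        # a proxy the user did not set is a classic redirect mechanism.
        m = re.match(r"u?Internet Settings,(ProxyServer|AutoConfigURL) = (.+)$", line)
        if m:
            findings.append(Finding("high", line,
                f"IE {m.group(1)} is set to {m.group(2)}; verify the user configured it deliberately"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


SAMPLE_LINES = [
    # copied from the HijackThis and ComboFix logs posted in this thread
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{8DA22277-800F-43EA-8A7D-8737151FC27D}: NameServer = 192.168.1.20,24.92.226.12",
    r"O20 - AppInit_DLLs: wbsys.dll,avgrsstx.dll",
    r"O23 - Service: USBDLM - Unknown owner - C:\Documents and Settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe (file missing)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r'"EnableFirewall"= 0 (0x0)',
    r'"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009',
    r'"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service',
    # constructed: not in the posted logs; the shape ComboFix uses when IE has a proxy set
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5555",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against a full pasted log, the same function leaves the Adobe BHO and the subnet-scoped ActiveSync port alone and returns only the six lines a helper would actually follow up on.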

#10 Grinler (Lawrence Abrams)

  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 07 January 2009 - 04:36 PM

Please delete this file. I had thought it was a directory by mistake:

c:\windows\system32\IBQMYMBMQP


Are you still having the problem now?

#11 kozz28 (Topic Starter)

  • Members
  • 45 posts

Posted 07 January 2009 - 04:42 PM

Seems OK now, I will let you know if it comes back again. Thank you for your assistance.

#12 Grinler (Lawrence Abrams)

  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 07 January 2009 - 05:01 PM

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore here for your particular Windows version:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

or

Windows Vista System Restore Guide


Re-enable System Restore with the instructions from the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files
To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


I am closing this topic. Please message a moderator if you need it reopened.

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

#13 Grinler (Lawrence Abrams)

  • Admin
  • 43,618 posts
  • Gender:Male
  • Location:USA

Posted 09 January 2009 - 11:39 AM

Open Internet Explorer. When it is open, click on Tools and then Internet Options. Then click on the Connections tab and press the LAN Settings button. Do you have it set to use a proxy server?

#14 kozz28 (Topic Starter)

  • Members
  • 45 posts

Posted 09 January 2009 - 11:44 AM

No, I do not have it set to use a proxy server.

Thanks

#15 kozz28 (Topic Starter)

  • Members
  • 45 posts

Posted 09 January 2009 - 12:00 PM

I ran another ComboFix and got rid of the problem again. But I'm sure it will come back again without further investigation. Thank you.

ComboFix 09-01-08.05 - kozm 2009-01-09 10:01:15.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1620 [GMT -5:00]
Running from: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\wdmaud.sys

.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-05 11:31 . 2009-01-05 11:31 <DIR> d-------- C:\fsaua.data
2008-12-31 14:25 . 2008-12-31 14:27 <DIR> d-------- c:\windows\BDOSCAN8
2008-12-31 11:23 . 2008-12-31 11:23 <DIR> d-------- C:\VundoFix Backups
2008-12-30 13:47 . 2008-12-30 13:47 <DIR> d-------- c:\documents and settings\pwuser20\Application Data\Sunbelt
2008-12-30 13:40 . 2008-12-30 13:40 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-30 12:43 . 2008-12-30 12:43 <DIR> d-------- c:\documents and settings\pwuser20\Application Data\Malwarebytes
2008-12-30 12:39 . 2009-01-07 16:40 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-30 12:39 . 2008-12-30 12:39 <DIR> d-------- c:\program files\AVG
2008-12-30 12:39 . 2008-12-30 12:39 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-30 12:39 . 2008-12-30 12:39 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-30 11:02 . 2008-12-30 11:02 <DIR> d-------- c:\program files\Windows Installer Clean Up
2008-12-30 10:54 . 2008-09-12 11:12 69,168 --a------ c:\windows\system32\drivers\sbapifs.sys
2008-12-30 10:54 . 2008-09-12 11:12 13,360 --a------ c:\windows\system32\drivers\sbaphd.sys
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\program files\Sunbelt Software
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Sunbelt
2008-12-30 10:51 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sunbelt
2008-12-29 16:35 . 2008-12-29 16:35 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-29 16:35 . 2008-12-29 16:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-29 16:08 . 2009-01-07 10:11 345 --a------ c:\windows\gmer.ini
2008-12-29 15:30 . 2008-12-29 15:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-29 15:30 . 2008-12-29 15:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-29 12:49 . 2008-12-29 12:51 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-18 09:00 . 2008-12-18 09:22 <DIR> d-------- c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:50 --------- d-----w c:\program files\Trillian
2009-01-06 15:00 --------- d-----w c:\program files\LIVEUPDATE
2009-01-05 18:14 --------- d-----w c:\program files\mIRC
2009-01-05 15:37 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-04 23:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 23:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-30 17:56 --------- d-----w c:\program files\Symantec
2008-12-30 17:55 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-30 17:39 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-30 16:02 --------- d-----w c:\program files\MSECache
2008-12-29 21:35 --------- d-----w c:\program files\Java
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-08 14:38 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Malwarebytes
2008-12-08 14:38 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-05 21:14 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-05 21:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-05 21:14 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\SUPERAntiSpyware.com
2008-12-05 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-12-05 20:14 --------- d-----w c:\program files\Browser Hijack Recover
2008-12-05 19:01 --------- d-----w c:\program files\Common Files\Justdo
2008-12-05 18:54 --------- d-----w c:\program files\Trend Micro
2008-12-05 17:08 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-04 17:58 --------- d-----w c:\program files\Alwil Software
2008-12-02 14:35 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-18 14:57 --------- d-----w c:\program files\Satori Software
2008-11-11 16:33 --------- d-----w c:\program files\EASEUS
2008-11-11 16:28 --------- d-----w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Thinstall
2008-10-31 19:11 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-10-28 21:28 65,320 ----a-w c:\windows\system32\sbbd.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:12 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2007-01-22 18:09 87,608 ----a-w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\ezpinst.exe
2007-01-22 18:09 47,360 ----a-w c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\pcouffin.sys
2005-09-15 22:26 44,153 -c--a-w c:\program files\mozilla firefox\components\inspector.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-30_14.44.55.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-31 19:25:44 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2008-12-31 19:25:44 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2008-12-31 19:25:44 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2008-12-31 19:25:49 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-12-31 19:25:51 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2008-12-31 19:25:46 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-02-27 20:59:28 290,816 ----a-w c:\windows\Downloaded Program Files\auc_lib.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-02-27 20:59:28 495,616 ----a-w c:\windows\Downloaded Program Files\daas_s.dll
+ 2008-02-27 21:00:12 262,144 ----a-w c:\windows\Downloaded Program Files\fscax.dll
+ 2008-02-27 20:59:16 588,392 ----a-w c:\windows\Downloaded Program Files\gatelauncher.exe
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 16:12:55 28,672 ----a-w c:\windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\zuppasweb\fa8449b1\ab66bc09\App_Web_uiejettk.dll
- 2008-12-30 19:39:36 274,426 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-07 21:38:32 274,422 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-07 21:38:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_130.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2005-11-15 1200128]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-05-24 1867776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"Itiva Media Accelerator"="c:\program files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe" [2008-06-04 4994288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2008-09-02 210224]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"SBAMTray"="c:\program files\Sunbelt Software\CounterSpy\SBAMTray.exe" [2008-10-28 681256]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-30 1261336]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-11-28 11:50 106496 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"aux"= wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PGPtray.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PGPtray.exe.lnk
backup=c:\windows\pss\PGPtray.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlazeServoTool]
--a------ 2005-09-16 19:30 262144 c:\program files\BlazeVideo\BlazeDVD4 Professional\MediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 21:57 395776 c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
-----c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2006-08-16 11:33 1826816 c:\program files\Electronic Arts\EA Downloader\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-09-14 08:50 53248 c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a--c--- 2004-09-14 08:50 131072 c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a--c--- 2004-11-11 10:26 26112 c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2008-06-26 08:33 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Schedule]
--a------ 2005-09-27 18:03 98304 c:\program files\WinTVR3\Schedule.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTVRRemote]
--a------ 2005-09-27 13:56 241664 c:\program files\WinTVR3\Remote.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-30 97928]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2008-12-30 13360]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-30 231704]
R4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2008-12-30 69168]
R4 SPTimer;SharePoint Timer Service;c:\program files\Common Files\Microsoft Shared\web server extensions\50\bin\OWSTIMER.EXE [2001-02-16 345504]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2008-10-23 92464]
S4 SBAMSvc;CounterSpy Antispyware;c:\program files\Sunbelt Software\CounterSpy\SBAMSvc.exe [2008-10-28 886056]
S4 USBDLM;USBDLM;c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe --> c:\documents and settings\pwuser20.PATHWAYDOMAIN\Desktop\New Folder\USBDLM\USBDLM.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d167caaf-efa1-11dc-86a3-00123f7552be}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: {{90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
TCP: {8DA22277-800F-43EA-8A7D-8737151FC27D} = 192.168.1.20,24.92.226.12

c:\windows\Downloaded Program Files\CobAgent4_2_1_319.dll - O16 -: {6F0C8A8F-8B0D-11D2-801B-00105AA78F4A}
hxxp://ecare4a.netopia.com/techsupport/ecare4/components/CobAgent_4.2.1.319.cab
c:\windows\Downloaded Program Files\CobAgent4_2_1_319.inf
FF - ProfilePath - c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Mozilla\Firefox\Profiles\wk1kp8wb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\pwuser20.PATHWAYDOMAIN\Application Data\Mozilla\Firefox\Profiles\wk1kp8wb.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 10:05:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1220945662-343818398-839522115-1171\Software\Microsoft\SystemCertificates\AddressBook*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1220945662-343818398-839522115-1171\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C2EFE065-04B9-8265-7C6E-240DB3BEB471}*NULL*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C19175F0-6343-C058-D551EA9B69721CA5}\{44B8D0A6-F0B8-27D0-3AB262946B96BF2A}\{D0951FF3-5F85-5129-204F105C4943049E}*NULL*]
"526BA65ZPQS4U365YNAELLJ5XA1"=hex:01,00,01,00,00,00,00,00,50,bd,9f,8a,7e,a0,d0,
fa,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\avgrsstx.dll
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

- - - - - - - > 'lsass.exe'(648)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-09 10:08:00
ComboFix-quarantined-files.txt 2009-01-09 15:07:57
ComboFix2.txt 2009-01-07 21:30:33
ComboFix3.txt 2009-01-06 19:44:34
ComboFix4.txt 2009-01-05 19:38:33
ComboFix5.txt 2009-01-09 15:00:24

Pre-Run: 20,848,979,968 bytes free
Post-Run: 20,834,398,208 bytes free

279



