
Virus


  • This topic is locked
8 replies to this topic

#1 xXSelina

xXSelina

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:36 AM

Posted 06 January 2009 - 10:17 PM

Here is the HijackThis log.

Appreciate the help anyone can give me, and thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:27 PM, on 06/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McGill NetConnect 2.0\ArubaService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Foxit Toolbar - {73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - C:\Program Files\Foxit\tbFoxi.dll (file missing)
O2 - BHO: Media Holding Enterprises, LLC - {0D39A900-0F3A-4C29-A254-3E65244FDC34} - (no file)
O2 - BHO: (no name) - {13DD2B1B-560F-4DEC-9493-0CC95A6A6F71} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {299FB875-D3A5-4B87-A05B-21BE56BA16CB} - (no file)
O2 - BHO: (no name) - {2A2462BA-8A0D-436E-8811-66E69AD36B7D} - (no file)
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll (file missing)
O2 - BHO: (no name) - {5E05B7D6-8F21-4705-B14B-0DA64ACFD0B0} - (no file)
O2 - BHO: (no name) - {6BF75A45-5D99-49C3-9D5A-FDA8DF960D8A} - C:\WINDOWS\system32\byXPICSL.dll (file missing)
O2 - BHO: Foxit Toolbar - {73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - C:\Program Files\Foxit\tbFoxi.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {907A0287-65CE-47D0-85D3-DA70A17D73B5} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Foxit Toolbar - {73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - C:\Program Files\Foxit\tbFoxi.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB003" /M "Stylus CX4200"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Layer] mrtmoons.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [Windows Layer] mrtmoons.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\Selina\APPLIC~1\ICROSO~1.NET\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKCU\..\Run: [ViStart] C:\Program Files\ViStart\ViStart.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Selina\LOCALS~1\Temp\yyy1893.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: myPrintMileage.lnk = C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: cbXNEtuU - cbXNEtuU.dll (file missing)
O20 - Winlogon Notify: cnzpwnof - C:\WINDOWS\
O20 - Winlogon Notify: urqnnon - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Aruba VPN Service - Unknown owner - C:\Program Files\McGill NetConnect 2.0\ArubaService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11973 bytes
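One way to triage a HijackThis log like the one above, as an added example that is not part of the thread or of HijackThis itself: it parses the R1/O2/O4/O20 lines and flags the patterns a malware-removal helper reads first (orphaned entries, autoruns by bare filename or from Temp and roaming Application Data, the Win9x-era RunServices key, a proxy pointing at localhost, a Winlogon Notify entry whose "DLL" is a directory). The sample lines are copied from the posted log; the flagging rules are this example's own heuristics.

```python
"""Triage helper for HijackThis v2 logs (added example; not HijackThis code).

Flags the first things a malware-removal helper looks for in R1/O2/O4/O20
lines. The sample lines are copied from the log posted above; the rules are
this example's own heuristics, not HijackThis's or the forum's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subset of the posted HijackThis log (values as in the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {6BF75A45-5D99-49C3-9D5A-FDA8DF960D8A} - C:\WINDOWS\system32\byXPICSL.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Layer] mrtmoons.exe
O4 - HKLM\..\RunServices: [Windows Layer] mrtmoons.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\Selina\APPLIC~1\ICROSO~1.NET\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Selina\LOCALS~1\Temp\yyy1893.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: cbXNEtuU - cbXNEtuU.dll (file missing)
O20 - Winlogon Notify: cnzpwnof - C:\WINDOWS\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# O4 body: <hive>\..\<Run key>: [<name>] <command line>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"(.+?\.(?:exe|bat|cmd|com|scr|pif|dll))(?:\s|$)", re.I)
# Roaming profile folder: <profile>\<user>\Application Data\ (not Local Settings\Application Data).
ROAMING_RE = re.compile(r"\\(?:docume~1|documents and settings)\\[^\\]+\\(?:applic~1|application data)\\", re.I)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)


@dataclass
class Finding:
    section: str                      # HijackThis section code, e.g. "O4"
    line: str                         # the raw log line
    name: str = ""                    # autorun label for O4 entries
    reasons: List[str] = field(default_factory=list)


def first_executable(cmd: str) -> str:
    """Return the program path from an O4 command string, dropping its arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def check_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; return a Finding only if something is flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    f = Finding(sec, line.strip())
    if "(no file)" in low or "(file missing)" in low:
        f.reasons.append("orphaned entry: target file no longer exists")
    if sec == "R1" and "proxyserver" in low and re.search(r"=\s*127\.0\.0\.1:\d+", body):
        f.reasons.append("browser proxy points at localhost: check what listens on that port")
    if sec == "O4":
        o4 = O4_RE.match(body)
        if o4:
            f.name = o4.group("name")
            path = first_executable(o4.group("cmd"))
            if "\\" not in path:
                f.reasons.append("autorun by bare filename: location resolved by search path, not pinned")
            if TEMP_RE.search(path):
                f.reasons.append("autorun program lives in a Temp directory")
            if ROAMING_RE.search(path):
                f.reasons.append("autorun program lives in roaming Application Data")
            if o4.group("key").lower() == "runservices":
                f.reasons.append("RunServices: Win9x-era key, not used by legitimate XP software")
    if sec in ("O2", "O20") and "(no name)" in low:
        f.reasons.append("unnamed BHO/Notify entry")
    if sec == "O20" and body.rstrip().endswith("\\"):
        f.reasons.append("Notify 'DLL' path is a directory, not a file")
    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    """All flagged lines of a HijackThis log, in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


def flagged_names(log_text: str) -> set:
    """Autorun labels ([...] names) of the flagged O4 entries."""
    return {f.name for f in triage(log_text) if f.section == "O4"}


def summarize(findings: List[Finding]) -> str:
    return "\n".join(f"[{f.section}] {f.line}\n    - " + "\n    - ".join(f.reasons) for f in findings)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LOG)))
```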



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:01:36 PM

Posted 07 January 2009 - 05:14 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 xXSelina

xXSelina
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:06:36 AM

Posted 09 January 2009 - 01:13 AM

Hi,

I ran ComboFix just like you told me to and posted the file. However, when I was running it, there was a weird antivirus program that I could not get rid of and my screen went blank. Hope you can help me! Much appreciated.

ComboFix 09-01-08.03 - Selina 2009-01-09 0:59:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.609 [GMT -5:00]
Running from: c:\documents and settings\Selina\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: VirusRanger 3.1 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\pdfppt2.dll
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\Selina\Application Data\ICROSO~1.NET
c:\documents and settings\Selina\Application Data\ICROSO~1.NET\?icrosoft.NET\
c:\program files\Common Files\{2BFA7~1
c:\program files\Common Files\{3BFA7~1
c:\program files\Common Files\companion wizard
c:\program files\Common Files\companion wizard\log.txt
c:\program files\Common Files\Yazzle1396OinUninstaller.exe
c:\program files\network monitor
c:\program files\Temporary
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\3.txt
c:\windows\system32\b702q0el.exe.a_a
c:\windows\system32\cnzpwnof.dllbox
c:\windows\system32\EV02
c:\windows\system32\GjmonUtv.ini
c:\windows\system32\GjmonUtv.ini2
c:\windows\system32\ihkmp.ini
c:\windows\system32\ihkmp.ini2
c:\windows\system32\LSCIPXyb.ini
c:\windows\system32\LSCIPXyb.ini2
c:\windows\system32\pac.txt
c:\windows\system32\set.exe
c:\windows\system32\stera.log
c:\windows\system32\tmp.reg
c:\windows\system32\uBcedcfe.ini
c:\windows\system32\uBcedcfe.ini2
c:\windows\system32\ujqoyeve.ini
c:\windows\system32\UxIRAcfe.ini
c:\windows\system32\UxIRAcfe.ini2
c:\windows\system32\wtstr32.exe
C:\x.dat
C:\z.dat
c:\windows\Fonts\' . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-06 22:11 . 2009-01-06 22:11 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 03:53 . 2008-12-28 03:53 <DIR> d-------- c:\windows\system32\VIRepair
2008-12-23 21:46 . 2008-12-23 21:46 <DIR> d-------- c:\documents and settings\Selina\Application Data\.bittorrent
2008-12-23 21:45 . 2008-12-23 21:45 <DIR> d-------- c:\program files\BitTorrent
2008-12-23 21:45 . 2009-01-09 01:04 <DIR> d-------- c:\documents and settings\Selina\Application Data\DNA
2008-12-22 16:23 . 2008-12-23 17:43 <DIR> d-------- c:\program files\Easy-Hide-IP
2008-12-22 16:23 . 2008-12-22 16:23 62 --a------ c:\windows\MyProg.ini
2008-12-22 15:04 . 2008-12-22 15:04 <DIR> d--hs---- c:\documents and settings\NetworkService\PrivacIE
2008-12-21 23:43 . 2008-12-21 23:43 <DIR> d-------- c:\documents and settings\Selina\Application Data\MSNInstaller
2008-12-21 21:51 . 2008-12-21 21:51 <DIR> d-------- c:\documents and settings\Selina\Application Data\Leadertech
2008-12-20 00:46 . 2008-12-23 21:42 <DIR> d-------- c:\windows\ie8updates
2008-12-16 22:53 . 2008-12-16 22:53 224 --a------ c:\windows\system32\9B13A86D.plf
2008-12-16 22:44 . 2008-12-16 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2008-12-16 22:43 . 2008-12-16 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Cached Installations
2008-12-15 15:57 . 2008-12-15 15:57 <DIR> d--hs---- c:\documents and settings\Guest\PrivacIE
2008-12-14 10:47 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-14 10:46 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-13 15:24 . 2008-12-13 15:24 <DIR> d-------- c:\documents and settings\Selina\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 06:04 --------- d-----w c:\program files\DNA
2009-01-07 22:22 --------- d-----w c:\documents and settings\Selina\Application Data\dvdcss
2009-01-01 22:15 --------- d-----w c:\program files\Steam
2008-12-28 08:53 --------- d-----w c:\program files\Styler
2008-11-24 07:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-20 20:57 90,552 ----a-w c:\documents and settings\Selina\Application Data\GDIPFONTCACHEV1.DAT
2008-11-19 11:02 --------- d-----w c:\documents and settings\Selina\Application Data\ViStart
2008-11-19 10:56 --------- d-----w c:\program files\WinFlip
2008-11-19 10:56 --------- d-----w c:\program files\TrueTransparency
2008-11-19 10:56 --------- d-----w c:\documents and settings\Selina\Application Data\Styler
2008-11-19 10:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-03 02:43 68 ----a-w c:\documents and settings\Selina\z.bat
2008-10-03 02:43 46,080 ----a-w c:\documents and settings\Selina\index.exe
2008-04-30 22:18 22,505,912 ----a-w c:\program files\setupeng.exe
2008-02-01 21:40 246 ----a-w c:\program files\Common Files\xula
2007-12-26 03:24 1,491,592 ----a-w c:\program files\install_flash_player.exe
2007-11-03 21:18 142 ----a-w c:\program files\Common Files\certe.html
2007-06-05 23:01 1,301,731 ----a-w c:\program files\MediaMaxXLBeta6.exe
2006-12-30 06:23 1,035,271 ----a-w c:\program files\wrar362.exe
2006-11-17 21:08 92,064 ----a-w c:\documents and settings\Selina\mqdmmdm.sys
2006-11-17 21:08 9,232 ----a-w c:\documents and settings\Selina\mqdmmdfl.sys
2006-11-17 21:08 79,328 ----a-w c:\documents and settings\Selina\mqdmserd.sys
2006-11-17 21:08 66,656 ----a-w c:\documents and settings\Selina\mqdmbus.sys
2006-11-17 21:08 6,208 ----a-w c:\documents and settings\Selina\mqdmcmnt.sys
2006-11-17 21:08 5,936 ----a-w c:\documents and settings\Selina\mqdmwhnt.sys
2006-11-17 21:08 4,048 ----a-w c:\documents and settings\Selina\mqdmcr.sys
2006-11-17 21:08 25,600 ----a-w c:\documents and settings\Selina\usbsermptxp.sys
2006-11-17 21:08 22,768 ----a-w c:\documents and settings\Selina\usbsermpt.sys
2006-05-07 15:03 15,818,536 ----a-w c:\program files\Messenger Beta.exe
2006-04-16 22:19 5,565,536 ----a-w c:\program files\NJ Star.exe
2006-02-13 01:21 552,604 ----a-w c:\program files\TI83Plus_OS.8Xu
2002-12-05 19:12 692,224 ----a-w c:\program files\ikernel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-23 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-23 144792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-06 83360]
myPrintMileage.lnk - c:\program files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe [2005-12-12 98304]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-26 19:02 1271032 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-07-09 16:33 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McGill NetConnect 2.0\\NetConnect.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Steam\\steamapps\\shockwave321654987\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinggreen\\counter-strike\\hl.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:SAV10 Client Management
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-02 97928]
R4 Aruba VPN Service;Aruba VPN Service;c:\program files\McGill NetConnect 2.0\ArubaService.exe [2006-08-25 65536]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-02 231704]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-06-07 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-06-07 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-06-07 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-06-07 10368]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-06-24 13352]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\HPZs2k12.sys [2005-12-12 49944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f2b5d1a-165c-11dd-9b4c-001500355ae4}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44232fac-49e1-11db-990b-001500355ae4}]
\Shell\AutoRun\command - E:\xk2n.bat
\Shell\explore\Command - E:\xk2n.bat
\Shell\open\Command - E:\xk2n.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561d2bef-4dbf-11db-9912-001500355ae4}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\At1.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At10.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At11.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At12.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At13.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At14.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At15.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At16.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At17.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At18.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At19.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At2.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At20.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At21.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At22.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At23.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At24.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At25.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At26.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At27.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At28.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At29.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At3.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At30.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At31.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At32.job
- c:\windows\system32\b702q0el.exe []

2008-12-31 c:\windows\Tasks\At33.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At34.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At35.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At36.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At37.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At38.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At39.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At4.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At40.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At41.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At42.job
- c:\windows\system32\b702q0el.exe []

2009-01-08 c:\windows\Tasks\At43.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At44.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At45.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At46.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At47.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\At48.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At5.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At6.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At7.job
- c:\windows\system32\b702q0el.exe []

2008-12-22 c:\windows\Tasks\At8.job
- c:\windows\system32\b702q0el.exe []

2008-12-31 c:\windows\Tasks\At9.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3516988460-628701953-1380080133-1009.job
- c:\documents and settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 09:47]

2009-01-08 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-08 c:\windows\Tasks\User_Feed_Synchronization-{E4D9D8E6-FED2-4349-A27C-801811589DDB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - c:\program files\Foxit\tbFoxi.dll
BHO-{13DD2B1B-560F-4DEC-9493-0CC95A6A6F71} - (no file)
BHO-{299FB875-D3A5-4B87-A05B-21BE56BA16CB} - (no file)
BHO-{2A2462BA-8A0D-436E-8811-66E69AD36B7D} - (no file)
BHO-{5E05B7D6-8F21-4705-B14B-0DA64ACFD0B0} - (no file)
BHO-{6BF75A45-5D99-49C3-9D5A-FDA8DF960D8A} - c:\windows\system32\byXPICSL.dll
BHO-{73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - c:\program files\Foxit\tbFoxi.dll
BHO-{907A0287-65CE-47D0-85D3-DA70A17D73B5} - (no file)
Toolbar-{73c7d5b0-7b03-444a-84c7-ce1ba03b5573} - c:\program files\Foxit\tbFoxi.dll
WebBrowser-{73C7D5B0-7B03-444A-84C7-CE1BA03B5573} - c:\program files\Foxit\tbFoxi.dll
HKCU-Run-Hide IP Platinum - c:\program files\Hide IP Platinum\hideippla.exe
HKCU-Run-Tbsa - c:\docume~1\Selina\APPLIC~1\ICROSO~1.NET\mmc.exe
HKCU-Run-LClock - c:\program files\LClock\LClock.exe
HKCU-Run-Vista Sidebar - c:\program files\Vista Sidebar\sidebar.exe
HKCU-Run-ViStart - c:\program files\ViStart\ViStart.exe
HKCU-Run-ViOrb - c:\program files\ViOrb\ViOrb.exe
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
HKLM-Run-Windows Layer - mrtmoons.exe
HKLM-RunServices-Windows Layer - mrtmoons.exe
ShellExecuteHooks-{2A2462BA-8A0D-436E-8811-66E69AD36B7D} - (no file)
Notify-cbXNEtuU - cbXNEtuU.dll
Notify-cnzpwnof - (no file)
Notify-NavLogon - (no file)
Notify-urqnnon - (no file)
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
MSConfigStartUp-MSGTAG - c:\program files\MSGTAG\MSGTAG.exe
MSConfigStartUp-PCMedBook(Health diary) - c:\program files\Slokor\PCMedBook\PCMedBook.exe
MSConfigStartUp-Veoh - c:\program files\Veoh Networks\Veoh\VeohClient.exe
MSConfigStartUp-WinAble - c:\program files\WinAble\winable.exe
MSConfigStartUp-Words - c:\program files\Words\Words.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 01:05:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,\
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,22,62,43,e7,a7,4c,41,9a,87,38,\
c4,f6,6f,ce,93,00,00,00,00,02,00,00,00,00,00,03,66,00,00,a8,00,00,00,10,00,\
00,00,64,f2,a9,0f,0a,8c,58,91,8b,84,e8,e1,8f,0f,05,99,00,00,00,00,04,80,00,\
00,a0,00,00,00,10,00,00,00,9a,52,49,fa,85,2f,7e,9c,d9,f2,b0,25,d2,e2,0e,96,\
50,00,00,00,41,ee,d0,60,e3,9c,0f,10,3f,17,b5,2e,91,ca,65,ac,e8,d2,a7,62,0c,\
fc,42,8f,76,5e,9f,77,ff,8c,63,d7,d3,84,d9,83,b0,d5,35,a1,d3,68,74,43,f4,12,\
45,84,2c,67,17,cb,40,83,ca,08,3b,b8,8b,2d,98,b7,5a,0b,33,7e,4b,50,97,8b,f7,\
7f,b6,ba,08,a8,c6,a0,37,38,14,00,00,00,e1,72,79,a9,4c,93,75,fa,ef,30,94,f0,\
34,9c,73,9c,f2,71,3b,54
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,\
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,22,62,43,e7,a7,4c,41,9a,87,38,\
c4,f6,6f,ce,93,00,00,00,00,02,00,00,00,00,00,03,66,00,00,a8,00,00,00,10,00,\
00,00,3f,b1,e0,6c,dc,07,f5,2f,a1,af,d3,ac,61,fe,72,6e,00,00,00,00,04,80,00,\
00,a0,00,00,00,10,00,00,00,d8,60,8d,35,78,c0,50,a1,69,9a,b6,cf,16,a3,1f,05,\
10,00,00,00,ac,9c,2c,1d,4b,6b,c5,ab,2d,65,70,0e,7f,20,14,1a,14,00,00,00,e6,\
bd,9a,05,56,ce,53,80,65,d1,f2,9a,58,2f,6f,72,ac,b7,79,52
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-09 1:09:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 06:08:49

Pre-Run: 57,879,654,400 bytes free
Post-Run: 65,415,077,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

404 --- E O F --- 2008-12-25 12:52:13



Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:53 AM, on 09/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McGill NetConnect 2.0\ArubaService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB003" /M "Stylus CX4200"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: myPrintMileage.lnk = C:\Program Files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Aruba VPN Service - Unknown owner - C:\Program Files\McGill NetConnect 2.0\ArubaService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10030 bytes

Thanks!

#4 miekiemoes (Malware Response Team, "Malware Killer Dog", Belgium)

Posted 09 January 2009 - 05:38 AM

Hi,

It appears that your computer was already infected for a while, because I see Combofix deleted malware from more than 2 years ago.

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\documents and settings\Selina\index.exe
c:\documents and settings\Selina\z.bat
DDS::
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local
Driver::
LiveUpdate
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44232fac-49e1-11db-990b-001500355ae4}]


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Edited by miekiemoes, 09 January 2009 - 05:39 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
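The At1.job to At48.job entries that the script above removes all launch the same randomly named executable from system32, and the ComboFix log also shows Internet Explorer pointed at a loopback proxy (127.0.0.1:8081). The following triage script is an added example, not part of this thread and not ComboFix's own code: it parses the "Scheduled Tasks" and proxy lines of a ComboFix log and flags that pattern. The sample log text is constructed from lines in this thread, and the name heuristic, the known-binary list and the thresholds are the example's own assumptions.

```python
"""Triage of the Scheduled Tasks and proxy lines of a ComboFix log.

Added example, not from the thread or from ComboFix. It flags:
  * AtN.job tasks (created with at.exe, which runs jobs as LocalSystem),
  * several tasks pointing at one target (the At1..At48 cluster above),
  * random-looking executables in system32 with no timestamp recorded,
  * a proxy on the loopback interface that routes all IE traffic locally.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the ComboFix output posted in this thread.
SAMPLE_LOG = r"""Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\At6.job
- c:\windows\system32\b702q0el.exe []

2008-12-31 c:\windows\Tasks\At9.job
- c:\windows\system32\b702q0el.exe []

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3516988460-628701953-1380080133-1009.job
- c:\documents and settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 09:47]

2009-01-08 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = 127.0.0.1:8081
uInternet Settings,ProxyOverride = local
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.*\\Tasks\\(?P<name>[^\\]+\.job))$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>\S+)$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.I)
# Assumption: 6-10 lowercase letters/digits with at least one digit looks
# generated rather than vendor-chosen. Known system binaries are excluded
# because names like rundll32.exe would otherwise match.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{6,10}\.exe$")
KNOWN_SYSTEM = {"rundll32.exe", "regsvr32.exe", "svchost.exe", "cmd.exe"}


def parse_tasks(log_text):
    """Return (job name, target path, timestamp text) for each task entry."""
    tasks = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = TASK_RE.match(line.strip())
        if not m or i + 1 >= len(lines):
            continue
        t = TARGET_RE.match(lines[i + 1].strip())
        if t:
            tasks.append((m.group("name"), t.group("target"), t.group("stamp")))
    return tasks


def triage(log_text):
    """Group tasks by target and return the findings a responder wants to see."""
    findings = []
    by_target = defaultdict(list)
    for name, target, stamp in parse_tasks(log_text):
        by_target[target.lower()].append(name)
        basename = target.rsplit("\\", 1)[-1].lower()
        reasons = []
        if AT_JOB_RE.match(name):
            reasons.append("at.exe-style job (runs as SYSTEM)")
        if (RANDOM_NAME_RE.match(basename) and basename not in KNOWN_SYSTEM
                and "\\system32\\" in target.lower()):
            reasons.append("random-looking binary in system32")
        if stamp == "":
            reasons.append("no file timestamp recorded for target")
        if reasons:
            findings.append({"kind": "task", "job": name, "target": target, "reasons": reasons})
    for target, names in by_target.items():
        if len(names) > 1 and all(AT_JOB_RE.match(n) for n in names):
            findings.append({"kind": "at_cluster", "target": target, "jobs": sorted(names)})
    for line in log_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m and m.group("proxy").startswith(("127.", "localhost")):
            findings.append({"kind": "proxy", "value": m.group("proxy"),
                             "reasons": ["loopback proxy: check which process listens on it"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Note that the loopback proxy is flagged for review rather than as malicious: the log also lists Hide IP Platinum and Easy-Hide-IP, which are the kind of software that installs a local proxy, so the right follow-up is to identify the listener on that port before deciding whether the setting is unwanted.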

#5 xXSelina (Topic Starter)

Posted 09 January 2009 - 06:09 PM

Hi,

I followed your instructions and here is the new ComboFix log. Thanks again!

ComboFix 09-01-08.05 - Selina 2009-01-09 17:56:18.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.612 [GMT -5:00]
Running from: c:\documents and settings\Selina\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Selina\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: VirusRanger 3.1 *On-access scanning enabled* (Outdated)
* Created a new restore point

FILE ::
c:\documents and settings\Selina\index.exe
c:\documents and settings\Selina\z.bat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Selina\index.exe
c:\documents and settings\Selina\z.bat
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LIVEUPDATE
-------\Service_LiveUpdate


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-06 22:11 . 2009-01-06 22:11 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 03:53 . 2008-12-28 03:53 <DIR> d-------- c:\windows\system32\VIRepair
2008-12-23 21:46 . 2008-12-23 21:46 <DIR> d-------- c:\documents and settings\Selina\Application Data\.bittorrent
2008-12-23 21:45 . 2008-12-23 21:45 <DIR> d-------- c:\program files\BitTorrent
2008-12-23 21:45 . 2009-01-09 18:02 <DIR> d-------- c:\documents and settings\Selina\Application Data\DNA
2008-12-22 16:23 . 2008-12-23 17:43 <DIR> d-------- c:\program files\Easy-Hide-IP
2008-12-22 16:23 . 2008-12-22 16:23 62 --a------ c:\windows\MyProg.ini
2008-12-22 15:04 . 2008-12-22 15:04 <DIR> d--hs---- c:\documents and settings\NetworkService\PrivacIE
2008-12-21 23:43 . 2008-12-21 23:43 <DIR> d-------- c:\documents and settings\Selina\Application Data\MSNInstaller
2008-12-21 21:51 . 2008-12-21 21:51 <DIR> d-------- c:\documents and settings\Selina\Application Data\Leadertech
2008-12-20 00:46 . 2008-12-23 21:42 <DIR> d-------- c:\windows\ie8updates
2008-12-16 22:53 . 2008-12-16 22:53 224 --a------ c:\windows\system32\9B13A86D.plf
2008-12-16 22:44 . 2008-12-16 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\ParetoLogic
2008-12-16 22:43 . 2008-12-16 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Cached Installations
2008-12-15 15:57 . 2008-12-15 15:57 <DIR> d--hs---- c:\documents and settings\Guest\PrivacIE
2008-12-14 10:47 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-14 10:46 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-12-13 15:24 . 2008-12-13 15:24 <DIR> d-------- c:\documents and settings\Selina\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 23:02 --------- d-----w c:\program files\DNA
2009-01-07 22:22 --------- d-----w c:\documents and settings\Selina\Application Data\dvdcss
2009-01-01 22:15 --------- d-----w c:\program files\Steam
2008-12-28 08:53 --------- d-----w c:\program files\Styler
2008-11-24 07:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-11-20 20:57 90,552 ----a-w c:\documents and settings\Selina\Application Data\GDIPFONTCACHEV1.DAT
2008-11-19 11:02 --------- d-----w c:\documents and settings\Selina\Application Data\ViStart
2008-11-19 10:56 --------- d-----w c:\program files\WinFlip
2008-11-19 10:56 --------- d-----w c:\program files\TrueTransparency
2008-11-19 10:56 --------- d-----w c:\documents and settings\Selina\Application Data\Styler
2008-11-19 10:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-04-30 22:18 22,505,912 ----a-w c:\program files\setupeng.exe
2008-02-01 21:40 246 ----a-w c:\program files\Common Files\xula
2007-12-26 03:24 1,491,592 ----a-w c:\program files\install_flash_player.exe
2007-11-03 21:18 142 ----a-w c:\program files\Common Files\certe.html
2007-06-05 23:01 1,301,731 ----a-w c:\program files\MediaMaxXLBeta6.exe
2006-12-30 06:23 1,035,271 ----a-w c:\program files\wrar362.exe
2006-11-17 21:08 92,064 ----a-w c:\documents and settings\Selina\mqdmmdm.sys
2006-11-17 21:08 9,232 ----a-w c:\documents and settings\Selina\mqdmmdfl.sys
2006-11-17 21:08 79,328 ----a-w c:\documents and settings\Selina\mqdmserd.sys
2006-11-17 21:08 66,656 ----a-w c:\documents and settings\Selina\mqdmbus.sys
2006-11-17 21:08 6,208 ----a-w c:\documents and settings\Selina\mqdmcmnt.sys
2006-11-17 21:08 5,936 ----a-w c:\documents and settings\Selina\mqdmwhnt.sys
2006-11-17 21:08 4,048 ----a-w c:\documents and settings\Selina\mqdmcr.sys
2006-11-17 21:08 25,600 ----a-w c:\documents and settings\Selina\usbsermptxp.sys
2006-11-17 21:08 22,768 ----a-w c:\documents and settings\Selina\usbsermpt.sys
2006-05-07 15:03 15,818,536 ----a-w c:\program files\Messenger Beta.exe
2006-04-16 22:19 5,565,536 ----a-w c:\program files\NJ Star.exe
2006-02-13 01:21 552,604 ----a-w c:\program files\TI83Plus_OS.8Xu
2002-12-05 19:12 692,224 ----a-w c:\program files\ikernel.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-09_ 1.07.16.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 23:01:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2009-01-09 23:01:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-23 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LVCOMSX"="c:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-02-06 252704]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-23 144792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-28 1261336]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-06 83360]
myPrintMileage.lnk - c:\program files\Hewlett-Packard\hp deskjet 450 printer\ToolBox\mpm.exe [2005-12-12 98304]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-10-25 16:37 2178832 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-26 19:02 1271032 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-07-09 16:33 36352 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McGill NetConnect 2.0\\NetConnect.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr .exe"=
"c:\\kav\\kav7\\setup.exe"=
"c:\\Program Files\\Steam\\steamapps\\shockwave321654987\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\pinggreen\\counter-strike\\hl.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2967:TCP"= 2967:TCP:SAV10 Client Management
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-02 97928]
R4 Aruba VPN Service;Aruba VPN Service;c:\program files\McGill NetConnect 2.0\ArubaService.exe [2006-08-25 65536]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-02 231704]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-06-07 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-06-07 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2007-06-07 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-06-07 10368]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-06-24 13352]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\HPZs2k12.sys [2005-12-12 49944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f2b5d1a-165c-11dd-9b4c-001500355ae4}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561d2bef-4dbf-11db-9912-001500355ae4}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3516988460-628701953-1380080133-1009.job
- c:\documents and settings\Selina\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 09:47]

2009-01-08 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]

2009-01-09 c:\windows\Tasks\User_Feed_Synchronization-{E4D9D8E6-FED2-4349-A27C-801811589DDB}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 18:02:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,22,62,43,e7,a7,4c,41,9a,87,38,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,22,62,43,e7,a7,4c,41,9a,87,38,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-09 18:05:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 23:05:18
ComboFix2.txt 2009-01-09 06:09:15

Pre-Run: 65,312,690,176 bytes free
Post-Run: 65,387,622,400 bytes free

320 --- E O F --- 2008-12-25 12:52:13

Edited by miekiemoes, 10 January 2009 - 03:46 AM.
mailaddress deleted
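The lines a responder pulls out of a ComboFix report by hand are the ones in the log above: the two MountPoints2 AutoRun commands on E:, the dump_wmimmc service whose image ComboFix marked [?], and a scheduled task whose only visible target is rundll32.exe. The script below is an added example written for this page, not ComboFix's or BleepingComputer's code. It parses a constructed excerpt built from those log lines and applies three flagging heuristics of its own: a service whose image ComboFix could not stat, an AutoRun command on a volume other than the system drive, and a task that launches rundll32.exe. The SAMPLE_LOG text, the regexes and the three rules are the example's assumptions, not anything ComboFix defines.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not a ComboFix tool)."""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the log posted above; sample input, not the full log.
SAMPLE_LOG = r"""
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-10-02 231704]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-06-07 2944]
S3 dump_wmimmc;dump_wmimmc;\??\c:\windows\system32\drivers\dump_wmimmc.sys --> c:\windows\system32\drivers\dump_wmimmc.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f2b5d1a-165c-11dd-9b4c-001500355ae4}]
\Shell\AutoRun\command - E:\ONSPCLCK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561d2bef-4dbf-11db-9912-001500355ae4}]
\Shell\AutoRun\command - E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\ParetoLogic Registration.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
"""

# "R4 name;display;path [stamp]" service lines; the stamp is "?" when ComboFix could not stat the file
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$")
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(.+?)\s*$", re.I)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)\s*$", re.I)
TASK_TARGET_RE = re.compile(r"^-\s+(.+?)\s+\[")

SYSTEM_DRIVE = "c:"  # assumption: the system volume in the log is C:


def parse_services(text: str) -> List[Dict[str, str]]:
    """Return the R*/S* service lines as dicts: start type, name, display name, image path, stamp."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, stamp = m.groups()
            out.append({"start": start, "name": name, "display": display,
                        "path": path, "stamp": stamp})
    return out


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Pair each MountPoints2 volume GUID with the AutoRun command recorded under it."""
    out, current = [], None
    for line in text.splitlines():
        line = line.strip()
        key = MOUNTPOINT_RE.match(line)
        if key:
            current = key.group(1)
            continue
        cmd = AUTORUN_RE.match(line)
        if cmd and current:
            out.append((current, cmd.group(1)))
            current = None
    return out


def parse_tasks(text: str) -> List[Tuple[str, str]]:
    """Pair each .job file with the binary the task launches."""
    out, job = [], None
    for line in text.splitlines():
        line = line.strip()
        t = TASK_RE.match(line)
        if t:
            job = t.group(1)
            continue
        target = TASK_TARGET_RE.match(line)
        if target and job:
            out.append((job, target.group(1)))
            job = None
    return out


def triage(text: str) -> List[str]:
    """Apply the three heuristics and return one finding string per hit."""
    findings = []
    for svc in parse_services(text):
        if svc["stamp"] == "?":
            # A service whose image is not on disk: a leftover, or a file hidden from the scanner.
            findings.append(f"service {svc['name']} ({svc['start']}): image not found on disk: {svc['path']}")
    for guid, command in parse_autorun(text):
        drive = ntpath.splitdrive(command)[0].lower()
        if drive and drive != SYSTEM_DRIVE:
            # AutoRun on a non-system volume: removable media, which is how USB-borne malware spreads.
            findings.append(f"MountPoints2 {guid}: AutoRun launches {command} from volume {drive.upper()}")
    for job, target in parse_tasks(text):
        if ntpath.basename(target).lower() == "rundll32.exe":
            # The real payload is in the .job command line, not in the target binary.
            findings.append(f"task {ntpath.basename(job)}: launches rundll32.exe; inspect its arguments")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The AutoRun rule is deliberately coarse: LaunchU3.exe is the launcher of a U3 USB stick and ONSPCLCK.exe ships with some retail drives, so a hit means "identify the volume and the binary", not "malware". The point of the script is to make the check mechanical so that none of the three entry types is skipped when a log runs to a thousand lines.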


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:36 PM

Posted 10 January 2009 - 03:48 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 xXSelina (Topic Starter)

Posted 10 January 2009 - 12:30 PM

Hi,

My computer seems much better now. Thanks for the help! It is very very much appreciated!

#8 miekiemoes

Posted 10 January 2009 - 01:07 PM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

Posted 12 January 2009 - 06:30 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.