
Trying to Recover from Virtumonde...


This topic is locked
7 replies to this topic

#1 tallkris

Posted 13 January 2009 - 12:38 AM

First off thank you in advance for your help. Now onto my problem.

A few days ago I went to a website which caused my computer to run really slow for a period of about 15 minutes and killed my Norton 360. I continued to use my computer for the next little bit after this slowdown and started getting random full-screen pop-ups in IE when I was browsing with Firefox. I did a Spybot scan and it found a few versions of Virtumonde and Smith -c. I would have Spybot clean the infection, restart, and the error kept coming back over and over. After scanning my computer with Windows Defender (once), Housecall (twice), Lavasoft Ad-Aware (once), Microsoft OneCare (full scan, once) and Spybot (unsure how many times), none of the programs found any infections; however, the computer still did not appear to be moving at the same speed that it did prior to visiting the website in question, not to mention my Norton 360 was still inoperable.

I managed to completely remove Norton 360 from my computer using the Norton Removal Tool (I had to put the removal program on a flash drive from another computer because this computer had issues with the Norton site). Once this was done I installed AVG Free (I was going to get rid of Norton once my subscription was up anyway). At this point everything was fine for a night. The next day I decided I wanted to defragment my HD using the Windows defrag and got the following error message: "Disk Defragmenter has detected that Chkdsk is scheduled to run on the volume HP_PAVILION (C:). Please run Chkdsk /f." I tried to restart my machine to see if the issue would go away, and this is when restarts started acting funny. The computer restarted and logged into Windows (no Chkdsk was run) but did not load any programs, and I was unable to do anything but move the mouse. When I put the mouse over the task bar an hourglass showed up. After about 30 minutes of the computer sitting there I shut it down by holding down the power button. About 15 seconds passed and I turned on the machine. As before, everything was fine: it showed the Windows XP splash screen, then the mouse appeared on the screen, but the rest of the screen remained black. I let it sit for 15 minutes and nothing happened, so I held down the power button again and turned the machine off. I waited a minute and turned the machine back on, and everything started up completely fine; I was able to browse the internet and all, but was still unable to defragment.

I tried to do some research to get my computer to run Chkdsk and made numerous attempts (the command prompt always told me it would run at restart because the volume was locked), but I could never get Chkdsk to run. Every time I restarted my computer during my attempts to get Chkdsk to run, I had to follow a similar process to the one above before the machine finally let me in without having to hold the power button down.

So I'm at my wits' end. To sum it up, here are my issues.

1. Unable to run Windows Defragmenter
2. Unable to get Chkdsk to run
3. Computer still not at the same speed before I got the infection
4. Most important of all, my computer will not perform a straight-up restart

I don't know if I still have an infection and it's not showing up in the scans or if all the scans and cleans that were done created additional errors.

I have posted the logs that the forum header requests.

Any help you can provide would be greatly appreciated.



****************DDS Log*************

DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 23:04:21.62 on Mon 01/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.375 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Belkin\Switch2\Switch2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {2f8c7152-38ec-436f-add3-1fa9f2645bc4} - __BHODemonDisabled
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5BB77BA1-35A9-4D8A-A885-4BD9E3C6611C} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {85965dcf-92d6-45cf-97aa-b9e04368e81a} - No File
BHO: {8822F736-B645-49E9-BC91-F1B8BDD2E5E8} - No File
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E5BA06D5-8288-4DBC-9354-36799750DEF4} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {0483894E-2422-45E0-8384-021AFF1AF3CD} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [<NO NAME>]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\switch2.lnk - c:\docume~1\hp_adm~1\applic~1\microsoft\installer\{067b5e9a-a4ba-4bf2-aff2-6d5414b2e88a}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: uRlLfFyy - uRlLfFyy.dll
AppInit_DLLs: lmwrie.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvVLdaw

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\zfjyzbxp.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\zfjyzbxp.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\zfjyzbxp.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {0ACBD67D-84A6-42AD-A898-CE99B9D4B117} - c:\windows\system32\config\systemprofile\local settings\application data\{0acbd67d-84a6-42ad-a898-ce99b9d4b117}\

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-11 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-11 26824]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-11 231704]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-4-17 31872]

=============== Created Last 30 ================

2009-01-12 21:48 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Auslogics
2009-01-12 21:48 <DIR> --d----- c:\program files\Auslogics
2009-01-12 19:36 266,360 a------- c:\windows\system32\TweakUI.exe
2009-01-12 19:36 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-01-11 15:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-11 14:20 <DIR> --d----- c:\windows\Extra Programs
2009-01-11 02:56 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-11 02:17 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-11 02:17 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-11 02:17 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-11 02:17 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\AVGTOOLBAR
2009-01-11 02:17 <DIR> --d----- c:\program files\AVG
2009-01-11 02:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-10 20:42 1,256,329 ---sh--- c:\windows\system32\ucaavblx.ini
2009-01-10 13:52 262,144 a------- c:\windows\system32\default_user_class.dat
2009-01-10 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-09 20:39 1,248,432 ---sh--- c:\windows\system32\mxesycik.ini
2009-01-09 20:31 59,904 a------- c:\windows\system32\drivers\TDSSpqxt.sys
2009-01-09 15:33 <DIR> --d----- c:\windows\LMI79.tmp
2009-01-09 00:04 <DIR> --d----- c:\program files\UPHClean
2009-01-08 21:38 <DIR> --d----- c:\program files\Trend Micro
2009-01-08 20:49 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\HouseCall 6.6
2009-01-08 20:40 1,250,178 ---sh--- c:\windows\system32\megmslrc.ini
2009-01-08 20:30 59,904 a------- c:\windows\system32\drivers\TDSSmqlt.sys
2009-01-08 19:57 <DIR> --d----- C:\VundoFix Backups
2009-01-08 19:37 1,250,178 ---sh--- c:\windows\system32\xrfbpqpi.ini
2009-01-08 00:12 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 19:28 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-07 19:26 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-07 19:25 <DIR> --d----- c:\documents and settings\hp_administrator\.housecall6.6
2009-01-03 14:24 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\MSNInstaller
2009-01-02 18:19 <DIR> --d----- c:\program files\Unlocker
2009-01-02 18:11 <DIR> --d----- c:\program files\GiPo@Utilities
2009-01-02 18:11 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-01-01 11:45 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-30 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-12-26 14:20 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Research In Motion
2008-12-26 14:20 256 a------- c:\windows\system32\pool.bin
2008-12-26 14:19 256 a------- c:\documents and settings\hp_administrator\pool.bin
2008-12-26 14:08 <DIR> --d----- c:\program files\Roxio
2008-12-26 14:03 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2008-12-26 14:03 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Blackberry Desktop
2008-12-26 14:02 <DIR> --d----- c:\program files\common files\Research In Motion
2008-12-26 14:02 <DIR> --d----- c:\program files\Research In Motion
2008-12-17 13:23 49 a------- c:\windows\entpack.ini

==================== Find3M ====================

2009-01-09 14:27 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 14:27 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-16 07:11 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 07:11 13,824 a------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 10:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-15 01:06 633,632 a------- c:\windows\system32\dllcache\iexplore.exe
2008-10-15 01:04 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2007-01-15 17:15 92,064 a------- c:\documents and settings\hp_administrator\mqdmmdm.sys
2007-01-15 17:15 79,328 a------- c:\documents and settings\hp_administrator\mqdmserd.sys
2007-01-15 17:15 66,656 a------- c:\documents and settings\hp_administrator\mqdmbus.sys
2007-01-15 17:15 25,600 a------- c:\documents and settings\hp_administrator\usbsermptxp.sys
2007-01-15 17:15 22,768 a------- c:\documents and settings\hp_administrator\usbsermpt.sys
2007-01-15 17:15 9,232 a------- c:\documents and settings\hp_administrator\mqdmmdfl.sys
2007-01-15 17:15 6,208 a------- c:\documents and settings\hp_administrator\mqdmcmnt.sys
2007-01-15 17:15 5,936 a------- c:\documents and settings\hp_administrator\mqdmwhnt.sys
2007-01-15 17:15 4,048 a------- c:\documents and settings\hp_administrator\mqdmcr.sys
2008-05-16 22:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat
2008-05-27 00:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat

============= FINISH: 23:04:55.67 ===============
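Reading the DDS log above the way a helper would, the lines that matter are the persistence points used by Virtumonde and the TDSS/Seneka family rather than the long list of running processes: the AppInit_DLLs value (lmwrie.dll, loaded into every process that maps user32.dll), the Winlogon Notify package (uRlLfFyy), the extra LSA Authentication Package (tuvVLdaw, loaded into lsass.exe), the hidden Firefox "XUL Cache" extension registered from the system profile, and the new system+hidden .ini files and TDSS*.sys drivers in system32 in the "Created Last 30" section. The script below is an added example, not part of this thread and not code from DDS or ComboFix: it applies those checks to DDS-format lines, and goes a little beyond this one post by also scoring the file-listing entries and flagging the user.js capability.policy grant that lets the listed Travian sites load local file:// URIs. The allowlist, the rule names and the sample lines are constructed for the example (the samples mirror entries from the log above), and the name heuristic is deliberately coarse: it ranks entries for a human to look at and never decides on its own.

```python
"""Triage of DDS-format log lines for the persistence points seen in this thread.
Added example: not part of the thread and not code from DDS or ComboFix. The
allowlist, rule names and SAMPLE_LOG lines are constructed here."""
import re

# Illustrative allowlist (assumption): names already vetted on this host, compared
# case-insensitively; it keeps legitimate but odd-looking names out of the findings.
KNOWN_GOOD = {"avgrsstx.dll", "msv1_0"}
# Name prefixes of the driver/DLL files ComboFix later removed in this thread.
FAMILY_PREFIXES = ("tdss", "seneka")
VOWELS = set("aeiou")

# Constructed sample lines modelled on the DDS output posted above.
SAMPLE_LOG = [
    "Notify: uRlLfFyy - uRlLfFyy.dll",
    "AppInit_DLLs: lmwrie.dll,avgrsstx.dll",
    "SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll",
    "LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\tuvVLdaw",
    "FF - HiddenExtension: XUL Cache: {0ACBD67D-84A6-42AD-A898-CE99B9D4B117} - "
    "c:\\windows\\system32\\config\\systemprofile\\local settings\\application data\\{0acbd67d-84a6-42ad-a898-ce99b9d4b117}\\",
    "FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess",
    "2009-01-10 20:42 1,256,329 ---sh--- c:\\windows\\system32\\ucaavblx.ini",
    "2009-01-09 20:31 59,904 a------- c:\\windows\\system32\\drivers\\TDSSpqxt.sys",
    "2009-01-12 19:36 266,360 a------- c:\\windows\\system32\\TweakUI.exe",
    "2009-01-11 02:17 10,520 a------- c:\\windows\\system32\\avgrsstx.dll",
]

# "<date> <time> <size or <DIR>> <8 attribute flags> <path>", as DDS prints file entries.
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+(?:<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")


def basename(path):
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """Coarse heuristic for generated names such as uRlLfFyy or tuvVLdaw: an
    alphabetic 5-12 char stem with mixed case inside it, very few vowels, or a
    long consonant run. It ranks entries for a human; KNOWN_GOOD overrides it."""
    s = name.rsplit(".", 1)[0]
    if not s.isalpha() or not 5 <= len(s) <= 12:
        return False
    core = s[1:-1]
    mixed = sum(c.isupper() for c in core) >= 2 and sum(c.islower() for c in core) >= 2
    low = s.lower()
    vowel_ratio = sum(c in VOWELS for c in low) / len(low)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", low)), default=0)
    return mixed or vowel_ratio < 0.25 or longest_run >= 4


def triage(lines):
    """Return findings as dicts: rule, item (the name flagged), why, and the log line."""
    findings = []

    def flag(rule, item, why, line):
        findings.append({"rule": rule, "item": item, "why": why, "line": line.strip()})

    for line in lines:
        s = line.strip()
        if s.startswith("AppInit_DLLs:"):
            # Each listed DLL is loaded into every process that maps user32.dll.
            for dll in (d.strip() for d in s.split(":", 1)[1].split(",")):
                if dll and dll.lower() not in KNOWN_GOOD:
                    flag("appinit_dll", dll, "unvetted DLL injected into every user32 process", line)
        elif s.startswith("Notify:"):
            # Winlogon notification package, loaded by winlogon.exe as SYSTEM.
            name = s.split(":", 1)[1].split("-", 1)[0].strip()
            if name.lower() not in KNOWN_GOOD and looks_random(name):
                flag("winlogon_notify", name, "random-looking Winlogon notification package", line)
        elif s.startswith("LSA: Authentication Packages"):
            # Anything beyond msv1_0 is a module lsass.exe loads at boot.
            for name in (basename(p) for p in s.split("=", 1)[1].split()):
                if name.lower() not in KNOWN_GOOD:
                    flag("lsa_auth_package", name, "extra LSA authentication package", line)
        elif s.startswith("FF - HiddenExtension:"):
            path = s.rsplit(" - ", 1)[1]
            if "\\config\\systemprofile\\" in path.lower():  # no user installs extensions there
                flag("ff_hidden_extension", basename(path), "hidden extension registered from the system profile", line)
        elif s.startswith("FF - user.js: capability.policy."):
            m = re.match(r"FF - user\.js: capability\.policy\.(\w+)\.checkloaduri\.enabled - allAccess", s)
            if m:
                flag("ff_localfile_policy", m.group(1), "policy lets the listed sites load local file:// URIs", line)
        else:
            m = FILE_LINE.match(s)
            if not m:
                continue
            attrs, path = m.groups()
            name = basename(path)
            in_sys32 = "\\windows\\system32\\" in path.lower()
            if name.lower() in KNOWN_GOOD:
                continue
            if name.lower().startswith(FAMILY_PREFIXES):
                flag("family_prefix", name, "name matches a known rootkit family prefix", line)
            elif in_sys32 and "s" in attrs and "h" in attrs:
                flag("hidden_system_file", name, "new system+hidden file in system32", line)
            elif in_sys32 and looks_random(name):
                flag("random_name_in_system32", name, "random-looking new file in system32", line)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['item']}: {f['why']}")
```

Run as is, it prints seven findings for the constructed sample (the AppInit DLL, the Notify package, the LSA package, the hidden extension, the file:// policy, the system+hidden .ini and the TDSS driver) and stays silent on avgrsstx.dll and TweakUI.exe. To use it on a real log, pass `open("dds.txt").read().splitlines()` to `triage` instead of SAMPLE_LOG and grow KNOWN_GOOD as you vet entries; the heuristic will still surface some legitimate odd names, which is why each finding carries the original line for a person to judge.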



#2 Thunder

Posted 13 January 2009 - 07:53 AM

Hello Tallkris and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 tallkris

Posted 13 January 2009 - 06:59 PM

Thank you so much for your quick reply. My computer didn't like the GooredFix reboot, as it took me 7 restarts before my computer finally let me into Windows and resume the removal process.

Below you will find the logs you requested. Once again I really appreciate your help.



***********Gooredlog.txt*********************

GooredFix v1.82 by jpshortstuff
Log created at 16:14 on 13/01/2009 running Option #2 (HP_Administrator)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{0ACBD67D-84A6-42AD-A898-CE99B9D4B117}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{0ACBD67D-84A6-42AD-A898-CE99B9D4B117}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{0ACBD67D-84A6-42AD-A898-CE99B9D4B117}\
->Backing up folder... Done.
->Emptying folder... Failed.
->Deleting folder... Failed.
->Delete on reboot... Set.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

=====Reboot=====

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{0ACBD67D-84A6-42AD-A898-CE99B9D4B117}"
->Unable to find folder.



************Combofix Log***************

ComboFix 09-01-13.03 - HP_Administrator 2009-01-13 17:27:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.515 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekafmuvlohf.sys
c:\windows\system32\Drivers\TDSSmqlt.sys
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\megmslrc.ini
c:\windows\system32\mxesycik.ini
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaksrmwwii.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekarnswujkw.dll
c:\windows\system32\ucaavblx.ini
c:\windows\system32\UpMedia
c:\windows\system32\xrfbpqpi.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-12 23:19 . 2009-01-12 23:19 917,504 --a------ c:\windows\system32\FLASH.OCX
2009-01-12 21:48 . 2009-01-12 21:48 <DIR> d-------- c:\program files\Auslogics
2009-01-12 21:48 . 2009-01-12 21:48 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Auslogics
2009-01-12 19:36 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-01-12 19:36 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-01-11 15:53 . 2009-01-11 15:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 14:20 . 2009-01-12 22:12 <DIR> d-------- c:\windows\Extra Programs
2009-01-11 02:56 . 2009-01-11 02:59 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-11 02:17 . 2009-01-13 16:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-11 02:17 . 2009-01-11 02:17 <DIR> d-------- c:\program files\AVG
2009-01-11 02:17 . 2009-01-11 02:17 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\AVGTOOLBAR
2009-01-11 02:17 . 2009-01-11 02:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-11 02:17 . 2009-01-11 02:17 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-11 02:17 . 2009-01-11 02:17 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-10 13:52 . 2009-01-10 13:52 262,144 --a------ c:\windows\system32\default_user_class.dat
2009-01-10 13:34 . 2009-01-10 13:34 <DIR> d-------- c:\program files\Windows Defender
2009-01-10 12:54 . 2009-01-10 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-09 15:33 . 2009-01-09 15:33 <DIR> d-------- c:\windows\LMI79.tmp
2009-01-09 00:04 . 2009-01-09 00:04 <DIR> d-------- c:\program files\UPHClean
2009-01-08 21:38 . 2009-01-08 21:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 20:49 . 2009-01-08 20:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\HouseCall 6.6
2009-01-08 19:57 . 2009-01-08 19:57 <DIR> d-------- C:\VundoFix Backups
2009-01-08 00:12 . 2009-01-08 00:12 <DIR> d-------- c:\program files\Lavasoft
2009-01-08 00:12 . 2009-01-11 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 19:28 . 2009-01-07 19:28 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-07 19:26 . 2009-01-07 19:25 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-07 19:25 . 2009-01-07 19:26 <DIR> d-------- c:\documents and settings\HP_Administrator\.housecall6.6
2009-01-03 14:24 . 2009-01-03 14:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-01-02 18:19 . 2009-01-02 18:20 <DIR> d-------- c:\program files\Unlocker
2009-01-02 18:11 . 2009-01-02 18:11 <DIR> d-------- c:\program files\GiPo@Utilities
2009-01-02 18:11 . 2009-01-02 18:11 <DIR> d-------- c:\program files\Common Files\Gibinsoft Shared
2009-01-01 11:45 . 2009-01-01 11:45 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-30 22:44 . 2008-12-30 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-26 14:20 . 2008-12-26 14:20 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Research In Motion
2008-12-26 14:20 . 2008-12-27 15:32 256 --a------ c:\windows\system32\pool.bin
2008-12-26 14:19 . 2008-12-26 14:20 256 --a------ c:\documents and settings\HP_Administrator\pool.bin
2008-12-26 14:08 . 2008-12-26 14:08 <DIR> d-------- c:\program files\Roxio
2008-12-26 14:08 . 2008-12-26 14:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-26 14:07 . 2008-12-26 14:08 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-26 14:03 . 2008-12-26 14:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Blackberry Desktop
2008-12-26 14:03 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-26 14:02 . 2008-12-26 14:02 <DIR> d-------- c:\program files\Research In Motion
2008-12-26 14:02 . 2008-12-26 14:03 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-17 13:23 . 2008-12-17 13:23 49 --a------ c:\windows\entpack.ini
2008-12-13 14:46 . 2008-12-13 14:46 78 --a------ c:\windows\system\WIN32S.INI
2008-12-13 14:43 . 2008-12-13 14:43 <DIR> d-------- C:\WESTWOOD
2008-12-13 14:43 . 1994-08-24 00:00 188,960 --a------ c:\windows\system\WINGDE.DLL
2008-12-13 14:43 . 1994-09-21 00:00 92,208 --a------ c:\windows\system\WING.DLL
2008-12-13 14:43 . 1994-09-21 00:00 12,800 --a------ c:\windows\system\WING32.DLL
2008-12-13 14:43 . 1994-09-21 00:00 6,736 --a------ c:\windows\system\WINGDIB.DRV
2008-12-13 14:43 . 1994-09-21 00:00 5,024 --a------ c:\windows\system\WINGPAL.WND
2008-12-13 14:43 . 1994-06-27 00:00 1,966 --a------ c:\windows\system\DVA.386

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 20:09 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-11 08:15 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-01-11 07:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-11 06:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-01-11 06:04 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-01-10 20:38 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-09 20:27 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 20:27 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 05:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Viewpoint
2009-01-03 20:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 20:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-01-01 17:45 --------- d-----w c:\program files\Java
2009-01-01 16:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-01-01 00:46 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\WeatherBug
2008-12-31 06:08 --------- d-----w c:\program files\AIM6
2008-12-31 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-31 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-26 20:10 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-26 20:10 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-04 18:45 --------- d-----w c:\program files\Apple Software Update
2008-11-28 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
2008-11-20 21:24 --------- d-----w c:\program files\Belkin
2007-01-15 23:15 92,064 ----a-w c:\documents and settings\HP_Administrator\mqdmmdm.sys
2007-01-15 23:15 9,232 ----a-w c:\documents and settings\HP_Administrator\mqdmmdfl.sys
2007-01-15 23:15 79,328 ----a-w c:\documents and settings\HP_Administrator\mqdmserd.sys
2007-01-15 23:15 66,656 ----a-w c:\documents and settings\HP_Administrator\mqdmbus.sys
2007-01-15 23:15 6,208 ----a-w c:\documents and settings\HP_Administrator\mqdmcmnt.sys
2007-01-15 23:15 5,936 ----a-w c:\documents and settings\HP_Administrator\mqdmwhnt.sys
2007-01-15 23:15 4,048 ----a-w c:\documents and settings\HP_Administrator\mqdmcr.sys
2007-01-15 23:15 25,600 ----a-w c:\documents and settings\HP_Administrator\usbsermptxp.sys
2007-01-15 23:15 22,768 ----a-w c:\documents and settings\HP_Administrator\usbsermpt.sys
2008-05-17 04:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
2008-05-27 06:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-08-11 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-08-11 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Switch2.lnk - c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe [2008-11-20 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lmwrie.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-10-26 10:10 652624 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-04-17 31872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-01-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2F8C7152-38EC-436F-ADD3-1FA9F2645BC4} - __BHODemonDisabled
BHO-{5BB77BA1-35A9-4D8A-A885-4BD9E3C6611C} - (no file)
BHO-{85965dcf-92d6-45cf-97aa-b9e04368e81a} - (no file)
BHO-{8822F736-B645-49E9-BC91-F1B8BDD2E5E8} - (no file)
BHO-{E5BA06D5-8288-4DBC-9354-36799750DEF4} - (no file)
Notify-uRlLfFyy - uRlLfFyy.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 17:49:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system32\dumprep.exe [2424] 0x85374DA0

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2147614819-192308621-1342240211-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2147614819-192308621-1342240211-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BCDF547A-11F8-F856-4212-E36C17F0741F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namdcbfmmdphfnabonielgccgcie"=hex:6a,61,69,6e,6a,63,68,6e,68,62,6c,65,63,66,
6b,61,65,61,6e,63,00,00
"macfeaoeakkhnccgjhbjkoooml"=hex:6a,61,69,6e,6a,63,68,6e,68,62,6c,65,63,66,6b,
61,65,61,6e,63,00,85
.
Completion time: 2009-01-13 17:54:00 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2009-01-13 23:51:31

Pre-Run: 196,308,758,528 bytes free
Post-Run: 196,191,215,616 bytes free

258 --- E O F --- 2009-01-13 00:29:44

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:06:18 PM

Posted 14 January 2009 - 09:57 AM

Hello Tallkris,

Looking better now. :thumbsup:

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty notepad window:

File::
c:\windows\system32\ffkuz.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="avgrsstx.dll"
RegNull::
[HKEY_USERS\S-1-5-21-2147614819-192308621-1342240211-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BCDF547A-11F8-F856-4212-E36C17F0741F}*]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
No more problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
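As an added example (not from this thread and not ComboFix's own code), the Python script below triages the two loading points Thunder's script touches: it pulls the AppInit_DLLs value and the Winlogon Notify orphan out of ComboFix log lines like the ones posted above, keeps only allowlisted DLLs, and renders the matching Registry:: block. The allowlist and the sample log lines are constructed for the example.

```python
import re

# Allowlist of DLLs that may legitimately sit in AppInit_DLLs on this machine.
# Assumption for the example: avgrsstx.dll is the AVG 8 entry that Thunder's
# Registry:: block keeps; anything else is reported as a removal candidate.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}

# Constructed sample, copied in shape from the ComboFix log posted above
# (the AppInit_DLLs line and the ORPHANS REMOVED block).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lmwrie.dll,avgrsstx.dll

- - - - ORPHANS REMOVED - - - -

BHO-{5BB77BA1-35A9-4D8A-A885-4BD9E3C6611C} - (no file)
Notify-uRlLfFyy - uRlLfFyy.dll
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^Notify-(\S+)\s+-\s+(\S+)$")


def parse_appinit_dlls(log_text):
    """Return the DLL names listed in the AppInit_DLLs value, in log order.

    ComboFix prints the value unquoted and comma-separated; the quoted form
    used in a CFScript is accepted too. Returns [] if the line is absent.
    """
    for line in log_text.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            value = m.group(1).strip().strip('"')
            return [d for d in re.split(r"[,\s]+", value) if d]
    return []


def parse_notify_orphans(log_text):
    """Return (subkey, dll) pairs from 'Notify-<name> - <dll>' orphan lines.

    These are Winlogon Notify entries whose DLL is gone; a random name such
    as uRlLfFyy is typical of the Vundo/Virtumonde family in this thread.
    """
    found = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def triage_appinit(log_text, allowlist=KNOWN_APPINIT_DLLS):
    """Split the AppInit_DLLs entries into the ones to keep and the ones to drop."""
    dlls = parse_appinit_dlls(log_text)
    keep = [d for d in dlls if d.lower() in allowlist]
    drop = [d for d in dlls if d.lower() not in allowlist]
    return keep, drop


def cfscript_registry_block(keep):
    """Render the Registry:: block that rewrites AppInit_DLLs to only `keep`,
    in the same layout as the CFScript in Thunder's post."""
    value = ",".join(keep)
    return (
        "Registry::\n"
        f"[{APPINIT_KEY}]\n"
        f'"AppInit_DLLs"="{value}"\n'
    )


if __name__ == "__main__":
    keep, drop = triage_appinit(SAMPLE_LOG)
    print("AppInit_DLLs to keep:", keep)
    print("AppInit_DLLs to remove:", drop)
    print("Winlogon Notify orphans:", parse_notify_orphans(SAMPLE_LOG))
    print(cfscript_registry_block(keep))
```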

#5 tallkris

tallkris
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:18 AM

Posted 14 January 2009 - 06:33 PM

The two logs you requested are below.

I was able to run the Windows defragmenter, Scan disk, and restart my machine without issue today so it appears everything is back to normal. Internet speeds have returned to normal as well so it looks like we may have gotten everything.

I did not find any of the Viewpoint programs you listed in my add remove but I did find folders for them when I searched, there were not any uninstall programs in those folders. How should I go about getting rid of those?

Scanning over the DDS log, which I'm not very familiar with, hence the reason I'm speaking with you: do you know what the Roxio program is? I do not see it installed in my add/remove programs nor can I find an uninstaller for it.

Anything else I should be getting rid of?

Final question, which antivirus/malware program do you recommend? Either pay or free; I'm against paying for something that's worth it.

Thanks for all your help as it looks like we are almost done!

****DDS Log****

DDS (Ver_09-01-07.01) - NTFSx86
Run by HP_Administrator at 17:16:30.70 on Wed 01/14/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.478 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Switch2\Switch2.exe
C:\WINDOWS\arservice.exe
svchost.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - No File
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {0483894E-2422-45E0-8384-021AFF1AF3CD} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\switch2.lnk - c:\docume~1\hp_adm~1\applic~1\microsoft\installer\{067b5e9a-a4ba-4bf2-aff2-6d5414b2e88a}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\zfjyzbxp.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\zfjyzbxp.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\firefox\profiles\zfjyzbxp.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\documents and settings\hp_administrator\application data\mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-11 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-11 26824]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-11 231704]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-4-17 31872]

=============== Created Last 30 ================

2009-01-14 16:55 <DIR> --d----- C:\ComboFix
2009-01-13 17:22 161,792 a------- c:\windows\SWREG.exe
2009-01-13 17:22 98,816 a------- c:\windows\sed.exe
2009-01-12 23:19 917,504 a------- c:\windows\system32\FLASH.OCX
2009-01-12 21:48 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Auslogics
2009-01-12 21:48 <DIR> --d----- c:\program files\Auslogics
2009-01-12 19:36 266,360 a------- c:\windows\system32\TweakUI.exe
2009-01-12 19:36 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
2009-01-11 15:53 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-11 14:20 <DIR> --d----- c:\windows\Extra Programs
2009-01-11 02:56 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-11 02:17 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-11 02:17 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-11 02:17 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-11 02:17 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\AVGTOOLBAR
2009-01-11 02:17 <DIR> --d----- c:\program files\AVG
2009-01-11 02:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-10 13:52 262,144 a------- c:\windows\system32\default_user_class.dat
2009-01-10 12:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-09 15:33 <DIR> --d----- c:\windows\LMI79.tmp
2009-01-09 00:04 <DIR> --d----- c:\program files\UPHClean
2009-01-08 21:38 <DIR> --d----- c:\program files\Trend Micro
2009-01-08 20:49 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\HouseCall 6.6
2009-01-08 19:57 <DIR> --d----- C:\VundoFix Backups
2009-01-08 00:12 <DIR> --d----- c:\program files\Lavasoft
2009-01-07 19:26 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-07 19:25 <DIR> --d----- c:\documents and settings\hp_administrator\.housecall6.6
2009-01-03 14:24 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\MSNInstaller
2009-01-02 18:19 <DIR> --d----- c:\program files\Unlocker
2009-01-02 18:11 <DIR> --d----- c:\program files\GiPo@Utilities
2009-01-02 18:11 <DIR> --d----- c:\program files\common files\Gibinsoft Shared
2009-01-01 11:45 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-30 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2008-12-26 14:20 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Research In Motion
2008-12-26 14:20 256 a------- c:\windows\system32\pool.bin
2008-12-26 14:19 256 a------- c:\documents and settings\hp_administrator\pool.bin
2008-12-26 14:08 <DIR> --d----- c:\program files\Roxio
2008-12-26 14:03 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2008-12-26 14:03 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Blackberry Desktop
2008-12-26 14:02 <DIR> --d----- c:\program files\common files\Research In Motion
2008-12-26 14:02 <DIR> --d----- c:\program files\Research In Motion
2008-12-17 13:23 49 a------- c:\windows\entpack.ini

==================== Find3M ====================

2009-01-09 14:27 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 14:27 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2008-12-13 00:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 04:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-10-24 05:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 06:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2007-01-15 17:15 92,064 a------- c:\documents and settings\hp_administrator\mqdmmdm.sys
2007-01-15 17:15 79,328 a------- c:\documents and settings\hp_administrator\mqdmserd.sys
2007-01-15 17:15 66,656 a------- c:\documents and settings\hp_administrator\mqdmbus.sys
2007-01-15 17:15 25,600 a------- c:\documents and settings\hp_administrator\usbsermptxp.sys
2007-01-15 17:15 22,768 a------- c:\documents and settings\hp_administrator\usbsermpt.sys
2007-01-15 17:15 9,232 a------- c:\documents and settings\hp_administrator\mqdmmdfl.sys
2007-01-15 17:15 6,208 a------- c:\documents and settings\hp_administrator\mqdmcmnt.sys
2007-01-15 17:15 5,936 a------- c:\documents and settings\hp_administrator\mqdmwhnt.sys
2007-01-15 17:15 4,048 a------- c:\documents and settings\hp_administrator\mqdmcr.sys
2008-05-16 22:21 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051620080517\index.dat
2008-05-27 00:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat

============= FINISH: 17:17:08.29 ===============


****ComboFix Log****

ComboFix 09-01-13.03 - HP_Administrator 2009-01-13 17:27:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.515 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekafmuvlohf.sys
c:\windows\system32\Drivers\TDSSmqlt.sys
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\megmslrc.ini
c:\windows\system32\mxesycik.ini
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaksrmwwii.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekarnswujkw.dll
c:\windows\system32\ucaavblx.ini
c:\windows\system32\UpMedia
c:\windows\system32\xrfbpqpi.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-12 23:19 . 2009-01-12 23:19 917,504 --a------ c:\windows\system32\FLASH.OCX
2009-01-12 21:48 . 2009-01-12 21:48 <DIR> d-------- c:\program files\Auslogics
2009-01-12 21:48 . 2009-01-12 21:48 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Auslogics
2009-01-12 19:36 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-01-12 19:36 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-01-11 15:53 . 2009-01-11 15:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 14:20 . 2009-01-12 22:12 <DIR> d-------- c:\windows\Extra Programs
2009-01-11 02:56 . 2009-01-11 02:59 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-11 02:17 . 2009-01-13 16:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-11 02:17 . 2009-01-11 02:17 <DIR> d-------- c:\program files\AVG
2009-01-11 02:17 . 2009-01-11 02:17 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\AVGTOOLBAR
2009-01-11 02:17 . 2009-01-11 02:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-11 02:17 . 2009-01-11 02:17 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-11 02:17 . 2009-01-11 02:17 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-10 13:52 . 2009-01-10 13:52 262,144 --a------ c:\windows\system32\default_user_class.dat
2009-01-10 13:34 . 2009-01-10 13:34 <DIR> d-------- c:\program files\Windows Defender
2009-01-10 12:54 . 2009-01-10 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-09 15:33 . 2009-01-09 15:33 <DIR> d-------- c:\windows\LMI79.tmp
2009-01-09 00:04 . 2009-01-09 00:04 <DIR> d-------- c:\program files\UPHClean
2009-01-08 21:38 . 2009-01-08 21:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 20:49 . 2009-01-08 20:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\HouseCall 6.6
2009-01-08 19:57 . 2009-01-08 19:57 <DIR> d-------- C:\VundoFix Backups
2009-01-08 00:12 . 2009-01-08 00:12 <DIR> d-------- c:\program files\Lavasoft
2009-01-08 00:12 . 2009-01-11 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 19:28 . 2009-01-07 19:28 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-07 19:26 . 2009-01-07 19:25 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-07 19:25 . 2009-01-07 19:26 <DIR> d-------- c:\documents and settings\HP_Administrator\.housecall6.6
2009-01-03 14:24 . 2009-01-03 14:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-01-02 18:19 . 2009-01-02 18:20 <DIR> d-------- c:\program files\Unlocker
2009-01-02 18:11 . 2009-01-02 18:11 <DIR> d-------- c:\program files\GiPo@Utilities
2009-01-02 18:11 . 2009-01-02 18:11 <DIR> d-------- c:\program files\Common Files\Gibinsoft Shared
2009-01-01 11:45 . 2009-01-01 11:45 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-30 22:44 . 2008-12-30 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-26 14:20 . 2008-12-26 14:20 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Research In Motion
2008-12-26 14:20 . 2008-12-27 15:32 256 --a------ c:\windows\system32\pool.bin
2008-12-26 14:19 . 2008-12-26 14:20 256 --a------ c:\documents and settings\HP_Administrator\pool.bin
2008-12-26 14:08 . 2008-12-26 14:08 <DIR> d-------- c:\program files\Roxio
2008-12-26 14:08 . 2008-12-26 14:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-26 14:07 . 2008-12-26 14:08 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-26 14:03 . 2008-12-26 14:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Blackberry Desktop
2008-12-26 14:03 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-26 14:02 . 2008-12-26 14:02 <DIR> d-------- c:\program files\Research In Motion
2008-12-26 14:02 . 2008-12-26 14:03 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-17 13:23 . 2008-12-17 13:23 49 --a------ c:\windows\entpack.ini
2008-12-13 14:46 . 2008-12-13 14:46 78 --a------ c:\windows\system\WIN32S.INI
2008-12-13 14:43 . 2008-12-13 14:43 <DIR> d-------- C:\WESTWOOD
2008-12-13 14:43 . 1994-08-24 00:00 188,960 --a------ c:\windows\system\WINGDE.DLL
2008-12-13 14:43 . 1994-09-21 00:00 92,208 --a------ c:\windows\system\WING.DLL
2008-12-13 14:43 . 1994-09-21 00:00 12,800 --a------ c:\windows\system\WING32.DLL
2008-12-13 14:43 . 1994-09-21 00:00 6,736 --a------ c:\windows\system\WINGDIB.DRV
2008-12-13 14:43 . 1994-09-21 00:00 5,024 --a------ c:\windows\system\WINGPAL.WND
2008-12-13 14:43 . 1994-06-27 00:00 1,966 --a------ c:\windows\system\DVA.386

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 20:09 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-11 08:15 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-01-11 07:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-11 06:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-01-11 06:04 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-01-10 20:38 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-09 20:27 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 20:27 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 05:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Viewpoint
2009-01-03 20:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 20:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-01-01 17:45 --------- d-----w c:\program files\Java
2009-01-01 16:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-01-01 00:46 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\WeatherBug
2008-12-31 06:08 --------- d-----w c:\program files\AIM6
2008-12-31 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-31 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-26 20:10 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-26 20:10 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-04 18:45 --------- d-----w c:\program files\Apple Software Update
2008-11-28 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
2008-11-20 21:24 --------- d-----w c:\program files\Belkin
2007-01-15 23:15 92,064 ----a-w c:\documents and settings\HP_Administrator\mqdmmdm.sys
2007-01-15 23:15 9,232 ----a-w c:\documents and settings\HP_Administrator\mqdmmdfl.sys
2007-01-15 23:15 79,328 ----a-w c:\documents and settings\HP_Administrator\mqdmserd.sys
2007-01-15 23:15 66,656 ----a-w c:\documents and settings\HP_Administrator\mqdmbus.sys
2007-01-15 23:15 6,208 ----a-w c:\documents and settings\HP_Administrator\mqdmcmnt.sys
2007-01-15 23:15 5,936 ----a-w c:\documents and settings\HP_Administrator\mqdmwhnt.sys
2007-01-15 23:15 4,048 ----a-w c:\documents and settings\HP_Administrator\mqdmcr.sys
2007-01-15 23:15 25,600 ----a-w c:\documents and settings\HP_Administrator\usbsermptxp.sys
2007-01-15 23:15 22,768 ----a-w c:\documents and settings\HP_Administrator\usbsermpt.sys
2008-05-17 04:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
2008-05-27 06:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-08-11 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-08-11 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Switch2.lnk - c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe [2008-11-20 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lmwrie.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-10-26 10:10 652624 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-04-17 31872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-01-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
- - - - ORPHANS REMOVED - - - -

BHO-{2F8C7152-38EC-436F-ADD3-1FA9F2645BC4} - __BHODemonDisabled
BHO-{5BB77BA1-35A9-4D8A-A885-4BD9E3C6611C} - (no file)
BHO-{85965dcf-92d6-45cf-97aa-b9e04368e81a} - (no file)
BHO-{8822F736-B645-49E9-BC91-F1B8BDD2E5E8} - (no file)
BHO-{E5BA06D5-8288-4DBC-9354-36799750DEF4} - (no file)
Notify-uRlLfFyy - uRlLfFyy.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 17:49:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\system32\dumprep.exe [2424] 0x85374DA0

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2147614819-192308621-1342240211-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2147614819-192308621-1342240211-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BCDF547A-11F8-F856-4212-E36C17F0741F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"namdcbfmmdphfnabonielgccgcie"=hex:6a,61,69,6e,6a,63,68,6e,68,62,6c,65,63,66,
6b,61,65,61,6e,63,00,00
"macfeaoeakkhnccgjhbjkoooml"=hex:6a,61,69,6e,6a,63,68,6e,68,62,6c,65,63,66,6b,
61,65,61,6e,63,00,85
.
Completion time: 2009-01-13 17:54:00 - machine was rebooted [HP_Administrator]
ComboFix-quarantined-files.txt 2009-01-13 23:51:31

Pre-Run: 196,308,758,528 bytes free
Post-Run: 196,191,215,616 bytes free

258 --- E O F --- 2009-01-13 00:29:44
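As an added example (not code from this thread or from ComboFix itself), a small Python checker that reads the "Reg Loading Points" and "ORPHANS REMOVED" sections of a ComboFix log like the one above and flags what a helper looks for first: unknown AppInit_DLLs entries, Security Center notification or monitoring switched off, and Winlogon Notify packages that were removed. The sample input is an excerpt of the log posted above; the set of AppInit DLLs treated as expected (AVG's hook) is an assumption.

```python
"""Flag defender-relevant findings in a ComboFix log's registry sections.

Added example; not part of the forum thread and not ComboFix's own code.
SAMPLE_LOG is an excerpt of the log posted in the thread. KNOWN_APPINIT
(the DLLs expected in AppInit_DLLs on this machine) is an assumption.
"""
import re

# AVG's on-access hook appears in the posted log, so it is treated as
# expected here (assumption for this example); anything else is flagged.
KNOWN_APPINIT = {"avgrsstx.dll"}

# Security Center values that, when set to 1, silence alerts or stop monitoring.
SECURITY_CENTER_FLAGS = {"antivirusdisablenotify", "firewalldisablenotify",
                         "updatesdisablenotify", "disablemonitoring"}

# Excerpt of the ComboFix log posted above (backslashes doubled for Python).
SAMPLE_LOG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=lmwrie.dll,avgrsstx.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

.
- - - - ORPHANS REMOVED - - - -

BHO-{5BB77BA1-35A9-4D8A-A885-4BD9E3C6611C} - (no file)
Notify-uRlLfFyy - uRlLfFyy.dll
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
ORPHAN_RE = re.compile(
    r"^(?P<kind>BHO|Notify|SSODL|Toolbar|WebBrowser)-(?P<name>\S+) - (?P<file>.*)$")


def parse_reg_section(text):
    """Yield (key, name, data) for every value line under a [key] header."""
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def dword(data):
    """Decode a REGEDIT4 'dword:0000000X' string to an int; None otherwise."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None


def flag_findings(text):
    """Return a list of (severity, description) findings for a ComboFix log."""
    findings = []
    for key, name, data in parse_reg_section(text):
        lkey, lname = key.lower(), name.lower()
        if lkey.endswith("currentversion\\windows") and lname == "appinit_dlls":
            # Every DLL listed here is injected into every GUI process.
            for d in (x.strip().lower() for x in data.split(",") if x.strip()):
                if d not in KNOWN_APPINIT:
                    findings.append(("high", f"AppInit_DLLs loads unknown DLL: {d}"))
        elif "security center" in lkey and lname in SECURITY_CENTER_FLAGS:
            if dword(data) == 1:
                findings.append(("medium", f"Security Center tampering: {key}\\{name}=1"))
    for line in text.splitlines():
        m = ORPHAN_RE.match(line.strip())
        if not m:
            continue
        if m.group("kind") == "Notify":
            # Winlogon Notify packages load into winlogon.exe at logon.
            findings.append(("high", f"Winlogon Notify package removed: {m.group('file')}"))
        elif m.group("file") == "(no file)":
            findings.append(("low", f"Dangling {m.group('kind')} entry removed: {m.group('name')}"))
    return findings


if __name__ == "__main__":
    for severity, description in flag_findings(SAMPLE_LOG):
        print(f"[{severity}] {description}")
```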

#6 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:06:18 PM

Posted 15 January 2009 - 04:49 AM

Hello Tallkris,

Unless I'm mistaken, you've posted an old ComboFix log :thumbsup:

Your DDS log looks fine, however. :)

Roxio software is CD/DVD burning software, sometimes installed along with some media viewers:
http://www.roxio.com/

Those Viewpoint folders you can manually delete using Windows Explorer.

If you no longer have any issues, you can remove all used tools and folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the next command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

As for security programs: AVG is fine; personally I tend to prefer Avira AntiVir, or if you prefer paying solutions you can consider Kaspersky, Nod32, Panda...

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#7 tallkris

  • Topic Starter
  • Members
  • 5 posts
  • Local time:10:18 AM

Posted 15 January 2009 - 10:52 AM

Thunder,

There are so many logs on my desktop right now that it's entirely possible I pasted an old ComboFix log. Here is the ComboFix log that was created yesterday afternoon around 5pm CST. If all looks good to you in the log then I think we are good to go.

I really appreciate the help.

ComboFix 09-01-13.04 - HP_Administrator 2009-01-14 16:56:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.519 [GMT -6:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\ffkuz.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ffkuz.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-12 23:19 . 2009-01-12 23:19 917,504 --a------ c:\windows\system32\FLASH.OCX
2009-01-12 21:48 . 2009-01-12 21:48 <DIR> d-------- c:\program files\Auslogics
2009-01-12 21:48 . 2009-01-12 21:48 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Auslogics
2009-01-12 19:36 . 2003-06-25 16:05 266,360 --a------ c:\windows\system32\TweakUI.exe
2009-01-12 19:36 . 2002-06-21 15:09 160,217 --a------ c:\windows\system32\PowerToysLicense.rtf
2009-01-11 15:53 . 2009-01-11 15:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 14:20 . 2009-01-12 22:12 <DIR> d-------- c:\windows\Extra Programs
2009-01-11 02:56 . 2009-01-11 02:59 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-11 02:17 . 2009-01-13 16:08 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-11 02:17 . 2009-01-11 02:17 <DIR> d-------- c:\program files\AVG
2009-01-11 02:17 . 2009-01-11 02:17 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\AVGTOOLBAR
2009-01-11 02:17 . 2009-01-11 02:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-11 02:17 . 2009-01-11 02:17 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-11 02:17 . 2009-01-11 02:17 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-10 13:52 . 2009-01-10 13:52 262,144 --a------ c:\windows\system32\default_user_class.dat
2009-01-10 13:34 . 2009-01-10 13:34 <DIR> d-------- c:\program files\Windows Defender
2009-01-10 12:54 . 2009-01-10 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-09 15:33 . 2009-01-09 15:33 <DIR> d-------- c:\windows\LMI79.tmp
2009-01-09 00:04 . 2009-01-09 00:04 <DIR> d-------- c:\program files\UPHClean
2009-01-08 21:38 . 2009-01-08 21:38 <DIR> d-------- c:\program files\Trend Micro
2009-01-08 20:49 . 2009-01-08 20:57 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\HouseCall 6.6
2009-01-08 19:57 . 2009-01-08 19:57 <DIR> d-------- C:\VundoFix Backups
2009-01-08 00:12 . 2009-01-08 00:12 <DIR> d-------- c:\program files\Lavasoft
2009-01-08 00:12 . 2009-01-11 15:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-07 19:26 . 2009-01-07 19:25 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-01-07 19:25 . 2009-01-07 19:26 <DIR> d-------- c:\documents and settings\HP_Administrator\.housecall6.6
2009-01-03 14:24 . 2009-01-03 14:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-01-02 18:19 . 2009-01-02 18:20 <DIR> d-------- c:\program files\Unlocker
2009-01-02 18:11 . 2009-01-02 18:11 <DIR> d-------- c:\program files\GiPo@Utilities
2009-01-02 18:11 . 2009-01-02 18:11 <DIR> d-------- c:\program files\Common Files\Gibinsoft Shared
2009-01-01 11:45 . 2009-01-01 11:45 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-30 22:44 . 2008-12-30 22:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2008-12-26 14:20 . 2008-12-26 14:20 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Research In Motion
2008-12-26 14:20 . 2008-12-27 15:32 256 --a------ c:\windows\system32\pool.bin
2008-12-26 14:19 . 2008-12-26 14:20 256 --a------ c:\documents and settings\HP_Administrator\pool.bin
2008-12-26 14:08 . 2008-12-26 14:08 <DIR> d-------- c:\program files\Roxio
2008-12-26 14:08 . 2008-12-26 14:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2008-12-26 14:07 . 2008-12-26 14:08 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2008-12-26 14:03 . 2008-12-26 14:24 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Blackberry Desktop
2008-12-26 14:03 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-26 14:02 . 2008-12-26 14:02 <DIR> d-------- c:\program files\Research In Motion
2008-12-26 14:02 . 2008-12-26 14:03 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-12-17 13:23 . 2008-12-17 13:23 49 --a------ c:\windows\entpack.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 20:09 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-11 08:15 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Symantec
2009-01-11 07:17 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-11 06:05 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Skype
2009-01-11 06:04 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-01-10 20:38 --------- d-----w c:\program files\Windows Live Safety Center
2009-01-09 20:27 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 20:27 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 05:28 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Viewpoint
2009-01-03 20:34 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-03 20:18 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-01-01 17:45 --------- d-----w c:\program files\Java
2009-01-01 16:27 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Move Networks
2009-01-01 00:46 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\WeatherBug
2008-12-31 06:08 --------- d-----w c:\program files\AIM6
2008-12-31 04:44 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-31 03:52 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-12-26 20:10 --------- d-----w c:\program files\Common Files\Sonic Shared
2008-12-26 20:10 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-04 18:45 --------- d-----w c:\program files\Apple Software Update
2008-11-28 18:22 --------- d-----w c:\documents and settings\All Users\Application Data\CanonIJPLM
2008-11-20 21:24 --------- d-----w c:\program files\Belkin
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll
2007-01-15 23:15 92,064 ----a-w c:\documents and settings\HP_Administrator\mqdmmdm.sys
2007-01-15 23:15 9,232 ----a-w c:\documents and settings\HP_Administrator\mqdmmdfl.sys
2007-01-15 23:15 79,328 ----a-w c:\documents and settings\HP_Administrator\mqdmserd.sys
2007-01-15 23:15 66,656 ----a-w c:\documents and settings\HP_Administrator\mqdmbus.sys
2007-01-15 23:15 6,208 ----a-w c:\documents and settings\HP_Administrator\mqdmcmnt.sys
2007-01-15 23:15 5,936 ----a-w c:\documents and settings\HP_Administrator\mqdmwhnt.sys
2007-01-15 23:15 4,048 ----a-w c:\documents and settings\HP_Administrator\mqdmcr.sys
2007-01-15 23:15 25,600 ----a-w c:\documents and settings\HP_Administrator\usbsermptxp.sys
2007-01-15 23:15 22,768 ----a-w c:\documents and settings\HP_Administrator\usbsermpt.sys
2008-05-17 04:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051620080517\index.dat
2008-05-27 06:44 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_17.50.37.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-03 00:57:02 593,920 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-01-14 10:02:33 593,920 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-01-03 00:57:02 12,288 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-01-14 10:02:33 12,288 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-01-03 00:57:01 135,168 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-01-14 10:02:33 135,168 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-01-03 00:57:02 11,264 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-01-14 10:02:33 11,264 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-01-03 00:57:02 27,136 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-01-14 10:02:33 27,136 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-01-03 00:57:02 4,096 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-01-14 10:02:33 4,096 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-01-03 00:57:02 794,624 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-01-14 10:02:33 794,624 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-01-03 00:57:02 249,856 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-01-14 10:02:33 249,856 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-01-03 00:57:02 61,440 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-01-14 10:02:33 61,440 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-01-03 00:57:02 23,040 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-01-14 10:02:33 23,040 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-01-03 00:57:01 286,720 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-01-14 10:02:33 286,720 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-01-03 00:57:01 409,600 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-01-14 10:02:33 409,600 ----a-r c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-12-09 21:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-14 10:09:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-21 842584]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-11 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-21 185896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]
"ftutil2"="ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-08-11 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-08-11 27136]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Switch2.lnk - c:\documents and settings\HP_Administrator\Application Data\Microsoft\Installer\{067B5E9A-A4BA-4BF2-AFF2-6D5414B2E88A}\NewShortcut1_067B5E9AA4BA4BF2AFF26D5414B2E88A.exe [2008-11-20 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-10-26 10:10 652624 c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-11 97928]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-11 231704]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-04-17 31872]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-01-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-01-14 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-30 13:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\zfjyzbxp.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000005.dll
FF - plugin: c:\documents and settings\HP_Administrator\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll

---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - localfilelinks
FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk
FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 16:59:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2147614819-192308621-1342240211-1007\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\windows\system32\avgrsstx.dll

- - - - - - - > 'lsass.exe'(852)
c:\windows\system32\avgrsstx.dll
.
Completion time: 2009-01-14 17:00:56
ComboFix-quarantined-files.txt 2009-01-14 23:00:46
ComboFix2.txt 2009-01-13 23:54:03

Pre-Run: 196,057,731,072 bytes free
Post-Run: 196,038,320,128 bytes free

289 --- E O F --- 2009-01-14 10:02:35

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:18 PM

Posted 15 January 2009 - 05:32 PM

Hello Tallkris,

That one looks fine as well. :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
