Computer very slow, problems with browsers etc


This topic is locked
11 replies to this topic

#1 echeckpost


  • Members
  • 62 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 26 January 2009 - 01:43 PM

As advised, below please find the DDS.txt contents:

DDS (Version 1.1.0) - NTFSx86
Run by Shree420 at 13:37:59.20 on Mon 01/26/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1369 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Shree420\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Djjseg] "c:\program files\??crosoft\??oolsv.exe"
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S11E.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [RunNarrator] Narrator.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shree420\applic~1\mozilla\firefox\profiles\qgunt1nc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-8-1 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-8-1 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-8-1 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-8-1 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-26 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-26 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-26 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-8-1 4960]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2008-1-4 587096]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe" -sMSSMLBIZ [2008-2-26 29183504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]

=============== Created Last 30 ================

2009-01-24 17:29 <DIR> --d----- c:\program files\Rebate! Rebate!
2009-01-24 17:29 344,064 -------- c:\windows\Setup1.exe
2009-01-24 17:29 73,216 a------- c:\windows\ST6UNST.EXE
2009-01-23 20:54 259,448 a------- c:\windows\system32\awrdscdc.ax
2009-01-23 20:54 24,576 -------- c:\windows\system32\msxml3a.dll
2009-01-23 20:54 <DIR> --d----- c:\program files\Audible
2009-01-22 15:17 1,190 a------- C:\net_save.dna
2009-01-22 15:17 <DIR> --d----- c:\program files\support.com
2009-01-22 15:17 <DIR> --d----- c:\program files\common files\SupportSoft
2009-01-20 14:40 339,968 a------- c:\windows\stsystra.exe
2009-01-20 14:40 90,112 a------- c:\windows\system32\stacsv.exe
2009-01-20 14:40 4,939,776 a------- c:\windows\system32\stacgui.cpl
2009-01-20 14:40 1,601,536 a------- c:\windows\system32\stlang.dll
2009-01-18 23:20 106,496 a------- c:\windows\system32\Astro Gemini Screensaver Manager.scr
2009-01-18 23:20 <DIR> --d----- c:\docume~1\shree420\applic~1\Astro Gemini Software
2009-01-18 23:20 <DIR> --d----- c:\program files\Astro Gemini Software
2009-01-13 07:08 985,472 a------- c:\windows\system32\drivers\HSF_DPV.sys
2009-01-13 07:08 237,568 a------- c:\windows\system32\UCI32M30.dll
2009-01-13 07:08 146,036 a------- c:\windows\system32\drivers\HSFProf.cty
2009-01-13 06:52 <DIR> --d----- c:\windows\OPTIONS
2009-01-13 06:50 35,704 a------- c:\windows\system32\NicInst.dll
2009-01-13 06:50 28,536 a------- c:\windows\system32\NicCo.dll
2009-01-13 06:47 <DIR> --d----- C:\Intel
2009-01-13 06:45 520,192 -------- c:\windows\system32\ati2sgag.exe
2009-01-13 06:40 23,600 a------- c:\windows\system32\drivers\TVICHW32.SYS
2009-01-09 12:58 <DIR> --d----- c:\program files\CCleaner
2009-01-09 09:53 <DIR> --d----- c:\program files\directx
2009-01-09 09:51 <DIR> --d----- C:\Dynamix

==================== Find3M ====================

2008-12-19 08:16 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-07 06:25 74,703 a------- c:\windows\system32\mfc45.dll
2007-11-05 11:34 846,504 a------- c:\documents and settings\shree420\JNativeCpp.dll

============= FINISH: 13:38:40.28 ===============


Step 2:

See attached DDS.txt

Step 3 Symptoms:

1. extremely slow startup

2. When the Desktop does come...after a long time....the cursor is still showing the hour glass for at least a few minutes before it will let me do anything.

3. The first time I start the web browser, it takes a long time before it fully opens up.

4. When the web browser does open up....it takes a long time to get to the webpage. After the first time, everything seems rather quick.

5. Sometimes when I go to Gmail, it crashes and says that my web browser is not set to accept or enable cookies? But when you check, it is set to accept cookies.

Edited by echeckpost, 26 January 2009 - 01:51 PM.

eCheckPost

I want to earn Passcode for Bleeping computer Training


#2 Farbar


    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:48 PM

Posted 26 January 2009 - 02:47 PM

Hello echeckpost,

This one is also infected.
  • You have the latest version of Java and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older-version Java components:
    Click "Start" and then the "Control Panel" icon.
    Double-click the "Add or Remove Programs" icon.
    A list of installed programs will be "populated"; this may take a bit of time.
    Uninstall the following by clicking on each of the following entries and selecting "Remove":

    Java 2 Runtime Environment, SE v1.4.1_02
    Java 2 Runtime Environment, SE v1.4.2_03
    Java Web Start
    Java™ 6 Update 11
    Java™ 6 Update 7


  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of Files/Folders created to 3 Months.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open, log.txt (<<will be maximized) and info.txt (<<will be minimized)

      Please post the content of just log.txt as the info.txt is not needed.

      Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

      Note 2: The tool takes no more than one minute to scan the system.


#3 echeckpost

  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Local time:02:48 PM

Posted 26 January 2009 - 04:48 PM

Step 1 completed successfully

Step 2. Completed successfully. Log pasted below.

Malwarebytes' Anti-Malware 1.33
Database version: 1696
Windows 5.1.2600 Service Pack 3

1/26/2009 4:46:35 PM
mbam-log-2009-01-26 (16-46-35).txt

Scan type: Quick Scan
Objects scanned: 64371
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Step 3. Completed Successfully. See contents of log.txt pasted below:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Shree420 at 2009-01-26 16:49:08
Microsoft Windows XP Professional Service Pack 3
System drive C: has 47 GB (66%) free of 71 GB
Total RAM: 2046 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:14 PM, on 1/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Shree420\Desktop\RSIT.exe
C:\Program Files\trend micro\Shree420.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Djjseg] "C:\Program Files\??crosoft\??oolsv.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S11E.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151254634890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - http://81.86.29.25/cab/OCXChecker_8000.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 6665 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2006-02-09 344064]
"SigmatelSysTrayApp"=C:\WINDOWS\stsystra.exe [2005-03-22 339968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-01-14 399504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Djjseg"=C:\Program Files\??crosoft\??oolsv.exe []
"EPSON Stylus CX7400 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE [2007-02-15 179200]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=91
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Ethereal\ethereal.exe"="C:\Program Files\Ethereal\ethereal.exe:*:Enabled:Ethereal"
"C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe"="C:\Program Files\SolarWinds\Free Tools\TFTP-Server.exe:*:Enabled:TFTP Server"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2006\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe"="C:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Disabled:Microsoft Office OneNote"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a375db0-fd56-11da-af46-001372d27fe8}]
shell\AutoRun\command - G:\setupSNK.exe


======List of files/folders created in the last 3 months======

2009-01-26 16:49:08 ----D---- C:\rsit
2009-01-26 16:49:08 ----D---- C:\Program Files\trend micro
2009-01-26 16:41:20 ----D---- C:\Documents and Settings\Shree420\Application Data\Malwarebytes
2009-01-26 16:41:15 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-26 16:41:15 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-26 16:32:54 ----SHD---- C:\Config.Msi
2009-01-24 17:29:26 ----D---- C:\Program Files\Rebate! Rebate!
2009-01-24 17:29:10 ----N---- C:\WINDOWS\Setup1.exe
2009-01-24 17:29:08 ----A---- C:\WINDOWS\ST6UNST.EXE
2009-01-23 20:54:26 ----N---- C:\WINDOWS\system32\msxml3a.dll
2009-01-23 20:54:20 ----D---- C:\Program Files\Audible
2009-01-22 15:17:44 ----D---- C:\Program Files\support.com
2009-01-22 15:17:40 ----D---- C:\Program Files\Common Files\SupportSoft
2009-01-20 14:40:31 ----A---- C:\WINDOWS\system32\stacsv.exe
2009-01-20 14:40:31 ----A---- C:\WINDOWS\stsystra.exe
2009-01-20 14:40:30 ----A---- C:\WINDOWS\system32\stlang.dll
2009-01-18 23:20:47 ----D---- C:\Documents and Settings\Shree420\Application Data\Astro Gemini Software
2009-01-18 23:20:46 ----D---- C:\Program Files\Astro Gemini Software
2009-01-15 00:22:56 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-13 08:08:27 ----A---- C:\WINDOWS\ModemLog_Conexant D850 PCI V.92 Modem.txt
2009-01-13 07:08:36 ----A---- C:\WINDOWS\system32\UCI32M30.dll
2009-01-13 06:52:00 ----D---- C:\WINDOWS\OPTIONS
2009-01-13 06:50:24 ----A---- C:\WINDOWS\system32\NicInst.dll
2009-01-13 06:50:24 ----A---- C:\WINDOWS\system32\NicCo.dll
2009-01-13 06:49:41 ----A---- C:\WINDOWS\system32\WmiConf.txt
2009-01-13 06:47:51 ----D---- C:\Intel
2009-01-13 06:45:30 ----N---- C:\WINDOWS\system32\ati2sgag.exe
2009-01-12 21:22:08 ----A---- C:\WINDOWS\OEWABLog.txt
2009-01-09 12:58:03 ----D---- C:\Program Files\CCleaner
2009-01-09 09:53:06 ----D---- C:\Program Files\directx
2009-01-09 09:51:25 ----D---- C:\Dynamix
2008-12-19 08:16:56 ----A---- C:\WINDOWS\system32\javaw.exe
2008-12-19 08:16:56 ----A---- C:\WINDOWS\system32\java.exe
2008-12-19 08:16:56 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-18 05:36:07 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2008-12-10 17:22:12 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-10 17:22:00 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2008-12-10 17:21:33 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-10 17:21:28 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-10 17:21:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-12-08 06:39:11 ----D---- C:\Program Files\iolo
2008-12-07 06:25:32 ----A---- C:\WINDOWS\system32\mfc45.dll
2008-12-07 06:24:26 ----D---- C:\Documents and Settings\Shree420\Application Data\iolo
2008-12-07 06:24:26 ----D---- C:\Documents and Settings\All Users\Application Data\iolo
2008-12-05 08:02:47 ----A---- C:\WINDOWS\system32\escwiad.dll
2008-11-29 16:56:20 ----D---- C:\epson
2008-11-12 20:44:18 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 20:44:12 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2008-11-12 20:44:04 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-09 07:46:07 ----D---- C:\Ligtel
2008-10-29 07:54:32 ----HD---- C:\WINDOWS\PIF

======List of files/folders modified in the last 3 months======

2009-01-26 16:49:14 ----D---- C:\WINDOWS\Prefetch
2009-01-26 16:49:08 ----D---- C:\Program Files
2009-01-26 16:44:34 ----D---- C:\Program Files\Mozilla Firefox
2009-01-26 16:41:19 ----D---- C:\WINDOWS\system32\drivers
2009-01-26 16:39:12 ----D---- C:\WINDOWS\system32\inetsrv
2009-01-26 16:35:22 ----D---- C:\WINDOWS\Temp
2009-01-26 16:35:22 ----D---- C:\WINDOWS\Registration
2009-01-26 16:35:12 ----D---- C:\WINDOWS
2009-01-26 16:33:49 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-26 16:33:29 ----D---- C:\WINDOWS\system32
2009-01-26 16:33:08 ----SHD---- C:\WINDOWS\Installer
2009-01-26 16:33:02 ----D---- C:\Program Files\Java
2009-01-26 16:33:02 ----D---- C:\Program Files\Common Files
2009-01-20 14:50:20 ----HD---- C:\WINDOWS\inf
2009-01-20 14:50:17 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-20 14:48:10 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-16 15:16:54 ----D---- C:\Program Files\Free Easy Burner
2009-01-15 00:22:25 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-15 00:20:54 ----D---- C:\WINDOWS\Debug
2009-01-13 07:02:36 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-01-13 06:59:18 ----HD---- C:\Program Files\InstallShield Installation Information
2009-01-13 06:52:51 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-13 06:51:37 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-01-13 06:51:13 ----D---- C:\Program Files\Intel
2009-01-13 06:44:49 ----D---- C:\Program Files\ATI Technologies
2009-01-09 20:35:28 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-09 13:00:00 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 12:59:24 ----D---- C:\WINDOWS\Minidump
2009-01-07 22:22:37 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-01-07 22:22:37 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2008-12-30 21:01:50 ----D---- C:\Documents and Settings\Shree420\Application Data\AVG7
2008-12-26 09:49:07 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-26 09:38:20 ----RHD---- C:\$VAULT$.AVG
2008-12-12 12:01:00 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-10 17:22:46 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-05 08:02:47 ----D---- C:\WINDOWS\twain_32
2008-12-03 06:42:57 ----D---- C:\WINDOWS\Help
2008-11-30 12:37:38 ----D---- C:\Documents and Settings\All Users\Application Data\EPSON
2008-11-29 16:56:26 ----D---- C:\Program Files\epson
2008-11-12 20:43:32 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-24 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-08-01 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-08-01 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-26 10760]
R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-08-01 4960]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-10 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-10 55936]
R3 Afc;PPdus ASPI Shell; C:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-02-09 1502208]
R3 E100B;Intel® PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2006-10-31 165752]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2008-05-08 985472]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2008-05-08 267520]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 rtl8139;Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2001-08-23 25434]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2005-11-16 1047816]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2008-05-08 731264]
S2 DgiVecp;Team MFP Comm Driver; C:\WINDOWS\System32\Drivers\DgiVecp.sys [2005-03-14 41984]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 CO_Mon;CO_Mon; \??\C:\WINDOWS\system32\Drivers\CO_Mon.sys []
S3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2008-04-13 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 34064]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 vaxscsi;vaxscsi; C:\WINDOWS\System32\Drivers\vaxscsi.sys [2006-09-07 223128]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-02-09 405504]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-12-26 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-12-26 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-26 406528]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 SNMP;SNMP Service; C:\WINDOWS\System32\snmp.exe [2008-04-13 33280]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2007-02-10 89968]
R2 UTSCSI;CLCV0; C:\WINDOWS\system32\UTSCSI.EXE [2007-11-05 45056]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2006-02-09 520192]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 aawservice;Ad-Aware 2007 Service; C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [2008-01-04 587096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LPDSVC;TCP/IP Print Server; C:\WINDOWS\system32\tcpsvcs.exe [2004-08-10 19456]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-11-06 92792]
S3 SNMPTRAP;SNMP Trap Service; C:\WINDOWS\System32\snmptrap.exe [2008-04-13 8704]
S3 Symantec RemoteAssist;Symantec RemoteAssist; C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [2008-01-29 394704]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2005-10-14 45272]
S4 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2007-02-10 242544]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\wmpnetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

Edited by echeckpost, 26 January 2009 - 04:50 PM.

eCheckPost

I want to earn Passcode for Bleeping computer Training

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:48 PM

Posted 26 January 2009 - 05:28 PM

  • Since you are not using Symantec products you don't need this one:

    Please go to Add/Remove program and uninstall: Symantec Technical Support Web Controls

    Then download and run the Norton Removal Tool.

    Note: Norton removal tool is one and the same for all versions named below. It doesn't matter which version you have.

    Warning: The Norton Removal Tool uninstalls all Norton 2008/2007/2006/2005/2004/2003 products and Norton 360 from your computer. If you use ACT! or WinFAX, back up those databases before you proceed.

  • Delete the folders in bold (if present):
    C:\Program Files\Symantec
    C:\Program Files\Common Files\Symantec Shared

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Posted Image


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

  • Run Hijackthis. If you don't know how go to start > Run and copy and paste the following and click OK:

    "C:\Program Files\trend micro\Shree420.exe"

    Click "Do a system scan and save a logfile". Post the content of the log. Tell me also how the computer is behaving now.


#5 echeckpost

echeckpost
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:48 PM

Posted 26 January 2009 - 08:24 PM

Step 1 complete.
Step 2 complete.
Step 3 complete. Please find the log contents below:

ComboFix 09-01-21.04 - Shree420 2009-01-26 20:18:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1376 [GMT -5:00]
Running from: c:\documents and settings\Shree420\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 17:30 . 2009-01-26 17:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-26 16:49 . 2009-01-26 16:49 <DIR> d-------- C:\rsit
2009-01-26 16:49 . 2009-01-26 16:49 <DIR> d-------- c:\program files\trend micro
2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\documents and settings\Shree420\Application Data\Malwarebytes
2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 16:41 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 16:41 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-24 17:29 . 2009-01-24 17:31 <DIR> d-------- c:\program files\Rebate! Rebate!
2009-01-24 17:29 . 2009-01-24 17:29 344,064 --------- c:\windows\Setup1.exe
2009-01-24 17:29 . 2009-01-24 17:29 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-23 20:54 . 2009-01-23 20:54 <DIR> d-------- c:\program files\Audible
2009-01-23 20:54 . 2009-01-23 20:54 259,448 --a------ c:\windows\system32\awrdscdc.ax
2009-01-23 20:54 . 2001-08-17 22:43 24,576 --------- c:\windows\system32\msxml3a.dll
2009-01-22 15:17 . 2009-01-22 15:44 <DIR> d-------- c:\program files\support.com
2009-01-22 15:17 . 2009-01-22 15:17 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-01-22 15:17 . 2009-01-22 15:24 1,190 --a------ C:\net_save.dna
2009-01-20 14:40 . 2007-02-19 14:26 4,939,776 --a------ c:\windows\system32\stacgui.cpl
2009-01-20 14:40 . 2007-02-19 14:26 1,601,536 --a------ c:\windows\system32\stlang.dll
2009-01-20 14:40 . 2005-03-22 16:20 339,968 --a------ c:\windows\stsystra.exe
2009-01-20 14:40 . 2007-02-19 14:27 90,112 --a------ c:\windows\system32\stacsv.exe
2009-01-18 23:20 . 2009-01-19 18:25 <DIR> d-------- c:\program files\Astro Gemini Software
2009-01-18 23:20 . 2009-01-18 23:20 <DIR> d-------- c:\documents and settings\Shree420\Application Data\Astro Gemini Software
2009-01-18 23:20 . 2007-11-06 17:46 106,496 --a------ c:\windows\system32\Astro Gemini Screensaver Manager.scr
2009-01-13 07:08 . 2008-05-08 13:53 985,472 --a------ c:\windows\system32\drivers\HSF_DPV.sys
2009-01-13 07:08 . 2008-05-15 10:35 237,568 --a------ c:\windows\system32\UCI32M30.dll
2009-01-13 07:08 . 2008-05-06 13:42 146,036 --a------ c:\windows\system32\drivers\HSFProf.cty
2009-01-13 06:52 . 2009-01-13 06:52 <DIR> d-------- c:\windows\OPTIONS
2009-01-13 06:50 . 2006-09-12 21:41 35,704 --a------ c:\windows\system32\NicInst.dll
2009-01-13 06:50 . 2006-09-12 21:39 28,536 --a------ c:\windows\system32\NicCo.dll
2009-01-13 06:47 . 2009-01-13 06:47 <DIR> d-------- C:\Intel
2009-01-13 06:45 . 2006-02-09 21:05 520,192 --------- c:\windows\system32\ati2sgag.exe
2009-01-13 06:40 . 2009-01-13 06:40 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS
2009-01-09 12:58 . 2009-01-09 12:58 <DIR> d-------- c:\program files\CCleaner
2009-01-09 09:53 . 2009-01-09 09:53 <DIR> d-------- c:\program files\directx
2009-01-09 09:51 . 2009-01-09 09:51 <DIR> d-------- C:\Dynamix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 01:17 --------- d-----w c:\documents and settings\Shree420\Application Data\AVG7
2009-01-26 21:33 --------- d-----w c:\program files\Java
2009-01-20 19:42 12,880 ----a-w c:\windows\system32\drivers\sthdae.log
2009-01-16 20:16 --------- d-----w c:\program files\Free Easy Burner
2009-01-13 11:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 11:51 --------- d-----w c:\program files\Intel
2009-01-13 11:44 --------- d-----w c:\program files\ATI Technologies
2009-01-09 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 14:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-19 13:16 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-08 11:39 --------- d-----w c:\program files\iolo
2008-12-07 11:25 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-12-07 11:24 --------- d-----w c:\documents and settings\Shree420\Application Data\iolo
2008-12-07 11:24 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-11-30 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2008-11-29 21:56 --------- d-----w c:\program files\epson
2007-11-05 16:34 846,504 ----a-w c:\documents and settings\Shree420\JNativeCpp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Djjseg"="c:\program files\??crosoft\??oolsv.exe" [?]
"EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-26 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\system32\GeoCodec.dll
"vidc.GM20"= c:\windows\system32\GXGM20.dll
"vidc.GEOV"= c:\windows\system32\GeoCodec.dll
"vidc.GMP4"= c:\windows\system32\GXAMP4.dll
"vidc.GM40"= c:\windows\system32\GXAMP4.dll
"vidc.G264"= c:\windows\system32\GX264.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ethereal\\ethereal.exe"=
"c:\\Program Files\\SolarWinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a375db0-fd56-11da-af46-001372d27fe8}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WMPNSCFG - c:\program files\Windows Media Player\WMPNSCFG.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://81.86.29.25/cab/OCXChecker_8000.cab
FF - ProfilePath - c:\documents and settings\Shree420\Application Data\Mozilla\Firefox\Profiles\qgunt1nc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 20:18:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-26 20:20:30
ComboFix-quarantined-files.txt 2009-01-27 01:20:28

Pre-Run: 49,325,711,360 bytes free
Post-Run: 50,240,860,160 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

175 --- E O F --- 2009-01-15 05:23:02

Step 4: Completed. Below are the contents of the log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:03 PM, on 1/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\trend micro\Shree420.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKCU\..\Run: [Djjseg] "C:\Program Files\??crosoft\??oolsv.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S11E.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151254634890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - http://81.86.29.25/cab/OCXChecker_8000.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 6589 bytes

Notes:

1) No significant change. Internet Explorer seems a little faster.
2) When performing ComboFix, it came and warned that the AVG scanner was active. I tried but did not know how to turn it off. I am thinking of getting rid of AVG and going with your last thread recommendations. So, looking to uninstall all active scanners etc.

Edited by echeckpost, 26 January 2009 - 08:59 PM.

eCheckPost

I want to earn Passcode for Bleeping computer Training

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:48 PM

Posted 26 January 2009 - 09:21 PM

Good job!

This is the log of the fourth run of Combofix. But it'll do.

  • Go to control panel. Open Windows firewall and make sure it is ON.

  • Go to start > Run copy/paste the following line in the run box and click OK.

    sc delete "Symantec RemoteAssist"

  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKCU\..\Run: [Djjseg] "C:\Program Files\??crosoft\??oolsv.exe"


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • AVG 7 is outdated. You need protection from an updated Antivirus.

    Visit http://free.avg.com/download?prd=afe to download the AVG 8 setup file to your desktop. Don't install it yet.
    • Go to Add/Remove programs and uninstall AVG 7.
    • Reboot.
  • Close any open browsers.

    Open notepad and copy/paste the text in the code box below into it:

    Folder::
    C:\Program Files\??crosoft
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Djjseg"=-

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


  • Double click the downloaded setup file to Install AVG 8 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan has finished, under the Result Overview tab, at the end of the scan result, click Export overview to file.
    • Select File Type: All files, Name: scan.txt and save it on your desktop.
    • Under the Warnings tab press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.
  • Please post a Hijackthis log for a final review.


#7 echeckpost

echeckpost
  • Topic Starter

  • Members
  • 62 posts

Posted 26 January 2009 - 10:26 PM

Step 1 completed
Step 2 Completed
Step 3 completed
Step 4 completed
Step 5 completed. See log contents below:

ComboFix 09-01-21.04 - Shree420 2009-01-26 22:18:39.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1647 [GMT -5:00]
Running from: c:\documents and settings\Shree420\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Shree420\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-27 to 2009-01-27 )))))))))))))))))))))))))))))))
.

2009-01-26 22:04 . 2009-01-26 22:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-26 17:30 . 2009-01-26 17:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-26 16:49 . 2009-01-26 16:49 <DIR> d-------- C:\rsit
2009-01-26 16:49 . 2009-01-26 21:59 <DIR> d-------- c:\program files\trend micro
2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\documents and settings\Shree420\Application Data\Malwarebytes
2009-01-26 16:41 . 2009-01-26 16:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-26 16:41 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-26 16:41 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-24 17:29 . 2009-01-24 17:31 <DIR> d-------- c:\program files\Rebate! Rebate!
2009-01-24 17:29 . 2009-01-24 17:29 344,064 --------- c:\windows\Setup1.exe
2009-01-24 17:29 . 2009-01-24 17:29 73,216 --a------ c:\windows\ST6UNST.EXE
2009-01-23 20:54 . 2009-01-23 20:54 <DIR> d-------- c:\program files\Audible
2009-01-23 20:54 . 2009-01-23 20:54 259,448 --a------ c:\windows\system32\awrdscdc.ax
2009-01-23 20:54 . 2001-08-17 22:43 24,576 --------- c:\windows\system32\msxml3a.dll
2009-01-22 15:17 . 2009-01-22 15:44 <DIR> d-------- c:\program files\support.com
2009-01-22 15:17 . 2009-01-22 15:17 <DIR> d-------- c:\program files\Common Files\SupportSoft
2009-01-22 15:17 . 2009-01-22 15:24 1,190 --a------ C:\net_save.dna
2009-01-20 14:40 . 2007-02-19 14:26 4,939,776 --a------ c:\windows\system32\stacgui.cpl
2009-01-20 14:40 . 2007-02-19 14:26 1,601,536 --a------ c:\windows\system32\stlang.dll
2009-01-20 14:40 . 2005-03-22 16:20 339,968 --a------ c:\windows\stsystra.exe
2009-01-20 14:40 . 2007-02-19 14:27 90,112 --a------ c:\windows\system32\stacsv.exe
2009-01-18 23:20 . 2009-01-19 18:25 <DIR> d-------- c:\program files\Astro Gemini Software
2009-01-18 23:20 . 2009-01-18 23:20 <DIR> d-------- c:\documents and settings\Shree420\Application Data\Astro Gemini Software
2009-01-18 23:20 . 2007-11-06 17:46 106,496 --a------ c:\windows\system32\Astro Gemini Screensaver Manager.scr
2009-01-13 07:08 . 2008-05-08 13:53 985,472 --a------ c:\windows\system32\drivers\HSF_DPV.sys
2009-01-13 07:08 . 2008-05-15 10:35 237,568 --a------ c:\windows\system32\UCI32M30.dll
2009-01-13 07:08 . 2008-05-06 13:42 146,036 --a------ c:\windows\system32\drivers\HSFProf.cty
2009-01-13 06:52 . 2009-01-13 06:52 <DIR> d-------- c:\windows\OPTIONS
2009-01-13 06:50 . 2006-09-12 21:41 35,704 --a------ c:\windows\system32\NicInst.dll
2009-01-13 06:50 . 2006-09-12 21:39 28,536 --a------ c:\windows\system32\NicCo.dll
2009-01-13 06:47 . 2009-01-13 06:47 <DIR> d-------- C:\Intel
2009-01-13 06:45 . 2006-02-09 21:05 520,192 --------- c:\windows\system32\ati2sgag.exe
2009-01-13 06:40 . 2009-01-13 06:40 23,600 --a------ c:\windows\system32\drivers\TVICHW32.SYS
2009-01-09 12:58 . 2009-01-09 12:58 <DIR> d-------- c:\program files\CCleaner
2009-01-09 09:53 . 2009-01-09 09:53 <DIR> d-------- c:\program files\directx
2009-01-09 09:51 . 2009-01-09 09:51 <DIR> d-------- C:\Dynamix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-26 21:33 --------- d-----w c:\program files\Java
2009-01-20 19:42 12,880 ----a-w c:\windows\system32\drivers\sthdae.log
2009-01-16 20:16 --------- d-----w c:\program files\Free Easy Burner
2009-01-13 11:59 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-13 11:51 --------- d-----w c:\program files\Intel
2009-01-13 11:44 --------- d-----w c:\program files\ATI Technologies
2009-01-09 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 14:49 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-19 13:16 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-12 17:01 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-08 11:39 --------- d-----w c:\program files\iolo
2008-12-07 11:25 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-12-07 11:24 --------- d-----w c:\documents and settings\Shree420\Application Data\iolo
2008-12-07 11:24 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-11-30 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
2008-11-29 21:56 --------- d-----w c:\program files\epson
2007-11-05 16:34 846,504 ----a-w c:\documents and settings\Shree420\JNativeCpp.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-26_20.19.36.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-26 21:39:12 241,323 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-27 02:00:04 241,323 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-01-27 01:56:07 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_728.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"vidc.mpg4"= c:\windows\mpg4c32.dll
"vidc.mpg2"= c:\windows\mpg4c32.dll
"vidc.mpg3"= c:\windows\mpg4c32.dll
"vidc.MJPG"= c:\windows\m3jpeg32.dll
"vidc.dmb1"= c:\windows\m3jpeg32.dll
"vidc.GEOX"= c:\windows\system32\GeoCodec.dll
"vidc.GM20"= c:\windows\system32\GXGM20.dll
"vidc.GEOV"= c:\windows\system32\GeoCodec.dll
"vidc.GMP4"= c:\windows\system32\GXAMP4.dll
"vidc.GM40"= c:\windows\system32\GXAMP4.dll
"vidc.G264"= c:\windows\system32\GX264.dll
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ethereal\\ethereal.exe"=
"c:\\Program Files\\SolarWinds\\Free Tools\\TFTP-Server.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)

S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 29183504]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]

--- Other Services/Drivers In Memory ---

*Deregistered* - Avg7Core
*Deregistered* - Avg7RsXP
*Deregistered* - AvgClean
*Deregistered* - AvgTdi

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a375db0-fd56-11da-af46-001372d27fe8}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://81.86.29.25/cab/OCXChecker_8000.cab
FF - ProfilePath - c:\documents and settings\Shree420\Application Data\Mozilla\Firefox\Profiles\qgunt1nc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-26 22:20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-26 22:22:12
ComboFix-quarantined-files.txt 2009-01-27 03:22:10
ComboFix2.txt 2009-01-27 01:20:31

Pre-Run: 50,216,251,392 bytes free
Post-Run: 50,220,724,224 bytes free

170 --- E O F --- 2009-01-15 05:23:02

Step 6 completed. See log contents:

"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Infected objects removed or healed:";"0"
"Not removed or healed:";"0"
"Spyware found:";"2"
"Spyware removed:";"2"
"Not removed:";"0"
"Warnings count:";"33"
"Information count:";"0"
"Scan started:";"Monday, January 26, 2009, 10:35:39 PM"
"Scan finished:";"Monday, January 26, 2009, 11:13:53 PM (38 minute(s) 14 second(s))"
"Total object scanned:";"691251"
"User who launched the scan:";"Shree420"

"Spyware"
"File";"Infection";"Result"
"C:\WINDOWS\system32\kp9\liopud89104.exe";"Adware Generic2.ABNX";"Moved to Virus Vault"
"C:\WINDOWS\system32\kp9\liopud89104.exe:\$CG\TTC.dll";"Adware Generic2.ABNX";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Athiti\Cookies\athiti@m.webtrends[2].txt";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"C:\Documents and Settings\Athiti\Cookies\athiti@m.webtrends[2].txt:\m.webtrends.com.b4ca7df0";"Found Tracking cookie.Webtrends";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@2o7[2].txt:\2o7.net.c8d658d3";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@2o7[2].txt:\2o7.net.e27aabc7";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@adopt.euroclick[1].txt";"Found Tracking cookie.Euroclick";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@adopt.euroclick[1].txt:\adopt.euroclick.com.891542da";"Found Tracking cookie.Euroclick";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@adopt.euroclick[1].txt:\adopt.euroclick.com.fb764ef7";"Found Tracking cookie.Euroclick";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@adopt.euroclick[1].txt:\adopt.euroclick.com.ffe11db7";"Found Tracking cookie.Euroclick";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@realmedia[1].txt";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@realmedia[1].txt:\realmedia.com.125a868c";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@realmedia[1].txt:\realmedia.com.68087763";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@realmedia[1].txt:\realmedia.com.e14be39e";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@revsci[2].txt";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@revsci[2].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@revsci[2].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@revsci[2].txt:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@revsci[2].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@searchportal.information[1].txt";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@searchportal.information[1].txt:\searchportal.information.com.3a8d7204";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@searchportal.information[1].txt:\searchportal.information.com.44e78b2";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@searchportal.information[1].txt:\searchportal.information.com.e68fa7d9";"Found Tracking cookie.Information";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tacoda[2].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@trafficmp[2].txt";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@trafficmp[2].txt:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"

Step 7 HijackThis log contents:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:54 PM, on 1/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\trend micro\Shree420.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S11E.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151254634890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - http://81.86.29.25/cab/OCXChecker_8000.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 6545 bytes

Edited by echeckpost, 26 January 2009 - 11:21 PM.

eCheckPost

I want to earn Passcode for Bleeping computer Training
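
The AVG export posted above is a semicolon-separated file with doubled quotes for embedded quotes, and AVG lists an object found inside another file as `outer:\inner` (the `liopud89104.exe:\$CG\TTC.dll` line). Below is an added example, not code from the poster or from AVG, that parses that format from a constructed excerpt of the same report and separates real detections from tracking-cookie warnings, so the 33 warnings do not hide the two actual findings. The `HANDLED_RESULTS` tuple is an assumption about which result strings mean AVG already dealt with the object.

```python
import csv
import io

# Constructed excerpt of an AVG 8 "Export overview to file" report, in the same
# semicolon-separated, double-quoted format as the one posted in the thread.
SAMPLE_EXPORT = r'''"Scan ""Scan whole computer"" was finished."
"Infections found:";"0"
"Spyware found:";"2"
"Spyware removed:";"2"
"Warnings count:";"3"
"Total object scanned:";"691251"

"Spyware"
"File";"Infection";"Result"
"C:\WINDOWS\system32\kp9\liopud89104.exe";"Adware Generic2.ABNX";"Moved to Virus Vault"
"C:\WINDOWS\system32\kp9\liopud89104.exe:\$CG\TTC.dll";"Adware Generic2.ABNX";"Moved to Virus Vault"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Shree420\Cookies\shree420@2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@2o7[2].txt:\2o7.net.c8d658d3";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Shree420\Cookies\shree420@realmedia[1].txt";"Found Tracking cookie.Realmedia";"Potentially dangerous object"
'''

# Result strings taken to mean AVG already quarantined or cleaned the object (assumption).
HANDLED_RESULTS = ("Moved to Virus Vault", "Healed", "Removed")


def parse_avg_export(text: str) -> dict:
    """Parse the export into a title, a summary dict and per-section record lists."""
    report = {"title": None, "summary": {}, "sections": {}}
    section = None   # section currently being read ("Spyware", "Warnings", ...)
    header = None    # its column names
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:                                  # blank line closes a section
            section, header = None, None
            continue
        if section is None:
            if len(row) == 1 and report["title"] is None:
                report["title"] = row[0]
            elif len(row) == 2 and row[0].endswith(":"):
                report["summary"][row[0][:-1]] = row[1]
            elif len(row) == 1:
                section = row[0]
                report["sections"][section] = []
            continue
        if header is None:
            header = row
            continue
        report["sections"][section].append(dict(zip(header, row)))
    return report


def container_of(path: str) -> str:
    """Return the on-disk file for an AVG object path; the search for the
    colon-backslash separator starts past the drive letter so the drive prefix
    is not mistaken for it."""
    idx = path.find(":\\", 2)
    return path if idx < 0 else path[:idx]


def triage(report: dict) -> dict:
    detections = {}   # real malware findings, keyed by the file on disk
    cookies = set()   # tracking cookies: privacy noise, not an infection
    unresolved = []   # anything AVG reported but did not quarantine or heal
    for rows in report["sections"].values():
        for rec in rows:
            outer = container_of(rec["File"])
            if "Tracking cookie" in rec["Infection"]:
                cookies.add(outer)
                continue
            detections.setdefault(outer, []).append(rec["Infection"])
            if not rec["Result"].startswith(HANDLED_RESULTS):
                unresolved.append((rec["File"], rec["Result"]))
    return {"detections": detections, "cookies": sorted(cookies), "unresolved": unresolved}


if __name__ == "__main__":
    result = triage(parse_avg_export(SAMPLE_EXPORT))
    for path, names in result["detections"].items():
        print(f"{path}: {', '.join(names)}")
    print(f"{len(result['cookies'])} cookie file(s), {len(result['unresolved'])} unresolved")
```

On the thread's full export the same logic reduces 35 rows to one file that mattered (`liopud89104.exe`, already vaulted) and a handful of cookie files that can be cleared from the browser.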

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 January 2009 - 09:14 AM

echeckpost,

The logs look good.
  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

  • Your log looks clean. But your computer is still very much susceptible, in particular to hacking and intrusion from outside. I strongly advise you to install a firewall before surfing. The Windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets to your computer, the Windows firewall is no longer effective. You will find more information on firewalls below.
    Click for more information on:Understanding and Using Firewalls

    There are several good free programs available like:
    Sunbelt-Kerio
    Note: You install the trial version, but after the trial period the application will revert back to the free version, which is good enough.

    Online Armor Free edition

  • For safe surfing I recommend using Javacools SpywareBlaster.
    SpywareBlaster is a small application that will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. All you need to do is update it once every 2-3 weeks and enable the restriction.

  • Also for safe surfing I recommend using SiteAdvisor. It is an extension both for Internet Explorer and Firefox. When you want to visit a site or give a Google/Yahoo search it gives you an indication of how safe the site is.
Do you have any questions?

farbar
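
Farbar's point about the Windows firewall can be checked against the ComboFix log posted earlier: its "Reg Loading Points" section shows `AntiVirusOverride=1` under Security Center, firewall exceptions for Ethereal and a TFTP server, and every `AllowInbound*` ICMP setting turned on. The script below is an added example, not Farbar's or ComboFix's code; it parses a constructed excerpt in the same REGEDIT4-style layout and lists the settings a reviewer would want the user to revisit.

```python
import re

# Constructed excerpt in the REGEDIT4-style layout ComboFix uses for its
# "Reg Loading Points" section, with the values shown in the thread's log.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ethereal\\ethereal.exe"=
"c:\\Program Files\\SolarWinds\\Free Tools\\TFTP-Server.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=\s*(?P<raw>.*)$')


def parse_value(raw: str):
    """Decode the value notations seen in the dump: dword:hex, 'N (0xN)', or empty."""
    raw = raw.strip()
    if not raw:
        return None
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.fullmatch(r"(\d+)\s*\(0x[0-9A-Fa-f]+\)", raw)
    if m:
        return int(m.group(1))
    return raw.strip('"')


def parse_regedit_dump(text: str) -> dict:
    """Return {key: {value_name: decoded_value}}; doubled backslashes in names are unescaped."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            reg[current] = {}
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name = v.group("name").replace("\\\\", "\\")
            reg[current][name] = parse_value(v.group("raw"))
    return reg


def review_policy(reg: dict) -> list:
    """Defender-side review: report settings that weaken Security Center or the firewall."""
    issues = []
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name, v in values.items():
                if name.lower().endswith("override") and v == 1:
                    issues.append(f"{name}=1: Security Center alerts for this component are suppressed")
        elif k.endswith("\\authorizedapplications\\list"):
            for name in values:
                if not name.lower().startswith("%windir%"):
                    issues.append(f"firewall exception for third-party program: {name}")
        elif k.endswith("\\icmpsettings"):
            for name, v in values.items():
                if name.startswith("AllowInbound") and v == 1:
                    kind = name[len("AllowInbound"):]
                    issues.append(f"{name}=1: host answers unsolicited ICMP {kind} from the network")
    return issues


if __name__ == "__main__":
    for issue in review_policy(parse_regedit_dump(SAMPLE_DUMP)):
        print("-", issue)
```

Each listed item is a decision for the user rather than an infection: the override was set by someone telling Security Center to stop nagging about the outdated AVG 7, and the exceptions and ICMP allowances are only a problem if the programs behind them are no longer needed.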

#9 echeckpost

echeckpost
  • Topic Starter

  • Members
  • 62 posts

Posted 27 January 2009 - 09:53 AM

Step 1. Completed successfully
Step 2. Installed Sunbelt-Kerio and love it
Step 3. Will read on Javacools. Is this in addition to AVG and Kerio ?
Step 4. Will read on Siteadvisor.
Step 5: Successfully installed the latest version of JAVA runtime

Q. If I install Javacools, should I uninstall adware?
Q. I still see a long-time hourglass, which changes to an arrow with an hourglass. This goes on for a good two minutes, as if some program is loading up or something. Once the computer finishes what it is doing, everything is fine.
Q. While working with you these past few days, I have become very, very interested in troubleshooting this kind of problem (only as a hobby and not as a job). What advice may you give me on how to get started, or a learning path?

Thanks

Edited by echeckpost, 27 January 2009 - 12:55 PM.

eCheckPost

I want to earn Passcode for Bleeping computer Training

#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 January 2009 - 03:01 PM

Q. If I install Javacools, should I uninstall adware?

No, SpywareBlaster is not a detection or removal tool, rather a prevention tool. It adds a lot of bad sites to the list of the Internet browser restricted sites. When, sometimes not knowingly, you click a link to those bad sites it prevents connection.

I still see a long-time hourglass, which changes to an arrow with an hourglass. This goes on for a good two minutes, as if some program is loading up or something. Once the computer finishes what it is doing, everything is fine.


It is loading programs. You can take a look at those O4 startup entries in HijackThis and check if they are needed; if not, configure them not to run with Windows. You can check the .exe or .dll file at the end of those O4 entries here to see if they are needed:
http://www.bleepingcomputer.com/startups/

But there was a long list of restore points; they should have been removed by uninstalling ComboFix. The second reboot should go faster.

A major step is defragmenting the computer. This you should do every once in a while (some do it every week) and when you install and uninstall a couple of programs. To do that go to start > All Programs > Bureau Accessories > System Tools > Disk Defragmenter. Before doing it close all open windows.


Q. While working with you these past few days, I have become very, very interested in troubleshooting this kind of problem (only as a hobby and not as a job). What advice may you give me on how to get started, or a learning path?


We will be happy to have you with us. All the helpers are volunteers here. I have a totally different kind of job.

You can PM one of the moderators; they know how you can apply to join the HijackThis classrooms.

Let me know if you still have a question.

#11 echeckpost

echeckpost
  • Topic Starter

  • Members
  • 62 posts

Posted 27 January 2009 - 03:41 PM

No more Problems and Questions.

Thank you very much for your help

Edited by echeckpost, 27 January 2009 - 03:41 PM.

eCheckPost

I want to earn Passcode for Bleeping computer Training

#12 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 January 2009 - 04:39 PM

You are welcome, glad I could help.

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you. Include the address of this thread in your request.

If you should have a new issue, please start a new topic.

This applies only to the original topic starter. Everyone else please begin a New Topic.



