Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspected Unknown Virus


  • This topic is locked This topic is locked
16 replies to this topic

#1 Jophiel

Jophiel

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 25 February 2009 - 07:52 PM

Hi guys. My wife accidentally mistyped the URL to myspace.com this morning and went to a site which started downloading viruses onto her system. I ran AVG (found 3 items) and then Pandascan (came up clean) but I still have two problems. First is that I can not open Spybot S&D or reach their website. I can get to their site from my office computer. I tried reinstalling Spybot through Download.com but it won't reinstall either. Secondly, no matter how many times I turn on her Microsoft firewall, it turns itself off when the computer reboots. I need to either find out that her system is clean and figure out how to fix these problems or else remove what the other things are missing. Thanks!


DDS (Ver_09-02-01.01) - NTFSx86
Run by user at 18:26:55.32 on Wed 02/25/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.99 [GMT -6:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1198593540390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 85.255.112.39,85.255.112.40
TCP: {92493C4E-589D-462D-824E-DA21BE6B185F} = 85.255.112.39,85.255.112.40
TCP: {A2A9BEDB-CE93-422E-9B50-80E84BDE7C85} = 85.255.112.39,85.255.112.40
TCP: {E194BF8B-A4CA-46DE-BBEB-11C4E00AAC73} = 85.255.112.39,85.255.112.40
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {E25C29AB-12B9-4523-A53C-324B5FBA648C} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\k11hzgdy.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\k11hzgdy.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\pandora.tv\launcher\npmini.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-25 28544]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-26 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-26 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-26 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-26 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-26 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-26 49664]
R2 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-26 406528]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-26 4960]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-2-13 87936]

=============== Created Last 30 ================

2009-02-25 17:30 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-02-25 17:30 <DIR> --d----- c:\program files\Panda Security
2009-02-25 17:25 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 04:55 415 ---shr-- C:\autorun.inf
2009-02-12 05:43 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-01-26 17:16 4,566,136 a------- C:\VLCfree_8676.exe
2008-12-06 12:14 124,432 a------- c:\windows\system32\PanInstaller.dll
2008-12-06 12:14 83,480 a------- c:\windows\system32\FirstLoad.dll
2007-12-29 21:50 24,192 a------- c:\documents and settings\user\usbsermptxp.sys
2007-12-29 21:50 22,768 a------- c:\documents and settings\user\usbsermpt.sys

============= FINISH: 18:27:38.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 11 March 2009 - 12:47 AM

Hi Jophiel,

Welcome to BC HijackThis forum and sorry for the delay. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Tell me if you have run any tool or have made a major change to the system since your last post. Also tell me how is the current condition of your computer.

  • To get an idea about the current condition of you computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
    • Once it has finished, two logs will open.
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized).
  • Please copy and paste the content of just log.txt to your reply. No need for info.txt

    Note 1: If you have difficulty finding the log, the logs is in this folder: C:\rsit

    Note 2: The tool takes not more than one minute to scan the system.

You might want to save this page on your favorites, so you can find it again when you return.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 13 March 2009 - 09:44 AM

I'll wait one more day before closing the topic due to inactivity.

#4 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 13 March 2009 - 01:44 PM

My apologies. I must have missed the first "You have a reply" e-mail message.

I'm at the office now and it's my wife's laptop at home so I'll run the program and post the results this evening. Thanks for the reply.

Since I can't say with certainty that there hasn't been a Windows update or anything since Feb 25th, would it be helpful for me to simply post brand new logs?

Edited by Jophiel, 13 March 2009 - 01:46 PM.


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 13 March 2009 - 02:15 PM

The logs will do but please tell me also about the current condition of the laptop.

#6 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 13 March 2009 - 09:34 PM

The laptop is running alright except that, as I said, the Spybot S&D won't update nor will the AVG anti-virus. And, as I said, the firewall won't remain on through a boot-up. So it seems fishy although not overtly "Broken". Here's the Info.txt log you asked for.


Logfile of random's system information tool 1.05 (written by random/random)
Run by user at 2009-03-13 21:30:03
Microsoft Windows XP Professional Service Pack 3
System drive C: has 2 GB (6%) free of 38 GB
Total RAM: 511 MB (20% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30:22, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198593540390
O17 - HKLM\System\CCS\Services\Tcpip\..\{92493C4E-589D-462D-824E-DA21BE6B185F}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2A9BEDB-CE93-422E-9B50-80E84BDE7C85}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\..\{E194BF8B-A4CA-46DE-BBEB-11C4E00AAC73}: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7300 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-02-12 320920]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2005-12-19 1347584]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2006-09-15 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2006-09-15 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2006-09-15 118784]
"BluetoothAuthenticationAgent"=C:\WINDOWS\system32\bthprops.cpl [2008-04-13 110592]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-01-11 344064]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2009-02-25 590848]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-12 136600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-03-28 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-03-30 267048]
"Autorun Eater"=C:\Program Files\Autorun Eater\oldmcdonald.exe [2008-11-27 501768]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe [2005-02-25 212992]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2005-01-11 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2006-09-15 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E25C29AB-12B9-4523-A53C-324B5FBA648C}"= []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\PANDORA.TV\Video Streamer\VideoStreamer.exe"="C:\Program Files\PANDORA.TV\Video Streamer\VideoStreamer.exe:*:Enabled:VideoStreamer.exe"
"C:\Program Files\PANDORA.TV\Video Streamer\VSStream.exe"="C:\Program Files\PANDORA.TV\Video Streamer\VSStream.exe:*:Enabled:VSStream.exe"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bab3aef0-c56c-11dc-91c5-0010c67ef416}]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-03-13 21:30:03 ----D---- C:\rsit
2009-02-25 19:36:48 ----D---- C:\Program Files\Autorun Eater
2009-02-25 18:30:03 ----D---- C:\Program Files\Panda Security
2009-02-25 18:25:00 ----D---- C:\Program Files\Trend Micro
2009-02-21 09:16:09 ----D---- C:\Documents and Settings\user\Application Data\dvdcss
2009-02-12 06:43:27 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-12 06:43:27 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-12 06:43:27 ----A---- C:\WINDOWS\system32\java.exe
2009-02-12 06:43:27 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-02-12 06:32:13 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-01-26 18:21:42 ----D---- C:\Documents and Settings\user\Application Data\vlc
2009-01-26 18:19:11 ----D---- C:\Program Files\VideoLAN
2009-01-26 18:16:13 ----A---- C:\VLCfree_8676.exe
2009-01-25 14:37:59 ----D---- C:\Program Files\uTorrent
2009-01-25 14:37:57 ----D---- C:\Documents and Settings\user\Application Data\uTorrent
2009-01-15 06:33:22 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-03 11:09:18 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-01-03 11:08:58 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-01-03 11:04:02 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-01-03 11:03:47 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-01-03 11:03:39 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-01-03 11:02:47 ----HDC---- C:\WINDOWS\$NtUninstallKB954459$
2009-01-03 11:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-01-03 11:01:19 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-01-03 10:59:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

======List of files/folders modified in the last 3 months======

2009-03-13 21:24:30 ----D---- C:\Program Files\Mozilla Firefox
2009-03-13 20:39:52 ----D---- C:\WINDOWS\system32
2009-03-13 20:39:52 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-13 20:34:31 ----D---- C:\WINDOWS
2009-03-13 20:34:29 ----D---- C:\WINDOWS\Temp
2009-03-13 20:34:26 ----D---- C:\Documents and Settings\user\Application Data\AVG7
2009-03-13 20:32:56 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-08 19:02:48 ----D---- C:\WINDOWS\Prefetch
2009-03-07 13:41:49 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-07 13:41:47 ----HD---- C:\WINDOWS\inf
2009-03-07 13:41:46 ----D---- C:\WINDOWS\system32\Macromed
2009-03-07 08:56:23 ----D---- C:\Documents and Settings\user\Application Data\Move Networks
2009-03-02 17:00:31 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-01 18:59:35 ----D---- C:\WINDOWS\Help
2009-03-01 16:41:54 ----D---- C:\WINDOWS\network diagnostic
2009-02-25 20:20:09 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2009-02-25 19:59:58 ----D---- C:\Documents and Settings\user\Application Data\Ahead
2009-02-25 19:36:54 ----A---- C:\Documents and Settings\user\Application Data\QuickZip45.ini
2009-02-25 19:36:48 ----RD---- C:\Program Files
2009-02-25 18:33:24 ----D---- C:\WINDOWS\system32\drivers
2009-02-25 07:59:40 ----RHD---- C:\$VAULT$.AVG
2009-02-25 07:59:39 ----SHD---- C:\RECYCLER
2009-02-21 17:27:02 ----SHD---- C:\WINDOWS\Installer
2009-02-21 09:14:31 ----RSD---- C:\WINDOWS\assembly
2009-02-21 09:14:29 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-02-20 06:00:05 ----D---- C:\Documents and Settings\user\Application Data\Aquatica 3D
2009-02-20 05:56:58 ----A---- C:\WINDOWS\NeroDigital.ini
2009-02-18 21:34:46 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2009-02-12 06:43:00 ----D---- C:\Program Files\Java
2009-02-12 06:27:57 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-03 18:21:12 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-26 18:09:40 ----D---- C:\Documents and Settings\user\Application Data\Apple Computer
2009-01-15 06:33:40 ----A---- C:\WINDOWS\imsins.BAK
2009-01-15 06:33:25 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-01-03 10:57:34 ----D---- C:\WINDOWS\WinSxS
2008-12-28 19:06:12 ----HD---- C:\Program Files\InstallShield Installation Information
2008-12-24 16:19:24 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-12-26 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-12-26 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-12-26 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-26 10760]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-12-26 4960]
R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-12 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-12 55936]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-01-11 800768]
R3 b57w2k;Broadcom NetXtreme 57xx Gigabit Controller; C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2004-08-23 121472]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-11-02 424320]
R3 BthEnum;Bluetooth Enumerator Service; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2008-04-13 17024]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2008-04-13 101120]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2008-04-13 18944]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 GTIPCI21;GTIPCI21; C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 87936]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS [2005-05-03 1033728]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2005-05-03 208384]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2008-04-13 59136]
R3 SMCIRDA;SMC IrCC Miniport Device Driver; C:\WINDOWS\system32\DRIVERS\smcirda.sys [2001-08-17 35913]
R3 STAC97;SigmaTel C-Major Audio; C:\WINDOWS\system32\drivers\STAC97.sys [2005-03-10 273168]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-05-03 705408]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2008-06-13 272128]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2006-09-15 1173468]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\drivers\UIUSys.sys []
S3 usbser;Motorola USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 usbsermpt;Motorola USB Modem Driver for MPT; C:\WINDOWS\system32\DRIVERS\usbsermpt.sys [2007-12-29 22768]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 w29n51;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-01-11 405504]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-12-26 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-12-26 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-26 406528]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-12 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE [2005-12-19 18944]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-05-21 68096]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 16 March 2009 - 02:05 PM

Hi again,

I'm sorry for the delay, seems I had missed your reply too. If my reply took more than 24 hours you may send me a PM.

Your DNS is hijacked by a trojan DNS changer and it is preventing the security programs from updating.
AVG 7 is outdated and we install an updated antivirus the next round after we cleaned the computer from active malware.

===============

Your log(s) show that you are using so called peer-to-peer or file-sharing programs. We are not here to pass judgment on file-sharing as a concept. But file-sharing is used to infect users as tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  • You have the program Spybot S&D (Teatimer option) running on your machine. We need to disable TeaTimer so it does not interfere with the fixes we are about to do. This will only take a few seconds.
    • First disable TeaTimer:
      • Run Spybot-S&D
      • Go to the Mode menu, and make sure Advanced Mode is selected
      • On the left hand side, choose Tools -> Resident
      • Uncheck Resident TeaTimer and OK any prompts
      • Restart your computer.
      Instruction is also here: How to disable TeaTimer during HijackThis Cleanup

      Note:If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

    • Then download ResetTeaTimer.exe to your desktop. (In case you use Firefox, rightclick the link and choose "Save Link As").
      • Doubleclick ResetTeaTimer.exe and let it run.
    Note: The Teatimer should be kept disabled until I give you the clean sign.


  • You have Java 6 update 11 and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    J2SE Runtime Environment 5.0 Update 3
    Java™ 6 Update 7


  • Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{92493C4E-589D-462D-824E-DA21BE6B185F}: NameServer = 85.255.112.39,85.255.112.40
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A2A9BEDB-CE93-422E-9B50-80E84BDE7C85}: NameServer = 85.255.112.39,85.255.112.40
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E194BF8B-A4CA-46DE-BBEB-11C4E00AAC73}: NameServer = 85.255.112.39,85.255.112.40
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.39,85.255.112.40


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

  • This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Open CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Close all open windows inclusive Internet Explorer and click Run Cleaner.
    • Close CCleaner.
  • Please download Malwarebytes' Anti-Malware from MajorGeeks
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please copy and paste a fresh Hijackthis log to your reply.
Please include in your next reply:
  • The log of MBAM.
  • A fresh Hijackthis log.
  • Any comment or feedback about how it went.


#8 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 16 March 2009 - 08:29 PM

I had two problems:
(1) I could not open Spybot S&D to access the menu to close Teatimer. I wound up closing Teatimer.exe through the Windows task manager.
(2) MBAM would not connect to the internet. I ran the scan without the updates and cleared 8 items. I just tried it again and this time it would connect and update so I rescanned. I am posting both logs just in case you need something from both. The log in this post is the first scan, the next post will be the new scan, the one following the latest HJT log.

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/16/2009 8:04:12 PM
mbam-log-2009-03-16 (20-04-12).txt

Scan type: Quick Scan
Objects scanned: 63946
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e25c29ab-12b9-4523-a53c-324b5fba648c} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{92493c4e-589d-462d-824e-da21be6b185f}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{a2a9bedb-ce93-422e-9b50-80e84bde7c85}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e194bf8b-a4ca-46de-bbeb-11c4e00aac73}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxgfomjose.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxoykmrdyi.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 3

3/16/2009 8:27:18 PM
mbam-log-2009-03-16 (20-27-18).txt

Scan type: Quick Scan
Objects scanned: 67509
Time elapsed: 9 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\user\Start Menu\Programs\BHVideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

#9 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 16 March 2009 - 08:30 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:29:48, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198593540390
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6837 bytes

#10 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 16 March 2009 - 08:33 PM

Oops... mis-post!

Edited by Jophiel, 16 March 2009 - 08:34 PM.


#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 16 March 2009 - 08:43 PM

Hi again,

You did a good job running MBAM twice., and posting both the logs. :thumbup2:

BTW: It's too late here and I have a long day work tomorrow. I see the log tomorrow, after this we have one more round to go.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


#12 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 16 March 2009 - 09:20 PM

Good luck at the office tomorrow... here's what ComboFix had to say:

ComboFix 09-03-15.01 - user 2009-03-16 21:14:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.245 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG 7.5.557 *On-access scanning disabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\tmp.reg

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((( Files Created from 2009-02-17 to 2009-03-17 )))))))))))))))))))))))))))))))
.

2009-03-16 19:57 . 2009-03-16 19:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-16 19:57 . 2009-03-16 19:57 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-03-16 19:57 . 2009-03-16 19:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-16 19:57 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-16 19:57 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-16 19:50 . 2009-03-16 19:50 <DIR> d-------- c:\program files\CCleaner
2009-03-15 08:17 . 2009-03-15 08:17 162,304 --a------ c:\documents and settings\user\lame_enc.dll
2009-03-15 08:17 . 2009-03-15 08:17 57,344 --a------ c:\documents and settings\user\lametritonus.dll
2009-03-15 08:00 . 2008-04-13 12:45 60,032 --a------ c:\windows\system32\drivers\USBAUDIO.sys
2009-03-15 08:00 . 2008-04-13 12:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-03-15 08:00 . 2008-04-13 12:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-15 08:00 . 2008-04-13 12:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-15 07:42 . 2009-03-15 07:42 162,304 --a------ c:\documents and settings\user\lame_enc_en.dll
2009-03-15 07:42 . 2009-03-15 07:42 53,248 --a------ c:\documents and settings\user\lametritonus_en.dll
2009-03-13 21:30 . 2009-03-13 21:30 <DIR> d-------- C:\rsit
2009-02-25 19:36 . 2009-03-16 20:06 <DIR> d-------- c:\program files\Autorun Eater
2009-02-25 18:30 . 2009-02-25 18:30 <DIR> d-------- c:\program files\Panda Security
2009-02-25 18:30 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-02-25 18:25 . 2009-02-25 18:25 <DIR> d-------- c:\program files\Trend Micro
2009-02-21 09:16 . 2009-02-21 09:18 <DIR> d-------- c:\documents and settings\user\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-17 01:06 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2009-03-17 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-17 00:45 --------- d-----w c:\program files\Java
2009-03-16 11:02 --------- d-----w c:\documents and settings\user\Application Data\Move Networks
2009-03-09 01:13 --------- d-----w c:\documents and settings\user\Application Data\uTorrent
2009-02-26 00:59 --------- d-----w c:\documents and settings\user\Application Data\Ahead
2009-02-20 11:00 --------- d-----w c:\documents and settings\user\Application Data\Aquatica 3D
2009-02-12 11:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-26 23:24 --------- d-----w c:\documents and settings\user\Application Data\vlc
2009-01-26 23:19 --------- d-----w c:\program files\VideoLAN
2009-01-26 23:16 4,566,136 ----a-w C:\VLCfree_8676.exe
2009-01-26 23:09 --------- d-----w c:\documents and settings\user\Application Data\Apple Computer
2009-01-25 19:37 --------- d-----w c:\program files\uTorrent
2007-12-30 03:50 24,192 ----a-w c:\documents and settings\user\usbsermptxp.sys
2007-12-30 03:50 22,768 ----a-w c:\documents and settings\user\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 212992]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-11 344064]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-25 590848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 136600]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 c:\windows\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-26 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-02-15 110592]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-02-12 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\PANDORA.TV\\Video Streamer\\VideoStreamer.exe"=
"c:\\Program Files\\PANDORA.TV\\Video Streamer\\VSStream.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-25 28544]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-02-13 87936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bab3aef0-c56c-11dc-91c5-0010c67ef416}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F%3Fnsr%3D1%26ui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2
FF - plugin: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\PANDORA.TV\Launcher\npmini.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 21:15:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-03-16 21:17:37
ComboFix-quarantined-files.txt 2009-03-17 02:16:53

Pre-Run: 3,325,304,832 bytes free
Post-Run: 3,403,812,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

143 --- E O F --- 2009-02-21 14:14:32

#13 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 17 March 2009 - 06:59 AM

It is now time to get some protection and scan the whole computer:
  • AVG 7 is outdated. You need protection from an updated Antivirus.

    Visit http://free.avg.com/download?prd=afe to download AVG 8 setup file to your desktop. Don't install it yet.
    • Go to Add/Remove programs and uninstall AVG 7.5
    • Reboot.
    • Remove the folder in bold: C:\Program Files\Grisoft
    • Double click the downloaded setup file to Install AVG 8 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan finished under Result Overview tap at the end of scan result click Export overview to file
    • Select File Type: All files Name:scan.txt and save it on your desktop.
    • Under Warnings tap press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.
  • Please copy and paste a fresh Hijackthis log to your reply for a final review and tell me how is the computer running.


#14 Jophiel

Jophiel
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:10:32 AM

Posted 17 March 2009 - 07:35 PM

Things seem much better. I have installed the updated AVG and also was able to update my Spybot S&D (which was one of the original problems). Here's the AVG log followed by the HJT log.

"Scan ""Scan whole computer"" was finished."
"Warnings";"14"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Tuesday, March 17, 2009, 5:46:28 PM"
"Scan finished:";"Tuesday, March 17, 2009, 7:13:30 PM (1 hour(s) 27 minute(s) 1 second(s))"
"Total object scanned:";"401539"
"User who launched the scan:";"user"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\pro-market.net.bbf67f2d";"Found Tracking cookie.Pro-market";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\revsci.net.50e13b1b";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\revsci.net.55564293";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\revsci.net.a5874ce1";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\k11hzgdy.default\cookies.sqlite:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Potentially dangerous object"


==========================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:05, on 3/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198593540390
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6970 bytes

#15 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:32 PM

Posted 18 March 2009 - 11:29 AM

Everything looks good.
  • Go to start > run and copy and paste or type next command in the field then hit enter:

    ComboFix /u

    Note: There's a space between Combofix and /

    This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore.

    The first reboot might be a little slow, the next one will be faster.

  • Your log looks clean. But your computer is still very much susceptible in particular to hacking and intrusion from outside. If you are not behind a router I strongly advise you to install a firewall before surfing. The windows firewall is not good enough. The Windows firewall provides protection from outside threats as long as the malware is not on your system. When the malware gets to your computer Windows firewall is no more effective. You find more information on firewalls below.
    Click for more information on:Understanding and Using Firewalls

    There are several good free programs available like:

    Sunbelt-Kerio
    (Note: You install the Sunbelt trial version but after the trial period it will revert back to free version.)

    Online Armor Free edition


  • I recommend installing this small application for safe surfing: Javacoolsİ SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. Update it manually (if you use the free version) once in 2-3 weeks and enable the restriction.
Please let me know Combofix uninstalled properly.

Happy surfing!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users