Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack this log


  • This topic is locked This topic is locked
17 replies to this topic

#1 Sugatux

Sugatux

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 25 February 2009 - 08:45 PM

Hi, ive had these threat warnings from avg talking about clusap.dll and also when i startup my computer theres another ".dll", i can't quite remember the name but on my next post i'll mention it. I was wondering, if you guys can help me get rid of the unwanted stuff from this liste.

Thank you!




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:54 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MessengerDiscovery\MessengerDiscovery Live.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5192A517-02B5-4DEA-8C72-B026329057E7} - C:\WINDOWS\system32\qoMgGyaa.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8E075F09-DB41-4256-8BDB-AE6837D9CC1D} - C:\WINDOWS\system32\clusap.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: {5d5018a4-d451-414a-1f14-513fca009abb} - {bba900ac-f315-41f1-a414-154d4a8105d5} - C:\WINDOWS\system32\ziqwuj.dll (file missing)
O2 - BHO: (no name) - {F6BB0E4E-AC9D-496A-8984-74AE48321127} - C:\WINDOWS\system32\ddcYoLEv.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [9c455b93] rundll32.exe "C:\WINDOWS\system32\dwdlsrgt.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSI Configuration] msiconf.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ziqwuj.dll,avgrsstx.dll
O20 - Winlogon Notify: ddcYoLEv - ddcYoLEv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8968 bytes

BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 25 February 2009 - 11:07 PM

Hello Sugatux,

Posted Image

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 26 February 2009 - 09:05 AM

Ok so i ran combofix and rebooted my pc fine and stuff, it told me avg was running and that could create a problem. I did my best to turn avg off, I ran task manager and closed everything avg in it, but somehow combofix saw it as still running. Anyway after it finished the first reboot it countinued working then rebooted again... Ok here is the combofix log, i think


ComboFix 09-02-25.02 - SugaTux 2009-02-26 8:36:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1023.625 [GMT -5:00]
Running from: C:\Documents and Settings\SugaTux\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aayGgMoq.ini
C:\WINDOWS\system32\aayGgMoq.ini2

.
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-25 21:07 . 2009-02-25 19:27 15,688 --a------ C:\WINDOWS\system32\lsdelete.exe
2009-02-25 19:49 . 2009-02-25 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2009-02-25 19:27 . 2009-02-25 19:27 64,160 --a------ C:\WINDOWS\system32\drivers\Lbd.sys
2009-02-25 19:26 . 2009-02-25 19:26 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 19:05 . 2009-02-25 19:05 268 --ah----- C:\sqmdata07.sqm
2009-02-25 19:05 . 2009-02-25 19:05 244 --ah----- C:\sqmnoopt07.sqm
2009-02-17 07:57 . 2009-02-17 07:57 268 --ah----- C:\sqmdata06.sqm
2009-02-17 07:57 . 2009-02-17 07:57 244 --ah----- C:\sqmnoopt06.sqm
2009-01-27 16:55 . 2009-01-27 16:55 <DIR> d-------- C:\Program Files\iTunes
2009-01-27 16:55 . 2009-01-27 16:55 <DIR> d-------- C:\Program Files\iPod
2009-01-27 16:55 . 2009-01-27 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-27 16:52 . 2009-01-27 16:52 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 13:21 --------- d-----w C:\Documents and Settings\SugaTux\Application Data\AVGTOOLBAR
2009-02-26 03:28 --------- d-----w C:\Program Files\Full Tilt Poker
2009-02-26 00:28 --------- d-----w C:\Program Files\Microsoft Silverlight
2009-02-26 00:26 --------- d-----w C:\Program Files\Lavasoft
2009-02-26 00:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-02-26 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-02-09 19:59 --------- d-----w C:\Documents and Settings\SugaTux\Application Data\Azureus
2009-01-27 21:55 --------- d-----w C:\Program Files\Common Files\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E075F09-DB41-4256-8BDB-AE6837D9CC1D}]
2008-11-13 19:14 116480 --a------ C:\WINDOWS\system32\clusap.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 17:35 202024]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 14:34 5724184]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe" [2004-03-31 13:12 417280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 03:07 8491008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 11:51 1836328]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 03:07 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-12-14 13:24 1261336]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-01-05 16:18 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-01-06 13:06 290088]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-25 19:27 509784]
"nwiz"="nwiz.exe" [2007-09-17 03:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\NVIDIA\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\lennywinx\\counter-strike\\hl.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 kwhifkiy;kwhifkiy;C:\WINDOWS\system32\drivers\vzkbmwvo.dat --> C:\WINDOWS\system32\drivers\vzkbmwvo.dat [?]
R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [2009-02-25 19:27:37 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [2008-12-14 13:25:15 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [2008-12-14 13:25:21 76040]
S2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-12-14 13:24:26 875288]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-12-14 13:24:25 231704]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 16:34:37 950096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{465fd277-74eb-11dc-a047-806d6172696f}]
\Shell\AutoRun\command - D:\Bin\Assetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-25 19:27]

2009-01-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 14:34]

2009-02-26 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-03-05 03:03]

2009-01-24 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-03-05 03:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5192A517-02B5-4DEA-8C72-B026329057E7} - C:\WINDOWS\system32\qoMgGyaa.dll
BHO-{bba900ac-f315-41f1-a414-154d4a8105d5} - C:\WINDOWS\system32\ziqwuj.dll
BHO-{F6BB0E4E-AC9D-496A-8984-74AE48321127} - C:\WINDOWS\system32\ddcYoLEv.dll
HKCU-Run-Uniblue RegistryBooster 2009 - C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
HKLM-Run-9c455b93 - C:\WINDOWS\system32\dwdlsrgt.dll
ShellExecuteHooks-{F6BB0E4E-AC9D-496A-8984-74AE48321127} - C:\WINDOWS\system32\ddcYoLEv.dll
Notify-ddcYoLEv - ddcYoLEv.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
Name-Space Handler: ftp\DBoost - {3BF4771A-18F5-4EAB-80B7-AC254D3C7503} - C:\PROGRA~1\BOOSTY~1.COM\DOWNLO~1\fdcatch.dll
Name-Space Handler: http\DBoost - {3BF4771A-18F5-4EAB-80B7-AC254D3C7503} - C:\PROGRA~1\BOOSTY~1.COM\DOWNLO~1\fdcatch.dll
FF - ProfilePath - C:\Documents and Settings\SugaTux\Application Data\Mozilla\Firefox\Profiles\l5iwpjfr.default\
FF - component: C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: C:\Program Files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 08:43:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kwhifkiy]
"ImagePath"="system32\drivers\vzkbmwvo.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-02-26 8:46:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-26 13:46:49

Pre-Run: 13,978,411,008 bytes free
Post-Run: 16,346,038,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

186 --- E O F --- 2009-02-26 00:17:39





and here is the hijack this log




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04, on 2009-02-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5192A517-02B5-4DEA-8C72-B026329057E7} - C:\WINDOWS\system32\qoMgGyaa.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {8E075F09-DB41-4256-8BDB-AE6837D9CC1D} - C:\WINDOWS\system32\clusap.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: {5d5018a4-d451-414a-1f14-513fca009abb} - {bba900ac-f315-41f1-a414-154d4a8105d5} - C:\WINDOWS\system32\ziqwuj.dll (file missing)
O2 - BHO: (no name) - {F6BB0E4E-AC9D-496A-8984-74AE48321127} - C:\WINDOWS\system32\ddcYoLEv.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [9c455b93] rundll32.exe "C:\WINDOWS\system32\dwdlsrgt.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddcYoLEv - ddcYoLEv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 8603 bytes

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 26 February 2009 - 04:22 PM

Hello,

Thanks for that, and thank you for the details on what happened. :thumbup2: It helps!

This time disable ALL your protective programs before you run ComboFix, offline of course. You might have to actually uninstall AVG temporarily if it gives you trouble.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E075F09-DB41-4256-8BDB-AE6837D9CC1D}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kwhifkiy]

File::
C:\WINDOWS\system32\clusap.dll
C:\WINDOWS\system32\drivers\vzkbmwvo.dat

Driver::
vzkbmwvo


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Also please let me know how it's running now. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 27 February 2009 - 01:00 PM

Hi tea ok so I had begun by trying to uninstall avg but now i came accross another problem. Everytime i would try to uninstall it i would get an error message saying:

Local machine: Unstallation failed
Uninstallation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

So i decided to try and delete the files manually, but one file (avgse.dll) is running so i have not being able to delete it.
So then i decided maybe i could try reinstalling avg but now i get this message from avg:

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

I've come upon a road block i hope you can help get past it...

Thank you very much for your time.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 27 February 2009 - 02:17 PM

Hello,

We'll deal with AVG later then. Go ahead and run the script and post the reports, please. :thumbup2:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 27 February 2009 - 02:46 PM

Well here's the Hijackthis log: Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:44, on 2009-02-27
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5192A517-02B5-4DEA-8C72-B026329057E7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: {5d5018a4-d451-414a-1f14-513fca009abb} - {bba900ac-f315-41f1-a414-154d4a8105d5} - (no file)
O2 - BHO: (no name) - {F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ddcYoLEv - ddcYoLEv.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe

--
End of file - 7436 bytes




And here's the combofix log:

omboFix 09-02-26.02 - SugaTux 2009-02-27 2:29:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1023.622 [GMT -5:00]
Running from: C:\Documents and Settings\SugaTux\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SugaTux\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
C:\WINDOWS\system32\clusap.dll
C:\WINDOWS\system32\drivers\vzkbmwvo.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\clusap.dll
C:\WINDOWS\system32\drivers\vzkbmwvo.dat
C:\WINDOWS\system32\eeemuoca.ini
C:\WINDOWS\system32\emojudjm.ini
C:\WINDOWS\system32\hsavykwy.ini
C:\WINDOWS\system32\lxkjffvl.ini
C:\WINDOWS\system32\pwdxkmpt.ini
C:\WINDOWS\system32\tgrsldwd.ini
C:\WINDOWS\system32\uxuxivex.ini
C:\WINDOWS\system32\yoxxkobt.ini
.
---- Previous Run -------
.
C:\WINDOWS\system32\aayGgMoq.ini
C:\WINDOWS\system32\aayGgMoq.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kwhifkiy
-------\Service_kwhifkiy


((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-27 01:46 . 2009-02-27 01:46 <DIR> d-------- C:\Program Files\Alcohol Soft
2009-02-27 01:43 . 2009-02-27 01:43 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2009-02-27 01:28 . 2009-02-27 01:38 <DIR> d-------- C:\Program Files\RegCure
2009-02-27 01:07 . 2009-02-27 01:07 <DIR> d-------- C:\Program Files\PSTRUH
2009-02-26 23:47 . 2009-02-26 23:47 <DIR> d-------- C:\Documents and Settings\Administrator.ZAC-PC
2009-02-25 21:07 . 2009-02-25 19:27 15,688 --a------ C:\WINDOWS\system32\lsdelete.exe
2009-02-25 19:49 . 2009-02-25 19:49 <DIR> d-------- C:\Program Files\Trend Micro
2009-02-25 19:27 . 2009-02-25 19:27 64,160 --a------ C:\WINDOWS\system32\drivers\Lbd.sys
2009-02-25 19:26 . 2009-02-25 19:26 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-25 19:05 . 2009-02-25 19:05 268 --ah----- C:\sqmdata07.sqm
2009-02-25 19:05 . 2009-02-25 19:05 244 --ah----- C:\sqmnoopt07.sqm
2009-02-17 07:57 . 2009-02-17 07:57 268 --ah----- C:\sqmdata06.sqm
2009-02-17 07:57 . 2009-02-17 07:57 244 --ah----- C:\sqmnoopt06.sqm
2009-01-27 16:55 . 2009-01-27 16:55 <DIR> d-------- C:\Program Files\iTunes
2009-01-27 16:55 . 2009-01-27 16:55 <DIR> d-------- C:\Program Files\iPod
2009-01-27 16:55 . 2009-01-27 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-27 16:52 . 2009-01-27 16:52 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-27 07:08 --------- d-----w C:\Program Files\Full Tilt Poker
2009-02-27 05:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2009-02-26 18:01 --------- d-----w C:\Documents and Settings\SugaTux\Application Data\AVGTOOLBAR
2009-02-26 07:42 --------- d-----w C:\Documents and Settings\SugaTux\Application Data\Azureus
2009-02-26 00:28 --------- d-----w C:\Program Files\Microsoft Silverlight
2009-02-26 00:26 --------- d-----w C:\Program Files\Lavasoft
2009-02-26 00:26 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-02-26 00:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-01-27 21:55 --------- d-----w C:\Program Files\Common Files\Apple
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 17:35 202024]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 14:34 5724184]
"System Mechanic Popup Stopper"="C:\Program Files\iolo\System Mechanic 4\PopupStopper.exe" [2004-03-31 13:12 417280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 07:00 455168]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 03:07 8491008]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 03:27 144784]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 11:51 1836328]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 03:07 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-01-05 16:18 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-01-06 13:06 290088]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-02-25 19:27 509784]
"nwiz"="nwiz.exe" [2007-09-17 03:07 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcYoLEv]
ddcYoLEv.dll [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\NVIDIA\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\lennywinx\\counter-strike\\hl.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Sierra Entertainment\\Empire Earth III\\EE3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [2009-02-25 19:27:37 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [2008-12-14 13:25:15 97928]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [2008-12-14 13:25:21 76040]
S2 avg8emc;AVG Free8 E-mail Scanner; [x]
S2 avg8wd;AVG Free8 WatchDog; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 16:34:37 950096]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-02-25 19:27]

2009-01-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 14:34]

2009-02-27 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2009-02-27 01:29]

2009-02-27 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2009-02-27 01:29]

2009-02-27 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-03-05 03:03]

2009-01-24 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-03-05 03:03]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5192A517-02B5-4DEA-8C72-B026329057E7} - (no file)
BHO-{bba900ac-f315-41f1-a414-154d4a8105d5} - (no file)
BHO-{F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)
ShellExecuteHooks-{F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
Name-Space Handler: ftp\DBoost - {3BF4771A-18F5-4EAB-80B7-AC254D3C7503} - C:\PROGRA~1\BOOSTY~1.COM\DOWNLO~1\fdcatch.dll
Name-Space Handler: http\DBoost - {3BF4771A-18F5-4EAB-80B7-AC254D3C7503} - C:\PROGRA~1\BOOSTY~1.COM\DOWNLO~1\fdcatch.dll
FF - ProfilePath - C:\Documents and Settings\SugaTux\Application Data\Mozilla\Firefox\Profiles\l5iwpjfr.default\
FF - component: C:\Program Files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 02:34:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(636)
C:\WINDOWS\system32\adsldpc.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G Wireless Network Monitor\WMP54GS.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-27 2:36:58 - machine was rebooted [SugaTux]
ComboFix-quarantined-files.txt 2009-02-27 07:36:55

Pre-Run: 16,066,412,544 bytes free
Post-Run: 16,079,499,264 bytes free

197 --- E O F --- 2009-02-26 00:17:39

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 27 February 2009 - 02:57 PM

Hello there,

Looking better. :thumbup2: I suspect AdWatch had something to do with the difficult time you had with AVG. It interferes with any changes you try to make as it does not discern between good and bad when it comes to changes.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5192A517-02B5-4DEA-8C72-B026329057E7} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: {5d5018a4-d451-414a-1f14-513fca009abb} - {bba900ac-f315-41f1-a414-154d4a8105d5} - (no file)
O2 - BHO: (no name) - {F6BB0E4E-AC9D-496A-8984-74AE48321127} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O20 - Winlogon Notify: ddcYoLEv - ddcYoLEv.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Your Java is out of date, which leaves your computer vulnerable.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6_u_12.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
How is it running now please? :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 27 February 2009 - 03:33 PM

Hi, I did everything you asked and it's running awesome!
The only remaining thing id like to get rid of is that darn avg file, and also would you happen to have have any suggestion's of good free anti-virus programs i could download to help protect my pc...

Thanks a lot! :thumbup2:

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 27 February 2009 - 03:44 PM

Hi,

That's great! :thumbup2: You're most welcome. :)

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Try this nifty little tool to uninstall AVG : http://www.revouninstaller.com/

Just open Revo and it'll bring up everything in your Add/Remove list. Choose AVG and the medium setting and then follow the prompts. Reboot afterwards. I'm assuming at this point it is still in the Add/Remove Programs list?

I use Avira on my system. It's lighter than AVG, and MUCH less hassle. http://www.free-av.com/

Let me know how you come out. :step4:

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 27 February 2009 - 04:38 PM

Well still no luck getting rid of avg, iv'e been looking around and can't find anything that works... The thing about it is that it is not in the add/remove programs anymore, and the last file is a dll that keeps running so i can't stop it to delete... Thanks for the suggestin free-av to me. Anyway let me know if you think of any other way of removing the avgse.dll file.

Thanks a million. :thumbup2:

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 27 February 2009 - 04:47 PM

Is that the exact name of the file, or is it avgssie.dll? Give me the full path also and we'll kill the little sucker. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 27 February 2009 - 04:55 PM

Lol, k here is the full path from my c: drive.

C:\Program Files\AVG\AVG8\avgse.dll

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:09:48 PM

Posted 27 February 2009 - 05:00 PM

Yay! :thumbup2:

Open HijackThis. It should open to a "New users quickstart" menu
Click "Open the Misc Tools section"
Click "Delete a file on reboot..."
In the "Enter file to delete on reboot..." window, navigate to:

C:\Program Files\AVG\AVG8

And select the file

avgse.dll

Then click Open. After you click Open, HiJackThis will ask you if you want to restart your computer now. You do, so click Yes.

You can also delete the folder C:\Program Files\AVG
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Sugatux

Sugatux
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada, mtl
  • Local time:10:48 PM

Posted 27 February 2009 - 05:11 PM

Omg perfect... Thank you very much, you are very kind and know what you're doing if theres anywhere i can throw in a good word for you I'd be more then happy, just let me know where. I hope next time i have a problem with something, that person knows as much and is as kind as you.

Thank you!!!

:) :thumbup2:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users