Think I have some trojans.


  • This topic is locked
27 replies to this topic

#1 eddythepwner

eddythepwner

  • Members
  • 20 posts

Posted 11 March 2009 - 03:55 AM

Hi, I've got some Trojans coming up in my AVG scans recently and I was wondering if you guys could check out my HijackThis log. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:50 PM, on 11/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\mabidwe.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101677&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {a057a204-bacc-4d26-9990-79a187e2698e} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Frag Ooze Cash Scr] C:\Documents and Settings\All Users\Application Data\close poke frag ooze\Each mapi.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cash web] C:\DOCUME~1\Eddy\APPLIC~1\PUREMP~1\Cool flag.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090305a.dll xccd16
O4 - Startup: Deer Hunter 2005 Registration.lnk = C:\Program Files\Atari\Deer Hunter 2005\ATR1.EXE
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,C:\WINDOWS\system32\cssdll32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent (avgidsagent) - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher (avgidswatcher) - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11782 bytes
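The checks a helper applies to an HJT log like the one above can be written down. The script below is an added example, not a tool from this thread or from BleepingComputer; its sample lines are copied from the log above, while the heuristics, severity labels and function names are my own.

```python
import re
from dataclasses import dataclass

# Heuristic triage of HijackThis (HJT) log lines, i.e. the checks a forum helper applies by eye.
# Added example, not a tool from this thread; the sample lines are copied from the HJT log above.
# Findings are review items, not verdicts: legitimate software trips these rules too, so each flagged file still needs a human look.

SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Frag Ooze Cash Scr] C:\Documents and Settings\All Users\Application Data\close poke frag ooze\Each mapi.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe
O4 - HKCU\..\Run: [cash web] C:\DOCUME~1\Eddy\APPLIC~1\PUREMP~1\Cool flag.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090305a.dll xccd16
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>.+?): \[(?P<name>.*?)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|scr|com|bat))', re.IGNORECASE)
# Directories an ordinary user (and malware running as that user) can write to.
PROFILE_DIRS = ("documents and settings", "docume~1", "application data", "applic~1", "local settings", "locals~1", "\\temp\\")
# Core Windows binaries that malware likes to imitate by name.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}

@dataclass
class Finding:
    severity: str  # "info", "low", "medium" or "high"
    kind: str      # HJT section the line came from, e.g. "O4"
    subject: str   # value name, service name or CLSID concerned
    reason: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_of(cmd: str) -> str:
    """Program a Run value launches, even when the path is unquoted and contains spaces."""
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]

def check_run(kind: str, body: str) -> list[Finding]:
    m = RUN_RE.match(body)
    if not m:
        return []  # Startup-folder O4 lines are not examined here
    name, key, cmd = m.group("name"), m.group("key"), m.group("cmd")
    exe = executable_of(cmd)
    base = exe.rsplit("\\", 1)[-1].lower()
    out = []
    if "policies\\explorer\\run" in key.lower():
        out.append(Finding("high", kind, name, "autostart via Policies\\Explorer\\Run, rarely used by legitimate software"))
    if any(d in exe.lower() for d in PROFILE_DIRS):
        out.append(Finding("medium", kind, name, f"autostart from a user-writable profile directory: {exe}"))
    if name.lower() + ".exe" in SYSTEM_BINARIES and base != name.lower() + ".exe":
        out.append(Finding("high", kind, name, f"value name imitates a Windows component but runs {base}"))
    for known in SYSTEM_BINARIES:
        if base != known and edit_distance(base, known) == 1:
            out.append(Finding("high", kind, name, f"{base} is a one-character lookalike of {known}"))
    return out

def check_service(kind: str, body: str) -> list[Finding]:
    m = SERVICE_RE.match(body)
    if not m:
        return []
    name, path = m.group("name"), m.group("path")
    image = path.removesuffix("(file missing)").strip()
    out = []
    if ":" in image[2:]:  # a colon after the drive letter means an NTFS alternate data stream
        out.append(Finding("high", kind, name, f"executable hidden in an alternate data stream: {image}"))
    if path.endswith("(file missing)"):
        out.append(Finding("low", kind, name, "image file is missing; orphaned service entry"))
    if image.endswith("\\"):
        out.append(Finding("info", kind, name, f"image path names a directory, not a file ({image}); check ImagePath in the registry"))
    return out

def triage(log_text: str) -> list[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O4":
            findings.extend(check_run(kind, body))
        elif kind == "O23":
            findings.extend(check_service(kind, body))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("low", kind, body.split(" - ")[1], "BHO whose file is gone; harmless leftover, safe to remove"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Run against the full log above, the same rules also flag the HKLM Run entries under Application Data that AVG did not remove; the Program Files entries (Java, Nero, iTunes) pass through untouched.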


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 22 March 2009 - 10:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 eddythepwner

eddythepwner
  • Topic Starter

  • Members
  • 20 posts

Posted 23 March 2009 - 12:55 AM

Hey, thanks for the reply. Here is the DDS scan. I also attached the other one as requested.

Thanks for the help.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Eddy at 16:48:53.06 on Mon 23/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1362 [GMT 11:00]

AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: COMODO Firewall *disabled*
FW: AVG Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Eddy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uInternet Settings,ProxyServer = 0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [cash web] c:\docume~1\eddy\applic~1\puremp~1\Cool flag.exe
uRun: [Google Update] "c:\documents and settings\eddy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Firewall Pro] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [COMODO Internet Security] "c:\program files\comodo\firewall\cfp.exe" -h
mRun: [Frag Ooze Cash Scr] c:\documents and settings\all users\application data\close poke frag ooze\Each mapi.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [A00F1C5DFB6.exe] c:\windows\temp\_A00F1C5DFB6.exe
mExplorerRun: [NoActiveDesktopChanges] 00000000
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
mExplorerRun: [xccinit] c:\windows\system32\inf\rundll33.exe c:\windows\xccdf16_090305a.dll xccd16
StartupFolder: c:\docume~1\eddy\startm~1\programs\startup\deerhu~1.lnk - c:\program files\atari\deer hunter 2005\ATR1.EXE
StartupFolder: c:\docume~1\eddy\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\eddy\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
uPolicies-explorer: NoActiveDesktopChanges = 00000000
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: __c00EB7D6 - c:\windows\system32\__c00EB7D6.dat
AppInit_DLLs: c:\windows\system32\guard32.dll,c:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eddy\applic~1\mozilla\firefox\profiles\697hg1i4.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\eddy\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 avgidserhr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-10 12552]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2008-9-14 2915944]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-10 325640]
R1 avgmfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2009-3-9 27656]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-10 107912]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-9-30 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-9-30 31504]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-10 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-3-10 1362784]
R2 avgidswatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\firewall\cmdagent.exe [2008-9-30 618232]
R3 avgfwdx;avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-3-10 29208]
R3 avgidsdriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 avgidsfilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 avgidsshim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S1 477b8106;477b8106;c:\windows\system32\drivers\477b8106.sys [2009-3-9 0]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\system32\appdrvrem01.exe svc --> c:\windows\system32\appdrvrem01.exe svc [?]
S2 avgidsagent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
S2 defaultlib;Service AntiVir;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 FCI;FCI;c:\windows\system32\svchost.exe:ext.exe --> c:\windows\system32\svchost.exe:ext.exe [?]
S2 imaewousdc;ImaeWousdc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-3-10 29208]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
S3 pcistub;pcistub;\??\c:\windows\system32\pcistub.sys --> c:\windows\system32\pcistub.sys [?]

============== File Associations ===============

txtfile="c:\windows\system32\nxtepad.exe" "%1"

=============== Created Last 30 ================

2009-03-22 12:25 17,196 a------- c:\windows\system32\leeppcsetup.exe
2009-03-21 23:53 24,576 a------- c:\windows\system32\__c00EB7D6.dat
2009-03-21 23:53 35,840 a------- c:\windows\system32\gldx.exe
2009-03-17 18:11 <DIR> --d----- c:\documents and settings\eddy\Tracing
2009-03-17 18:10 <DIR> --d----- c:\program files\Microsoft
2009-03-17 18:09 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-17 18:05 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-15 03:29 20 a------- c:\windows\system32\NVCPL.DLL
2009-03-15 02:13 189,072 a------- c:\windows\system32\PnkBstrB.xtr
2009-03-13 23:31 17,196 a------- c:\windows\system32\303559.exe
2009-03-13 10:39 22,964 a------- c:\windows\system32\nDler.exe
2009-03-10 23:45 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-10 23:07 <DIR> --d----- c:\windows\system32\3361
2009-03-10 23:07 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-03-10 19:32 36,352 a------- c:\windows\xccdf16_090305a.dll
2009-03-10 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-03-10 18:10 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-10 18:10 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-10 18:10 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-10 18:10 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-10 18:10 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-10 18:10 <DIR> --d----- c:\docume~1\eddy\applic~1\AVGTOOLBAR
2009-03-10 18:08 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-03-10 18:08 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-03-10 17:17 217,600 a------- c:\windows\system32\w.exe
2009-03-10 17:17 8 a------- c:\windows\system32\comsa32.sys
2009-03-10 17:17 196 a------- c:\windows\system32\xcchit32.ini
2009-03-10 17:16 251,392 a------- c:\windows\xccdf32_090305a.dll
2009-03-10 17:16 610 a------- c:\windows\xccwinsys.ini
2009-03-10 17:16 <DIR> --d----- c:\windows\system32\inf
2009-03-10 17:16 130,204 a------- c:\windows\system32\icv.exe
2009-03-09 21:10 <DIR> --d----- c:\program files\Empire Total War
2009-03-09 20:40 0 a------- c:\windows\system32\drivers\477b8106.sys
2009-03-09 20:40 2 a------- C:\-669487300
2009-03-09 20:40 8,704 a------- C:\rbgv.exe
2009-03-09 20:40 15,000 a------- c:\windows\system32\hs3i7jdgfd.dll
2009-03-08 13:06 268 a---h--- C:\sqmdata11.sqm
2009-03-08 13:06 244 a---h--- C:\sqmnoopt11.sqm
2009-03-02 16:54 230,912 a------- c:\windows\system32\CNMLM9H.DLL
2009-02-27 05:46 42,320 a------- c:\windows\system32\xfcodec.dll
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-21 17:01 <DIR> --d----- c:\docume~1\eddy\applic~1\The Creative Assembly

==================== Find3M ====================

2009-03-22 16:05 78,183 a------- c:\windows\War3Unin.dat
2009-03-15 02:13 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-03-15 01:51 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-15 01:51 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-09 20:40 14,336 a------- c:\windows\system32\svchost.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-05 10:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-16 18:24 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-27 20:08 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-31 17:56 22,328 a------- c:\docume~1\eddy\applic~1\PnkBstrK.sys
2008-03-05 12:35 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-01-26 03:33 47,360 a------- c:\docume~1\eddy\applic~1\pcouffin.sys
2007-11-22 20:28 5,746 a------- c:\program files\install.log
2008-11-20 13:39 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-11-20 13:39 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-11-20 13:39 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:49:55.00 ===============


#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 23 March 2009 - 04:13 PM

Hello, eddythepwner
We need to disable Spybot S&D's "TeaTimer".
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 eddythepwner
  • Topic Starter
  • Members
  • 20 posts

Posted 24 March 2009 - 02:22 AM

Hey, here is the ComboFix log.

Thanks.

ComboFix 09-03-22.01 - Eddy 2009-03-24 18:07:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1422 [GMT 11:00]
Running from: c:\documents and settings\Eddy\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *enabled*
FW: COMODO Firewall *disabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eddy\EULA.txt
c:\program files\INSTALL.LOG
c:\windows\Install.txt
c:\windows\system32\__c00EB7D6.dat
c:\windows\system32\303559.exe
c:\windows\system32\comsa32.sys
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaaoroujnh.sys
c:\windows\system32\hs3i7jdgfd.dll
c:\windows\system32\inf\rundll33.exe
c:\windows\system32\inf\xccdfb16_090305.dll
c:\windows\system32\inf\xccefb090305.scr
c:\windows\system32\Install.txt
c:\windows\system32\NVCPL.DLL
c:\windows\system32\senekabdkrnyat.dat
c:\windows\system32\senekactewbpxi.dat
c:\windows\system32\senekajymnalcu.dll
c:\windows\system32\senekakbfxwpie.dat
c:\windows\system32\senekapjnukvky.dll
c:\windows\system32\senekaronahrke.dll
c:\windows\system32\senekatkospwcd.dat
c:\windows\system32\tpszxyd.sys
c:\windows\system32\w.exe
c:\windows\system32\xcchit32.ini
c:\windows\xccdf16_090305a.dll
c:\windows\xccdf32_090305a.dll
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_defaultlib
-------\Legacy_fci
-------\Legacy_softyinforwow1
-------\Service_6to4
-------\Service_defaultlib
-------\Service_FCI
-------\Service_seneka
-------\Service_softyinforwow1


((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-22 12:25 . 2009-03-22 12:40 17,196 --a------ c:\windows\system32\leeppcsetup.exe
2009-03-21 23:53 . 2009-03-21 23:53 35,840 --a------ c:\windows\system32\gldx.exe
2009-03-21 09:25 . 2009-03-21 09:25 41,808 --a------ c:\windows\system32\xfcodec.dll
2009-03-17 18:11 . 2009-03-24 18:14 <DIR> d-------- c:\documents and settings\Eddy\Tracing
2009-03-17 18:10 . 2009-03-17 18:10 <DIR> d-------- c:\program files\Microsoft
2009-03-17 18:09 . 2009-03-17 18:09 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-17 18:05 . 2009-03-17 18:05 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-15 02:13 . 2009-03-15 02:13 189,072 --a------ c:\windows\system32\PnkBstrB.xtr
2009-03-13 17:40 . 2009-03-13 17:40 <DIR> d-------- c:\documents and settings\Eddy\Application Data\vlc
2009-03-13 10:39 . 2009-03-13 10:39 22,964 --a------ c:\windows\system32\nDler.exe
2009-03-10 23:45 . 2009-03-11 19:08 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-10 23:07 . 2009-03-10 23:07 <DIR> d-------- c:\windows\system32\3361
2009-03-10 23:07 . 2009-03-10 23:07 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-10 18:10 . 2009-03-23 19:57 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-10 18:10 . 2009-03-10 23:05 <DIR> d-------- c:\documents and settings\Eddy\Application Data\AVGTOOLBAR
2009-03-10 18:10 . 2009-03-10 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-10 18:10 . 2009-03-10 18:10 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-10 18:10 . 2009-03-10 18:10 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-10 18:10 . 2009-03-10 18:10 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-10 18:10 . 2009-03-10 18:10 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-10 18:08 . 2009-03-10 18:08 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-03-10 18:08 . 2009-03-10 18:08 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-03-10 17:16 . 2009-03-24 18:08 <DIR> d-------- c:\windows\system32\inf
2009-03-10 17:16 . 2009-03-10 17:16 130,204 --a------ c:\windows\system32\icv.exe
2009-03-09 21:10 . 2009-03-09 22:50 <DIR> d-------- c:\program files\Empire Total War
2009-03-09 20:40 . 2009-03-09 20:40 8,704 --a------ C:\rbgv.exe
2009-03-09 20:40 . 2009-03-09 20:40 2 --a------ C:\-669487300
2009-03-09 20:40 . 2009-03-11 18:47 0 --a------ c:\windows\system32\drivers\477b8106.sys
2009-03-08 13:06 . 2009-03-08 13:06 268 --ah----- C:\sqmdata11.sqm
2009-03-08 13:06 . 2009-03-08 13:06 244 --ah----- C:\sqmnoopt11.sqm
2009-03-02 16:54 . 2009-03-02 16:54 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2009-03-02 16:54 . 2008-04-01 07:00 230,912 --a------ c:\windows\system32\CNMLM9H.DLL
2009-02-26 12:46 . 2009-02-26 12:46 74,760 --a------ c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 . 2009-02-26 12:46 25,608 --a------ c:\windows\system32\drivers\AVGIDSErHr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 06:54 --------- d-s---w c:\program files\Xfire
2009-03-24 06:33 --------- d-----w c:\documents and settings\Eddy\Application Data\Xfire
2009-03-23 13:17 --------- d-----w c:\program files\Warcraft III
2009-03-22 04:05 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-22 02:20 --------- d-----w c:\documents and settings\Eddy\Application Data\FrostWire
2009-03-17 07:09 --------- d-----w c:\program files\Windows Live
2009-03-14 14:51 138,920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-13 06:41 --------- d-----w c:\documents and settings\Eddy\Application Data\uTorrent
2009-03-12 05:30 --------- d-----w c:\program files\FrostWire
2009-03-11 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-10 13:01 --------- d-----w c:\documents and settings\NetworkService\Application Data\pure mp3 byte
2009-03-09 13:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-09 13:09 --------- d-----w c:\program files\SpywareBlaster
2009-03-09 10:34 --------- d-----w c:\documents and settings\Eddy\Application Data\The Creative Assembly
2009-03-09 08:36 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 08:36 --------- d-----w c:\program files\EA GAMES
2009-03-04 07:29 --------- d-----w c:\program files\Opera
2009-02-19 07:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 07:28 --------- d-----w c:\program files\AGEIA Technologies
2009-02-09 02:18 6,307,328 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-10-31 06:56 22,328 ----a-w c:\documents and settings\Eddy\Application Data\PnkBstrK.sys
2008-03-05 01:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-01-25 16:33 47,360 ----a-w c:\documents and settings\Eddy\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-08 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-14 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-18 486856]
"Google Update"="c:\documents and settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-20 185896]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-09-30 278264]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2008-12-06 1797880]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2008-12-06 1797880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-10 1932568]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-11-05 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-10 18:10 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashdisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashserv.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashsimpl.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defwatch.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\teh_ultimate_ity\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 avgidserhr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-10 12552]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2008-09-14 2915944]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-10 325640]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-10 107912]
R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-09-30 101776]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-09-30 31504]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-10 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-03-10 1362784]
R2 avgidsagent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
R2 avgidswatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R3 avgfwdx;avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-03-10 29208]
R3 avgidsdriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 avgidsfilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 avgidsshim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
S1 477b8106;477b8106;c:\windows\system32\drivers\477b8106.sys [2009-03-09 0]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
S2 imaewousdc;ImaeWousdc;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-03-10 29208]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 pcistub;pcistub;\??\c:\windows\system32\pcistub.sys --> c:\windows\system32\pcistub.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Nero BackItUp Scheduler 3
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NMIndexingService
*Deregistered* - NVSvc
*Deregistered* - PnkBstrA
*Deregistered* - PnkBstrB
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72850cc6-9b11-11dc-9a66-001a92822b2f}]
\Shell\1\Command - e:\.\readme.txt.exe
\Shell\2\Command - e:\.\readme.txt.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-299502267-839522115-1003.job
- c:\documents and settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 19:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-cash web - c:\docume~1\Eddy\APPLIC~1\PUREMP~1\Cool flag.exe
HKLM-Run-Frag Ooze Cash Scr - c:\documents and settings\All Users\Application Data\close poke frag ooze\Each mapi.exe
HKLM-Run-NvCplDaemon - c:\windows\system32\NvCpl.dll
HKU-Default-Run-A00F1C5DFB6.exe - c:\windows\TEMP\_A00F1C5DFB6.exe
HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
Notify-__c00EB7D6 - c:\windows\system32\__c00EB7D6.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uInternet Settings,ProxyServer = 0.0.0.0:80
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Eddy\Application Data\Mozilla\Firefox\Profiles\697hg1i4.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Eddy\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 18:15:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...


c:\windows\TEMP\6d6032eb-9f96-4801-bedd-2d2301dbdf4e.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-299502267-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ff,8b,51,00,cd,3b,ee,c2,36,86,11,9f,69,b0,33,15,e6,2f,1f,a3,f0,a0,dc,
29,64,fd,ac,11,16,cf,4c,cd,c7,df,4e,11,b8,d1,71,1b,28,14,68,a2,51,32,64,7d,\
"??"=hex:11,cc,a5,30,bd,3a,4c,ac,38,3b,27,b8,7c,7c,86,74

[HKEY_USERS\S-1-5-21-1547161642-299502267-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:80,0f,96,87,b3,73,88,fc,34,df,b8,d6,b8,d3,4c,22,86,1d,a8,3b,83,
3e,ef,e2,35,bd,a5,56,53,6b,69,b3,ef,cd,b6,c9,5a,a1,f2,8a,3d,a8,9b,4a,94,69,\
"rkeysecu"=hex:a9,99,9e,c5,a1,49,0b,49,f2,f9,50,b9,23,28,c2,a8
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Xfire\Xfire.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\COMODO\Firewall\cmdagent.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-24 18:19:55 - machine was rebooted [Eddy]
ComboFix-quarantined-files.txt 2009-03-24 07:19:51
ComboFix2.txt 2008-09-27 06:12:16

Pre-Run: 5,745,184,768 bytes free
Post-Run: 6,473,367,552 bytes free

356 --- E O F --- 2009-03-05 13:01:18

#6 Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 24 March 2009 - 02:18 PM

Hello, eddythepwner
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
I recommend you remove either AVG Internet Security or Comodo Internet Security.

Unless otherwise listed below, you can remove these AV programs from Add/Remove Programs.



We need to re-run ComboFix with some additional directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    http://www.bleepingcomputer.com/forums/t/210235/think-i-have-some-trojans/
    collect::
    C:\rbgv.exe
    e:\readme.txt.exe
    file::
    c:\windows\system32\nDler.exe
    c:\windows\System32\appdrvrem01.exe
    folder::
    C:\-669487300
    registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "NoActiveDesktopChanges"=-
    "NoActiveDesktop"=-
    "NoSaveSettings"=-
    "ClassicShell"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSimpleStartMenu"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashdisp.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashserv.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashsimpl.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\defwatch.exe]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72850cc6-9b11-11dc-9a66-001a92822b2f}]
    [-HKEY_CLASSES_ROOT\CLSID\{72850cc6-9b11-11dc-9a66-001a92822b2f}]
    driver::
    477b8106
    appdrvrem01
    dds::
    uInternet Settings,ProxyServer = 0.0.0.0:80
    rootkit::
    c:\windows\TEMP\6d6032eb-9f96-4801-bedd-2d2301dbdf4e.tmp
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image
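As an added example, not part of this thread and not ComboFix's own code, here is a Python triage script that parses a ComboFix "Reg Loading Points" excerpt like the one in post #5 and flags the two persistence mechanisms the CFScript above removes: the Image File Execution Options "Debugger" values that redirect security tools to alg.exe, and the mountpoints2 shell/autorun handlers pointing at readme.txt.exe. The sample log is constructed from lines quoted in this thread plus one benign IFEO entry for contrast, and the KNOWN_DEBUGGERS allow-list is a hypothetical example.

```python
import re
from typing import Dict, List

Finding = Dict[str, str]

# Constructed excerpt of a ComboFix "Reg Loading Points" section, assembled from
# lines quoted in this thread plus one benign IFEO entry (notepad.exe -> windbg)
# added for contrast. It is a constructed sample, not a live capture.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-10 1932568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\antivirus-ashdisp.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"=c:\debuggers\windbg.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{72850cc6-9b11-11dc-9a66-001a92822b2f}]
\Shell\1\Command - e:\.\readme.txt.exe
\Shell\2\Command - e:\.\readme.txt.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\readme.txt.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
MOUNT_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\[Cc]ommand - (?P<cmd>.+)$")
# A document-looking name followed by an executable extension, e.g. readme.txt.exe.
DOUBLE_EXT_RE = re.compile(r"\.(txt|jpg|jpeg|gif|doc|pdf)\.(exe|scr|com|bat|pif)\b", re.I)
IFEO_MARKER = "\\image file execution options\\"
MOUNTPOINTS_MARKER = "\\mountpoints2\\"
# Hypothetical allow-list of binaries that legitimately appear as an IFEO
# "Debugger"; tune it for your environment.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "devenv.exe"}


def parse_reg_loading_points(log: str) -> List[Finding]:
    """Walk the log once, remembering the current [key], and collect the two
    persistence patterns in this thread's log: IFEO "Debugger" redirections and
    mountpoints2 shell/autorun handlers for a removable drive."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        key_lower = current_key.lower()
        if IFEO_MARKER in key_lower:
            value = VALUE_RE.match(line)
            if value and value.group("name").lower() == "debugger":
                findings.append({
                    "kind": "ifeo_debugger",
                    # The last component of the IFEO key is the hijacked program.
                    "target": current_key.rsplit("\\", 1)[-1],
                    "debugger": value.group("data").strip().strip('"'),
                })
        elif MOUNTPOINTS_MARKER in key_lower:
            cmd_match = MOUNT_CMD_RE.match(line)
            if cmd_match:
                command = cmd_match.group("cmd").strip()
                findings.append({
                    "kind": "mountpoint_autorun",
                    "verb": cmd_match.group("verb"),
                    "command": command,
                    "double_extension": "yes" if DOUBLE_EXT_RE.search(command) else "no",
                })
    return findings


def classify_ifeo(findings: List[Finding]) -> List[Finding]:
    """Mark IFEO entries whose "Debugger" is not a known debugger as suspicious.
    Windows starts the named debugger instead of the target, so alg.exe listed
    for a security product means that product silently never launches."""
    classified = []
    for f in findings:
        if f["kind"] == "ifeo_debugger":
            base = f["debugger"].rsplit("\\", 1)[-1].lower()
            verdict = "expected" if base in KNOWN_DEBUGGERS else "suspicious"
            classified.append({**f, "verdict": verdict})
    return classified


def hijacked_by_debugger(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group suspicious redirections by the binary they point to: many security
    tools sharing one "debugger" is the AV-disabling pattern from this thread."""
    groups: Dict[str, List[str]] = {}
    for f in classify_ifeo(findings):
        if f["verdict"] == "suspicious":
            groups.setdefault(f["debugger"].lower(), []).append(f["target"])
    return groups
```

On the sample, the two alg.exe redirections are grouped under one debugger while the notepad.exe entry is reported as expected, and all three mountpoints2 handlers are flagged for the readme.txt.exe double extension.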

#7 eddythepwner
  • Topic Starter
  • Members
  • 20 posts

Posted 24 March 2009 - 10:43 PM

Hey Billy, here's the new ComboFix log.

Thanks.


ComboFix 09-03-22.01 - Eddy 2009-03-25 14:31:18.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1432 [GMT 11:00]
Running from: c:\documents and settings\Eddy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eddy\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated)
FW: AVG Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\System32\appdrvrem01.exe
c:\windows\system32\nDler.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\-669487300\

.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-22 12:25 . 2009-03-22 12:40 17,196 --a------ c:\windows\system32\leeppcsetup.exe
2009-03-21 23:53 . 2009-03-21 23:53 35,840 --a------ c:\windows\system32\gldx.exe
2009-03-21 09:25 . 2009-03-21 09:25 41,808 --a------ c:\windows\system32\xfcodec.dll
2009-03-17 18:11 . 2009-03-25 14:35 <DIR> d-------- c:\documents and settings\Eddy\Tracing
2009-03-17 18:10 . 2009-03-17 18:10 <DIR> d-------- c:\program files\Microsoft
2009-03-17 18:09 . 2009-03-17 18:09 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-17 18:05 . 2009-03-17 18:05 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-15 02:13 . 2009-03-15 02:13 189,072 --a------ c:\windows\system32\PnkBstrB.xtr
2009-03-13 17:40 . 2009-03-13 17:40 <DIR> d-------- c:\documents and settings\Eddy\Application Data\vlc
2009-03-10 23:45 . 2009-03-11 19:08 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-10 23:07 . 2009-03-10 23:07 <DIR> d-------- c:\windows\system32\3361
2009-03-10 23:07 . 2009-03-10 23:07 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
2009-03-10 18:10 . 2009-03-25 13:47 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-10 18:10 . 2009-03-10 23:05 <DIR> d-------- c:\documents and settings\Eddy\Application Data\AVGTOOLBAR
2009-03-10 18:10 . 2009-03-10 18:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-10 18:10 . 2009-03-10 18:10 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-10 18:10 . 2009-03-10 18:10 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-10 18:10 . 2009-03-10 18:10 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-03-10 18:10 . 2009-03-10 18:10 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-10 18:08 . 2009-03-10 18:08 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-03-10 18:08 . 2009-03-10 18:08 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-03-10 17:16 . 2009-03-24 18:08 <DIR> d-------- c:\windows\system32\inf
2009-03-10 17:16 . 2009-03-10 17:16 130,204 --a------ c:\windows\system32\icv.exe
2009-03-09 21:10 . 2009-03-09 22:50 <DIR> d-------- c:\program files\Empire Total War
2009-03-09 20:40 . 2009-03-09 20:40 2 --a------ C:\-669487300
2009-03-09 20:40 . 2009-03-11 18:47 0 --a------ c:\windows\system32\drivers\477b8106.sys
2009-03-08 13:06 . 2009-03-08 13:06 268 --ah----- C:\sqmdata11.sqm
2009-03-08 13:06 . 2009-03-08 13:06 244 --ah----- C:\sqmnoopt11.sqm
2009-03-02 16:54 . 2009-03-02 16:54 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2009-03-02 16:54 . 2008-04-01 07:00 230,912 --a------ c:\windows\system32\CNMLM9H.DLL
2009-02-26 12:46 . 2009-02-26 12:46 74,760 --a------ c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 . 2009-02-26 12:46 25,608 --a------ c:\windows\system32\drivers\AVGIDSErHr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 03:01 --------- d-----w c:\program files\COMODO
2009-03-25 03:01 --------- d-----w c:\documents and settings\Eddy\Application Data\Comodo
2009-03-24 13:07 --------- d-----w c:\program files\Warcraft III
2009-03-24 06:54 --------- d-s---w c:\program files\Xfire
2009-03-24 06:33 --------- d-----w c:\documents and settings\Eddy\Application Data\Xfire
2009-03-22 04:05 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-22 02:20 --------- d-----w c:\documents and settings\Eddy\Application Data\FrostWire
2009-03-17 07:09 --------- d-----w c:\program files\Windows Live
2009-03-14 14:51 138,920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-13 06:41 --------- d-----w c:\documents and settings\Eddy\Application Data\uTorrent
2009-03-12 05:30 --------- d-----w c:\program files\FrostWire
2009-03-11 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-03-10 13:01 --------- d-----w c:\documents and settings\NetworkService\Application Data\pure mp3 byte
2009-03-09 13:09 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-09 13:09 --------- d-----w c:\program files\SpywareBlaster
2009-03-09 10:34 --------- d-----w c:\documents and settings\Eddy\Application Data\The Creative Assembly
2009-03-09 08:36 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-09 08:36 --------- d-----w c:\program files\EA GAMES
2009-03-04 07:29 --------- d-----w c:\program files\Opera
2009-02-19 07:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-19 07:28 --------- d-----w c:\program files\AGEIA Technologies
2009-02-09 02:18 6,307,328 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-10-31 06:56 22,328 ----a-w c:\documents and settings\Eddy\Application Data\PnkBstrK.sys
2008-03-05 01:35 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-01-25 16:33 47,360 ----a-w c:\documents and settings\Eddy\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_18.18.48.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-25 03:36:05 16,384 ----atw c:\windows\temp\Perflib_Perfdata_db8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"Steam"="c:\program files\valve\steam\steam.exe" [2008-10-08 1410296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-14 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-09-20 202024]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-18 486856]
"Google Update"="c:\documents and settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="c:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-27 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-20 185896]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-07-07 167936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-10 1932568]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [BU]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2009-02-09 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-11-05 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-10 18:10 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\teh_ultimate_ity\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 avgidserhr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-03-10 12552]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2008-09-14 2915944]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-10 325640]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-10 107912]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-10 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-03-10 1362784]
R2 avgidsagent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
R2 avgidswatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R3 avgfwdx;avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-03-10 29208]
R3 avgidsdriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 avgidsfilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 avgidsshim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
S2 imaewousdc;ImaeWousdc;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-03-10 29208]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-07 34064]
S3 pcistub;pcistub;\??\c:\windows\system32\pcistub.sys --> c:\windows\system32\pcistub.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - Nero BackItUp Scheduler 3
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - NMIndexingService
*Deregistered* - NVSvc
*Deregistered* - PnkBstrA
*Deregistered* - PnkBstrB
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - WudfSvc
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-299502267-839522115-1003.job
- c:\documents and settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 19:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Eddy\Application Data\Mozilla\Firefox\Profiles\697hg1i4.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Eddy\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 14:36:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\f0c26cbf-c0ff-43b3-8dde-ba6b7e02aeb0.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-299502267-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ff,8b,51,00,cd,3b,ee,c2,36,86,11,9f,69,b0,33,15,e6,2f,1f,a3,f0,a0,dc,
29,64,fd,ac,11,16,cf,4c,cd,c7,df,4e,11,b8,d1,71,1b,28,14,68,a2,51,32,64,7d,\
"??"=hex:11,cc,a5,30,bd,3a,4c,ac,38,3b,27,b8,7c,7c,86,74

[HKEY_USERS\S-1-5-21-1547161642-299502267-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:80,0f,96,87,b3,73,88,fc,34,df,b8,d6,b8,d3,4c,22,86,1d,a8,3b,83,
3e,ef,e2,35,bd,a5,56,53,6b,69,b3,ef,cd,b6,c9,5a,a1,f2,8a,3d,a8,9b,4a,94,69,\
"rkeysecu"=hex:a9,99,9e,c5,a1,49,0b,49,f2,f9,50,b9,23,28,c2,a8
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
c:\program files\MagicDisc\MagicDisc.exe
c:\program files\Xfire\Xfire.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
**************************************************************************
.
Completion time: 2009-03-25 14:40:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-25 03:40:50
ComboFix2.txt 2009-03-25 03:23:19
ComboFix3.txt 2009-03-24 07:19:56
ComboFix4.txt 2008-09-27 06:12:16

Pre-Run: 6,432,047,104 bytes free
Post-Run: 6,416,605,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

285 --- E O F --- 2009-03-05 13:01:18

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:20 AM

Posted 25 March 2009 - 07:51 PM

Hello, eddythepwner
That looks much better. How are things running?

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "Select All" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log, along with anything else requested from us, by right-clicking and choosing "Paste" (or Ctrl+V) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 eddythepwner

eddythepwner
  • Topic Starter

  • Members
  • 20 posts
  • Local time:06:20 PM

Posted 26 March 2009 - 02:00 AM

Hey Billy, the computer is loading up a little quicker now. Here is the Scanner Log.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3964 (20090326)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=e8eb7ca930c67d4db0560214a4c903a7
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-03-26 06:57:12
# local_time=2009-03-26 05:57:12 (+1000, AUS Eastern Daylight Time)
# country="Australia"
# osver=5.1.2600 NT Service Pack 2
# scanned=324687
# found=15
# scan_time=2462
C:\Documents and Settings\Eddy\My Documents\FrostWire\Saved\anything dramarama.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Eddy\My Documents\FrostWire\Saved\long distance call phoenix - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) C6DFFEC828C6764DDFAD691EEC55C0D3
C:\Qoobox\Quarantine\[4]-Submit_2009-03-25@14.12.zip a variant of Win32/TrojanDownloader.Agent.OWQ trojan (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-03-25@14.12.zip ZIP rbgv.exe a variant of Win32/TrojanDownloader.Agent.OWQ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\xccdf16_090305a.dll.vir a variant of Win32/Spy.Pophot trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\xccdf32_090305a.dll.vir a variant of Win32/Spy.Pophot.NAQ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\hs3i7jdgfd.dll.vir a variant of Win32/Kryptik.JV trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekajymnalcu.dll.vir a variant of Win32/Kryptik.KU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekapjnukvky.dll.vir a variant of Win32/Kryptik.KU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaronahrke.dll.vir a variant of Win32/Kryptik.KU trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir a variant of Win32/Adware.Coolezweb application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\w.exe.vir a variant of Win32/Adware.Coolezweb application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\__c00EB7D6.dat.vir Win32/Adware.Virtumonde.NDH application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\inf\xccdfb16_090305.dll.vir a variant of Win32/Spy.Pophot trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\gldx.exe Win32/Small.NEB trojan (unable to clean - deleted) 00000000000000000000000000000000
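
As an added example, not part of the original post and not ESET's or ComboFix's own code: a small Python parser for the scanner log format shown above, so a helper reading such a log can see at a glance which findings were already sitting in the ComboFix quarantine (C:\Qoobox\Quarantine), which were live files on the system, and which actions errored. The sample log is constructed in the same layout as the posted one; the status buckets and the treatment of an all-zero MD5 as "no digest reported" are assumptions drawn from the posted log, not documented ESET semantics.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of the ESET Online Scanner log posted above
# (not real scanner output): '#' header lines, then one finding per line as
#   <path> <detection> (<action>) <md5>
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=true
# unwanted_checked=true
# scanned=324687
# found=3
# scan_time=2462
C:\Documents and Settings\Eddy\My Documents\FrostWire\Saved\some song.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-03-25@14.12.zip ZIP rbgv.exe a variant of Win32/TrojanDownloader.Agent.OWQ trojan (error while cleaning - operation unavailable for this type of object) 00000000000000000000000000000000
C:\WINDOWS\system32\gldx.exe Win32/Small.NEB trojan (unable to clean - deleted) C6DFFEC828C6764DDFAD691EEC55C0D3
"""

# The path may contain spaces (and, for archives, the inner file name), so it is
# matched lazily up to the detection: an optional "a variant of " prefix, a
# Platform/Family.Variant token (the only token with a slash) and a category
# word. The action is parenthesised and the line ends in a 32-hex-digit MD5.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:a variant of )?\S+/\S+ \w+) "
    r"\((?P<action>[^()]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

# ComboFix keeps quarantined copies under C:\Qoobox\Quarantine; the ComboFix log
# earlier in this thread lists the same files there with a .vir suffix.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    md5: str

    @property
    def status(self) -> str:
        """Bucket the free-text action into something a triager can count
        (assumed buckets, based on the wording seen in the posted log)."""
        a = self.action.lower()
        if "error" in a:
            return "needs-attention"
        if "deleted" in a or "cleaned" in a:
            return "remediated"
        return "not-remediated"

    @property
    def in_quarantine(self) -> bool:
        return self.path.lower().startswith(QUARANTINE_PREFIX)

    @property
    def has_hash(self) -> bool:
        # Most entries in the posted log carry an all-zero MD5; treat that as
        # "no digest reported" rather than a usable indicator.
        return set(self.md5) != {"0"}


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Finding], List[str]]:
    """Return (header key/values, parsed findings, lines that did not parse)."""
    header: Dict[str, str] = {}
    findings: List[Finding] = []
    unparsed: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
        else:
            unparsed.append(line)  # keep for manual review, never drop silently
    return header, findings, unparsed


def summarize(text: str) -> dict:
    """Triage view: counts by outcome plus the paths that were live on the
    system, i.e. not already sitting in the ComboFix quarantine."""
    header, findings, unparsed = parse_eset_log(text)
    by_status = Counter(f.status for f in findings)
    return {
        "scanned": int(header.get("scanned", 0)),
        "found": int(header.get("found", 0)),
        "parsed": len(findings),
        "unparsed": len(unparsed),
        "remediated": by_status["remediated"],
        "needs_attention": by_status["needs-attention"],
        "live_paths": [f.path for f in findings if not f.in_quarantine],
        "hashes": [f.md5 for f in findings if f.has_hash],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Comparing `found` from the header against `parsed` is the quick sanity check that no line slipped past the regex; anything in `unparsed` should be read by hand. Entries whose action contains "error" (such as the nested file inside the quarantined ZIP above) are the ones worth a second look, since the scanner reported it could not act on them.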

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:20 AM

Posted 26 March 2009 - 08:53 PM

Hello, eddythepwner
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 12.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install.
In your next reply, please include the following:
  • A new DDS.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 eddythepwner

eddythepwner
  • Topic Starter

  • Members
  • 20 posts
  • Local time:06:20 PM

Posted 27 March 2009 - 04:28 AM

Hey Billy, my automatic updater hasn't detected any new updates, and the online link you gave me won't work in Internet Explorer. Here's the DDS log anyway.

Thanks.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Eddy at 20:21:13.93 on Fri 27/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1295 [GMT 11:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated)
FW: AVG Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Eddy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Eddy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "c:\program files\valve\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Google Update] "c:\documents and settings\eddy\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidSetup.exe boot
mRun: [nwiz] nwiz.exe /install
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\eddy\startm~1\programs\startup\deerhu~1.lnk - c:\program files\atari\deer hunter 2005\ATR1.EXE
StartupFolder: c:\docume~1\eddy\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\eddy\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\Xfire.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eddy\applic~1\mozilla\firefox\profiles\697hg1i4.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\eddy\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

============= SERVICES / DRIVERS ===============

R0 avgidserhr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-10 12552]
R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2008-9-14 2915944]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-10 325640]
R1 avgmfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2009-3-9 27656]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-10 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-10 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-3-10 1356616]
R2 avgidsagent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
R2 avgidswatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R3 avgfwdx;avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-3-10 29208]
R3 avgidsdriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 avgidsfilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 avgidsshim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
S2 imaewousdc;ImaeWousdc;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-3-10 29208]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-7 34064]
S3 pcistub;pcistub;\??\c:\windows\system32\pcistub.sys --> c:\windows\system32\pcistub.sys [?]

=============== Created Last 30 ================

2009-03-27 20:17 <DIR> --dsh--- c:\documents and settings\eddy\PrivacIE
2009-03-27 20:14 20 a------- c:\windows\system32\NVCPL.DLL
2009-03-27 20:14 <DIR> --dsh--- c:\documents and settings\eddy\IETldCache
2009-03-27 19:59 <DIR> -cd-h--- c:\windows\ie8
2009-03-27 18:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-26 17:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-03-25 14:30 <DIR> a-dshr-- C:\cmdcons
2009-03-22 12:25 17,196 a------- c:\windows\system32\leeppcsetup.exe
2009-03-21 09:25 41,808 a------- c:\windows\system32\xfcodec.dll
2009-03-17 18:11 <DIR> --d----- c:\documents and settings\eddy\Tracing
2009-03-17 18:10 <DIR> --d----- c:\program files\Microsoft
2009-03-17 18:09 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-17 18:05 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-15 02:13 189,072 a------- c:\windows\system32\PnkBstrB.xtr
2009-03-10 23:45 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-10 23:07 <DIR> --d----- c:\windows\system32\3361
2009-03-10 23:07 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-03-10 18:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-03-10 18:10 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-10 18:10 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-10 18:10 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-10 18:10 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-10 18:10 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-10 18:10 <DIR> --d----- c:\docume~1\eddy\applic~1\AVGTOOLBAR
2009-03-10 18:08 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-03-10 18:08 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-03-10 17:16 <DIR> --d----- c:\windows\system32\inf
2009-03-10 17:16 130,204 a------- c:\windows\system32\icv.exe
2009-03-09 21:10 <DIR> --d----- c:\program files\Empire Total War
2009-03-09 20:40 0 a------- c:\windows\system32\drivers\477b8106.sys
2009-03-09 20:40 2 a------- C:\-669487300
2009-03-08 14:22 49,152 -------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 2,560 -------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 4,096 -------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 81,920 -------- c:\windows\system32\iedkcs32.dll.mui
2009-03-08 13:06 268 a---h--- C:\sqmdata11.sqm
2009-03-08 13:06 244 a---h--- C:\sqmnoopt11.sqm
2009-03-02 16:54 230,912 a------- c:\windows\system32\CNMLM9H.DLL
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys

==================== Find3M ====================

2009-03-27 18:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 16:05 78,183 a------- c:\windows\War3Unin.dat
2009-03-15 02:13 189,072 a------- c:\windows\system32\PnkBstrB.exe
2009-03-15 01:51 138,920 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-15 01:51 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-03-09 20:40 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-02-05 10:54 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-01-16 18:24 70,936 a------- c:\windows\system32\PhysXLoader.dll
2009-01-07 18:21 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-01-07 18:20 24,576 a------- c:\windows\system32\nlsdl.dll
2009-01-07 18:20 26,112 a------- c:\windows\system32\idndl.dll
2009-01-07 18:20 23,552 a------- c:\windows\system32\normaliz.dll
2009-01-07 18:20 265,720 a------- c:\windows\system32\msdbg2.dll
2008-10-31 17:56 22,328 a------- c:\docume~1\eddy\applic~1\PnkBstrK.sys
2008-03-05 12:35 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-01-26 03:33 47,360 a------- c:\docume~1\eddy\applic~1\pcouffin.sys

============= FINISH: 20:22:19.50 ===============

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:20 AM

Posted 27 March 2009 - 11:38 PM

Hello, eddythepwner

My automatic updater hasn't detected any new updates

That's likely because you're an entire service pack behind. You're wide open to this Conficker thing going around. Not a good situation to be in.

Please try manually installing SP3 from here: http://www.microsoft.com/downloads/details...;displaylang=en

"the online link you gave me won't work in Internet Explorer."
It's designed only to work in Internet Explorer. Does it give you an error message? Does the browser hang? What about it "does not work"?

Billy3

Edited by Billy O'Neal, 27 March 2009 - 11:39 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#13 eddythepwner

eddythepwner
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 28 March 2009 - 02:38 AM

Hey Billy,
Sorry for the lack of detail, I get an error message saying "The website has encountered a problem and cannot display the page you are trying to view."
I got the newest IE but it still failed to display the page. Also, the manual SP3 install gave me an error message saying that the setup cannot launch. This was after backups and restore points were made. Once I was told it couldn't launch the SP3 installer, it undid all changes made and rebooted the computer.

Edited by eddythepwner, 28 March 2009 - 03:16 AM.


#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:12:20 AM

Posted 28 March 2009 - 02:43 PM

Hello, eddythepwner
Please run DialAFix and try the SP3 installer again.

We need to repair some of windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box.
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
  • When the window looks like that, press the GO button in the bottom of the window.
  • Exit/Close Dial-A-Fix
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 eddythepwner

eddythepwner
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:06:20 PM

Posted 29 March 2009 - 01:40 AM

Hey Billy, I ran the Dial-a-Fix, but before I try re-installing SP3 I thought I should show you this list of error messages I got from Dial-a-Fix.

Error 127: C:\Windows\system32\iesetup.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLinstall-able or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\imgutil.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\inseng.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\inseng.dll is not DLLinstall-able or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\mshtml.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\mshtml.dll is not DLLinstall-able or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\msrating.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\occache.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\occache.dll is not DLLinstall-abl or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\pngfilt is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\webcheck.dll is not registerable or the file is corrupted. Your versions of iesetup is : 8.00.6001.18702.
Error 127: C:\Windows\system32\webcheck.dll is not DLLinstall-able or the file is corrupted. Your versions of iesetup is : 8.00.6001.18702.

Just wanted to see if that will affect the install. Thanks
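Worked example added here by the editor; it is not code from either poster or from Dial-a-Fix or DDS. The script parses Dial-a-Fix "Error 127" lines like the ones in the post above together with file lines from the "Created Last 30" and "Find3M" sections of the DDS log earlier in the thread, then joins the two by file name. That lets a responder see, for every DLL that failed to register, how many of the two registration calls failed and whether the same module (or its .mui resource file) was modified recently. In this thread's log the matching IE files all carry a 2009-03-08 timestamp. The sample input is copied from the thread; the function names, the "register"/"dllinstall" labels and the .mui and missing-extension normalisation are the editor's assumptions.

```python
"""Cross-reference Dial-a-Fix registration errors with DDS file listings (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Dial-a-Fix error line, e.g.
# Error 127: C:\Windows\system32\iesetup.dll is not registerable or the file is corrupt. ...
DAF_RE = re.compile(
    r"^Error (?P<code>\d+): (?P<path>\S+) is not (?P<kind>\S+) or the file is corrupt",
    re.IGNORECASE,
)

# DDS file line, e.g.
# 2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S{8})\s+(?P<path>.+)$"
)


@dataclass
class DdsEntry:
    when: datetime
    size: int            # -1 for <DIR> entries
    attrs: str
    path: str


@dataclass
class RegFailure:
    code: int
    path: str
    kinds: List[str] = field(default_factory=list)      # "register" or "dllinstall"
    recent: List[DdsEntry] = field(default_factory=list)  # DDS entries for the same module


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _normalize_kind(kind: str) -> str:
    # Dial-a-Fix writes "registerable" and "DLLinstall-able" (one line has the typo "DLLinstall-abl").
    return "dllinstall" if kind.lower().startswith("dllinstall") else "register"


def parse_dds_files(lines) -> List[DdsEntry]:
    """Parse the file lines of a DDS 'Created Last 30' / 'Find3M' section; other lines are skipped."""
    out = []
    for line in lines:
        m = DDS_RE.match(line.strip())
        if not m:
            continue
        size = -1 if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        out.append(DdsEntry(when, size, m["attrs"], m["path"]))
    return out


def correlate(daf_lines, dds_lines) -> Dict[str, RegFailure]:
    """Map each failing module name to its failure kinds and the DDS entries for that module."""
    by_name = defaultdict(list)
    for e in parse_dds_files(dds_lines):
        name = _basename(e.path)
        if name.endswith(".mui"):          # assumption: treat msrating.dll.mui as belonging to msrating.dll
            name = name[:-4]
        by_name[name].append(e)

    result: Dict[str, RegFailure] = {}
    for line in daf_lines:
        m = DAF_RE.match(line.strip())
        if not m:
            continue
        name = _basename(m["path"])
        if "." not in name:                # assumption: "pngfilt" is pngfilt.dll written without its extension
            name += ".dll"
        failure = result.setdefault(name, RegFailure(int(m["code"]), m["path"]))
        failure.kinds.append(_normalize_kind(m["kind"]))
        failure.recent = sorted(by_name.get(name, []), key=lambda e: e.when, reverse=True)
    return result


def summarize(result: Dict[str, RegFailure]) -> List[str]:
    """One human-readable line per failing module."""
    lines = []
    for name, f in sorted(result.items()):
        dates = ", ".join(e.when.strftime("%Y-%m-%d %H:%M") for e in f.recent) or "no recent DDS entry"
        lines.append(f"{name}: error {f.code}, failed {'+'.join(f.kinds)}; modified {dates}")
    return lines


# Constructed sample input, copied from the thread (a subset of the lines shown).
DIAL_A_FIX_ERRORS = [
    r"Error 127: C:\Windows\system32\iesetup.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\WINDOWS\system32\iesetup.dll is not DLLinstall-able or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\Windows\system32\imgutil.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\Windows\system32\mshtml.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\Windows\system32\msrating.dll is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\Windows\system32\occache.dll is not DLLinstall-abl or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\Windows\system32\pngfilt is not registerable or the file is corrupt. Your versions of iesetup is : 8.00.6001.18702.",
    r"Error 127: C:\Windows\system32\webcheck.dll is not registerable or the file is corrupted. Your versions of iesetup is : 8.00.6001.18702.",
]
DDS_LINES = [
    r"2009-03-08 14:22 49,152 -------- c:\windows\system32\msrating.dll.mui",
    r"2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll",
    r"2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll",
    r"2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll",
    r"2009-03-27 19:59 <DIR> -cd-h--- c:\windows\ie8",
    r"============= FINISH: 20:22:19.50 ===============",
]

if __name__ == "__main__":
    for line in summarize(correlate(DIAL_A_FIX_ERRORS, DDS_LINES)):
        print(line)
```

Run it as-is and each failing module is listed with the registration calls that failed and the matching DDS timestamps; modules with no DDS entry in the supplied sections are reported as such rather than dropped, so the absence is visible too.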



