Google redirected, security programs won't run, etc

71 replies to this topic

#1 bwoodwth

  • Members

Posted 29 March 2009 - 12:45 AM

Referred here from: http://www.bleepingcomputer.com/forums/t/211713/google-redirected-spybot-wont-start-startup-problems-moved/ ~ OB

Was directed to move this from the "Am I Infected" Forum. Below is a brief history and the RSIT log.
Some of the major problems:
1. Redirects everything from Google or Yahoo search
2. Spybot, MBAM, HJT/DSS and others won't run and can't download due to being redirected. Also won't run even when copied onto the computer.
3. Can't delete or update AVG (error refers to a registry issue); I believe this is related to admin/std user rights.
4. Get error "application or dll C:\windows\system32\digeste.dll is not a valid windows image"
5. Will not allow Windows Updates.
6. Sometimes won't fully boot up

I tried the Prep Guide as directed on the "Am I Infected" Forum but was unable to get DDS to run. I was then directed to run RSIT. It ran, and the log is below, but it would not allow HijackThis to download. Thanks for any help.


Logfile of random's system information tool 1.06 (written by random/random)
Run by David at 2009-03-28 12:59:34
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 52 GB (71%) free of 73 GB
Total RAM: 510 MB (50% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\hikgjrmo.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72FAE0C3-8FDC-4B41-9D50-2657C7847722}]
C:\WINDOWS\system32\xxyyWMDU.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5BF4552-94F1-42BD-F434-3604812C807D}]
C:\WINDOWS\system32\gsdrgfdrrgnd.dll - C:\WINDOWS\system32\gsdrgfdrrgnd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E0357A18-C821-4072-89E0-C9B9F84FDCF4}]
C:\WINDOWS\system32\urqPiHyA.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{DE9C389F-3316-41A7-809B-AA305ED9D922}
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - []
{A057A204-BACC-4D26-9990-79A187E2698E} - AVG Security Toolbar - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP []
"AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe -atboottime []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-01-01 136600]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe /min []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"=C:\Program Files\AIM\aim.exe -cnetwait.odl []
"Spyware Doctor"=C:\Program Files\Spyware Doctor\swdoctor.exe /Q []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe []
"Uniblue RegistryBooster 2"=C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
C:\Program Files\CCleaner\ccleaner.exe [2008-10-23 1336560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe /startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch]
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\filecroc]
C:\Program Files\FileCroc\FileCroc.exe -h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148677974\ee\AOLSoftware.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe [2003-09-03 221184]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaGateway]
C:\Program Files\MediaGateway\MediaGateway.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Notification Utility]
C:\Program Files\altpayV2\altpayV2.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
Rundll32 P17.dll,P17Helper []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
C:\Program Files\PC Tools AntiVirus\PCTAV.exe /MONITORSCAN []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_SoRefRegSoAlertWxLiteNnAj]
rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~1\soproc.exe -pack SoRefRegSoAlertWxLiteNnAj []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\Program Files\Spyware Doctor\swdoctor.exe /Q []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareTerminator]
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\stratas]
lockx.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe [2005-03-04 36975]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~2.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
C:\Program Files\America Online 9.0\aoltray.exe -check []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MICROS~4\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MTV Networks Video Optimizer.lnk]
C:\PROGRA~1\MTVNET~1\VOpt\MTVOPT~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
C:\PROGRA~1\INTERM~1\SPYSUB~1\SpySub.exe -autostart []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
C:\PROGRA~1\WinZip\WZQKPICK.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^BitTorrent.lnk]
C:\PROGRA~1\BITTOR~2\BITTOR~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
C:\PROGRA~1\LimeWire\LimeWire.exe -startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^MP3 Downloads (silent).lnk]
C:\PROGRA~1\MP3DOW~1\MP3DOW~2.EXE []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5e]
reset5e.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
C:\WINDOWS\system32\WRLogonNTF.dll [2006-10-20 209408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
gVJIMOdxrp - {163E6B09-245A-4803-8DF2-5517F4CCF02A} - C:\WINDOWS\system32\lanmlxhvgye.dll [2009-02-16 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\xxyyWMDU
"notification packages"=
scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Music Planet\Main.exe"="C:\Program Files\Music Planet\Main.exe:*:Disabled:LaunchAnywhere GUI"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\AIM\AIM95_c0\aim.exe"="C:\Program Files\AIM\AIM95_c0\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\AIM\AIM95_c1\aim.exe"="C:\Program Files\AIM\AIM95_c1\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\AIM\AIM95_c2\aim.exe"="C:\Program Files\AIM\AIM95_c2\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\BearShare\BearShare.exe"="C:\Program Files\BearShare\BearShare.exe:*:Disabled:BearShare"
"C:\Program Files\FileCroc\FileCroc.exe"="C:\Program Files\FileCroc\FileCroc.exe:*:Disabled:FileCroc"
"C:\Documents and Settings\Daniel\Desktop\My Music\FileCroc\FileCroc.exe"="C:\Documents and Settings\Daniel\Desktop\My Music\FileCroc\FileCroc.exe:*:Disabled:FileCroc"
"C:\Program Files\iMesh\iMesh5\iMesh.exe"="C:\Program Files\iMesh\iMesh5\iMesh.exe:*:Disabled:iMesh 5"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\Program Files\LimeWire Download Client\LimeWireClient.exe"="C:\Program Files\LimeWire Download Client\LimeWireClient.exe:*:Disabled:LimeWireClient"
"C:\Program Files\MP3 Search And Play\MP3P2P.exe"="C:\Program Files\MP3 Search And Play\MP3P2P.exe:*:Disabled:MP3P2P"
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Disabled:SoulSeek Client"
"C:\Program Files\Turbo Torrent\ttorrent.exe"="C:\Program Files\Turbo Torrent\ttorrent.exe:*:Disabled:ttorrent"
"C:\Program Files\WinMX\WinMX.exe"="C:\Program Files\WinMX\WinMX.exe:*:Disabled:WinMX Application"
"C:\Program Files\AIM\AIM95_c3\aim.exe"="C:\Program Files\AIM\AIM95_c3\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Common Files\AOL\1132928138\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1132928138\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1132928138\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1132928138\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\BitComet\BitComet.exe"="C:\Program Files\BitComet\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\Program Files\Common Files\AOL\1144177529\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1144177529\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1144177529\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1144177529\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Common Files\AOL\1144351054\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1144351054\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1144351054\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1144351054\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Common Files\AOL\1144351679\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1144351679\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1144351679\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1144351679\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Common Files\AOL\1148677974\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1148677974\ee\aolsoftware.exe:*:Enabled:AOL Services"
"C:\Program Files\Common Files\AOL\1148677974\ee\aim6.exe"="C:\Program Files\Common Files\AOL\1148677974\ee\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.5.0_02\bin\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe"="C:\Program Files\Java\jre1.6.0_02\bin\javaw.exe:*:Enabled:Java™ Platform SE binary"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent"
"C:\Program Files\BitTorrent\btdownloadgui.exe"="C:\Program Files\BitTorrent\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Disabled:btdownloadgui"
"C:\Program Files\Morpheus\Morpheus.exe"="C:\Program Files\Morpheus\Morpheus.exe:*:Disabled:Morpheus"
"C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\DUV5LNZR\utorrent[1].exe"="C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\DUV5LNZR\utorrent[1].exe:*:Disabled:utorrent[1]"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Disabled:µTorrent"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Disabled:FrostWire"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\Program Files\V CAST Music with Rhapsody\rhapsody.exe"="C:\Program Files\V CAST Music with Rhapsody\rhapsody.exe:*:Enabled:Rhapsody Media Player"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======File associations======

.txt - open - Notepad.exe %1

======List of files/folders created in the last 1 months======

2009-03-28 12:59:35 ----D---- C:\Program Files\trend micro
2009-03-28 12:59:34 ----D---- C:\rsit
2009-03-28 10:00:17 ----D---- C:\WINDOWS\LastGood
2009-03-21 01:42:42 ----D---- C:\Program Files\Symantec AntiVirus
2009-03-21 01:42:06 ----A---- C:\WINDOWS\VPC32.INI
2009-03-15 22:29:58 ----D---- C:\WINDOWS\system32\MpEngineStore
2009-03-15 22:11:17 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-15 22:11:09 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-15 22:10:53 ----HDC---- C:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-15 21:53:18 ----DC---- C:\Documents and Settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-15 21:28:15 ----D---- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2009-03-15 21:23:20 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-03-15 19:11:04 ----D---- C:\Program Files\Yahoo!
2009-03-14 15:24:13 ----A---- C:\WINDOWS\system32\b4be2783-65de-c289-8445-5cfbb3a35c8b.exe
2009-03-14 15:24:00 ----A---- C:\WINDOWS\system32\pdvfbjcebpirszx.exe
2009-03-14 12:45:16 ----A---- C:\WINDOWS\system32\hhrmjter.dll
2009-03-13 20:02:46 ----ASH---- C:\WINDOWS\system32\bqjhxphj.ini
2009-03-13 20:02:45 ----A---- C:\WINDOWS\system32\jhpxhjqb.dll
2009-03-13 20:02:38 ----A---- C:\WINDOWS\system32\oonflexr.dll
2009-03-11 18:52:54 ----SH---- C:\WINDOWS\system32\iqjnbxxs.ini
2009-03-11 18:52:54 ----N---- C:\WINDOWS\system32\sxxbnjqi.dll
2009-03-11 18:52:48 ----A---- C:\WINDOWS\system32\owgccbmp.dll
2009-03-08 22:43:55 ----A---- C:\WINDOWS\system32\tanipjma.dll
2009-03-08 22:43:49 ----ASH---- C:\WINDOWS\system32\cxxvtxvv.ini
2009-03-08 22:43:49 ----A---- C:\WINDOWS\system32\vvxtvxxc.dll
2009-03-04 09:03:16 ----A---- C:\WINDOWS\system32\nsa9.dll

======List of files/folders modified in the last 1 months======

2009-03-28 12:59:35 ----D---- C:\Program Files
2009-03-28 10:00:39 ----HD---- C:\WINDOWS\inf
2009-03-28 10:00:36 ----SHD---- C:\WINDOWS\Installer
2009-03-28 10:00:36 ----D---- C:\Config.Msi
2009-03-28 10:00:17 ----D---- C:\WINDOWS
2009-03-28 10:00:16 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-27 22:26:33 ----D---- C:\WINDOWS\Temp
2009-03-25 22:11:07 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-25 21:57:35 ----D---- C:\WINDOWS\network diagnostic
2009-03-24 02:00:03 ----D---- C:\WINDOWS\Prefetch
2009-03-21 01:41:19 ----D---- C:\WINDOWS\Debug
2009-03-20 23:29:20 ----SD---- C:\Documents and Settings\David\Application Data\Microsoft
2009-03-16 20:43:17 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-16 19:52:46 ----D---- C:\WINDOWS\system32
2009-03-15 22:29:59 ----A---- C:\WINDOWS\system32\MRT.INI
2009-03-15 22:29:58 ----D---- C:\WINDOWS\system32\drivers
2009-03-15 22:29:40 ----SD---- C:\WINDOWS\Tasks
2009-03-15 22:11:16 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-15 22:11:11 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-03-15 21:53:10 ----SH---- C:\WINDOWS\system32\jcbfjuuw.ini
2009-03-15 21:29:14 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-15 19:50:00 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-15 19:42:15 ----D---- C:\Program Files\Google
2009-03-15 19:37:48 ----SHD---- C:\RECYCLER
2009-03-15 19:35:50 ----D---- C:\Program Files\Viewpoint
2009-03-15 19:35:36 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2009-03-15 19:12:18 ----D---- C:\Program Files\CCleaner
2009-03-15 18:51:48 ----D---- C:\WINDOWS\system
2009-03-15 18:51:47 ----D---- C:\Documents and Settings\All Users\Application Data\AVG7
2009-03-15 18:46:51 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-15 18:01:20 ----D---- C:\WINDOWS\system32\Macromed
2009-03-15 17:54:03 ----A---- C:\WINDOWS\vmreg.dll
2009-03-15 17:54:03 ----A---- C:\WINDOWS\sysexplorer.exe
2009-03-15 17:54:03 ----A---- C:\WINDOWS\syscert.exe
2009-03-15 17:54:03 ----A---- C:\WINDOWS\sys.com
2009-03-15 17:54:03 ----A---- C:\WINDOWS\spoolsystem.exe
2009-03-15 17:54:03 ----A---- C:\WINDOWS\reged.exe
2009-03-14 15:23:57 ----D---- C:\Program Files\GetModule
2009-03-14 13:28:47 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-14 12:45:10 ----ASH---- C:\WINDOWS\system32\UDMWyyxx.ini
2009-03-14 12:45:09 ----A---- C:\WINDOWS\system32\7fc72eec-.txt
2009-03-14 12:44:05 ----ASH---- C:\WINDOWS\system32\UDMWyyxx.ini2
2009-03-11 18:52:45 ----ASH---- C:\WINDOWS\system32\debakpnh.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-04-03 4224]
R1 AvgClean;AVG Clean Driver; C:\WINDOWS\system32\drivers\avgclean.sys [2007-12-21 10760]
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 sdcplh;sdcplh; C:\WINDOWS\System32\drivers\sdcplh.sys [2005-09-13 40576]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 AvgTdi;AVG Network Redirector; \??\C:\WINDOWS\System32\Drivers\avgtdi.sys []
R2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys [2007-10-07 8413]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2004-08-04 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2004-08-04 55936]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R2 SbcpHid;SbcpHid; \??\C:\WINDOWS\system32\Drivers\SbcpHid.sys []
R2 SVKP;SVKP; \??\C:\WINDOWS\system32\SVKP.sys []
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys [2003-09-22 130192]
R3 E100B;Intel® PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 IntelC51;IntelC51; C:\WINDOWS\system32\DRIVERS\IntelC51.sys [2004-03-06 1233525]
R3 IntelC52;IntelC52; C:\WINDOWS\system32\DRIVERS\IntelC52.sys [2004-03-06 647929]
R3 IntelC53;IntelC53; C:\WINDOWS\system32\DRIVERS\IntelC53.sys [2004-06-16 61157]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mohfilt;mohfilt; C:\WINDOWS\system32\DRIVERS\mohfilt.sys [2004-03-06 37048]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\DRIVERS\ctoss2k.sys [2003-09-22 178672]
R3 P17;Sound Blaster Live! 24-bit; C:\WINDOWS\system32\drivers\P17.sys [2004-06-09 840960]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-12-06 10368]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys []
S1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-23 821856]
S1 Avg7RsXP;AVG7 Rezident Driver; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-04-03 27776]
S2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
S3 59da0368-445d-40af-b68a-db6eb45fcfee;59da0368-445d-40af-b68a-db6eb45fcfee; \??\D:\CDS300\cds300.dll []
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 cdrmkaun;cdrmkaun; \??\C:\DOCUME~1\Daniel\LOCALS~1\Temp\cdrmkaun.sys []
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 KLIF;KLIF; \??\C:\PROGRA~1\PCTOOL~1\KLIF.SYS []
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 23680]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
S3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050921.017\NAVENG.sys []
S3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050921.017\NAVEX15.sys []
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\SCFIDS~1\20050720.010\symidsco.sys []
S3 TSP;TSP; \??\C:\PROGRA~1\PCTOOL~1\KLIF.SYS []
S3 usbcm;USB Cable Modem 351000 NDIS Driver; C:\WINDOWS\system32\DRIVERS\usbcm.sys [2002-04-11 13335]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-04 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe []
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe []
R2 CCALib8;Canon Camera Access Library 8; C:\Program Files\Canon\CAL\CALMAIN.exe []
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.EXE [1999-12-13 44032]
R2 Iomega App Services;Iomega App Services; C:\PROGRA~1\Iomega\System32\AppServices.exe [2005-05-16 77907]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-01-01 152984]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINDOWS\system32\MsPMSPSv.exe [2000-06-26 53520]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe []
S2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe []
S2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe []
S2 CWShredder Service;CWShredder Service; C:\Documents and Settings\Daniel\Desktop\CWShredder.exe service []
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe []
S2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2003-12-17 143360]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S4 Iomega Activity Disk2;Iomega Activity Disk2; []

-----------------EOF-----------------

Edited by Orange Blossom, 29 March 2009 - 01:00 AM.



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:10 AM

Posted 29 March 2009 - 05:23 PM

Hello bwoodwth,

This computer is quite a mess.

Navigate to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe using My Computer or Windows Explorer and right-click on the HijackThis.exe file.
Select the Rename option from the right-click menu and rename HijackThis.exe to fluffybunny.exe and press Enter
Scan with HijackThis (fluffybunny.exe) again and post a new HijackThis log.


Download Security Check by screen317 from here or here and save it to your Desktop.
Unzip SecurityCheck.zip and a folder named Security Check should appear.
Open the Security Check folder and double-click Security Check.bat
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Download Lop S&D
Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D.
To see how to disable security programs visit this tutorial:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

You can enable them after the scan.

You can find detailed instructions with visuals here

Double-click Lop S&D.exe

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Edited by SifuMike, 29 March 2009 - 05:28 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bwoodwth

bwoodwth
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  •  
  • Local time:12:10 PM

Posted 31 March 2009 - 09:46 PM

I had to download these files to my computer and then transfer to the infected computer since I can't get to any websites due to being redirected etc. But I think I finally accomplished what you requested. Tried to disable all anti-virus/firewall but Avira file will not let me access it and it is not in the system tray. Not really sure if Avira came on the computer, was added, or why it is the antivirus being used, I normally use Symantec or AVG. Thanks

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:01 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\trend micro\fluffybunny.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {72FAE0C3-8FDC-4B41-9D50-2657C7847722} - C:\WINDOWS\system32\xxyyWMDU.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\gsdrgfdrrgnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O2 - BHO: (no name) - {E0357A18-C821-4072-89E0-C9B9F84FDCF4} - C:\WINDOWS\system32\urqPiHyA.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [stratas]
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - http://www.mtv.com/overdrive/bin/setup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...432/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: reset5e - reset5e.dll (file missing)
O21 - SSODL: gVJIMOdxrp - {163E6B09-245A-4803-8DF2-5517F4CCF02A} - lanmlxhvgye.dll (file missing)
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Daniel\Desktop\CWShredder.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 8958 bytes


Security Check Log:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Disabled!
AviraAntiVirPersonal-FreeAntivirus
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Out of date Spybot installed!
Ad-Aware
Spybot - Search & Destroy 1.4
Windows Defender
HijackThis 2.0.2
CCleaner (remove only)
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_06
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

Windows Defender MsMpEng.exe is disabled!
Windows Defender MSASCui.exe is disabled!
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Avira Antivir avguard.exe
Spybot SDHelper is disabled!
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 18 seconds.
`````````End of Log```````````



Lop S&D Log:

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 2
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.00GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A02
USER : David ( Administrator )
BOOT : Normal boot
Antivirus : Avira AntiVir PersonalEdition 8.0.1.30 (Activated)
C:\ (Local Disk) - NTFS - Total:71 Go (Free:50 Go)
D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
E:\ (CD or DVD)
F:\ (USB) - FAT - Total:122 Mo (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Tue 03/31/2009|22:10 )

--------------------\\ Listing folders in APPLIC~1

[02/19/2005|11:37] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Creative
[01/08/2006|10:51] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Gtek
[01/04/2006|10:54] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft


[02/19/2005|11:37] C:\DOCUME~1\ADMINI~1.000\APPLIC~1\<DIR> Creative
[02/19/2005|11:29] C:\DOCUME~1\ADMINI~1.000\APPLIC~1\<DIR> Gtek
[01/04/2006|10:54] C:\DOCUME~1\ADMINI~1.000\APPLIC~1\<DIR> Microsoft
[02/19/2005|11:23] C:\DOCUME~1\ADMINI~1.000\APPLIC~1\<DIR> Sun

[03/15/2009|09:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
[03/09/2007|05:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[06/08/2008|12:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[06/08/2008|01:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[12/14/2006|08:15] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[12/25/2006|11:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[03/15/2009|06:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AVG7
[03/15/2009|06:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> avg8
[01/25/2009|11:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira
[08/06/2007|05:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Azureus
[02/19/2005|11:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink
[01/07/2006|11:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Grisoft
[02/28/2005|09:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Grisoft(2)
[07/26/2005|05:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[02/19/2005|11:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[04/24/2005|10:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee.com
[03/28/2007|09:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[06/21/2005|04:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[08/10/2004|03:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[03/15/2009|09:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[12/14/2006|06:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spyware Terminator
[01/04/2006|10:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[01/04/2006|10:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[03/15/2009|07:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[09/11/2005|01:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[12/23/2008|02:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ZoomBrowser

[12/27/2007|11:46] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Adobe
[07/20/2007|11:36] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> AdobeUM
[11/02/2007|04:38] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Aim
[06/03/2008|12:31] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> AVG7
[05/04/2008|11:02] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> AVGTOOLBAR
[05/20/2008|10:33] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Azureus
[02/20/2007|11:55] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Creative
[12/11/2006|10:03] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> DivX
[11/21/2007|06:23] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> FrostWire
[12/11/2006|05:17] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Google
[02/19/2005|11:29] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Gtek
[12/20/2006|11:48] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Help
[12/13/2006|11:59] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Lavasoft
[02/12/2007|09:01] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Macromedia
[01/11/2008|05:41] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Microsoft
[04/29/2008|06:10] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Mozilla
[01/27/2007|12:00] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> MP3Downloads
[11/21/2007|07:17] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> MP3Rocket
[02/17/2007|01:52] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Real
[02/19/2005|11:23] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Sun
[01/11/2007|12:19] C:\DOCUME~1\Daniel\APPLIC~1\<DIR> Viewpoint

[02/19/2005|11:37] C:\DOCUME~1\DANIEL~1.EUB\APPLIC~1\<DIR> Creative
[02/19/2005|11:29] C:\DOCUME~1\DANIEL~1.EUB\APPLIC~1\<DIR> Gtek
[12/09/2006|08:51] C:\DOCUME~1\DANIEL~1.EUB\APPLIC~1\<DIR> Lavasoft
[12/09/2006|08:48] C:\DOCUME~1\DANIEL~1.EUB\APPLIC~1\<DIR> Macromedia
[12/09/2006|10:24] C:\DOCUME~1\DANIEL~1.EUB\APPLIC~1\<DIR> Microsoft


[12/30/2005|11:57] C:\DOCUME~1\David\APPLIC~1\<DIR> .bittorrent
[06/08/2008|12:08] C:\DOCUME~1\David\APPLIC~1\<DIR> Adobe
[01/17/2007|12:48] C:\DOCUME~1\David\APPLIC~1\<DIR> AdobeUM
[01/04/2006|10:54] C:\DOCUME~1\David\APPLIC~1\<DIR> Aim
[01/08/2006|10:53] C:\DOCUME~1\David\APPLIC~1\<DIR> AVG7
[06/08/2008|12:35] C:\DOCUME~1\David\APPLIC~1\<DIR> AVGTOOLBAR
[02/19/2005|11:37] C:\DOCUME~1\David\APPLIC~1\<DIR> Creative
[11/08/2006|10:52] C:\DOCUME~1\David\APPLIC~1\<DIR> Google
[02/19/2005|11:29] C:\DOCUME~1\David\APPLIC~1\<DIR> Gtek
[07/30/2007|11:06] C:\DOCUME~1\David\APPLIC~1\<DIR> Lavasoft
[06/04/2005|07:52] C:\DOCUME~1\David\APPLIC~1\<DIR> Macromedia
[02/23/2005|09:49] C:\DOCUME~1\David\APPLIC~1\<DIR> McAfee.com Personal Firewall
[03/20/2009|11:29] C:\DOCUME~1\David\APPLIC~1\<DIR> Microsoft
[02/16/2009|12:15] C:\DOCUME~1\David\APPLIC~1\<DIR> Real
[02/19/2005|11:23] C:\DOCUME~1\David\APPLIC~1\<DIR> Sun
[02/16/2009|02:14] C:\DOCUME~1\David\APPLIC~1\<DIR> Uniblue

[02/19/2005|11:37] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Creative
[02/19/2005|11:29] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Gtek
[01/04/2006|10:54] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[02/19/2005|11:23] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun

[02/11/2009|10:53] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> AVG7
[11/11/2007|10:14] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Google
[02/22/2005|07:26] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> McAfee.com Personal Firewall
[03/15/2009|06:51] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[03/22/2008|09:14] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Mozilla

[09/26/2007|08:00] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> AVG7
[03/15/2009|06:51] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[01/02/2006|10:07] C:\DOCUME~1\Owner\APPLIC~1\<DIR> Creative

[03/28/2005|12:07] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Aim
[01/04/2006|10:54] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> AVG7
[05/06/2005|02:53] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Corel
[02/19/2005|11:37] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Creative
[02/19/2005|11:29] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Gtek
[05/07/2005|09:11] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Macromedia
[03/29/2005|10:47] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> McAfee.com Personal Firewall
[01/04/2006|10:54] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Microsoft
[04/29/2005|04:33] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Real
[02/19/2005|11:23] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Sun
[04/21/2005|03:06] C:\DOCUME~1\Taylor\APPLIC~1\<DIR> Webroot

[12/14/2006|08:16] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> acccore
[12/28/2007|11:42] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Adobe
[06/29/2008|06:24] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> AdobeUM
[07/24/2006|05:41] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Aim
[01/13/2007|12:18] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Apple Computer
[12/25/2006|11:30] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> ArcSoft
[06/08/2008|12:18] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> AVG7
[12/27/2006|04:30] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Azureus
[12/23/2008|03:38] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> CameraWindowDC
[12/23/2008|03:15] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> CANON INC
[08/01/2006|12:16] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Creative
[01/12/2007|08:29] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> DivX
[09/17/2006|10:26] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Google
[02/19/2005|11:29] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Gtek
[07/27/2006|12:50] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Help
[10/07/2007|06:32] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Lavasoft
[04/22/2008|09:56] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> LimeWire
[08/06/2006|12:34] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Macromedia
[10/24/2007|07:33] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Microsoft
[08/27/2008|08:31] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Mozilla
[10/07/2007|09:56] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Real
[02/19/2005|11:23] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Sun
[08/27/2008|08:17] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Thunderbird
[01/11/2007|04:01] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> Viewpoint
[09/14/2008|03:46] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> WinRAR
[12/23/2008|03:43] C:\DOCUME~1\TAYLOR~1.EUB\APPLIC~1\<DIR> ZoomBrowser EX

[02/18/2009|11:51] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Adobe
[02/16/2009|10:23] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> AVG7
[02/19/2005|11:37] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Creative
[02/19/2005|11:29] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Gtek
[02/16/2009|10:39] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Lavasoft
[03/15/2009|06:51] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Microsoft
[02/19/2009|08:13] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Real
[02/19/2005|11:23] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> Sun
[02/16/2009|10:27] C:\DOCUME~1\TAYLOR~1.000\APPLIC~1\<DIR> WinRAR


--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[03/31/2009 10:00 PM][--a------] C:\WINDOWS\tasks\hikgjrmo.job
[03/31/2009 09:50 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 07:00 AM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[02/16/2009|10:28] C:\Program Files\<DIR> Ad-Aware SE Personal
[04/22/2007|10:34] C:\Program Files\<DIR> Adobe
[04/30/2008|05:09] C:\Program Files\<DIR> AIM
[06/08/2008|12:08] C:\Program Files\<DIR> AIM Search
[06/08/2008|01:02] C:\Program Files\<DIR> AIM6
[10/20/2007|09:51] C:\Program Files\<DIR> AOD
[06/08/2008|11:17] C:\Program Files\<DIR> AOL
[01/25/2009|11:40] C:\Program Files\<DIR> Avira
[05/20/2008|04:53] C:\Program Files\<DIR> Azureus
[06/08/2008|12:07] C:\Program Files\<DIR> Azureus2
[12/23/2008|02:50] C:\Program Files\<DIR> Canon
[03/15/2009|07:12] C:\Program Files\<DIR> CCleaner
[10/08/2007|11:26] C:\Program Files\<DIR> CitrixWire
[02/16/2009|12:16] C:\Program Files\<DIR> Common Files
[06/08/2008|12:08] C:\Program Files\<DIR> Creative
[02/19/2005|11:25] C:\Program Files\<DIR> Dell
[02/19/2005|11:31] C:\Program Files\<DIR> Dell Inc
[10/07/2007|12:18] C:\Program Files\<DIR> Dell Support
[04/29/2008|04:15] C:\Program Files\<DIR> DivX
[02/19/2005|11:35] C:\Program Files\<DIR> EarthLink Setup
[08/19/2006|05:11] C:\Program Files\<DIR> Electronic Arts
[03/14/2009|03:23] C:\Program Files\<DIR> GetModule
[03/15/2009|07:42] C:\Program Files\<DIR> Google
[01/24/2009|07:23] C:\Program Files\<DIR> iCheck
[05/18/2005|07:26] C:\Program Files\<DIR> Image-Line
[11/01/2008|09:39] C:\Program Files\<DIR> InstallShield Installation Information
[01/04/2006|10:54] C:\Program Files\<DIR> Intel
[12/23/2008|02:45] C:\Program Files\<DIR> Internet Explorer
[11/27/2006|06:41] C:\Program Files\<DIR> Iomega
[11/26/2006|10:15] C:\Program Files\<DIR> Iomega HotBurn Pro
[12/24/2006|01:26] C:\Program Files\<DIR> IrfanView
[02/19/2005|11:30] C:\Program Files\<DIR> Jasc Software Inc
[01/01/2009|11:28] C:\Program Files\<DIR> Java
[06/22/2005|01:50] C:\Program Files\<DIR> Lavasoft
[09/14/2008|02:10] C:\Program Files\<DIR> Messenger
[09/21/2005|07:53] C:\Program Files\<DIR> Microsoft ActiveSync
[08/27/2005|09:00] C:\Program Files\<DIR> microsoft frontpage
[09/21/2005|07:52] C:\Program Files\<DIR> Microsoft Office
[02/19/2005|11:29] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[01/04/2006|10:54] C:\Program Files\<DIR> Microsoft Plus! Photo Story 2 LE
[01/25/2009|11:22] C:\Program Files\<DIR> Mjcore
[01/04/2006|10:54] C:\Program Files\<DIR> Modem Helper
[02/19/2005|11:23] C:\Program Files\<DIR> Modem On Hold
[09/14/2008|02:09] C:\Program Files\<DIR> Movie Maker
[12/28/2007|10:32] C:\Program Files\<DIR> Mozilla Firefox
[10/30/2005|10:52] C:\Program Files\<DIR> Mpeg2Decoder
[08/05/2008|05:54] C:\Program Files\<DIR> msn
[08/10/2004|03:01] C:\Program Files\<DIR> MSN Gaming Zone
[11/16/2006|08:09] C:\Program Files\<DIR> MSXML 4.0
[11/11/2008|11:16] C:\Program Files\<DIR> MSXML 6.0
[09/14/2008|02:05] C:\Program Files\<DIR> NetMeeting
[01/17/2007|12:48] C:\Program Files\<DIR> NewDotNet
[09/14/2008|02:05] C:\Program Files\<DIR> Outlook Express
[12/25/2006|11:29] C:\Program Files\<DIR> QuickTime
[10/08/2007|10:54] C:\Program Files\<DIR> Rhapsody
[10/07/2007|09:52] C:\Program Files\<DIR> SanDisk
[03/16/2009|08:08] C:\Program Files\<DIR> Spybot - Search & Destroy
[03/21/2009|01:42] C:\Program Files\<DIR> Symantec AntiVirus
[03/15/2009|09:28] C:\Program Files\<DIR> TeaTimer (Spybot - Search & Destroy)
[11/27/2006|12:02] C:\Program Files\<DIR> Temp
[03/31/2009|09:58] C:\Program Files\<DIR> trend micro
[12/26/2008|04:35] C:\Program Files\<DIR> V CAST Music with Rhapsody
[03/15/2009|07:35] C:\Program Files\<DIR> Viewpoint
[01/25/2009|11:43] C:\Program Files\<DIR> VnrPack
[01/25/2009|11:27] C:\Program Files\<DIR> WebShow
[10/07/2007|12:23] C:\Program Files\<DIR> WinBudget
[10/07/2007|12:18] C:\Program Files\<DIR> Windows Defender
[12/14/2006|06:46] C:\Program Files\<DIR> Windows Media Connect 2
[09/14/2008|02:05] C:\Program Files\<DIR> Windows Media Player
[04/08/2006|06:16] C:\Program Files\<DIR> Windows NT
[09/14/2008|03:46] C:\Program Files\<DIR> WinRAR
[09/05/2008|08:48] C:\Program Files\<DIR> WinSpyKiller
[08/10/2004|03:04] C:\Program Files\<DIR> xerox
[03/15/2009|07:11] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[10/08/2007|09:55] C:\Program Files\Common Files\<DIR> Adobe
[12/14/2006|08:13] C:\Program Files\Common Files\<DIR> AOL
[12/14/2006|08:13] C:\Program Files\Common Files\<DIR> aolshare
[10/07/2007|09:52] C:\Program Files\Common Files\<DIR> ArcSoft
[12/23/2008|02:37] C:\Program Files\Common Files\<DIR> Canon
[09/21/2005|07:53] C:\Program Files\Common Files\<DIR> Designer
[02/19/2005|11:29] C:\Program Files\Common Files\<DIR> InstallShield
[02/19/2005|11:30] C:\Program Files\Common Files\<DIR> Jasc Software Inc
[02/19/2005|11:22] C:\Program Files\Common Files\<DIR> Java
[03/28/2007|09:05] C:\Program Files\Common Files\<DIR> Microsoft Shared
[12/27/2008|06:59] C:\Program Files\Common Files\<DIR> Motorola Shared
[08/10/2004|03:02] C:\Program Files\Common Files\<DIR> MSSoap
[12/14/2006|08:13] C:\Program Files\Common Files\<DIR> Nullsoft
[10/02/2006|06:10] C:\Program Files\Common Files\<DIR> ODBC
[02/16/2009|12:16] C:\Program Files\Common Files\<DIR> Real
[08/06/2006|11:01] C:\Program Files\Common Files\<DIR> Services
[08/10/2004|02:57] C:\Program Files\Common Files\<DIR> SpeechEngines
[10/08/2007|10:55] C:\Program Files\Common Files\<DIR> Symantec Shared
[09/14/2008|02:05] C:\Program Files\Common Files\<DIR> System
[12/05/2006|05:58] C:\Program Files\Common Files\<DIR> Viewpoint

--------------------\\ Process

( 33 Processes )

iexplore.exe ~ [PID:2108]

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme


--------------------\\ Searching for other infections

C:\WINDOWS\system32\AyHiPqru.ini
C:\WINDOWS\system32\AyHiPqru.ini2
C:\WINDOWS\system32\UDMWyyxx.ini
C:\WINDOWS\system32\UDMWyyxx.ini2
C:\WINDOWS\system32\xxyyWMDU.dll.vir
==> VUNDO <==

--------------------\\ ROOTKIT !!

Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TDSSSERV.SYS]
Rootkit Tibs ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSSERV.SYS]



[F:10][D:2]-> C:\DOCUME~1\David\LOCALS~1\Temp
[F:34][D:0]-> C:\DOCUME~1\David\Cookies
[F:619][D:5]-> C:\DOCUME~1\David\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Tue 03/31/2009|22:13 - Option : [1]

--------------------\\ Scan completed at 22:13:48
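A small triage script for the HijackThis log posted above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the "Oxx - " entry lines, flags entries whose target file is missing and entries under the rarely used O20/O21/O22 load points, and reports CLSIDs wired into more than one section (the same {D5BF4552-...} DLL shows up above as both an O2 BHO and an O22 SharedTaskScheduler entry). The sample lines are copied from the log in this post; the section classification is this example's own heuristic, not a HijackThis rule.

```python
"""Triage helper for HijackThis 2.x log lines (example code for this thread)."""
import re

# Load points that legitimate home software rarely registers; entries here
# deserve a look even when the file exists (heuristic chosen for this example).
HIGH_RISK_SECTIONS = {"O20", "O21", "O22"}

# Matches "O2 - BHO: ...", "O23 - Service: ...", "R1 - HKLM\...", etc.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# A registry CLSID: 8-4-4-4-12 hex digits in braces (36 chars inside).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {72FAE0C3-8FDC-4B41-9D50-2657C7847722} - C:\WINDOWS\system32\xxyyWMDU.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\gsdrgfdrrgnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: reset5e - reset5e.dll (file missing)
O21 - SSODL: gVJIMOdxrp - {163E6B09-245A-4803-8DF2-5517F4CCF02A} - lanmlxhvgye.dll (file missing)
O22 - SharedTaskScheduler: erajhsf8743kjrngjnf - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\gsdrgfdrrgnd.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
"""


def parse_entries(log_text):
    """Turn the 'Oxx - ...' lines of a HijackThis log into dicts.

    Process listings, headers and blank lines are skipped. Each entry records
    its section, raw body, the first CLSID found (upper-cased) and whether
    HijackThis marked the target as missing.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else None,
            # HijackThis appends these markers when the registered file is gone.
            "file_missing": body.endswith("(file missing)") or body.endswith("(no file)"),
        })
    return entries


def triage(log_text):
    """Return (section, body, reasons) for the entries worth a closer look."""
    flagged = []
    for e in parse_entries(log_text):
        reasons = []
        if e["section"] in HIGH_RISK_SECTIONS:
            reasons.append("rarely-used load point")
        if e["file_missing"]:
            # Orphaned registrations are typical of a partially removed infection
            # (or of a half-uninstalled security product) and still need cleanup.
            reasons.append("target missing")
        if reasons:
            flagged.append((e["section"], e["body"], reasons))
    return flagged


def shared_clsids(entries):
    """CLSIDs registered under more than one section (one DLL, several load points)."""
    seen = {}
    for e in entries:
        if e["clsid"]:
            seen.setdefault(e["clsid"], set()).add(e["section"])
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section:4} {', '.join(reasons):40} {body}")
    for clsid, sections in shared_clsids(parse_entries(SAMPLE_LOG)).items():
        print(f"{clsid} registered in sections: {', '.join(sections)}")
```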

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:10 AM

Posted 31 March 2009 - 10:11 PM

Hi bwoodwth,



This is the most infected computer I have seen in a long time. :)

Is this your computer?
How many users are there on this computer?

I see many items deleted in your log. Have you been attempting to "fix" this with Hijackthis?


Someone installed AVG7, then AVG8, tried to remove it but only partially removed it.
Then they downloaded Avira and downloaded it.

I think the rootkit is preventing it from running.


Download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

**Note:  It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------

Disable your Avira AntiVirus and AntiSpyware applications as they may prevent ComboFix from working correctly.


To disable Avira Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background.
  • right click it-> untick the option AntiVir Guard enable.
  • You should now see a closed white umbrella on a red background.
You have successfully disabled the AntiVir Guard.


If you cannot disalbe Avira AntiVir, then uninstall it. DO NOT surf the web while we are in process of removing the malware on this computer. You need to have an active Antivirus running before you surf the web.


Disable Spyware Doctor
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.

Edited by SifuMike, 31 March 2009 - 10:41 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 bwoodwth (Topic Starter)

Posted 01 April 2009 - 05:06 PM

Yes, it's been messed up a long time. No, the computer is now used mainly by my son. I have 2 other computers that I keep cleaned up at all times. Unfortunately I didn't do the same for the infected computer and the antivirus software wasn't updated. They started with LimeWire and other junk and it got really messed up!
I did delete some items but only after it was in a big mess; I think it was My Documents stuff that belonged to my 2 sons. (I believe I saved those files to the hard drive.) The reason was that it would not let me delete or update most programs including AVG. Kept getting errors that the "files were in use" and seemed to be a problem with numerous users. I did try to delete AVG by numerous methods and upgrade AVG but it would not let me do either. I believe I have tried to delete Avira as well. My goal was to remove all existing AV software and install Symantec or possibly go back to AVG.

We have always seemed to have issues with programs due to the different users; if I ever get it straightened out there will be only one user account or none if that is possible (just straight boot-up to the main screen, if that is possible?).

I have not done anything with HJT; it actually was not even on the computer, the Trend Micro folder was empty, I had to copy it from my computer yesterday.

I will attempt to do all of this but it is unlikely I can download anything from the internet such as ComboFix since it redirects me away from every site.

If I cannot download ComboFix or the other programs, can I copy them from my computer to a stick like I did the HJT?

#6 SifuMike (malware expert, Staff Emeritus)

Posted 01 April 2009 - 05:39 PM

If I cannot download ComboFix or the other programs, can I copy them from my computer to a stick like I did the HJT?


Yes, that will work. Make sure to disable (or uninstall) all antivirus programs and registry protectors (like TeaTimer, WinPatrol, Ad-Watch, Windows Defender) before you run ComboFix.

Edited by SifuMike, 01 April 2009 - 05:40 PM.


#7 bwoodwth (Topic Starter)

Posted 02 April 2009 - 08:02 PM

Avira is not in the system tray and is not in Add/Remove Programs in Control Panel. I did a search and did find an Avira exe file. When I right-clicked there was no option to "disable". I deleted the exe file but when I go to "Security" in Control Panel it still shows Avira as working and/or up to date. Not sure how to delete or disable Avira. Searched but cannot find "Spyware Doctor", although I did see references to Spy Sweeper and CounterSpy.
Anyway, I saved ComboFix and the Windows Recovery Console for XP Service Pack 2 to a stick and copied them to the desktop.
When I dragged and dropped the Console icon onto the ComboFix icon nothing happened. I then tried just clicking on the ComboFix icon and nothing happened. Removed altogether and went through the entire download process again, tried it again but ComboFix will not execute.

#8 SifuMike (malware expert, Staff Emeritus)

Posted 02 April 2009 - 08:48 PM

Hi bwoodwth,

If you can't uninstall a program, then download it again, install it, then uninstall it.
That removes the entire program.
Of course, you can't reach the Internet right now, but when you can you need to do that. Just deleting files will not work as the program has many registry entries that are still there.


Try running ComboFix in the Safe Mode.

How to reboot into Safe Mode:
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Edited by SifuMike, 02 April 2009 - 09:01 PM.


#9 bwoodwth (Topic Starter)

Posted 04 April 2009 - 08:38 AM

Dang, no luck. Does nothing in Safe Mode when I click on ComboFix

#10 SifuMike (malware expert, Staff Emeritus)

Posted 04 April 2009 - 10:10 AM

Hi bwoodwth,

Delete the version of ComboFix you have on your desktop.

Disable (or uninstall) all antivirus programs and registry protectors (like TeaTimer, WinPatrol, Ad-Watch, Windows Defender) before you run ComboFix.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

Edited by SifuMike, 04 April 2009 - 10:12 AM.


#11 bwoodwth (Topic Starter)

Posted 04 April 2009 - 09:54 PM

The AVG program was not in Add/Remove Programs in Control Panel. Did various searches but could not find it on the computer, but obviously it is on there somewhere. I went ahead and ran ComboFix even though I could not find or disable the AVG program.

ComboFix 09-04-04.01 - David 2009-04-04 22:04:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.337 [GMT -4:00]
Running from: c:\documents and settings\All Users\Desktop\Combo-Fix.exe
AV: 7.5.523 *On-access scanning enabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\winlogon.exe
c:\documents and settings\Taylor.EUBANKS\Desktop\A360.lnk
c:\documents and settings\Taylor.EUBANKS\Favorites\Online Security Test.url
c:\documents and settings\Taylor.EUBANKS\My Documents\My Documents.url
c:\documents and settings\Taylor.EUBANKS\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Taylor.EUBANKS\My Documents\My Videos\My Video.url
c:\documents and settings\Taylor.EUBANKS\Start Menu\A360
c:\documents and settings\Taylor.EUBANKS\Start Menu\A360\A360.lnk
c:\documents and settings\Taylor.EUBANKS\Start Menu\A360\Help.lnk
c:\documents and settings\Taylor.EUBANKS\Start Menu\A360\Registration.lnk
c:\program files\newdotnet
c:\program files\newdotnet\readme.txt
C:\smp.bat
c:\windows\reged.exe
c:\windows\spoolsystem.exe
c:\windows\sys.com
c:\windows\syscert.exe
c:\windows\sysexplorer.exe
c:\windows\system32\_004300_.tmp.dll
c:\windows\system32\_004301_.tmp.dll
c:\windows\system32\_004302_.tmp.dll
c:\windows\system32\_004303_.tmp.dll
c:\windows\system32\_004310_.tmp.dll
c:\windows\system32\_004311_.tmp.dll
c:\windows\system32\_004312_.tmp.dll
c:\windows\system32\_004313_.tmp.dll
c:\windows\system32\_004315_.tmp.dll
c:\windows\system32\_004316_.tmp.dll
c:\windows\system32\_004319_.tmp.dll
c:\windows\system32\_004320_.tmp.dll
c:\windows\system32\_004322_.tmp.dll
c:\windows\system32\_004323_.tmp.dll
c:\windows\system32\_004324_.tmp.dll
c:\windows\system32\_004326_.tmp.dll
c:\windows\system32\_004329_.tmp.dll
c:\windows\system32\_004330_.tmp.dll
c:\windows\system32\_004334_.tmp.dll
c:\windows\system32\_004335_.tmp.dll
c:\windows\system32\_004337_.tmp.dll
c:\windows\system32\_004340_.tmp.dll
c:\windows\system32\_004342_.tmp.dll
c:\windows\system32\_004343_.tmp.dll
c:\windows\system32\_004344_.tmp.dll
c:\windows\system32\_004345_.tmp.dll
c:\windows\system32\_004346_.tmp.dll
c:\windows\system32\_004349_.tmp.dll
c:\windows\system32\_004350_.tmp.dll
c:\windows\system32\_004351_.tmp.dll
c:\windows\system32\_004352_.tmp.dll
c:\windows\system32\_004353_.tmp.dll
c:\windows\system32\_004358_.tmp.dll
c:\windows\system32\_004360_.tmp.dll
c:\windows\system32\_004361_.tmp.dll
c:\windows\system32\~.exe
c:\windows\system32\834668
c:\windows\system32\834668\834668.dll
c:\windows\system32\ajsemytr.ini
c:\windows\system32\AyHiPqru.ini
c:\windows\system32\AyHiPqru.ini2
c:\windows\system32\bqjhxphj.ini
c:\windows\system32\cxxvtxvv.ini
c:\windows\system32\cyvxiijm.ini
c:\windows\system32\debakpnh.ini
c:\windows\system32\digeste.dll
c:\windows\system32\drivers\TDSSpqxt.sys
c:\windows\system32\dtclfsfq.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\gsyruvhg.ini
c:\windows\system32\hnpkabed.dll
c:\windows\system32\ieupdates.exe
c:\windows\system32\iqjnbxxs.ini
c:\windows\system32\jcbfjuuw.ini
c:\windows\system32\jhpxhjqb.dll
c:\windows\system32\mvuvvfon.ini
c:\windows\system32\oonflexr.dll
c:\windows\system32\oqkaliim.ini
c:\windows\system32\owgccbmp.dll
c:\windows\system32\pdylnyss.dll
c:\windows\system32\pevyvnni.ini
c:\windows\system32\Process.exe
c:\windows\system32\qlptlmop.ini
c:\windows\system32\rhtudpvr.ini
c:\windows\system32\rtymesja.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\sxxbnjqi.dll
c:\windows\system32\tanipjma.dll
c:\windows\system32\TDSScfgb.log
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSliqp.dll
c:\windows\system32\TDSSnrse.dll
c:\windows\system32\TDSSoeqh.dll
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSosvn.dll
c:\windows\system32\TDSSpqxt.dat
c:\windows\system32\TDSSrmxa.log
c:\windows\system32\TDSSsbhc.log
c:\windows\system32\tmp.reg
c:\windows\system32\UDMWyyxx.ini
c:\windows\system32\UDMWyyxx.ini2
c:\windows\system32\ujdrgyfi.ini
c:\windows\system32\VACFix.exe
c:\windows\system32\vbmgatnd.ini
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vsyyxbyx.ini
c:\windows\system32\vvwarncl.ini
c:\windows\system32\vvxtvxxc.dll
c:\windows\system32\wpv351232808964.cpx
c:\windows\system32\wpv671232895578.cpx
c:\windows\system32\wpv991232809034.cpx
c:\windows\system32\WS2Fix.exe
c:\windows\system32\xbggcsfe.dll
c:\windows\system32\xtawilnh.dll
c:\windows\system32\xxyyWMDU.dll.vir
c:\windows\system32\yyuunbfl.ini
c:\windows\Tasks\hikgjrmo.job
c:\windows\vmreg.dll
c:\program files\GetModule . . . . failed to delete
c:\program files\iCheck . . . . failed to delete
c:\program files\Mjcore . . . . failed to delete
c:\program files\VnrPack . . . . failed to delete
c:\program files\WinBudget . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://sunmicro.ht.rd.llnw.net
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys
-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 20:01 . 2009-04-04 20:01 <DIR> d-------- c:\documents and settings\Administrator.EUBANKS.000\Application Data\Lavasoft
2009-04-04 19:58 . 2009-04-04 20:13 4,507 --a------ c:\windows\imsins.BAK
2009-03-31 22:28 . 2009-03-31 22:29 <DIR> d-------- c:\program files\Security Check
2009-03-31 21:38 . 2009-03-31 22:25 <DIR> d-------- C:\Lop SD
2009-03-28 12:59 . 2009-03-28 12:59 <DIR> d-------- C:\rsit
2009-03-28 12:59 . 2009-03-31 21:58 <DIR> d-------- c:\program files\trend micro
2009-03-21 01:42 . 2009-03-21 01:42 <DIR> d-------- c:\program files\Symantec AntiVirus
2009-03-21 01:42 . 2009-03-21 01:42 0 --a------ c:\windows\VPC32.INI
2009-03-20 23:29 . 2009-03-20 23:29 27,912 --a------ c:\documents and settings\David\Application Data\GDIPFONTCACHEV1.DAT
2009-03-15 22:29 . 2009-03-15 22:29 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-15 21:53 . 2009-03-15 21:53 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-15 21:28 . 2009-03-15 21:28 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-15 21:23 . 2009-04-04 21:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-15 19:11 . 2009-03-15 19:11 <DIR> d-------- c:\program files\Yahoo!
2009-03-14 15:24 . 2009-03-14 15:24 85,621 --a------ c:\windows\system32\b4be2783-65de-c289-8445-5cfbb3a35c8b.exe
2009-03-14 15:24 . 2009-03-14 15:24 48,266 --a------ c:\windows\system32\pdvfbjcebpirszx.exe
2009-03-14 12:45 . 2009-03-14 12:45 80,384 --a------ c:\windows\system32\hhrmjter.dll
2009-03-08 22:59 . 2009-03-08 22:59 <DIR> d---s---- c:\documents and settings\Taylor.EUBANKS.000\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 01:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-05 00:20 --------- d-----w c:\program files\Windows Defender
2009-03-15 23:42 --------- d-----w c:\program files\Google
2009-03-15 23:35 --------- d-----w c:\program files\Viewpoint
2009-03-15 23:35 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-15 23:12 --------- d-----w c:\program files\CCleaner
2009-03-14 19:23 --------- d-----w c:\program files\GetModule
2009-02-17 02:39 --------- d-----w c:\documents and settings\Taylor.EUBANKS.000\Application Data\Lavasoft
2009-02-17 02:28 --------- d-----w c:\program files\Ad-Aware SE Personal
2009-02-17 02:23 --------- d-----w c:\documents and settings\Taylor.EUBANKS.000\Application Data\AVG7
2009-02-16 18:14 --------- d-----w c:\documents and settings\David\Application Data\Uniblue
2009-02-16 16:16 --------- d-----w c:\program files\Common Files\Real
2009-02-11 14:53 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2008-11-16 16:06 27,912 ----a-w c:\documents and settings\Taylor.EUBANKS\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 16:54 49,304 ----a-w c:\documents and settings\Daniel\Application Data\GDIPFONTCACHEV1.DAT
2005-04-29 17:03 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MTV Networks Video Optimizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MTV Networks Video Optimizer.lnk
backup=c:\windows\pss\MTV Networks Video Optimizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^MP3 Downloads (silent).lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\MP3 Downloads (silent).lnk
backup=c:\windows\pss\MP3 Downloads (silent).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-10-23 14:34 1336560 c:\program files\CCleaner\ccleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 22:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 22:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 03:36 36975 c:\program files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 03:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 18:51 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_SoRefRegSoAlertWxLiteNnAj]
--a------ 2008-04-13 20:12 8461312 c:\windows\system32\shell32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10846:TCP"= 10846:TCP:*:Disabled:BitComet 10846 TCP
"10846:UDP"= 10846:UDP:*:Disabled:BitComet 10846 UDP

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-07-19 2368]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 59da0368-445d-40af-b68a-db6eb45fcfee;59da0368-445d-40af-b68a-db6eb45fcfee;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Daniel\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\Daniel\LOCALS~1\Temp\cdrmkaun.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-12-27 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-12-27 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-12-27 23680]
.
- - - - ORPHANS REMOVED - - - -

BHO-{72FAE0C3-8FDC-4B41-9D50-2657C7847722} - c:\windows\system32\xxyyWMDU.dll
BHO-{D5BF4552-94F1-42BD-F434-3604812C807D} - c:\windows\system32\gsdrgfdrrgnd.dll
BHO-{E0357A18-C821-4072-89E0-C9B9F84FDCF4} - c:\windows\system32\urqPiHyA.dll
HKCU-Run-AIM - c:\program files\AIM\aim.exe
HKCU-Run-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe
HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-AVG7_CC - c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe
HKLM-Run-AVG7_EMC - c:\progra~1\Grisoft\AVGFRE~1\avgemc.exe
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
SharedTaskScheduler-{D5BF4552-94F1-42BD-F434-3604812C807D} - c:\windows\system32\gsdrgfdrrgnd.dll
SSODL-gVJIMOdxrp-{163E6B09-245A-4803-8DF2-5517F4CCF02A} - lanmlxhvgye.dll
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-Drag'n'Drop_Autolaunch - c:\program files\Iomega HotBurn Pro\Autolaunch.exe
MSConfigStartUp-filecroc - c:\program files\FileCroc\FileCroc.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1148677974\ee\AOLSoftware.exe
MSConfigStartUp-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-MediaGateway - c:\program files\MediaGateway\MediaGateway.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-Notification Utility - c:\program files\altpayV2\altpayV2.exe
MSConfigStartUp-PCTAVApp - c:\program files\PC Tools AntiVirus\PCTAV.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe
MSConfigStartUp-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe
MSConfigStartUp-SpywareTerminator - c:\program files\Spyware Terminator\SpywareTerminatorShield.exe
MSConfigStartUp-SunServer - c:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\SYMANT~2\VPTray.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe
MSConfigStartUp-stratas - lockx.exe


.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\about.htm
uStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://internetsearchservice.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: {{9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.getietool.com/redirect.php
Trusted Zone: whataboutadog.com
DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - hxxp://www.mtv.com/overdrive/bin/setup.exe
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 22:14:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.mfp]
@DACL=(02 0000)
@="MacromediaFlashPaper.MacromediaFlashPaper"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\.sol]
@DACL=(02 0000)
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\.sor]
@DACL=(02 0000)
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash.8]
@DACL=(02 0000)
@="Shockwave Flash Object"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WRLogonNTF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-04 22:19:05 - machine was rebooted [David]
ComboFix-quarantined-files.txt 2009-04-05 02:19:03

Pre-Run: 55,114,612,736 bytes free
Post-Run: 55,083,003,904 bytes free

370 --- E O F --- 2009-04-05 00:20:45

#12 SifuMike (malware expert, Staff Emeritus)

Posted 04 April 2009 - 10:19 PM

Hi bwoodwth,

Can you reach the Internet now?

#13 bwoodwth (Topic Starter)

Posted 04 April 2009 - 11:37 PM

I will be able to attempt that shortly. I have always been able to get on; I was just redirected when I tried a specific site.
I assume I should install AV software before getting back online?

#14 SifuMike (malware expert, Staff Emeritus)

Posted 04 April 2009 - 11:57 PM

Hi bwoodwth,
No, do not install the antivirus yet.

Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\system32\b4be2783-65de-c289-8445-5cfbb3a35c8b.exe
c:\windows\system32\pdvfbjcebpirszx.exe
c:\windows\system32\hhrmjter.dll
c:\docume~1\Daniel\LOCALS~1\Temp\cdrmkaun.sys
Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
Driver:: 
cdrmkaun


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
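
Reading the ComboFix report in #11 and the CFScript in #14 together: the report shows the TDSS driver and DLLs, a TDSSserv service, an extra BootExecute entry (SsiEfr.exe), the Security Center notifications switched off, the XP firewall disabled, a search provider pointed at internetsearchservice.com and a Trusted Zone entry; the script then sets the registry values back. The Python below is an added example, not part of this thread and not ComboFix's own code: it scans report text for those indicator classes and drafts the Registry:: block of a CFScript that restores the values it found flipped. The sample log is constructed from lines quoted in the thread; the allowlist of search hosts and the suffix matching of registry keys are assumptions.

```python
"""Triage a ComboFix report for the TDSS and search-hijack indicators seen in
this thread and draft the Registry:: section of a CFScript that reverses the
registry tampering.  Added example: not from the thread and not ComboFix code."""
import re

# Constructed sample: lines quoted from the ComboFix reports posted in this thread.
SAMPLE_LOG = """\
c:\\windows\\system32\\digeste.dll
c:\\windows\\system32\\drivers\\TDSSpqxt.sys
c:\\windows\\system32\\TDSSfpmp.dll
-------\\Service_TDSSserv.sys
-------\\Legacy_TDSSserv.sys
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\\0SsiEfr.exe
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
mSearchURL = hxxp://internetsearchservice.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: whataboutadog.com
"""

TDSS_FILE_RE = re.compile(r"\\(TDSS\w+\.\w+)$", re.I)      # TDSSxxxx.sys/.dll/.dat/.log
TDSS_SERVICE_RE = re.compile(r"^-------\\(?:Service|Legacy)_(TDSS\w*)", re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")                            # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:([0-9a-f]{8})|(\d+))', re.I)
BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(.*)$")
SEARCH_RE = re.compile(r"^[mu]Search\w*(?:,\(Default\))?\s*=\s*hxxp://([^/\s]+)", re.I)
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)", re.I)

# Values the malware flipped and the CFScript in this thread sets back.
# Keys are matched by suffix because ComboFix abbreviates HKLM paths.
EXPECTED = {
    ("security center", "antivirusdisablenotify"): 0,
    ("security center", "updatesdisablenotify"): 0,
    ("firewallpolicy\\standardprofile", "enablefirewall"): 1,
}
BOOTEXEC_DEFAULT = "autocheck autochk *"
# Assumption: the search providers this household actually uses.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.yahoo.com", "search.yahoo.com"}


def triage(log_text):
    """Return one finding dict per suspicious line in a ComboFix report."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = TDSS_FILE_RE.search(line)
        if m:
            findings.append({"kind": "tdss_file", "detail": line})
            continue
        m = TDSS_SERVICE_RE.match(line)
        if m:
            findings.append({"kind": "tdss_service", "detail": m.group(1)})
            continue
        m = BOOTEXEC_RE.match(line)
        if m:
            # ComboFix shows REG_MULTI_SZ entries joined by a literal "\0".
            entries = [e for e in m.group(1).split("\\0") if e]
            for extra in [e for e in entries if e != BOOTEXEC_DEFAULT]:
                findings.append({"kind": "bootexecute", "detail": extra})
            continue
        m = VALUE_RE.match(line)
        if m:
            name = m.group(1)
            actual = int(m.group(2), 16) if m.group(2) else int(m.group(3))
            for (suffix, vname), wanted in EXPECTED.items():
                if (current_key.lower().endswith(suffix)
                        and name.lower() == vname and actual != wanted):
                    findings.append({"kind": "registry", "detail": f"{name}={actual}",
                                     "key": current_key, "value": name, "fix": wanted})
            continue
        m = SEARCH_RE.match(line)
        if m and m.group(1).lower() not in KNOWN_SEARCH_HOSTS:
            findings.append({"kind": "search_hijack", "detail": m.group(1)})
            continue
        m = TRUSTED_RE.match(line)
        if m:
            findings.append({"kind": "trusted_zone", "detail": m.group(1)})
    return findings


def restore_script(findings):
    """Draft the Registry:: section of a CFScript undoing the registry findings."""
    by_key = {}
    for f in findings:
        if f["kind"] == "registry":
            by_key.setdefault(f["key"], []).append((f["value"], f["fix"]))
    lines = ["Registry::"]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:{fix:08x}' for name, fix in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['kind']:14} {f['detail']}")
    print(restore_script(found))
```

Treat the generated Registry:: lines as a draft to review, not something to feed straight into ComboFix: as SifuMike says above, a CFScript is written for one machine, and the File:: and Driver:: entries still have to be picked by hand from the report.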

#15 bwoodwth (Topic Starter)

Posted 06 April 2009 - 07:40 PM

AVG would not let me disable as described on the link you provided. Appears there are missing files. I can try reinstalling again if you think that will work, wouldn't let me do that previously.
I have attached required logs


ComboFix log:

ComboFix 09-04-04.01 - David 2009-04-06 20:22:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.262 [GMT -4:00]
Running from: c:\documents and settings\All Users\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\All Users\Desktop\cfscript.txt
AV: 7.5.523 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-05 10:00 . 2009-04-05 10:00 <DIR> d-------- c:\windows\LastGood
2009-04-04 20:01 . 2009-04-04 20:01 <DIR> d-------- c:\documents and settings\Administrator.EUBANKS.000\Application Data\Lavasoft
2009-04-04 19:58 . 2009-04-04 20:13 4,507 --a------ c:\windows\imsins.BAK
2009-03-31 22:28 . 2009-03-31 22:29 <DIR> d-------- c:\program files\Security Check
2009-03-31 21:38 . 2009-03-31 22:25 <DIR> d-------- C:\Lop SD
2009-03-28 12:59 . 2009-03-28 12:59 <DIR> d-------- C:\rsit
2009-03-28 12:59 . 2009-03-31 21:58 <DIR> d-------- c:\program files\trend micro
2009-03-21 01:42 . 2009-03-21 01:42 <DIR> d-------- c:\program files\Symantec AntiVirus
2009-03-21 01:42 . 2009-03-21 01:42 0 --a------ c:\windows\VPC32.INI
2009-03-20 23:29 . 2009-03-20 23:29 27,912 --a------ c:\documents and settings\David\Application Data\GDIPFONTCACHEV1.DAT
2009-03-15 22:29 . 2009-03-15 22:29 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-15 21:53 . 2009-03-15 21:53 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-15 21:28 . 2009-03-15 21:28 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-03-15 21:23 . 2009-04-04 21:11 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-15 19:11 . 2009-03-15 19:11 <DIR> d-------- c:\program files\Yahoo!
2009-03-14 15:24 . 2009-03-14 15:24 85,621 --a------ c:\windows\system32\b4be2783-65de-c289-8445-5cfbb3a35c8b.exe
2009-03-14 15:24 . 2009-03-14 15:24 48,266 --a------ c:\windows\system32\pdvfbjcebpirszx.exe
2009-03-14 12:45 . 2009-03-14 12:45 80,384 --a------ c:\windows\system32\hhrmjter.dll
2009-03-08 22:59 . 2009-03-08 22:59 <DIR> d---s---- c:\documents and settings\Taylor.EUBANKS.000\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 01:11 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-05 00:20 --------- d-----w c:\program files\Windows Defender
2009-03-15 23:42 --------- d-----w c:\program files\Google
2009-03-15 23:35 --------- d-----w c:\program files\Viewpoint
2009-03-15 23:35 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-15 23:12 --------- d-----w c:\program files\CCleaner
2009-03-14 19:23 --------- d-----w c:\program files\GetModule
2009-03-04 13:03 619,520 ----a-w c:\windows\system32\nsa9.dll
2009-02-20 00:12 72,704 ------w c:\windows\system32\miilakqo.dll
2009-02-20 00:12 129,024 ----a-w c:\windows\system32\nascdmqf.dll
2009-02-19 03:19 72,704 ----a-w c:\windows\system32\innvyvep.dll
2009-02-19 03:18 129,024 ----a-w c:\windows\system32\ipngidkq.dll
2009-02-17 02:39 --------- d-----w c:\documents and settings\Taylor.EUBANKS.000\Application Data\Lavasoft
2009-02-17 02:28 --------- d-----w c:\program files\Ad-Aware SE Personal
2009-02-17 02:23 --------- d-----w c:\documents and settings\Taylor.EUBANKS.000\Application Data\AVG7
2009-02-17 01:50 133,632 ----a-w c:\windows\system32\lanmlxhvgye.dll
2009-02-16 18:14 --------- d-----w c:\documents and settings\David\Application Data\Uniblue
2009-02-16 16:16 --------- d-----w c:\program files\Common Files\Real
2009-02-16 16:12 129,024 ----a-w c:\windows\system32\jswuhfna.dll
2009-02-16 02:33 129,024 ----a-w c:\windows\system32\yaidbxbh.dll
2009-02-16 02:33 129,024 ----a-w c:\windows\system32\cjavto.dll
2009-02-12 03:04 129,024 ----a-w c:\windows\system32\mgppjlsy.dll
2009-02-12 03:01 72,704 ----a-w c:\windows\system32\rvpduthr.dll
2009-02-12 03:01 1,584,074 --sha-w c:\windows\system32\gxsltvbe.tmp
2009-02-11 14:53 --------- d-----w c:\documents and settings\LocalService\Application Data\AVG7
2009-02-10 00:41 129,024 ----a-w c:\windows\system32\abhhvoxi.dll
2009-02-08 22:34 129,024 ----a-w c:\windows\system32\zjswrv.dll
2009-02-08 22:34 129,024 ----a-w c:\windows\system32\pmrylkmh.dll
2009-02-07 21:40 129,024 ----a-w c:\windows\system32\xmpueoqu.dll
2009-02-02 04:03 129,024 ----a-w c:\windows\system32\magyuusu.dll
2009-02-02 03:43 129,024 ----a-w c:\windows\system32\twoppvat.dll
2009-01-31 12:55 129,024 ----a-w c:\windows\system32\coaweqkx.dll
2009-01-31 12:52 72,704 ----a-w c:\windows\system32\xybxyysv.dll
2009-01-30 00:33 129,024 ----a-w c:\windows\system32\htndjdci.dll
2009-01-27 23:51 129,024 ----a-w c:\windows\system32\ocyxcjpr.dll
2009-01-27 23:49 72,704 ----a-w c:\windows\system32\dntagmbv.dll
2009-01-25 18:58 129,024 ----a-w c:\windows\system32\uhhnolnk.dll
2009-01-25 15:21 36,352 ----a-w c:\windows\system32\vtUmNDTJ.dll
2009-01-24 23:23 36,352 ----a-w c:\windows\system32\iifcCron.dll
2009-01-24 01:39 304,640 ----a-w c:\windows\system32\bvmfbtehggppuwms.dll
2008-11-16 16:06 27,912 ----a-w c:\documents and settings\Taylor.EUBANKS\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 16:54 49,304 ----a-w c:\documents and settings\Daniel\Application Data\GDIPFONTCACHEV1.DAT
2005-04-29 17:03 774,144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-04_22.18.21.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-05 02:24:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_388.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-01 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MTV Networks Video Optimizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MTV Networks Video Optimizer.lnk
backup=c:\windows\pss\MTV Networks Video Optimizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpySubtract.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpySubtract.lnk
backup=c:\windows\pss\SpySubtract.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^BitTorrent.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\BitTorrent.lnk
backup=c:\windows\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^MP3 Downloads (silent).lnk]
path=c:\documents and settings\Daniel\Start Menu\Programs\Startup\MP3 Downloads (silent).lnk
backup=c:\windows\pss\MP3 Downloads (silent).lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
--a------ 2008-10-23 14:34 1336560 c:\program files\CCleaner\ccleaner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
--a------ 2003-09-03 22:12 221184 c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 22:15 290816 c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-03-04 03:36 36975 c:\program files\Java\jre1.5.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 03:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 18:51 60928 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_SoRefRegSoAlertWxLiteNnAj]
--a------ 2008-04-13 20:12 8461312 c:\windows\system32\shell32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10846:TCP"= 10846:TCP:*:Disabled:BitComet 10846 TCP
"10846:UDP"= 10846:UDP:*:Disabled:BitComet 10846 UDP

R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-07-19 2368]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]
S3 59da0368-445d-40af-b68a-db6eb45fcfee;59da0368-445d-40af-b68a-db6eb45fcfee;\??\d:\cds300\cds300.dll --> d:\cds300\cds300.dll [?]
S3 cdrmkaun;cdrmkaun;\??\c:\docume~1\Daniel\LOCALS~1\Temp\cdrmkaun.sys --> c:\docume~1\Daniel\LOCALS~1\Temp\cdrmkaun.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-12-27 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-12-27 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-12-27 23680]
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\about.htm
uStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://internetsearchservice.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: whataboutadog.com
DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - hxxp://www.mtv.com/overdrive/bin/setup.exe
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 20:23:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.mfp]
@DACL=(02 0000)
@="MacromediaFlashPaper.MacromediaFlashPaper"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\.sol]
@DACL=(02 0000)
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\.sor]
@DACL=(02 0000)
"Content Type"="text/plain"

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\ShockwaveFlash.ShockwaveFlash.8]
@DACL=(02 0000)
@="Shockwave Flash Object"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WRLogonNTF.dll
.
Completion time: 2009-04-06 20:26:11
ComboFix-quarantined-files.txt 2009-04-07 00:26:09
ComboFix2.txt 2009-04-05 02:19:06

Pre-Run: 57,699,741,696 bytes free
Post-Run: 57,680,347,136 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

229 --- E O F --- 2009-04-06 14:00:26

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:55 PM, on 4/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
F:\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-21-1959850900-3338359627-809024244-1014\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-1959850900-3338359627-809024244-1014\..\Run: [74e4ea92] rundll32.exe "C:\WINDOWS\system32\sxxbnjqi.dll",b (User '?')
O4 - HKUS\S-1-5-21-1959850900-3338359627-809024244-1016\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - http://www.mtv.com/overdrive/bin/setup.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...432/mcfscan.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Daniel\Desktop\CWShredder.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 7097 bytes
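As an added example (not code from this thread, ComboFix or HijackThis), a small Python triage helper for two things the helper's CFScript targets and the logs above show: clusters of same-size, random-named DLLs in system32 (the Find3M report), and Security Center notifications and the Windows Firewall switched off (the Reg Loading Points section). The sample log lines are constructed in the shape of the posted log, and the "random name" regex is an assumed heuristic, not a ComboFix rule.

```python
# Added example: parse ComboFix log text for the indicators discussed above (not ComboFix's own code).
import re
from collections import defaultdict

# Constructed sample in the shape of the posted ComboFix log (Find3M and Reg Loading Points lines).
SAMPLE_LOG = r"""
2009-03-04 13:03 619,520 ----a-w c:\windows\system32\nsa9.dll
2009-02-20 00:12 72,704 ------w c:\windows\system32\miilakqo.dll
2009-02-20 00:12 129,024 ----a-w c:\windows\system32\nascdmqf.dll
2009-02-19 03:19 72,704 ----a-w c:\windows\system32\innvyvep.dll
2009-02-19 03:18 129,024 ----a-w c:\windows\system32\ipngidkq.dll
2009-04-05 00:20 --------- d-----w c:\program files\Windows Defender
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# File line: date, optional second timestamp ("Files Created" section), size or <DIR>/dashes, attrs, path.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>.+?)\s*$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
RANDOM_DLL = re.compile(r"^[a-z]{6,8}\.dll$")  # assumed heuristic: letters only, like the names listed above

def parse_file_entries(text):
    """Return (date, size_in_bytes_or_None, path) for every file line in the log."""
    out = []
    for m in filter(None, map(FILE_LINE.match, map(str.strip, text.splitlines()))):
        size = m.group("size").replace(",", "")
        out.append((m.group("date"), int(size) if size.isdigit() else None, m.group("path")))
    return out

def same_size_dll_clusters(entries, min_count=2):
    """Group random-looking system32 DLLs by size; several files of one exact size point to one dropper."""
    groups = defaultdict(list)
    for _, size, path in entries:
        name = path.lower().rsplit("\\", 1)[-1]
        if size and "\\system32\\" in path.lower() and RANDOM_DLL.match(name):
            groups[size].append(name)
    return {s: sorted(n) for s, n in sorted(groups.items()) if len(n) >= min_count}

def parse_reg_values(text):
    """Map (lower-cased key, value name) -> raw value string for the REGEDIT-style sections."""
    values, key = {}, None
    for line in text.splitlines():
        k, v = KEY_LINE.match(line), VALUE_LINE.match(line)
        if k:
            key = k.group("key").lower()
        elif v and key:
            values[(key, v.group("name"))] = v.group("value").strip()
    return values

def reg_int(raw):  # 'dword:00000001' -> 1, the '0 (0x0)' form ComboFix prints -> 0, else None
    m = re.match(r"(?:dword:([0-9a-f]{8})|(-?\d+))", raw.strip(), re.I)
    return None if not m else (int(m.group(1), 16) if m.group(1) else int(m.group(2)))

def security_center_findings(values):
    """Flag the settings the CFScript above resets: suppressed alerts and a disabled firewall."""
    findings = []
    for (key, name), raw in values.items():
        if key.endswith("security center") and name.endswith("DisableNotify") and reg_int(raw) == 1:
            findings.append(f"{name}=1: Security Center warning suppressed")
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and reg_int(raw) == 0:
            findings.append("EnableFirewall=0: Windows Firewall off in the standard profile")
    return findings
```

Run the four functions over the text of a real ComboFix.txt to get the same two summaries; the parsers accept both the "Files Created" and the "Find3M" line layouts.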
