

HJT Log File


  • This topic is locked
21 replies to this topic

#1 hypnotix00

hypnotix00

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:23 PM

Posted 07 April 2009 - 01:44 PM

First, my computer is experiencing multiple problems:

1.) After an idle period, the machine makes a system beep, then everything freezes except for the mouse. The only way I have found to fix this is via a restart.
2.) My computer does not boot correctly. After seeing the Windows XP icon with the loading bar underneath it (before the select user screen), the screen goes completely black minus the mouse. I can see the mouse pointer and move it around. Keyboard lights such as "Num Lock", "Caps Lock", and "Scroll Lock" do not come on when hitting the appropriate button. The solution I have found to this is starting my computer up in Safe Mode. After starting it in Safe Mode, going to the Start menu, then doing a Restart, the computer will boot in its proper mode.

Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.


Logfile of random's system information tool 1.06 (written by random/random)
Run by Matt at 2009-04-07 14:33:08
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 60 GB (39%) free of 153 GB
Total RAM: 2047 MB (64% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:14 PM, on 4/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\HJTInstall.exe
C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\RSIT.exe
C:\Program Files\trend micro\Matt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1576177
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
R3 - URLSearchHook: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tbliv1.dll
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tbliv1.dll
O3 - Toolbar: livetvbar Toolbar - {ad55c869-668e-457c-b270-0cfb2f61116f} - C:\Program Files\livetvbar\tbliv1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: kHAsRIxy - kHAsRIxy.dll (file missing)
O20 - Winlogon Notify: xneoio - xneoio32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5612 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\pxtducgd.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad55c869-668e-457c-b270-0cfb2f61116f}]
livetvbar Toolbar - C:\Program Files\livetvbar\tbliv1.dll [2009-04-01 1883672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{ad55c869-668e-457c-b270-0cfb2f61116f} - livetvbar Toolbar - C:\Program Files\livetvbar\tbliv1.dll [2009-04-01 1883672]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-05-18 843776]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2006-05-18 729088]
"JMB36X Configure"=C:\WINDOWS\system32\JMRaidTool.exe [2006-06-02 385024]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-02-18 13680640]
"nwiz"=nwiz.exe /install []
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2007-10-10 39792]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-22 136600]
"Launch LCDMon"=C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe [2007-12-13 2051096]
"Launch LGDCore"=C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe [2007-12-13 2095640]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-02-18 86016]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-13 169984]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe [2009-02-24 1103216]
"system tool"=C:\WINDOWS\sysguard.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
C:\Program Files\Ares\Ares.exe -h []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
C:\Program Files\DAEMON Tools Lite\daemon.exe -autorun []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
C:\PROGRA~1\ASUSWI~1\RtWLan.exe [2006-06-16 987136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Matt.MATTSCOMPUTER^Start Menu^Programs^Startup^hamachi.lnk]
C:\Program Files\Hamachi\hamachi.exe  []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="wbsys.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-03 352256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kHAsRIxy]
kHAsRIxy.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
C:\Program Files\AlienGUIse\fastload.dll [2001-12-20 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xneoio]
xneoio32.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WINDOW~4\MpShHook.dll [2006-11-03 83224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati3paxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati8ytxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati3paxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\ati8ytxx.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"AllowLegacyWebView"=
"AllowUnhashedWebView"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\keyclone\keyclone.exe"="C:\Program Files\keyclone\keyclone.exe:*:Enabled:keyclone"
"C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\New Folder\MultiBoxServer.exe"="C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\New Folder\MultiBoxServer.exe:*:Enabled:MultiBoxServer"
"C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\New Folder\MultiBoxClient.exe"="C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\New Folder\MultiBoxClient.exe:*:Enabled:MultiBoxClient"
"C:\Program Files\World of Warcraft\Repair.exe"="C:\Program Files\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe"="C:\Program Files\Sony\Station\LaunchPad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\wowclient-downloader.exe"="C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\Program Files\FrostWire\FrostWire.exe"="C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire"
"C:\My Games\Monopoly 3\Monopoly.exe"="C:\My Games\Monopoly 3\Monopoly.exe:*:Enabled:Monopoly"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Curse\CurseClient.exe"="C:\Program Files\Curse\CurseClient.exe:*:Enabled:Curse Client"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Ventrilo\Ventrilo.exe"="C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-04-07 14:33:08 ----D---- C:\rsit
2009-04-07 14:33:08 ----D---- C:\Program Files\trend micro
2009-04-05 18:20:17 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Trymedia
2009-04-05 18:12:09 ----D---- C:\Documents and Settings\Matt.MATTSCOMPUTER\Application Data\InstallShield Installation Information
2009-04-05 18:12:09 ----D---- C:\Documents and Settings\Matt.MATTSCOMPUTER\Application Data\Firaxis Games
2009-04-05 18:11:38 ----D---- C:\WINDOWS\LastGood
2009-04-05 14:31:44 ----ASH---- C:\BOOT.BAK
2009-04-05 14:31:35 ----D---- C:\$WIN_NT$.~BT
2009-04-05 14:31:20 ----D---- C:\WINDOWS\setupupd
2009-04-05 14:25:55 ----A---- C:\WINDOWS\UPGRADE.TXT
2009-03-31 20:08:01 ----D---- C:\Program Files\Common Files\Stardock
2009-03-31 20:08:01 ----A---- C:\WINDOWS\wb.ini
2009-03-27 06:48:33 ----A---- C:\WINDOWS\wininit.ini
2009-03-20 22:23:01 ----A---- C:\WINDOWS\ODBC.INI
2009-03-17 16:15:14 ----A---- C:\WINDOWS\Sysvxd.exe
2009-03-15 10:10:39 ----D---- C:\WINDOWS\system32\AGEIA
2009-03-15 10:10:39 ----D---- C:\Program Files\AGEIA Technologies
2009-03-15 10:07:37 ----D---- C:\Program Files\SystemRequirementsLab
2009-03-15 10:07:37 ----D---- C:\Documents and Settings\Matt.MATTSCOMPUTER\Application Data\SystemRequirementsLab
2009-03-15 09:46:48 ----A---- C:\WINDOWS\_MSRSTRT.EXE
2009-03-12 03:00:29 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-12 03:00:27 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-12 03:00:22 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-11 18:03:12 ----D---- C:\Program Files\livetvbar
2009-03-11 18:03:11 ----A---- C:\WINDOWS\unins000.exe
2009-03-11 17:50:34 ----D---- C:\Program Files\DivX
2009-03-09 22:50:57 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Digsby
2009-03-09 22:48:52 ----D---- C:\Documents and Settings\Matt.MATTSCOMPUTER\Application Data\Digsby
2009-03-09 22:48:23 ----D---- C:\Program Files\Digsby
2009-03-08 18:40:38 ----A---- C:\WINDOWS\ntbtlog.txt

======List of files/folders modified in the last 1 months======

2009-04-07 14:33:08 ----RD---- C:\Program Files
2009-04-07 02:14:00 ----D---- C:\WINDOWS\Temp
2009-04-07 00:24:31 ----D---- C:\WINDOWS\Prefetch
2009-04-06 14:41:13 ----D---- C:\WINDOWS\system32
2009-04-06 14:41:08 ----D---- C:\WINDOWS\system32\drivers
2009-04-06 14:13:45 ----D---- C:\Program Files\Flock
2009-04-05 18:20:11 ----D---- C:\WINDOWS\system
2009-04-05 18:11:54 ----HD---- C:\WINDOWS\inf
2009-04-05 18:11:38 ----D---- C:\WINDOWS
2009-04-05 18:11:26 ----D---- C:\WINDOWS\system32\DirectX
2009-04-05 18:11:10 ----D---- C:\Program Files\Warhammer
2009-04-05 17:55:08 ----D---- C:\Program Files\Download Manager
2009-04-05 17:55:08 ----D---- C:\Documents and Settings\Matt.MATTSCOMPUTER\Application Data\IGN_DLM
2009-04-05 16:56:34 ----D---- C:\Program Files\Sony
2009-04-05 14:40:51 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-05 14:40:49 ----SD---- C:\WINDOWS\Tasks
2009-04-05 14:38:45 ----RASH---- C:\boot.ini
2009-04-05 14:38:45 ----A---- C:\WINDOWS\win.ini
2009-04-05 14:38:45 ----A---- C:\WINDOWS\system.ini
2009-04-05 14:32:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-03 18:59:25 ----SHD---- C:\WINDOWS\Installer
2009-04-03 18:59:24 ----SHD---- C:\Config.Msi
2009-04-03 18:59:06 ----D---- C:\WINDOWS\WinSxS
2009-03-31 20:09:36 ----D---- C:\Program Files\AlienGUIse
2009-03-31 20:08:01 ----D---- C:\Program Files\Common Files
2009-03-24 06:51:23 ----A---- C:\WINDOWS\RTacDbg.txt
2009-03-21 19:56:06 ----D---- C:\WINDOWS\pss
2009-03-20 22:29:12 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-20 22:22:44 ----RSD---- C:\WINDOWS\Fonts
2009-03-20 22:22:44 ----HD---- C:\WINDOWS\ShellNew
2009-03-20 22:22:33 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2009-03-20 22:22:33 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-20 22:15:08 ----SD---- C:\Documents and Settings\Matt.MATTSCOMPUTER\Application Data\Microsoft
2009-03-20 22:12:49 ----RSD---- C:\WINDOWS\assembly
2009-03-15 10:31:20 ----D---- C:\WINDOWS\nview
2009-03-15 10:28:49 ----D---- C:\WINDOWS\Help
2009-03-15 10:10:34 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-15 10:10:19 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-15 10:09:51 ----D---- C:\NVIDIA
2009-03-15 09:51:32 ----D---- C:\Program Files\Mozilla Firefox
2009-03-15 00:18:42 ----D---- C:\Documents and Settings
2009-03-12 14:33:05 ----HD---- C:\Program Files\InstallShield Installation Information
2009-03-12 03:00:31 ----A---- C:\WINDOWS\imsins.BAK
2009-03-11 18:03:13 ----D---- C:\Program Files\Conduit
2009-03-11 04:44:50 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-08 18:48:19 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-08 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2008-07-08 26824]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2008-04-13 21035]
R2 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-08 76040]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2006-02-28 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2006-02-28 55936]
R3 ADIDTSFiltService;ADI DTS Filter Service; C:\WINDOWS\system32\drivers\adidts.sys [2006-06-15 142464]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-05-02 229376]
R3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-04-26 93824]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-02-28 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-02-18 6308224]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-06-16 176128]
R3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 MCSTRM;MCSTRM; C:\WINDOWS\system32\drivers\MCSTRM.sys []
S3 anfl1ol7;anfl1ol7; C:\WINDOWS\system32\drivers\anfl1ol7.sys []
S3 araefuci;araefuci; \??\C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\glider\araefuci.sys []
S3 frylew;frylew; \??\C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\glider\frylew.sys []
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-06-18 25280]
S3 mbcjww;mbcjww; \??\C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\glider\mbcjww.sys []
S3 psiqudypho;psiqudypho; \??\C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\glider\psiqudypho.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 TIEHDUSB;TIEHDUSB; C:\WINDOWS\system32\drivers\tiehdusb.sys [2004-02-04 49536]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 yrmalj;yrmalj; \??\C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\glider\yrmalj.sys []
S3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\system32\DRIVERS\yk51x86.sys [2006-05-23 245248]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-12-22 152984]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-02-18 163908]
R2 NwSapAgent;SAP Agent; C:\WINDOWS\system32\svchost.exe [2008-12-22 14336]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 avg8emc;AVG8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-08 873752]
S4 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 231192]

-----------------EOF-----------------


log.txt is attached.

Edited by hypnotix00, 07 April 2009 - 01:45 PM.
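The lines a helper reads first in a log like the one above are the hosts-file redirect (O1), the Run entry launching an executable dropped straight into C:\WINDOWS (O4), and the Winlogon Notify DLLs that are registered but no longer on disk (O20). The following Python script is an added example, not part of this thread and not HijackThis code: it parses HijackThis-format lines and applies a few defender-side heuristics. The sample lines are a subset copied from the log posted above; the vendor-domain list, the loopback set and the heuristics themselves are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1576177
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: kHAsRIxy - kHAsRIxy.dll (file missing)
O20 - Winlogon Notify: xneoio - xneoio32.dll (file missing)
"""

# Assumption: domains that a legitimate hosts file should never override.
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com")
# Assumption: addresses that are harmless targets for a hosts-file entry.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Entry:
    section: str                # HJT section tag, e.g. "O4"
    text: str                   # remainder of the line after "O4 - "
    reasons: list[str] = field(default_factory=list)


# "O4 - HKLM\..\Run: [...]"  ->  section "O4", text "HKLM\..\Run: [...]"
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2})\s+-\s+(?P<text>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# An .exe sitting directly in the Windows directory (not in a subfolder).
WINDIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def parse_hjt(log: str) -> list[Entry]:
    """Turn the R*/O* lines of a HijackThis log into Entry objects."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["text"]))
    return entries


def _first_path(cmd: str) -> str:
    """Extract the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _is_vendor_domain(host: str) -> bool:
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in VENDOR_SUFFIXES)


def triage(entries: list[Entry]) -> list[Entry]:
    """Return only the entries that trip one of the heuristics, with reasons."""
    flagged = []
    for e in entries:
        if e.section == "O1":
            m = HOSTS_RE.match(e.text)
            if m and _is_vendor_domain(m["host"]) and m["ip"] not in LOOPBACK:
                e.reasons.append(
                    f"hosts file sends {m['host']} to {m['ip']} instead of the vendor")
        elif e.section == "O4":
            m = RUN_RE.match(e.text)
            if m and WINDIR_EXE_RE.match(_first_path(m["cmd"])):
                e.reasons.append(
                    f"autorun '{m['name']}' launches an .exe placed directly in the Windows directory")
        elif e.section == "O20" and e.text.endswith("(file missing)"):
            e.reasons.append("Winlogon Notify DLL is registered but no longer on disk")
        elif e.section == "R3" and e.text.endswith("(no file)"):
            e.reasons.append("URLSearchHook points to a missing file")
        if e.reasons:
            flagged.append(e)
    return flagged


def triage_log(log: str) -> list[Entry]:
    return triage(parse_hjt(log))


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(f"{entry.section}: {entry.text}")
        for reason in entry.reasons:
            print(f"    -> {reason}")
```

Run it as a script to print the five flagged lines from the sample, or call `triage_log()` on a whole HJT log saved to a file. The heuristics deliberately stay narrow: they flag only what is visibly wrong in the line itself (a vendor domain sent elsewhere, a registered component with no file behind it, an autorun living where applications do not normally install), so the remaining O2/O3 toolbar and O23 service lines still need a human to check the file paths and publishers.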



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:23 PM

Posted 18 April 2009 - 03:56 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE.

Orange Blossom
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 hypnotix00

hypnotix00
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:23 PM

Posted 18 April 2009 - 06:30 PM

I managed to fix the boot error, so now it is just a problem of running certain programs such as Malwarebytes.
I also get random radio playing on my computer. I have narrowed it down to the process iexplore.exe; however, I would like to stop getting these random outbursts as well.

I downloaded and ran Avira AntiVir, and moved all suspicious files to the suggested location, I believe it quarantined most of them.

Here is my updated DDS log

DDS (Ver_09-03-16.01) - NTFSx86  
Run by Matt at 19:24:59.17 on Sat 04/18/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1376 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\AlienGUIse\wbload.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\Program Files\Digsby\lib\digsby-app.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Digsby\lib\aspell\bin\aspell.exe
C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
TB: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: kHAsRIxy - kHAsRIxy.dll
Notify: WB - c:\program files\alienguise\fastload.dll
Notify: xneoio - xneoio32.dll
AppInit_DLLs: wbsys.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt~1.mat\applic~1\mozilla\firefox\profiles\t02ucs1h.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-16 11608]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-16 55640]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-27 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-13 176128]
S3 araefuci;araefuci;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys [?]
S3 frylew;frylew;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys [?]
S3 mbcjww;mbcjww;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys [?]
S3 psiqudypho;psiqudypho;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 yrmalj;yrmalj;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys [?]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-8 873752]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-8 231192]

=============== Created Last 30 ================

2009-04-16 23:03	10,752	a-------	c:\windows\system32\iehelper.dll
2009-04-16 14:23	55,640	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-04-16 14:23	<DIR>	--d-----	c:\program files\Avira
2009-04-16 14:23	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Avira
2009-04-16 03:02	197	a-------	c:\windows\system32\MRT.INI
2009-04-15 00:43	0	a-------	C:\LHT21.tmp
2009-04-14 13:36	<DIR>	--d-----	c:\program files\DNA
2009-04-14 13:36	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\DNA
2009-04-10 12:13	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.thumbnails
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gimp-2.6
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gegl-0.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Gimp-2.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Free Offers from Freeze.com
2009-04-07 14:33	<DIR>	--d-----	c:\program files\trend micro
2009-04-05 18:20	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Trymedia
2009-04-05 18:20	499,712	a-------	c:\windows\system\MSVCP71.DLL
2009-04-05 18:18	348,160	a-------	c:\windows\system\msvcr71.dll
2009-04-05 18:12	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\Firaxis Games
2009-04-05 14:31	450,758	a----r--	C:\txtsetup.sif
2009-04-05 14:31	260,272	a----r--	C:\$LDR$
2009-04-05 14:31	<DIR>	--d-----	C:\$WIN_NT$.~BT
2009-04-05 14:31	<DIR>	--d-----	c:\windows\setupupd
2009-03-31 20:08	56	a-------	c:\windows\wb.ini
2009-03-31 20:08	<DIR>	--d-----	c:\program files\common files\Stardock
2009-03-27 06:48	69	a-------	c:\windows\wininit.ini
2009-03-21 10:06	989,696	-c------	c:\windows\system32\dllcache\kernel32.dll
2009-03-20 22:23	376	a-------	c:\windows\ODBC.INI

==================== Find3M  ====================

2009-03-17 16:15	56,722	a-------	c:\windows\Sysvxd.exe
2009-03-17 14:36	81,408	a-------	c:\documents and settings\matt.mattscomputer\nah_qdgk.exe
2009-03-15 09:46	2,560	a-------	c:\windows\_MSRSTRT.EXE
2009-03-11 18:03	9,590	a-------	c:\windows\unins000.dat
2009-03-11 18:03	674,138	a-------	c:\windows\unins000.exe
2009-03-06 10:22	284,160	a-------	c:\windows\system32\pdh.dll
2009-02-20 04:10	666,112	a-------	c:\windows\system32\wininet.dll
2009-02-20 04:10	81,920	a-------	c:\windows\system32\ieencode.dll
2009-02-16 23:17	453,152	a-------	c:\windows\system32\NVUNINST.EXE
2009-02-09 08:10	729,088	a-------	c:\windows\system32\lsasrv.dll
2009-02-09 08:10	714,752	a-------	c:\windows\system32\ntdll.dll
2009-02-09 08:10	617,472	a-------	c:\windows\system32\advapi32.dll
2009-02-09 08:10	401,408	a-------	c:\windows\system32\rpcss.dll
2009-02-09 07:13	1,846,784	a-------	c:\windows\system32\win32k.sys
2009-02-06 07:11	110,592	a-------	c:\windows\system32\services.exe
2009-02-06 07:06	2,145,280	a-------	c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39	35,328	a-------	c:\windows\system32\sc.exe
2009-02-06 06:32	2,023,936	a-------	c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59	56,832	a-------	c:\windows\system32\secur32.dll
2006-06-23 14:48	32,768	a-------	c:\windows\inf\UpdateUSB.exe

============= FINISH: 19:25:39.76 ===============

Attached is the Attach.txt

I thought my Avira AntiVir log might help aswell:

Avira AntiVir Personal
Report file date: Thursday, April 16, 2009  14:28

Scanning for 1284893 virus strains and unwanted programs.

Licensee		: Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform		: Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode	   : Normally booted
Username		: SYSTEM
Computer name   : MATTSCOMPUTER

Version information:
BUILD.DAT	   : 9.0.0.386	 17962 Bytes   3/11/2009 15:55:00
AVSCAN.EXE	  : 9.0.3.3	  464641 Bytes   2/24/2009 16:13:26
AVSCAN.DLL	  : 9.0.3.0	   40705 Bytes   2/27/2009 14:58:24
LUKE.DLL		: 9.0.3.2	  209665 Bytes   2/20/2009 15:35:49
LUKERES.DLL	 : 9.0.2.0	   12033 Bytes   2/27/2009 14:58:52
ANTIVIR0.VDF	: 7.1.0.0	15603712 Bytes  10/27/2008 16:30:36
ANTIVIR1.VDF	: 7.1.2.12	3336192 Bytes   2/11/2009 00:33:26
ANTIVIR2.VDF	: 7.1.2.105	513536 Bytes	3/3/2009 11:41:14
ANTIVIR3.VDF	: 7.1.2.127	110592 Bytes	3/5/2009 18:58:20
Engineversion   : 8.2.0.100
AEVDF.DLL	   : 8.1.1.0	  106868 Bytes   1/27/2009 21:36:42
AESCRIPT.DLL	: 8.1.1.56	 352634 Bytes   2/27/2009 00:01:56
AESCN.DLL	   : 8.1.1.7	  127347 Bytes   2/12/2009 15:44:25
AERDL.DLL	   : 8.1.1.3	  438645 Bytes  10/29/2008 22:24:41
AEPACK.DLL	  : 8.1.3.10	 397686 Bytes	3/4/2009 17:06:10
AEOFFICE.DLL	: 8.1.0.36	 196987 Bytes   2/27/2009 00:01:56
AEHEUR.DLL	  : 8.1.0.100   1618295 Bytes   2/25/2009 19:49:16
AEHELP.DLL	  : 8.1.2.2	  119158 Bytes   2/27/2009 00:01:56
AEGEN.DLL	   : 8.1.1.24	 336244 Bytes	3/4/2009 17:06:10
AEEMU.DLL	   : 8.1.0.9	  393588 Bytes   10/9/2008 18:32:40
AECORE.DLL	  : 8.1.6.6	  176501 Bytes   2/17/2009 18:22:44
AEBB.DLL		: 8.1.0.3	   53618 Bytes   10/9/2008 18:32:40
AVWINLL.DLL	 : 9.0.0.3	   18177 Bytes  12/12/2008 12:47:59
AVPREF.DLL	  : 9.0.0.1	   43777 Bytes   12/5/2008 14:32:15
AVREP.DLL	   : 8.0.0.3	  155905 Bytes   1/20/2009 18:34:28
AVREG.DLL	   : 9.0.0.0	   36609 Bytes   12/5/2008 14:32:09
AVARKT.DLL	  : 9.0.0.1	  292609 Bytes	2/9/2009 11:52:24
AVEVTLOG.DLL	: 9.0.0.7	  167169 Bytes   1/30/2009 14:37:08
SQLITE3.DLL	 : 3.6.1.0	  326401 Bytes   1/28/2009 19:03:49
SMTPLIB.DLL	 : 9.2.0.25	  28417 Bytes	2/2/2009 12:21:33
NETNT.DLL	   : 9.0.0.0	   11521 Bytes   12/5/2008 14:32:10
RCIMAGE.DLL	 : 9.0.0.21	2438401 Bytes	2/9/2009 15:45:45
RCTEXT.DLL	  : 9.0.35.0	  87297 Bytes   3/11/2009 19:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, 
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Thursday, April 16, 2009  14:28

Initiating scan of system files:
Signed -> 'C:\WINDOWS\system32\svchost.exe'
Signed -> 'C:\WINDOWS\system32\winlogon.exe'
Signed -> 'C:\WINDOWS\explorer.exe'
Signed -> 'C:\WINDOWS\system32\smss.exe'
Signed -> 'C:\WINDOWS\system32\wininet.DLL'
Signed -> 'C:\WINDOWS\system32\wsock32.DLL'
Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'
Signed -> 'C:\WINDOWS\system32\services.exe'
Signed -> 'C:\WINDOWS\system32\lsass.exe'
Signed -> 'C:\WINDOWS\system32\csrss.exe'
Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'
Signed -> 'C:\WINDOWS\system32\spoolsv.exe'
Signed -> 'C:\WINDOWS\system32\alg.exe'
Signed -> 'C:\WINDOWS\system32\wuauclt.exe'
Signed -> 'C:\WINDOWS\system32\advapi32.DLL'
Signed -> 'C:\WINDOWS\system32\user32.DLL'
Signed -> 'C:\WINDOWS\system32\gdi32.DLL'
Signed -> 'C:\WINDOWS\system32\kernel32.DLL'
Signed -> 'C:\WINDOWS\system32\ntdll.DLL'
Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'
Signed -> 'C:\WINDOWS\system32\ctfmon.exe'
The system files were scanned ('21' files)

Starting search for hidden objects.
c:\windows\temp\uac7a85.tmp
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4a4a9294.qua'  ( QUARANTINE )
c:\windows\temp\uacad5d.tmp
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4360d175.qua'  ( QUARANTINE )
c:\windows\system32\uacinit.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e29016d.qua'  ( QUARANTINE )
c:\windows\system32\uacjkcdihrs.dat
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e2f294d.qua'  ( QUARANTINE )
c:\windows\system32\uaclyaisjko.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e2d712d.qua'  ( QUARANTINE )
c:\windows\system32\uacnevsswex.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e20990d.qua'  ( QUARANTINE )
c:\windows\system32\uacobxymyvf.db
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e26a1ed.qua'  ( QUARANTINE )
c:\windows\system32\uacruwpathw.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e24c9cd.qua'  ( QUARANTINE )
c:\windows\system32\uacrxlipftb.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e3a11ad.qua'  ( QUARANTINE )
c:\windows\system32\uactbicagjk.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4e3b1995.qua'  ( QUARANTINE )
c:\windows\system32\uactmp.db
	[INFO]	  The file is not visible.
	[DETECTION] Contains HEUR/HTML.Malware suspicious code
	[INFO]	  No SpecVir entry was found!
	[NOTE]	  A backup was created as '4c2db6c5.qua'  ( QUARANTINE )
c:\windows\system32\uacxpinwodp.log
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4a4a9295.qua'  ( QUARANTINE )
c:\windows\system32\uacxsxidvra.dll
	[INFO]	  The file is not visible.
	[DETECTION] Is the TR/PCK.Tdss.F.264 Trojan
	[INFO]	  No SpecVir entry was found!
	[NOTE]	  A backup was created as '4c21e686.qua'  ( QUARANTINE )
c:\windows\system32\drivers\uacbctewxrb.sys
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4c270966.qua'  ( QUARANTINE )
c:\documents and settings\matt.mattscomputer\local settings\temp\uac415b.tmp
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4a4a9296.qua'  ( QUARANTINE )
c:\documents and settings\matt.mattscomputer\local settings\temp\nsba91.tmp\uac.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4c3b7927.qua'  ( QUARANTINE )
c:\documents and settings\matt.mattscomputer\local settings\temp\nse14.tmp\uac.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4c3e8107.qua'  ( QUARANTINE )
c:\documents and settings\matt.mattscomputer\local settings\temp\nsk48.tmp\uac.dll
	[INFO]	  The file is not visible.
	[NOTE]	  A backup was created as '4c3ca9e7.qua'  ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\modules
	[INFO]	  The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\start
	[INFO]	  The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\type
	[INFO]	  The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\imagepath
	[INFO]	  The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\group
	[INFO]	  The registry entry is invisible.
'69961' objects were checked, '23' hidden objects were found.

The scan of running processes will be started
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ScanningProcess.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'aspell.exe' - '1' Module(s) have been scanned
Scan process 'Wow.exe' - '1' Module(s) have been scanned
Scan process 'jucheck.exe' - '1' Module(s) have been scanned
Scan process 'digsby-app.exe' - '1' Module(s) have been scanned
Scan process 'flock.exe' - '1' Module(s) have been scanned
Scan process 'aolsoftware.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LCDMedia.exe' - '1' Module(s) have been scanned
Scan process 'LCDPop3.exe' - '1' Module(s) have been scanned
Scan process 'LCDClock.exe' - '1' Module(s) have been scanned
Scan process 'btdna.exe' - '1' Module(s) have been scanned
Scan process 'aim6.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LGDCore.exe' - '1' Module(s) have been scanned
Scan process 'LCDMon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'SMax4.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wbload.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'MsMpEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

50 processes with 50 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '57' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\ekejy.exe
	[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
C:\pagefile.sys
	[WARNING]   The file could not be opened!
	[NOTE]	  This file is a Windows system file.
	[NOTE]	  This file cannot be opened for scanning.
C:\Documents and Settings\Matt.MATTSCOMPUTER\Local Settings\Temp\prun.tmp
	[DETECTION] Is the TR/Click.VB.cqq Trojan
C:\Documents and Settings\Matt.MATTSCOMPUTER\Local Settings\Temp\xcanmresow.tmp
	[DETECTION] Is the TR/Click.VB.cqq Trojan
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\Arctic Monkeys - Only Ones Who Know.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\bigger boys stolen sweetha.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\Bloc Party - Waiting For The 718.wma
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\do it all night cataldo.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\Everquest Titanium Edition.zip
  [0] Archive type: ZIP
	--> Setup.exe
	  [DETECTION] Is the TR/Crypt.CFI.Gen Trojan
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\here come warm jets brian eno .wma
	[DETECTION] Is the TR/Dldr.WMA.Wimad.N.3 Trojan
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\longing lili haydn.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\lying awake adrenaline.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\teardrop massive attack.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
C:\WINDOWS\SoftwareDistribution\Download\18747efdf3e3ba8f4180857f6841477d\BIT3.tmp
  [0] Archive type: CAB (Microsoft)
	--> nv3dFIN.chm
	  [WARNING]   No further files can be extracted from this archive. The archive will be closed
	[WARNING]   No further files can be extracted from this archive. The archive will be closed
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LTQJ9EQ6\us1[1].exe
	[DETECTION] Is the TR/FraudPack.igs Trojan
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SP857VOH\us1[1].exe
	[DETECTION] Is the TR/FraudPack.igs Trojan
C:\WINDOWS\system32\drivers\sptd.sys
	[WARNING]   The file could not be opened!

Beginning disinfection:
C:\ekejy.exe
	[DETECTION] Is the TR/Crypt.ULPM.Gen Trojan
	[NOTE]	  The file was moved to '4a4cba0b.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\Local Settings\Temp\prun.tmp
	[DETECTION] Is the TR/Click.VB.cqq Trojan
	[NOTE]	  The file was moved to '4a5cba12.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\Local Settings\Temp\xcanmresow.tmp
	[DETECTION] Is the TR/Click.VB.cqq Trojan
	[NOTE]	  The file was moved to '4a48ba03.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\Arctic Monkeys - Only Ones Who Know.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a4aba13.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\bigger boys stolen sweetha.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a4eba0a.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\Bloc Party - Waiting For The 718.wma
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a56ba0e.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\do it all night cataldo.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a07ba12.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\Everquest Titanium Edition.zip
	[NOTE]	  The file was moved to '4a4cba1b.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\here come warm jets brian eno .wma
	[DETECTION] Is the TR/Dldr.WMA.Wimad.N.3 Trojan
	[NOTE]	  The file was moved to '4a59ba0a.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\longing lili haydn.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a55ba15.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\lying awake adrenaline.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a50ba21.qua'!
C:\Documents and Settings\Matt.MATTSCOMPUTER\My Documents\FrostWire\Saved\teardrop massive attack.mp3
	[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
	[NOTE]	  The file was moved to '4a48ba0e.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LTQJ9EQ6\us1[1].exe
	[DETECTION] Is the TR/FraudPack.igs Trojan
	[NOTE]	  The file was moved to '4a18ba1e.qua'!
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SP857VOH\us1[1].exe
	[DETECTION] Is the TR/FraudPack.igs Trojan
	[NOTE]	  The file was moved to '4e478197.qua'!


End of the scan: Thursday, April 16, 2009  19:05
Used time:  3:31:15 Hour(s)

The scan has been done completely.

  12223 Scanned directories
 630800 Files were scanned
	 15 Viruses and/or unwanted programs were found
	  1 Files were classified as suspicious
	  0 files were deleted
	  0 Viruses and unwanted programs were repaired
	 32 Files were moved to quarantine
	  0 Files were renamed
	  2 Files cannot be scanned
 630782 Files not concerned
   4043 Archives were scanned
	  4 Warnings
	 33 Notes
  69961 Objects were scanned with rootkit scan
	 23 Hidden objects were found

Edited by hypnotix00, 18 April 2009 - 06:34 PM.

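Reading the persistence entries in the DDS report above by hand is error-prone, so here is an added example (not part of the original post, and not DDS or any BleepingComputer tool) that scans such lines for the patterns that stand out in this log: a Winlogon Notify package given as a bare DLL name with no path (kHAsRIxy.dll, xneoio32.dll), an AppInit_DLLs entry, the NoFolderOptions and DisableRegistryTools policies, a BHO with no display name, and drivers registered from a folder on the user's Desktop whose files DDS could not read (the `[?]` marker). The rules, the severities, and the constructed sample lines are assumptions of this example.

```python
"""Added triage example for DDS/HJT-style persistence lines.

Looks for the patterns visible in the log above: Winlogon Notify packages
given as a bare DLL name, AppInit_DLLs, registry policies that lock the user
out of regedit/Folder Options, BHOs without a display name, and drivers whose
image lives in a user profile or could not be found. The rules, severities
and sample lines are this example's own assumptions, not DDS output logic.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")

NOTIFY_RE = re.compile(r"^Notify:\s+(?P<name>\S+)\s+-\s+(?P<dll>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<dlls>\S.*)$")
POLICY_RE = re.compile(r"^dPolicies-\w+:\s+(?P<key>\w+)\s*=\s*(?P<val>\d+)")
BHO_RE = re.compile(r"^BHO:\s*(?P<name>.*?):?\s*\{(?P<clsid>[^}]+)\}\s+-\s+(?P<dll>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)"
    r"(?:\s+\[(?P<meta>[^\]]*)\])?$"
)

# Policies that hide Folder Options / block regedit; on a home PC these are
# set by malware far more often than by an administrator (assumption).
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr", "DisableCMD"}
USER_PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")

# Constructed sample: lines copied in shape from the DDS report above.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: kHAsRIxy - kHAsRIxy.dll
Notify: xneoio - xneoio32.dll
AppInit_DLLs: wbsys.dll
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-16 11608]
S3 araefuci;araefuci;\??\c:\documents and settings\matt\desktop\glider\araefuci.sys --> c:\documents and settings\matt\desktop\glider\araefuci.sys [?]
"""


def triage_line(line):
    """Return the Findings for one DDS line (empty list if nothing stands out)."""
    line = line.strip()
    out = []

    m = NOTIFY_RE.match(line)
    if m and "\\" not in m.group("dll"):
        # Winlogon notification packages load inside winlogon.exe at every
        # logon; a bare file name is resolved from the system directory and
        # carries no vendor path that would vouch for it.
        out.append(Finding("HIGH", "winlogon-notify-bare-dll", line))

    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is injected into every user32-linked process, so any
        # entry deserves a look; it has legitimate users (e.g. WindowBlinds).
        out.append(Finding("MEDIUM", "appinit-dll-present", line))

    m = POLICY_RE.match(line)
    if m and m.group("key") in LOCKDOWN_POLICIES and m.group("val") != "0":
        out.append(Finding("MEDIUM", "policy-lockdown", line))

    m = BHO_RE.match(line)
    if m and m.group("name").strip().lower() in ("", "bho"):
        out.append(Finding("MEDIUM", "bho-without-display-name", line))

    m = SERVICE_RE.match(line)
    if m:
        image = m.group("image").lower()
        if m.group("meta") == "?":
            out.append(Finding("HIGH", "driver-file-missing-or-unreadable", line))
        if any(d in image for d in USER_PROFILE_DIRS):
            out.append(Finding("HIGH", "driver-loaded-from-user-profile", line))
    return out


def triage(report_text):
    """Run triage_line over every line of a DDS report."""
    findings = []
    for line in report_text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:36} {f.line[:70]}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every rule is a review prompt rather than a verdict: wbsys.dll in AppInit_DLLs is the Stardock WindowBlinds hook that AlienGUIse installs (both show up elsewhere in the log), and the SUPERAntiSpyware Notify entry passes untouched because it names a full path under Program Files. The two bare-name Notify DLLs are what a helper would ask about first, since winlogon.exe loads them before any user's shell starts, which also fits the black-screen-after-logo symptom described at the top of the thread.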

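The Avira "hidden objects" section above is the more telling half of that post: it lists files the scanner could only see by going around the normal file API, nearly all of them named uac*, plus Services\UACd.sys registry values it could not read through the registry API, and it labels one of those DLLs TR/PCK.Tdss. The following added example (not part of the original post, and not Avira code) parses that section into records and groups the hidden files by filename prefix, so the family shows up as one cluster next to the hidden service name. The sample report is constructed from a few entries of the log above; grouping on a three-character prefix is this example's own heuristic.

```python
"""Added example: parse the 'hidden objects' section of an Avira AntiVir
report (the shape shown in the log above) and group what the rootkit scan
found. The prefix-grouping heuristic and the sample report are this
example's assumptions, not Avira's documented output format."""
import re
from collections import defaultdict

TAG_RE = re.compile(r"^\s+\[(?P<tag>[A-Z]+)\]\s+(?P<msg>.+)$")
QUARANTINE_RE = re.compile(r"'(?P<qid>[0-9a-f]+\.qua)'")
SIGNATURE_RE = re.compile(r"(?P<sig>[A-Z]{2,5}/[\w.\-]+)")   # TR/..., HEUR/..., EXP/...
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\", re.I)

# Constructed sample: a subset of the hidden-object entries from the log above.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
c:\windows\temp\uac7a85.tmp
    [INFO]    The file is not visible.
    [NOTE]    A backup was created as '4a4a9294.qua'  ( QUARANTINE )
c:\windows\system32\uacinit.dll
    [INFO]    The file is not visible.
    [NOTE]    A backup was created as '4e29016d.qua'  ( QUARANTINE )
c:\windows\system32\uacxsxidvra.dll
    [INFO]    The file is not visible.
    [DETECTION] Is the TR/PCK.Tdss.F.264 Trojan
    [INFO]    No SpecVir entry was found!
    [NOTE]    A backup was created as '4c21e686.qua'  ( QUARANTINE )
c:\windows\system32\drivers\uacbctewxrb.sys
    [INFO]    The file is not visible.
    [NOTE]    A backup was created as '4c270966.qua'  ( QUARANTINE )
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\imagepath
    [INFO]    The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet003\Services\UACd.sys\start
    [INFO]    The registry entry is invisible.
'69961' objects were checked, '6' hidden objects were found.
"""


def parse_hidden_objects(report_text):
    """Return one dict per object listed between 'Starting search for hidden
    objects.' and the '... hidden objects were found.' count line."""
    objects, current, in_section = [], None, False
    for raw in report_text.splitlines():
        line = raw.rstrip()
        if line.startswith("Starting search for hidden objects"):
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        if "hidden objects were found" in line:
            break
        tag = TAG_RE.match(line)
        if tag:
            if current is None:
                continue  # tag line before any object: nothing to attach it to
            kind, msg = tag.group("tag"), tag.group("msg")
            if kind == "INFO" and ("not visible" in msg or "invisible" in msg):
                current["hidden"] = True
            elif kind == "DETECTION":
                m = SIGNATURE_RE.search(msg)
                current["detection"] = m.group("sig") if m else msg
            elif kind == "NOTE":
                m = QUARANTINE_RE.search(msg)
                if m:
                    current["quarantine"] = m.group("qid")
            continue
        # Any non-indented line starts a new object: a file path or a registry key.
        current = {
            "path": line,
            "kind": "registry" if line.upper().startswith("HKEY_") else "file",
            "hidden": False,
            "detection": None,
            "quarantine": None,
        }
        objects.append(current)
    return objects


def group_hidden_files(objects, prefix_len=3):
    """Cluster hidden files by the first characters of their file name.
    Rootkits that drop many hidden files tend to share a short prefix, which
    is why twenty uac* files read as one family rather than twenty findings."""
    families = defaultdict(list)
    for o in objects:
        if o["kind"] == "file" and o["hidden"]:
            name = o["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            families[name[:prefix_len]].append(o["path"])
    return dict(families)


def hidden_services(objects):
    """Service names whose registry values the scanner could not see normally."""
    names = set()
    for o in objects:
        if o["kind"] == "registry" and o["hidden"]:
            m = SERVICE_KEY_RE.search(o["path"])
            if m:
                names.add(m.group("svc"))
    return names


if __name__ == "__main__":
    objs = parse_hidden_objects(SAMPLE_REPORT)
    print(len(objs), "hidden objects")
    for prefix, paths in group_hidden_files(objs).items():
        print(f"family '{prefix}*': {len(paths)} hidden files")
    print("hidden service keys:", sorted(hidden_services(objs)))
```

The point of the grouping is triage order: a hidden kernel driver (the .sys under drivers\) with a hidden service key is the component that survives reboots and hides the rest, so quarantining the user-mode uac*.dll files, as this scan did, is not the same as removing the infection. That is also consistent with the next posts, where the machine keeps behaving as if something is still interfering with the cleanup tools.
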
#4 Blade81 (Malware Response Team)

Posted 19 April 2009 - 06:01 AM

Hi hypnotix00,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 hypnotix00 (Topic Starter)

Posted 19 April 2009 - 11:42 AM

It appears that ComboFix is another one of the programs that I am unable to run.

I was following your guide explicitly and got to the point where it said:

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.


After hitting the run button, I see the hourglass on my mouse for a fraction of a second, then it goes away, leaving me with no windows on my desktop, as if the program had never run.

#6 hypnotix00 (Topic Starter)

Posted 19 April 2009 - 11:47 AM

Here is the DDS log you requested:

DDS (Ver_09-03-16.01) - NTFSx86  
Run by Matt at 12:45:11.20 on Sun 04/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1347 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\AlienGUIse\wbload.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Digsby\lib\digsby-app.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
TB: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: kHAsRIxy - kHAsRIxy.dll
Notify: WB - c:\program files\alienguise\fastload.dll
Notify: xneoio - xneoio32.dll
AppInit_DLLs: wbsys.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt~1.mat\applic~1\mozilla\firefox\profiles\t02ucs1h.default\
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-16 11608]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-16 55640]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-27 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-13 176128]
S3 araefuci;araefuci;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys [?]
S3 frylew;frylew;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys [?]
S3 mbcjww;mbcjww;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys [?]
S3 psiqudypho;psiqudypho;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 yrmalj;yrmalj;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys [?]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-8 873752]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-8 231192]

=============== Created Last 30 ================

2009-04-16 23:03	10,752	a-------	c:\windows\system32\iehelper.dll
2009-04-16 14:23	55,640	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-04-16 14:23	<DIR>	--d-----	c:\program files\Avira
2009-04-16 14:23	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Avira
2009-04-16 03:02	197	a-------	c:\windows\system32\MRT.INI
2009-04-15 00:43	0	a-------	C:\LHT21.tmp
2009-04-14 13:36	<DIR>	--d-----	c:\program files\DNA
2009-04-14 13:36	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\DNA
2009-04-10 12:13	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.thumbnails
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gimp-2.6
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gegl-0.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Gimp-2.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Free Offers from Freeze.com
2009-04-07 14:33	<DIR>	--d-----	c:\program files\trend micro
2009-04-05 18:20	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Trymedia
2009-04-05 18:20	499,712	a-------	c:\windows\system\MSVCP71.DLL
2009-04-05 18:18	348,160	a-------	c:\windows\system\msvcr71.dll
2009-04-05 18:12	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\Firaxis Games
2009-04-05 14:31	450,758	a----r--	C:\txtsetup.sif
2009-04-05 14:31	260,272	a----r--	C:\$LDR$
2009-04-05 14:31	<DIR>	--d-----	C:\$WIN_NT$.~BT
2009-04-05 14:31	<DIR>	--d-----	c:\windows\setupupd
2009-03-31 20:08	56	a-------	c:\windows\wb.ini
2009-03-31 20:08	<DIR>	--d-----	c:\program files\common files\Stardock
2009-03-27 06:48	69	a-------	c:\windows\wininit.ini
2009-03-21 10:06	989,696	-c------	c:\windows\system32\dllcache\kernel32.dll
2009-03-20 22:23	376	a-------	c:\windows\ODBC.INI

==================== Find3M  ====================

2009-03-17 16:15	56,722	a-------	c:\windows\Sysvxd.exe
2009-03-17 14:36	81,408	a-------	c:\documents and settings\matt.mattscomputer\nah_qdgk.exe
2009-03-15 09:46	2,560	a-------	c:\windows\_MSRSTRT.EXE
2009-03-11 18:03	9,590	a-------	c:\windows\unins000.dat
2009-03-11 18:03	674,138	a-------	c:\windows\unins000.exe
2009-03-06 10:22	284,160	a-------	c:\windows\system32\pdh.dll
2009-02-20 04:10	666,112	a-------	c:\windows\system32\wininet.dll
2009-02-20 04:10	81,920	a-------	c:\windows\system32\ieencode.dll
2009-02-16 23:17	453,152	a-------	c:\windows\system32\NVUNINST.EXE
2009-02-09 08:10	729,088	a-------	c:\windows\system32\lsasrv.dll
2009-02-09 08:10	714,752	a-------	c:\windows\system32\ntdll.dll
2009-02-09 08:10	617,472	a-------	c:\windows\system32\advapi32.dll
2009-02-09 08:10	401,408	a-------	c:\windows\system32\rpcss.dll
2009-02-09 07:13	1,846,784	a-------	c:\windows\system32\win32k.sys
2009-02-06 07:11	110,592	a-------	c:\windows\system32\services.exe
2009-02-06 07:06	2,145,280	a-------	c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39	35,328	a-------	c:\windows\system32\sc.exe
2009-02-06 06:32	2,023,936	a-------	c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59	56,832	a-------	c:\windows\system32\secur32.dll
2006-06-23 14:48	32,768	a-------	c:\windows\inf\UpdateUSB.exe

============= FINISH: 12:45:46.96 ===============

And the attach log that came with it:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/14/2008 1:02:00 AM
System Uptime: 4/18/2009 7:06:06 PM (17 hours ago)

Motherboard: ASUSTeK Computer INC. |  | P5B-Deluxe
Processor: Intel(R) Core(TM)2 CPU		  6700  @ 2.66GHz | LGA 775 | 2666/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 27.381 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&24CAFEBD&0&00E5
Manufacturer: Marvell
Name: Marvell Yukon 88E8056 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4364&SUBSYS_81F81043&REV_12\4&24CAFEBD&0&00E5
Service: yukonwxp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&1FAF5EA3&0&20F0
Manufacturer: Marvell
Name: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4320&SUBSYS_811A1043&REV_13\4&1FAF5EA3&0&20F0
Service: yukonwxp

Class GUID: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Description: ANFL1OL7 IDE Controller
Device ID: ACPI\PNPA000\4&5D18F2DF&0
Manufacturer: Unknown Manufacturer
Name: ANFL1OL7 IDE Controller
PNP Device ID: ACPI\PNPA000\4&5D18F2DF&0
Service: azkc0em1

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: MCSTRM
Device ID: ROOT\LEGACY_MCSTRM\0000
Manufacturer: 
Name: MCSTRM
PNP Device ID: ROOT\LEGACY_MCSTRM\0000
Service: MCSTRM

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Hamachi Network Interface
Device ID: ROOT\NET\0000
Manufacturer: LogMeIn, Inc.
Name: Hamachi Network Interface
PNP Device ID: ROOT\NET\0000
Service: hamachi

==== System Restore Points ===================

RP272: 1/19/2009 9:46:29 PM - Software Distribution Service 3.0
RP273: 1/21/2009 12:07:05 AM - System Checkpoint
RP274: 1/22/2009 8:54:57 AM - Matt Set 1
RP275: 1/23/2009 1:43:09 AM - Software Distribution Service 3.0
RP276: 1/24/2009 5:05:29 AM - System Checkpoint
RP277: 1/25/2009 6:05:30 AM - System Checkpoint
RP278: 1/26/2009 3:06:15 PM - System Checkpoint
RP279: 1/27/2009 4:23:57 AM - Software Distribution Service 3.0
RP280: 1/28/2009 5:35:53 AM - System Checkpoint
RP281: 1/29/2009 5:43:37 AM - System Checkpoint
RP282: 1/29/2009 6:53:55 PM - Software Distribution Service 3.0
RP283: 1/30/2009 7:16:09 PM - System Checkpoint
RP284: 1/31/2009 8:16:09 PM - System Checkpoint
RP285: 2/1/2009 11:05:39 PM - System Checkpoint
RP286: 2/2/2009 10:01:39 PM - Software Distribution Service 3.0
RP287: 2/4/2009 1:55:42 AM - System Checkpoint
RP288: 2/5/2009 2:12:25 AM - System Checkpoint
RP289: 2/6/2009 3:52:32 AM - Software Distribution Service 3.0
RP290: 2/8/2009 1:17:35 AM - System Checkpoint
RP291: 2/9/2009 1:50:52 AM - System Checkpoint
RP292: 2/9/2009 10:43:00 AM - Software Distribution Service 3.0
RP293: 2/10/2009 12:39:01 PM - System Checkpoint
RP294: 2/11/2009 1:03:01 PM - System Checkpoint
RP295: 2/12/2009 3:00:14 AM - Software Distribution Service 3.0
RP296: 2/13/2009 4:20:15 AM - System Checkpoint
RP297: 2/14/2009 7:50:59 AM - System Checkpoint
RP298: 2/15/2009 10:30:00 AM - System Checkpoint
RP299: 2/16/2009 3:07:31 PM - System Checkpoint
RP300: 2/17/2009 12:33:42 AM - Software Distribution Service 3.0
RP301: 2/17/2009 4:13:19 AM - Software Distribution Service 3.0
RP302: 2/18/2009 5:32:18 PM - System Checkpoint
RP303: 2/19/2009 10:36:25 AM - Software Distribution Service 3.0
RP304: 2/20/2009 10:40:14 AM - System Checkpoint
RP305: 2/21/2009 11:05:39 AM - System Checkpoint
RP306: 2/22/2009 11:17:40 AM - System Checkpoint
RP307: 2/23/2009 12:05:40 PM - System Checkpoint
RP308: 2/23/2009 12:16:14 PM - Software Distribution Service 3.0
RP309: 2/24/2009 1:05:41 PM - System Checkpoint
RP310: 2/25/2009 2:05:40 PM - System Checkpoint
RP311: 2/26/2009 3:00:12 AM - Software Distribution Service 3.0
RP312: 2/26/2009 6:33:55 PM - Software Distribution Service 3.0
RP313: 2/26/2009 10:07:31 PM - Installed Station Launcher
RP314: 2/28/2009 11:45:56 AM - System Checkpoint
RP315: 3/1/2009 4:51:15 PM - System Checkpoint
RP316: 3/2/2009 6:09:18 PM - System Checkpoint
RP317: 3/2/2009 7:12:14 PM - Software Distribution Service 3.0
RP318: 3/3/2009 7:59:48 PM - System Checkpoint
RP319: 3/4/2009 8:26:42 PM - System Checkpoint
RP320: 3/5/2009 8:54:33 PM - System Checkpoint
RP321: 3/6/2009 5:54:41 AM - Software Distribution Service 3.0
RP322: 3/7/2009 7:00:09 AM - System Checkpoint
RP323: 3/12/2009 2:21:53 AM - System Checkpoint
RP324: 3/12/2009 1:32:38 PM - Installed Station Launcher
RP325: 3/12/2009 1:32:52 PM - Removed Station Launcher
RP326: 3/12/2009 1:33:05 PM - Installed Station Launcher
RP327: 3/15/2009 11:13:15 AM - System Checkpoint
RP328: 3/16/2009 3:41:03 PM - System Checkpoint
RP329: 4/5/2009 6:11:26 PM - Installed DirectX
RP330: 4/5/2009 6:12:09 PM - Installed Sid Meier's Civilization 4
RP331: 4/6/2009 10:53:20 PM - System Checkpoint
RP332: 4/7/2009 12:24:26 AM - Software Distribution Service 3.0
RP333: 4/8/2009 1:29:32 AM - System Checkpoint
RP334: 4/9/2009 2:01:05 AM - System Checkpoint
RP335: 4/10/2009 3:01:06 AM - System Checkpoint
RP336: 4/11/2009 4:01:06 AM - System Checkpoint
RP337: 4/12/2009 4:01:33 AM - System Checkpoint
RP338: 4/13/2009 6:05:33 AM - System Checkpoint
RP339: 4/13/2009 2:15:31 PM - Software Distribution Service 3.0
RP340: 4/14/2009 1:13:12 PM - Installed EverQuest Titanium
RP341: 4/16/2009 2:22:43 PM - Avira AntiVir Personal - 4/16/2009 14:22
RP342: 4/19/2009 2:32:10 AM - System Checkpoint

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AIM 6
AIM Search
AlienGUIse Theme Manager
Apple Mobile Device Support
Apple Software Update
ASUS WiFi-AP Solo
AVG Free 8.0
Avira AntiVir Personal - Free Antivirus
Bonjour
Cheat Engine 5.1.1
Digsby
DivX Web Player
DNA
Download Manager 2.3.7
Flock (2.0.3)
FrostWire 4.17.2
Gimp 2.6.2 Debug
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 7
JRAID
LIVETV4PC
livetvbar Toolbar
Logitech GamePanel Software 2.02
Marvell Miniport Driver
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Excel Viewer 2003
Microsoft Office Standard Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Mozilla Firefox (3.0.8)
NVIDIA Drivers
NVIDIA PhysX
QuickTime
Recuva (remove only)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Sid Meier's Civilization 4
SoundMAX
Station Launcher
SUPERAntiSpyware Free Edition
System Requirements Lab
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
WebFldrs XP
Windows Defender
Windows Genuine Advantage Validation Tool (KB892130)
Windows XP Service Pack 3
WinRAR archiver
World of Warcraft

==== Event Viewer Messages From Past Week ========

4/18/2009 7:07:05 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.102 for the Network Card with network address 0015AF03B399 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/16/2009 11:11:49 PM, error: Service Control Manager [7031]  - The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
4/14/2009 1:27:50 PM, error: SideBySide [59]  - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
4/14/2009 1:27:50 PM, error: SideBySide [59]  - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgoff2k.dll. Reference error message: The operation completed successfully. .
4/14/2009 1:27:50 PM, error: SideBySide [32]  - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
4/12/2009 6:50:00 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.100 for the Network Card with network address 0015AF03B399 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
4/12/2009 12:05:10 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.103 for the Network Card with network address 0015AF03B399 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


#7 Blade81 (Bleepin' Rocker, Malware Response Team)

Posted 19 April 2009 - 01:09 PM

Hi

Please rename the ComboFix.exe file to CombFxx.exe and try running it again. Post back its log and the dds.txt log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#8 hypnotix00 (Topic Starter)

Posted 19 April 2009 - 03:29 PM

Here is the ComboFix log. I had a couple of problems while running the program. First, it said that I had rootkits and the computer needed to restart. I wrote them down and they were:

system32\drivers\UACbctewxrb.sys
system32\UACnevsswex.dll
system32\UACjkcdihrs.dll
system32\UACruwpathw.dll
system32\UACrxlipftb.dll
system32\UACobxymyvg.dll
system32\UACxsxidvra.dll
system32\UAClyaisjko.dll
system32\UACxpinwodp.log
system32\UACxrldkryc.log
system32\UACxqecqfox.log
system32\UACbticagjk.dll

Also, multiple times during the scan, I got a "bleep" dialog box and had to hit OK to close it.

Anyway, here are the logs:
Combofix

path=c:\documents and settings\Matt.MATTSCOMPUTER\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 araefuci;araefuci; [x]
R3 frylew;frylew; [x]
R3 mbcjww;mbcjww; [x]
R3 psiqudypho;psiqudypho; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R3 yrmalj;yrmalj; [x]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-08 873752]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 231192]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-07-08 96520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2008-07-08 76040]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-12-23 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2006-06-16 176128]

.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
Notify-kHAsRIxy - kHAsRIxy.dll
Notify-xneoio - xneoio32.dll
SafeBoot-ati3paxx.sys
SafeBoot-ati8ytxx.sys

DDS
DDS (Ver_09-03-16.01) - NTFSx86  
Run by Matt at 16:28:43.78 on Sun 04/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1604 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
TB: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt~1.mat\applic~1\mozilla\firefox\profiles\t02ucs1h.default\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-16 11608]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 96520]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-27 26824]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-16 55640]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-27 76040]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-13 176128]
S3 araefuci;araefuci;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys [?]
S3 frylew;frylew;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys [?]
S3 mbcjww;mbcjww;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys [?]
S3 psiqudypho;psiqudypho;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 yrmalj;yrmalj;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys [?]
S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-8 873752]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-8 231192]

=============== Created Last 30 ================

2009-04-19 16:06	<DIR>	a-dshr--	C:\cmdcons
2009-04-19 16:05	161,792	a-------	c:\windows\SWREG.exe
2009-04-19 16:05	98,816	a-------	c:\windows\sed.exe
2009-04-16 14:23	55,640	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-04-16 14:23	<DIR>	--d-----	c:\program files\Avira
2009-04-16 14:23	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Avira
2009-04-16 03:02	197	a-------	c:\windows\system32\MRT.INI
2009-04-15 00:43	0	a-------	C:\LHT21.tmp
2009-04-14 13:36	<DIR>	--d-----	c:\program files\DNA
2009-04-14 13:36	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\DNA
2009-04-10 12:13	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.thumbnails
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gimp-2.6
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gegl-0.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Gimp-2.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Free Offers from Freeze.com
2009-04-07 14:33	<DIR>	--d-----	c:\program files\trend micro
2009-04-05 18:20	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Trymedia
2009-04-05 18:20	499,712	a-------	c:\windows\system\MSVCP71.DLL
2009-04-05 18:18	348,160	a-------	c:\windows\system\msvcr71.dll
2009-04-05 18:12	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\Firaxis Games
2009-04-05 14:31	450,758	a----r--	C:\txtsetup.sif
2009-04-05 14:31	260,272	a----r--	C:\$LDR$
2009-04-05 14:31	<DIR>	--d-----	C:\$WIN_NT$.~BT
2009-04-05 14:31	<DIR>	--d-----	c:\windows\setupupd
2009-03-31 20:08	56	a-------	c:\windows\wb.ini
2009-03-31 20:08	<DIR>	--d-----	c:\program files\common files\Stardock
2009-03-27 06:48	69	a-------	c:\windows\wininit.ini
2009-03-21 10:06	989,696	-c------	c:\windows\system32\dllcache\kernel32.dll
2009-03-20 22:23	376	a-------	c:\windows\ODBC.INI

==================== Find3M  ====================

2009-04-19 04:27	5,246	a-------	c:\windows\system32\uacinit.dll
2009-03-17 16:15	56,722	a-------	c:\windows\Sysvxd.exe
2009-03-17 14:36	81,408	a-------	c:\documents and settings\matt.mattscomputer\nah_qdgk.exe
2009-03-15 09:46	2,560	a-------	c:\windows\_MSRSTRT.EXE
2009-03-11 18:03	9,590	a-------	c:\windows\unins000.dat
2009-03-11 18:03	674,138	a-------	c:\windows\unins000.exe
2009-03-06 10:22	284,160	a-------	c:\windows\system32\pdh.dll
2009-02-20 04:10	666,112	a-------	c:\windows\system32\wininet.dll
2009-02-20 04:10	81,920	a-------	c:\windows\system32\ieencode.dll
2009-02-16 23:17	453,152	a-------	c:\windows\system32\NVUNINST.EXE
2009-02-09 08:10	729,088	a-------	c:\windows\system32\lsasrv.dll
2009-02-09 08:10	714,752	a-------	c:\windows\system32\ntdll.dll
2009-02-09 08:10	617,472	a-------	c:\windows\system32\advapi32.dll
2009-02-09 08:10	401,408	a-------	c:\windows\system32\rpcss.dll
2009-02-09 07:13	1,846,784	a-------	c:\windows\system32\win32k.sys
2009-02-06 07:11	110,592	a-------	c:\windows\system32\services.exe
2009-02-06 07:06	2,145,280	a-------	c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39	35,328	a-------	c:\windows\system32\sc.exe
2009-02-06 06:32	2,023,936	a-------	c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59	56,832	a-------	c:\windows\system32\secur32.dll
2006-06-23 14:48	32,768	a-------	c:\windows\inf\UpdateUSB.exe

============= FINISH: 16:28:49.75 ===============


#9 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 19 April 2009 - 03:40 PM

Hi

Please post whole logs. Now it looks like the ComboFix log was only partial.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 hypnotix00
  • Topic Starter
  • Members
  • 15 posts

Posted 19 April 2009 - 03:44 PM

ComboFix 09-04-20.01 - Matt 04/19/2009 16:16.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1640 [GMT -4:00]
Running from: c:\documents and settings\Matt.MATTSCOMPUTER\Desktop\ComboFxx.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
 * Created a new restore point
.
	/wow section not completed

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_TDSSSERV.SYS



(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD45510-9B22-41cd-9ACD-8182A2DA7C63}]
2009-04-17 03:03	10752	----a-w	c:\windows\system32\iehelper.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{AD55C869-668E-457C-B270-0CFB2F61116F}"= "c:\program files\livetvbar\tbliv1.dll" [2009-04-01 1883672]

[HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-02-24 1103216]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 19:56	352256	----a-w	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34	24576	----a-w	c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ   	autocheck autochk /r \??\C:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk
backup=c:\windows\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt.MATTSCOMPUTER^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Matt.MATTSCOMPUTER\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 araefuci;araefuci; [x]
R3 frylew;frylew; [x]
R3 mbcjww;mbcjww; [x]
R3 psiqudypho;psiqudypho; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R3 yrmalj;yrmalj; [x]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-08 873752]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-08 231192]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2008-07-08 96520]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2008-07-08 76040]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-12-23 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2006-06-16 176128]

.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
Notify-kHAsRIxy - kHAsRIxy.dll
Notify-xneoio - xneoio32.dll
SafeBoot-ati3paxx.sys
SafeBoot-ati8ytxx.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Mozilla\Firefox\Profiles\t02ucs1h.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 16:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-606747145-1500820517-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5F238BA8-1DB8-49C3-B8A2-9850A56C6255}\InprocServer32]
@DACL=(02 0000)
@="c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\ieModule.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_ATI3PAXX\0000]
@DACL=(02 0000)
"Service"="ati3paxx"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="ati3paxx"
"Capabilities"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2009-04-19 16:20
ComboFix-quarantined-files.txt  2009-04-19 20:19

Pre-Run: 33,438,117,888 bytes free
Post-Run: 33,421,246,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[Boot Loader]
Timeout=2
Default=c:\$win_nt$.~bt\BOOTSECT.DAT
[Operating Systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
164	--- E O F ---	2009-04-16 07:03

Sorry about that =)



#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 20 April 2009 - 10:27 AM

Hi again,

Uninstall one of your two antivirus programs. Also, you seem to have P2P file sharing software there. I recommend uninstalling those to reduce the risk of getting reinfected.


Before we go further with cleaning, I'd like to know, are you familiar with this folder:
c:\documents and settings\matt.mattscomputer\desktop\glider

Another question is whether this was added to your boot.ini on purpose:
c:\$win_nt$.~bt\BOOTSECT.DAT="Microsoft Windows XP Setup"



#12 hypnotix00
  • Topic Starter
  • Members
  • 15 posts

Posted 20 April 2009 - 12:58 PM

I am familiar with that desktop folder. Should I remove it?

I did not intentionally add that to my boot. I believe it was from when I tried to reinstall XP.

Thanks,
Hypnotix00

#13 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 21 April 2009 - 09:12 AM

Ok. If you know the folder then you may leave it there.

Please decide which one of your two antivirus programs you want to use. Remove the one that is not needed.

Make sure security programs are disabled before doing the following steps.

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
ATI3PAXX

File::
c:\windows\system32\iehelper.dll
c:\documents and settings\matt.mattscomputer\nah_qdgk.exe
C:\LHT21.tmp
c:\windows\system32\uacinit.dll
c:\windows\Sysvxd.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABD45510-9B22-41cd-9ACD-8182A2DA7C63}]

RegLock::
[HKEY_USERS\S-1-5-21-606747145-1500820517-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_ATI3PAXX\0000]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.



#14 hypnotix00
  • Topic Starter
  • Members
  • 15 posts

Posted 21 April 2009 - 03:05 PM

I was unable to uninstall Adobe Reader because:

Posted Image

I attempted to install without uninstalling and encountered the same error.

Here is the ComboFxx log:

ComboFix 09-04-21.A8 - Matt 04/21/2009 15:34.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1473 [GMT -4:00]
Running from: c:\documents and settings\Matt.MATTSCOMPUTER\Desktop\ComboFxx.exe
Command switches used :: c:\documents and settings\Matt.MATTSCOMPUTER\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Outdated)
 * Created a new restore point

FILE ::
c:\documents and settings\matt.mattscomputer\nah_qdgk.exe
C:\LHT21.tmp
c:\windows\system32\iehelper.dll
c:\windows\system32\uacinit.dll
c:\windows\Sysvxd.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LHT21.tmp
c:\windows\IE4 Error Log.txt
c:\windows\system32\ctsooclo.ini

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI3PAXX
-------\Legacy_ICF


(((((((((((((((((((((((((   Files Created from 2009-03-21 to 2009-04-21  )))))))))))))))))))))))))))))))
.

2009-04-20 04:08 . 2009-04-06 19:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-20 04:08 . 2009-04-06 19:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 04:08 . 2009-04-20 04:09	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware1
2009-04-19 21:53 . 2009-04-19 21:53	414144	----a-w	c:\windows\system32\uacobxymyvf.db
2009-04-19 21:44 . 2009-04-19 21:44	--------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2009-04-19 21:44 . 2009-04-19 21:44	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Yahoo!
2009-04-19 21:44 . 2009-04-19 21:44	--------	d-----w	c:\program files\Yahoo!
2009-04-16 21:33 . 2009-04-16 21:33	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Local Settings\Application Data\Blizzard Entertainment
2009-04-16 18:23 . 2009-02-13 15:31	55640	----a-w	c:\windows\system32\drivers\avgntflt.sys
2009-04-16 18:23 . 2009-04-16 18:23	--------	d-----w	c:\program files\Avira
2009-04-16 18:23 . 2009-04-16 18:23	--------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\Avira
2009-04-16 07:02 . 2009-04-16 07:02	197	----a-w	c:\windows\system32\MRT.INI
2009-04-15 10:54 . 2009-03-06 14:22	284160	-c----w	c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:54 . 2009-02-09 12:10	729088	-c----w	c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:54 . 2009-02-09 12:10	714752	-c----w	c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:54 . 2009-02-09 12:10	617472	-c----w	c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:54 . 2009-02-09 12:10	473600	-c----w	c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:54 . 2009-02-09 12:10	453120	-c----w	c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:54 . 2009-02-09 12:10	401408	-c----w	c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:54 . 2009-02-06 11:11	110592	-c----w	c:\windows\system32\dllcache\services.exe
2009-04-15 10:54 . 2009-02-06 10:10	227840	-c----w	c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:54 . 2008-05-03 11:55	2560	------w	c:\windows\system32\xpsp4res.dll
2009-04-15 10:54 . 2009-03-27 06:58	1203922	-c----w	c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 10:54 . 2008-04-21 12:08	215552	-c----w	c:\windows\system32\dllcache\wordpad.exe
2009-04-14 17:36 . 2009-04-14 17:36	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Local Settings\Application Data\DNA
2009-04-14 17:36 . 2009-04-18 17:20	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\DNA
2009-04-14 17:36 . 2009-04-16 16:15	--------	d-----w	c:\program files\DNA
2009-04-10 16:13 . 2009-04-10 16:13	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\.thumbnails
2009-04-10 16:02 . 2009-04-20 03:51	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\gtk-2.0
2009-04-10 15:51 . 2009-04-20 03:52	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\.gimp-2.6
2009-04-10 15:51 . 2009-04-10 15:51	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\.gegl-0.0
2009-04-10 15:50 . 2009-04-10 15:51	--------	d-----w	c:\program files\Gimp-2.0
2009-04-10 15:50 . 2009-04-10 15:50	--------	d-----w	c:\program files\Free Offers from Freeze.com
2009-04-07 18:33 . 2009-04-07 18:33	--------	d-----w	C:\rsit
2009-04-07 18:33 . 2009-04-07 18:33	--------	d-----w	c:\program files\trend micro
2009-04-05 22:20 . 2009-04-05 22:20	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Local Settings\Application Data\My Games
2009-04-05 22:20 . 2009-04-05 22:20	--------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\Trymedia
2009-04-05 22:20 . 2003-03-19 07:14	499712	----a-w	c:\windows\system\MSVCP71.DLL
2009-04-05 22:18 . 2004-01-12 04:00	348160	----a-w	c:\windows\system\msvcr71.dll
2009-04-05 22:12 . 2009-04-05 22:12	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\InstallShield Installation Information
2009-04-05 22:12 . 2009-04-05 22:12	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Firaxis Games
2009-04-05 18:31 . 2006-02-28 12:00	450758	----a-r	C:\txtsetup.sif
2009-04-05 18:31 . 2006-02-28 12:00	260272	----a-r	C:\$LDR$
2009-04-05 18:31 . 2009-04-05 18:31	--------	d-----w	C:\$WIN_NT$.~BT
2009-04-01 00:08 . 2009-04-01 00:08	56	----a-w	c:\windows\wb.ini
2009-04-01 00:08 . 2009-04-01 00:08	--------	d-----w	c:\program files\Common Files\Stardock
2009-03-27 10:48 . 2009-03-27 10:48	69	----a-w	c:\windows\wininit.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-21 19:40 . 2009-04-21 19:39	23904	----a-w	C:\avenger.txt
2009-04-21 00:00 . 2007-03-01 19:49	--------	d-----w	c:\program files\Flock
2009-04-20 18:40 . 2008-06-28 00:38	--------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2009-04-15 23:09 . 2009-03-10 02:48	--------	d-----w	c:\program files\Digsby
2009-04-15 15:02 . 2008-09-14 16:05	--------	d-----w	c:\program files\World of Warcraft
2009-04-15 03:09 . 2008-04-14 05:04	17784	----a-w	c:\documents and settings\Matt.MATTSCOMPUTER\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 00:53 . 2006-10-17 00:25	--------	d-----w	c:\program files\Common Files\Blizzard Entertainment
2009-04-14 22:49 . 2007-02-14 20:31	--------	d-----w	c:\program files\BitTorrent
2009-04-14 20:52 . 2009-01-15 21:49	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Move Networks
2009-04-14 17:34 . 2008-08-11 04:04	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\FrostWire
2009-04-14 17:13 . 2009-02-27 03:07	--------	d-----w	c:\program files\Sony
2009-04-14 17:13 . 2006-10-16 04:13	--------	d--h--w	c:\program files\InstallShield Installation Information
2009-04-09 15:47 . 2009-01-14 23:53	--------	d-----w	c:\program files\FrostWire
2009-04-05 22:11 . 2008-08-18 17:24	--------	d-----w	c:\program files\Warhammer
2009-04-05 21:55 . 2008-08-18 17:23	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\IGN_DLM
2009-04-05 21:55 . 2008-08-18 17:06	--------	d-----w	c:\program files\Download Manager
2009-04-01 00:09 . 2007-03-01 19:34	--------	d-----w	c:\program files\AlienGUIse
2009-03-15 14:10 . 2009-03-15 14:10	--------	d-----w	c:\program files\AGEIA Technologies
2009-03-15 14:10 . 2008-02-27 22:15	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-03-15 14:07 . 2009-03-15 14:07	--------	d-----w	c:\program files\SystemRequirementsLab
2009-03-15 14:07 . 2009-03-15 14:07	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\SystemRequirementsLab
2009-03-15 13:46 . 2009-03-15 13:46	2560	----a-w	c:\windows\_MSRSTRT.EXE
2009-03-11 22:04 . 2009-03-11 22:03	--------	d-----w	c:\program files\livetvbar
2009-03-11 22:03 . 2009-03-11 22:03	9590	----a-w	c:\windows\unins000.dat
2009-03-11 22:03 . 2008-08-13 18:17	--------	d-----w	c:\program files\Conduit
2009-03-11 22:03 . 2009-03-11 22:03	674138	----a-w	c:\windows\unins000.exe
2009-03-11 21:50 . 2009-03-11 21:50	--------	d-----w	c:\program files\DivX
2009-03-10 02:50 . 2009-03-10 02:50	--------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\Digsby
2009-03-10 02:50 . 2009-03-10 02:48	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Digsby
2009-03-08 01:29 . 2009-03-08 01:29	--------	d-----w	c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Flock
2009-03-06 14:22 . 2006-02-28 12:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-03-04 00:39 . 2009-03-01 22:27	--------	d-----w	c:\program files\iWin
2009-02-25 22:18 . 2009-01-27 20:18	--------	d-----w	c:\program files\CoH
2009-02-20 08:10 . 2006-02-28 12:00	666112	----a-w	c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2006-02-28 12:00	81920	----a-w	c:\windows\system32\ieencode.dll
2009-02-17 03:17 . 2008-07-09 17:32	453152	----a-w	c:\windows\system32\NVUNINST.EXE
2009-02-09 12:10 . 2006-02-28 12:00	729088	----a-w	c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2006-02-28 12:00	714752	----a-w	c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2006-02-28 12:00	617472	----a-w	c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2006-02-28 12:00	401408	----a-w	c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2006-02-28 12:00	1846784	----a-w	c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2006-02-28 12:00	110592	----a-w	c:\windows\system32\services.exe
2009-02-06 11:06 . 2006-02-28 12:00	2145280	----a-w	c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2006-02-28 12:00	35328	----a-w	c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59	2023936	----a-w	c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2006-02-28 12:00	56832	----a-w	c:\windows\system32\secur32.dll
.

(((((((((((((((((((((((((((((   SnapShot@2009-04-19_20.18.17   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-21 19:40 . 2009-04-21 19:40	16384			  c:\windows\Temp\Perflib_Perfdata_4c0.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{AD55C869-668E-457C-B270-0CFB2F61116F}"= "c:\program files\livetvbar\tbliv1.dll" [2009-04-01 1883672]

[HKEY_CLASSES_ROOT\clsid\{ad55c869-668e-457c-b270-0cfb2f61116f}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-02-24 1103216]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-07 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-18 843776]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-06-02 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-03 19:56	352256	----a-w	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 03:34	24576	----a-w	c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^ASUS WiFi-AP Solo.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk
backup=c:\windows\pss\ASUS WiFi-AP Solo.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Matt.MATTSCOMPUTER^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\documents and settings\Matt.MATTSCOMPUTER\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\World of Warcraft\\Repair.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R3 araefuci;araefuci; [x]
R3 frylew;frylew; [x]
R3 mbcjww;mbcjww; [x]
R3 psiqudypho;psiqudypho; [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]
R3 yrmalj;yrmalj; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-03-05 108289]
S2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe [2008-12-23 14336]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2006-06-16 176128]

.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Matt.MATTSCOMPUTER\Application Data\Mozilla\Firefox\Profiles\t02ucs1h.default\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-21 15:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5F238BA8-1DB8-49C3-B8A2-9850A56C6255}\InprocServer32]
@DACL=(02 0000)
@="c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\ieModule.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Enum\Root\LEGACY_ATI3PAXX\0000]
@DACL=(02 0000)
"Service"="ati3paxx"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="ati3paxx"
"Capabilities"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\AlienGUIse\fastload.dll

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\windows\system32\rundll32.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-21 15:44 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-21 19:43
ComboFix2.txt  2009-04-19 20:20

Pre-Run: 34,021,662,720 bytes free
Post-Run: 33,952,305,152 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
267	--- E O F ---	2009-04-16 07:03

Here is the updated DDS log
DDS (Ver_09-03-16.01) - NTFSx86  
Run by Matt at 15:55:35.68 on Tue 04/21/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2047.1490 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\FLOCK\FLOCK.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Matt.MATTSCOMPUTER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com/?SearchSource=10&ctid=CT1576177
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: livetvbar Toolbar: {ad55c869-668e-457c-b270-0cfb2f61116f} - c:\program files\livetvbar\tbliv1.dll
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt~1.mat\applic~1\mozilla\firefox\profiles\t02ucs1h.default\

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-16 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-16 55640]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-4-13 176128]
S3 araefuci;araefuci;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\araefuci.sys [?]
S3 frylew;frylew;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\frylew.sys [?]
S3 mbcjww;mbcjww;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\mbcjww.sys [?]
S3 psiqudypho;psiqudypho;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\psiqudypho.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S3 yrmalj;yrmalj;\??\c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys --> c:\documents and settings\matt.mattscomputer\desktop\glider\yrmalj.sys [?]

=============== Created Last 30 ================

2009-04-21 15:53	73,728	a-------	c:\windows\system32\javacpl.cpl
2009-04-20 00:08	15,504	a-------	c:\windows\system32\drivers\mbam.sys
2009-04-20 00:08	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 00:08	<DIR>	--d-----	c:\program files\Malwarebytes' Anti-Malware1
2009-04-19 17:53	414,144	a-------	c:\windows\system32\uacobxymyvf.db
2009-04-19 17:44	<DIR>	--d-----	c:\program files\Yahoo!
2009-04-19 16:06	<DIR>	a-dshr--	C:\cmdcons
2009-04-19 16:05	161,792	a-------	c:\windows\SWREG.exe
2009-04-19 16:05	98,816	a-------	c:\windows\sed.exe
2009-04-16 14:23	55,640	a-------	c:\windows\system32\drivers\avgntflt.sys
2009-04-16 14:23	<DIR>	--d-----	c:\program files\Avira
2009-04-16 14:23	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Avira
2009-04-16 03:02	197	a-------	c:\windows\system32\MRT.INI
2009-04-14 13:36	<DIR>	--d-----	c:\program files\DNA
2009-04-14 13:36	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\DNA
2009-04-10 12:13	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.thumbnails
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gimp-2.6
2009-04-10 11:51	<DIR>	--d-----	c:\documents and settings\matt.mattscomputer\.gegl-0.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Gimp-2.0
2009-04-10 11:50	<DIR>	--d-----	c:\program files\Free Offers from Freeze.com
2009-04-07 14:33	<DIR>	--d-----	c:\program files\trend micro
2009-04-05 18:20	<DIR>	--d-----	c:\docume~1\alluse~1.win\applic~1\Trymedia
2009-04-05 18:20	499,712	a-------	c:\windows\system\MSVCP71.DLL
2009-04-05 18:18	348,160	a-------	c:\windows\system\msvcr71.dll
2009-04-05 18:12	<DIR>	--d-----	c:\docume~1\matt~1.mat\applic~1\Firaxis Games
2009-04-05 14:31	450,758	a----r--	C:\txtsetup.sif
2009-04-05 14:31	260,272	a----r--	C:\$LDR$
2009-04-05 14:31	<DIR>	--d-----	C:\$WIN_NT$.~BT
2009-04-05 14:31	<DIR>	--d-----	c:\windows\setupupd
2009-03-31 20:08	56	a-------	c:\windows\wb.ini
2009-03-31 20:08	<DIR>	--d-----	c:\program files\common files\Stardock
2009-03-27 06:48	69	a-------	c:\windows\wininit.ini

==================== Find3M  ====================

2009-04-21 15:53	410,984	a-------	c:\windows\system32\deploytk.dll
2009-03-15 09:46	2,560	a-------	c:\windows\_MSRSTRT.EXE
2009-03-11 18:03	9,590	a-------	c:\windows\unins000.dat
2009-03-11 18:03	674,138	a-------	c:\windows\unins000.exe
2009-03-06 10:22	284,160	a-------	c:\windows\system32\pdh.dll
2009-02-20 04:10	666,112	a-------	c:\windows\system32\wininet.dll
2009-02-20 04:10	81,920	a-------	c:\windows\system32\ieencode.dll
2009-02-16 23:17	453,152	a-------	c:\windows\system32\NVUNINST.EXE
2009-02-09 08:10	729,088	a-------	c:\windows\system32\lsasrv.dll
2009-02-09 08:10	714,752	a-------	c:\windows\system32\ntdll.dll
2009-02-09 08:10	617,472	a-------	c:\windows\system32\advapi32.dll
2009-02-09 08:10	401,408	a-------	c:\windows\system32\rpcss.dll
2009-02-09 07:13	1,846,784	a-------	c:\windows\system32\win32k.sys
2009-02-06 07:11	110,592	a-------	c:\windows\system32\services.exe
2009-02-06 07:06	2,145,280	a-------	c:\windows\system32\ntoskrnl.exe
2009-02-06 06:39	35,328	a-------	c:\windows\system32\sc.exe
2009-02-06 06:32	2,023,936	a-------	c:\windows\system32\ntkrnlpa.exe
2009-02-03 15:59	56,832	a-------	c:\windows\system32\secur32.dll
2006-06-23 14:48	32,768	a-------	c:\windows\inf\UpdateUSB.exe

============= FINISH: 15:55:41.59 ===============

I will report back once the Kaspersky Virus Scanner finishes.

Thanks,
Hypnotix
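Added example, not part of the poster's logs and not code from DDS or ComboFix: a small Python triage script for the two parts of the logs above that a helper reads first, the `SERVICES / DRIVERS` block and the firewall-policy registry values. The sample lines are copied from the logs in this post; the heuristics (binary marked `[x]`/`[?]`, image under a user-writable directory, service name identical to its display name outside the standard program directories) are this script's own assumptions about what deserves a second look, not detection rules from either tool. On the sample it flags the `araefuci` and `frylew` drivers and reports the disabled standard-profile firewall and the Security Center override.

```python
"""Triage helpers for DDS / ComboFix service lines and firewall-policy keys.

Added example; the flagging heuristics are this script's assumptions, not
logic from DDS, ComboFix or any AV product.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS and ComboFix logs above.
SAMPLE_SERVICES = """\
R1 avgio;avgio;c:\\program files\\avira\\antivir desktop\\avgio.sys [2009-4-16 11608]
R2 NwSapAgent;SAP Agent;c:\\windows\\system32\\svchost.exe -k netsvcs [2006-2-28 14336]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\\windows\\system32\\drivers\\RTL8187.sys [2008-4-13 176128]
S3 araefuci;araefuci;\\??\\c:\\documents and settings\\matt.mattscomputer\\desktop\\glider\\araefuci.sys --> c:\\documents and settings\\matt.mattscomputer\\desktop\\glider\\araefuci.sys [?]
S3 SASENUM;SASENUM;c:\\program files\\superantispyware\\SASENUM.SYS [2008-12-4 7408]
R3 frylew;frylew; [x]
"""

SAMPLE_FIREWALL = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "<R|S><start type> <name>;<display name>;<image path> [<date size> | x | ?]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
TAG_RE = re.compile(r"\s*\[([^\]]*)\]\s*$")
# Directories a non-admin XP user can write to (assumption: a kernel driver
# loading from one of these is unusual for legitimately installed software).
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Service:
    state: str       # R = running, S = stopped (DDS/ComboFix convention)
    start: int       # 1 system, 2 automatic, 3 manual, 4 disabled
    name: str
    display: str
    path: str        # resolved on-disk path, "" when the log gives none
    tag: str         # trailing [...] token: "date size", "x" missing, "?" unverified
    flags: list = field(default_factory=list)


def parse_service(line):
    """Parse one service/driver line; return None for non-matching lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    tag = ""
    t = TAG_RE.search(rest)
    if t:
        tag, rest = t.group(1), rest[:t.start()]
    # DDS prints "\??\<image path> --> <resolved path>"; keep the resolved one.
    path = rest.split("-->")[-1].strip().lower()
    return Service(state, int(start), name, display, path, tag)


def flag_service(svc):
    """Attach triage flags to a parsed service and return it."""
    if svc.tag in ("x", "?"):
        svc.flags.append("binary missing or unverifiable (tag [%s])" % svc.tag)
    if any(d in svc.path for d in USER_WRITABLE):
        svc.flags.append("image under a user-writable directory")
    if svc.name == svc.display and not svc.path.startswith(STANDARD_DIRS):
        svc.flags.append("no descriptive display name and non-standard location")
    return svc


def triage_services(text):
    """Map service name -> flags for every line that raised at least one."""
    out = {}
    for line in text.splitlines():
        svc = parse_service(line)
        if svc and flag_service(svc).flags:
            out[svc.name] = svc.flags
    return out


# ComboFix shows values as either  "Name"=dword:00000001  or  "Name"= 0 (0x0)
FW_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(dword:)?([0-9a-fA-F]+)')


def firewall_findings(text):
    """Return the registry values in the text that weaken the XP host firewall."""
    findings, section = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.lower()
            continue
        m = FW_VALUE_RE.match(line)
        if not m:
            continue
        key, prefix, raw = m.groups()
        val = int(raw, 16 if prefix else 10)
        if "standardprofile" in section and key == "EnableFirewall" and val == 0:
            findings.append("Windows Firewall disabled for the standard profile")
        if "security center" in section and key == "FirewallOverride" and val == 1:
            findings.append("Security Center firewall alerts suppressed (FirewallOverride=1)")
    return findings


if __name__ == "__main__":
    for name, flags in triage_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(flags))
    for finding in firewall_findings(SAMPLE_FIREWALL):
        print("firewall ->", finding)
```

Run it as-is to see the flags for the sample, or feed it the full text of a DDS or ComboFix log with `triage_services(open(path).read())`. A flag is a reason to look closer, not a verdict: the script does not know what a driver does, only where it lives and whether the tool could find it.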

#15 hypnotix00


Posted 21 April 2009 - 03:38 PM

Another question:

It seemed ComboFix.exe emptied my Recycle Bin after it ran the first time. Is there any way to restore items that it deleted?
I attempted to run Recuva but it did not work.

