Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

msb.dll infection (browser redirects) Worm.Autorun


  • This topic is locked This topic is locked
11 replies to this topic

#1 BigAxe49

BigAxe49

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 06 May 2009 - 10:48 PM

Hi I am having significant trouble getting rid of the msb.dll infection that I have seen other people deal with. I have included my MalwareBytes log and HijackThis log. Any help is greatly appreciated. (Also can you please delete my old topic "system settings keep getting changes" as that one was made in error)


Malwarebytes' Anti-Malware 1.36
Database version: 2085
Windows 5.1.2600 Service Pack 3

5/6/2009 8:46:00 PM
mbam-log-2009-05-06 (20-45-54).txt

Scan type: Quick Scan
Objects scanned: 93080
Time elapsed: 2 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Big Axe 49\protect.dll (Worm.Autorun) -> No action taken.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Big Axe 49\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> No action taken.
C:\Documents and Settings\Big Axe 49\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:21 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Big Axe 49\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RuneHQ_Browser_Bar toolbar - {82de967b-6db5-4ac2-8450-c732f8358a43} - C:\Program Files\RuneHQ_Browser_Bar\tbRun0.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [NUDGEMANIA] C:\Program Files\NudgeMania\NudgeMania.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [RRT-Auto] C:\WINDOWS\system32\config\systemprofile\Desktop\RRT.exe auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
O4 - HKCU\..\Run: [TivoNotify] "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [OurPictures] "C:\Program Files\RitzPix E-Z Print & Share\OurPictures.exe" /AutoStart
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\BIGAXE~1\protect.dll,_IWMPEvents@16
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mushroom%20Age/Images/stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mushroom%20Age/Images/armhelper.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: wtfilm.dll dflxxp.dll
O20 - Winlogon Notify: secsrvrc - secsrvrc.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9b715f1a7b168) (gupdate1c9b715f1a7b168) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 15160 bytes

BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:08:25 AM

Posted 21 May 2009 - 08:33 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 BigAxe49

BigAxe49
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 24 May 2009 - 02:30 AM

as you requested... here is my DDS log


DDS (Ver_09-05-14.01) - NTFSx86
Run by Big Axe 49 at 0:26:20.68 on Sun 05/24/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2543 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Documents and Settings\Big Axe 49\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: RuneHQ_Browser_Bar toolbar: {82de967b-6db5-4ac2-8450-c732f8358a43} - c:\program files\runehq_browser_bar\tbRun0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {8E1233B3-485A-4E51-B77E-9E075A68C588} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DellTouch] c:\windows\MMKeybd.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\docume~1\bigaxe~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\bigaxe~1\startm~1\programs\startup\hotlla~1.lnk - c:\program files\hotllama media\player\WiseUpdt.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoSetActiveDesktop = 30
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoViewOnDrive = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.19.0\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: musicmatch.com\online
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Mushroom%20Age/Images/stg_drm.ocx
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} - hxxps://www.e-games.com.my/com/EGamesPlugin.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} - hxxp://messenger.zone.msn.com/binary/ZAxRcMgr.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Mushroom%20Age/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: secsrvrc - secsrvrc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bigaxe~1\applic~1\mozilla\firefox\profiles\gzxye4q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\google\google gears\firefox\components\gears.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.40115.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-18 11608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-7 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-7 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-7 108552]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-18 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-18 185089]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-7 298776]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-18 55640]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2006-10-19 70016]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-22 179856]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2006-7-11 857088]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-22 15504]
S0 dywiqfu;dywiqfu;c:\windows\system32\drivers\djin.sys --> c:\windows\system32\drivers\djin.sys [?]
S2 avast!Antivirus;avast!Antivirus;c:\windows\system32\avast!antivirus.exe -k netsvcs --> c:\windows\system32\avast!Antivirus.exe -k netsvcs [?]
S2 gupdate1c9b715f1a7b168;Google Update Service (gupdate1c9b715f1a7b168);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys --> c:\windows\system32\drivers\smrtdrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
SUnknown AshEvtSvc;AshEvtSvc; [x]

=============== Created Last 30 ================

2009-05-23 15:25 28,672 a------- c:\windows\system32\lmn_setup.exe
2009-05-23 14:24 23,552 a--sh--- c:\windows\system32\autochk.dll
2009-05-23 13:27 23,552 a--sh--- c:\documents and settings\big axe 49\protect.dll
2009-05-22 16:09 61,440 a------- c:\windows\system32\drivers\hoed.sys
2009-05-22 15:10 2,148 a------- c:\windows\system32\wpa.dbl
2009-05-21 06:40 <DIR> --d----- c:\program files\DivX
2009-05-21 06:40 <DIR> --d----- c:\program files\common files\DivX Shared
2009-05-20 22:45 <DIR> --d----- c:\program files\uTorrent
2009-05-19 15:38 <DIR> --d----- c:\program files\DOSBox-0.72
2009-05-19 15:37 254,196 a------- C:\DOS4GW.EXE
2009-05-19 15:37 92,475 a------- C:\INSTALL.EXE
2009-05-19 15:37 57,843 a------- C:\BOOTMKR.EXE
2009-05-19 15:37 42 a------- C:\LECDEMOS.BAT
2009-05-19 15:37 35 a------- C:\CD.ID
2009-05-19 15:36 <DIR> --d----- C:\LECDEMOS
2009-05-19 15:36 <DIR> --d----- C:\DARK
2009-05-18 22:07 188,960 a------- c:\windows\system32\WINGDE.DLL
2009-05-18 22:07 92,208 a------- c:\windows\system32\WING.DLL
2009-05-18 22:07 12,800 a------- c:\windows\system32\WING32.DLL
2009-05-18 22:07 6,736 a------- c:\windows\system32\WINGDIB.DRV
2009-05-18 22:07 5,024 a------- c:\windows\system32\WINGPAL.WND
2009-05-18 22:03 <DIR> --d----- c:\program files\LEGO Island
2009-05-18 21:35 30,048 a------- c:\windows\UNTONK.EXE
2009-05-18 21:35 78 a------- c:\windows\TONKA.INI
2009-05-18 21:35 <DIR> --d----- C:\HASBRO
2009-05-18 21:18 739,328 a------- c:\windows\system\ir50_32.dll
2009-05-18 21:18 142,848 a------- c:\windows\system\ivfsrc.ax
2009-05-18 21:18 199,680 a------- c:\windows\system\iac25_32.ax
2009-05-18 21:17 <DIR> --d----- c:\windows\solcache
2009-05-18 21:16 <DIR> --d----- C:\SIERRA
2009-05-18 21:16 <DIR> --d----- c:\program files\Sierra On-Line
2009-05-18 21:16 336 a------- c:\windows\SIERRA.INI
2009-05-18 18:25 61,440 a------- c:\windows\system32\drivers\tstqvgxe.sys
2009-05-18 17:39 55 a------- C:\xcrashdump.dat
2009-05-18 17:23 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-18 17:23 <DIR> --d----- c:\program files\Avira
2009-05-18 17:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-16 17:15 <DIR> --d----- c:\documents and settings\big axe 49\Tracing
2009-05-16 17:12 <DIR> --d----- c:\program files\Microsoft
2009-05-16 17:11 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-05-14 16:16 <DIR> --d----- c:\program files\CCleaner
2009-05-14 16:02 268 a---h--- C:\sqmdata16.sqm
2009-05-14 16:02 244 a---h--- C:\sqmnoopt16.sqm
2009-05-12 15:11 <DIR> --d----- C:\VundoFix Backups
2009-05-12 14:47 118 a------- c:\windows\system32\MRT.INI
2009-05-07 22:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-07 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-07 19:33 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-05-07 19:19 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-07 19:19 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-07 19:19 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-05-07 19:19 <DIR> --d----- c:\docume~1\bigaxe~1\applic~1\AVGTOOLBAR
2009-05-07 19:19 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 16:16 <DIR> --d----- c:\windows\system32\NtmsData
2009-05-06 16:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-06 16:00 <DIR> --d----- c:\program files\Bonjour
2009-05-06 15:49 61,440 a------- c:\windows\system32\drivers\xyqr.sys
2009-04-27 23:20 16,244 a------- c:\windows\system32\rrt_is.wav
2009-04-27 23:20 7,302 a------- c:\windows\system32\rrt_vf.wav
2009-04-27 23:20 7,148 a------- c:\windows\system32\rrt_tv.wav
2009-04-27 23:20 6,282 a------- c:\windows\system32\rrt_tn.wav

==================== Find3M ====================

2009-05-20 21:32 34 a------- c:\documents and settings\big axe 49\jagex_runescape_preferences.dat
2009-05-19 19:10 33,280 a------- c:\windows\system32\rundll32.exe
2009-05-19 19:10 33,280 a------- c:\windows\system32\dllcache\rundll32.exe
2009-05-18 18:25 2,568 a------- c:\program files\lkaqkyaw.txt
2009-04-18 22:11 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-04-18 22:11 22,328 a------- c:\docume~1\bigaxe~1\applic~1\PnkBstrK.sys
2009-04-18 22:11 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-04-18 22:11 669,184 a------- c:\windows\system32\pbsvc.exe
2009-04-18 22:11 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-04-06 17:29 129,784 -------- c:\windows\system32\pxafs.dll
2009-04-06 17:29 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-04-06 17:29 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-04-06 17:29 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-04-06 17:28 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-06 17:28 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-06 17:28 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-06 17:28 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-06 17:28 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-06 17:28 684,032 a------- c:\windows\system32\DivX.dll
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 07:04 89,367 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 02:36 1,945,600 a------- C:\Neuz.exe
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 14:09 638,816 -------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 -------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 -------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 -------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 -------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 -------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 -------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 72,704 -------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 -------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 -------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 -------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 -------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:31 183,808 a------- c:\windows\system32\dllcache\iepeers.dll
2009-03-08 04:31 348,160 a------- c:\windows\system32\dllcache\dxtmsft.dll
2009-03-08 04:31 216,064 a------- c:\windows\system32\dllcache\dxtrans.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 34,816 -------- c:\windows\system32\dllcache\imgutil.dll
2009-03-08 04:31 46,592 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-03-08 04:31 66,560 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 48,128 -------- c:\windows\system32\dllcache\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:31 45,568 -------- c:\windows\system32\dllcache\mshta.exe
2009-03-08 04:24 68,608 -------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 -------- c:\windows\system32\dllcache\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-27 21:55 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2006-05-26 13:29 1,172,774 a--sh--- c:\windows\system32\crvrsces.dat

============= FINISH: 0:26:56.51 ===============

Attached Files



#4 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:25 AM

Posted 24 May 2009 - 07:23 AM

Hello Bigaxe49,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!


If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

=
Disable Spybot's Tea Timer and keep it that as long as we are trying to find and remove malwares.
Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
=


Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\BIGAXE~1\protect.dll,_IWMPEvents@16
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
KILLALL::

File::
C:\WINDOWS\Temp\msb.dll 
C:\Documents and Settings\Big Axe 49\protect.dll
C:\Documents and Settings\Local Settings\protect.dll
C:\WINDOWS\system32\autochk.dll
C:\Documents and Settings\Big Axe 49\Start Menu\Programs\Startup\ChkDisk.dll
C:\Documents and Settings\Big Axe 49\Start Menu\Programs\Startup\ChkDisk.lnk
C:\WINDOWS\Temp\nsrbgxod.bak

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
Posted Image
  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

=

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2171 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Once Complete, reboot! :!:

Run Hijackthis
Then close all windows/applications/browsers and run hijackthis, saving the log.

After following the above, post back with 1. Contents of C:\Combofix.txt;
2. the MBAM log
3. New Hijackthis log;
4. Tell me, How is your system now ?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.

Edited by Maurice Naggar, 24 May 2009 - 07:27 AM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#5 BigAxe49

BigAxe49
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 24 May 2009 - 02:48 PM

hi again.. i followed all your steps and it seems to be fine now... my computer didnt flash the windows background before logging on like it did before when i had the infection. i am including all the logs you told me to include. i can also finally see all my removable disks in the My Computer menu. i couldnt see those before

ComboFix 09-05-23.04 - Big Axe 49 05/24/2009 12:00:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2846 [GMT -7:00]
Running from: C:\Documents and Settings\Big Axe 49\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Big Axe 49\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
C:\Documents and Settings\Big Axe 49\protect.dll
C:\Documents and Settings\Big Axe 49\Start Menu\Programs\Startup\ChkDisk.dll
C:\Documents and Settings\Big Axe 49\Start Menu\Programs\Startup\ChkDisk.lnk
C:\Documents and Settings\Local Settings\protect.dll
C:\WINDOWS\system32\autochk.dll
C:\WINDOWS\Temp\msb.dll
C:\WINDOWS\Temp\nsrbgxod.bak
.




========================= here is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:29 PM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LxrSII1s.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Big Axe 49\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: RuneHQ_Browser_Bar toolbar - {82de967b-6db5-4ac2-8450-c732f8358a43} - C:\Program Files\RuneHQ_Browser_Bar\tbRun0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - S-1-5-18 Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe (User 'Default user')
O4 - Startup: HOTLLAMA Update Check.lnk = C:\Program Files\HOTLLAMA MEDIA\Player\WiseUpdt.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.19.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Mushroom%20Age/Images/stg_drm.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Mushroom%20Age/Images/armhelper.ocx
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: secsrvrc - secsrvrc.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9b715f1a7b168) (gupdate1c9b715f1a7b168) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF11204.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 12928 bytes

=============== here is the MalwareBytes log


Malwarebytes' Anti-Malware 1.36
Database version: 2175
Windows 5.1.2600 Service Pack 3

5/24/2009 12:47:07 PM
mbam-log-2009-05-24 (12-47-07).txt

Scan type: Quick Scan
Objects scanned: 82557
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:25 AM

Posted 24 May 2009 - 03:23 PM

Hello BiAxe49,
The MBAM result is very good. But there are some other issues to cover (and likely more later on).

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

Using Windows Start menu, select Logoff and then Restart. For a fresh start of Windows.

Don't start programs on your own.

Right click the Spybot Icon in the system tray (notification area).
  • If you have the new version 1.5, click once on Resident Protection and make sure it is Unchecked.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

    If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
    Exit Spybot S&D when done and reboot the system so the changes are in effect.
=
Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiem...orepolicies.zip
Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install.

Delete the download, the unzipped folder and all contents.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O20 - Winlogon Notify: secsrvrc - secsrvrc.dll (file missing)

O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\WINDOWS\system32\CF11204.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

This system shows 2 antivirus programs. Tell me which of Avira or AVG you intend as your real-time, always on, active AV program?
Have you purchased one of them? If so, keep the purchased one, and de-install the other.

At this time, I very much need for us to see the complete contents of the file C:\Combofix.txt

The copy you posted is very much truncated & does not look complete.
Start Notepad.
Open file C:\Combofix.txt
Select ALL lines, then COPY, then Paste all lines in here in a reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 BigAxe49

BigAxe49
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 24 May 2009 - 03:50 PM

i ran fixpolicies and the other policies thing. i ran hijackthis and deleted the checked values as you said. i intend on keeping AVG and deleting Avira AntiVir

as for the ComboFix.txt i cannot find that file in the C:\ directory it is only in the C:\ComboFix\ComboFix.txt

i included everything that was in that file last time

#8 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:25 AM

Posted 24 May 2009 - 05:58 PM

I am encouraged by the last MBAM scan results.
We need one more run of Combofix but after you delete the combofix.exe on your Desktop (with red lion icon).
Please delete it.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

Posted Image


Posted Image


* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:
Posted Image
then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Post back a copy of the C:\Combofix.txt
and tell me, How is your system ?

Edited by Maurice Naggar, 24 May 2009 - 06:00 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 BigAxe49

BigAxe49
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 24 May 2009 - 06:21 PM

i ran Combo-Fix and this time i found the full report log. also, my system seems to be doing fine now although i would like to know if there is anything else i can do to make it more secure. here is the ComboFix.txt



ComboFix 09-05-24.03 - Big Axe 49 05/24/2009 16:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2747 [GMT -7:00]
Running from: c:\documents and settings\Big Axe 49\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\tstqvgxe.sys
c:\windows\system32\drivers\xyqr.sys
.
---- Previous Run -------
.
c:\documents and settings\LocalService\Application Data\916653139.exe
C:\install.exe
C:\recycler
c:\recycler\S-1-5-21-1889046461-877503063-3486001853-1007\desktop.ini
c:\recycler\S-1-5-21-1889046461-877503063-3486001853-1007\INFO2
c:\windows\system32\drivers\ovfsthwrwffmekesbdfuqporolwocthvfmepal.sys
c:\windows\system32\ovfsthmeprxlvwykffqvifprpxoervyvqnaqyl.dll
c:\windows\system32\ovfsthmvglppbeisrwdioublrqdvfsgwicjiec.dat
c:\windows\system32\ovfsthviiuebvcobqxrieccfhxgomhvtypnawl.dll
c:\windows\system32\ovfsthxawsursjcdvpwwrwkhuqknshksngbxlc.dll
c:\windows\system32\ovfsthyxodjrpvvjmcwgalexncblnmjmxxkthk.dat
c:\windows\system32\TDSSorvd.dat
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthibsgqhjclsubsfegxvfkqyufkvpjwhjh
-------\Legacy_TDSSSERV.SYS
-------\Legacy_ASHEVTSVC
-------\Legacy_AVAST!ANTIVIRUS
-------\Service_avast!Antivirus


((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-24 18:41 . 2009-05-24 23:03 -------- d-s---w C:\ComboFix
2009-05-21 13:42 . 2009-05-21 13:42 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\DivX
2009-05-21 13:40 . 2009-05-21 13:41 -------- d-----w c:\program files\DivX
2009-05-21 13:40 . 2009-05-21 13:40 -------- d-----w c:\program files\Common Files\DivX Shared
2009-05-21 05:45 . 2009-05-21 05:45 -------- d-----w c:\program files\uTorrent
2009-05-19 22:38 . 2009-05-19 22:40 -------- d-----w c:\program files\DOSBox-0.72
2009-05-19 22:37 . 1995-02-07 20:17 42 ----a-w C:\LECDEMOS.BAT
2009-05-19 22:37 . 1995-02-06 15:23 57843 ----a-w C:\BOOTMKR.EXE
2009-05-19 22:37 . 1993-11-23 20:36 254196 ----a-w C:\DOS4GW.EXE
2009-05-19 22:36 . 2009-05-19 22:36 -------- d-----w C:\LECDEMOS
2009-05-19 22:36 . 2009-05-19 22:36 -------- d-----w C:\DARK
2009-05-19 05:07 . 1994-09-21 07:00 92208 ----a-w c:\windows\system32\WING.DLL
2009-05-19 05:07 . 1994-09-21 07:00 6736 ----a-w c:\windows\system32\WINGDIB.DRV
2009-05-19 05:07 . 1994-09-21 07:00 12800 ----a-w c:\windows\system32\WING32.DLL
2009-05-19 05:07 . 1994-08-24 07:00 188960 ----a-w c:\windows\system32\WINGDE.DLL
2009-05-19 05:03 . 2009-05-19 05:09 -------- d-----w c:\program files\LEGO Island
2009-05-19 04:35 . 2009-05-19 04:35 -------- d-----w C:\HASBRO
2009-05-19 04:35 . 1995-09-30 03:37 30048 ----a-w c:\windows\UNTONK.EXE
2009-05-19 04:18 . 1998-10-22 11:48 739328 ----a-w c:\windows\system\ir50_32.dll
2009-05-19 04:17 . 2009-05-19 04:17 -------- d-----w c:\windows\solcache
2009-05-19 04:16 . 2009-05-19 04:17 -------- d-----w c:\program files\Sierra On-Line
2009-05-19 04:16 . 2009-05-19 04:17 -------- d-----w C:\SIERRA
2009-05-19 01:23 . 2009-05-19 01:23 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft
2009-05-19 00:39 . 2009-05-19 00:39 -------- d-sh--w c:\documents and settings\NetworkService\PrivacIE
2009-05-19 00:38 . 2009-05-19 00:38 -------- d-sh--w c:\documents and settings\NetworkService\IECompatCache
2009-05-19 00:38 . 2009-05-19 00:38 -------- d-----w c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-05-19 00:23 . 2009-03-24 23:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-18 23:49 . 2009-05-08 02:19 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-18 23:49 . 2009-05-08 02:19 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-18 23:49 . 2009-05-08 02:19 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-18 23:49 . 2009-05-08 02:19 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-18 23:49 . 2009-05-08 02:19 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-18 23:49 . 2009-05-08 02:19 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-18 23:49 . 2009-05-08 02:19 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-18 23:48 . 2009-05-08 02:19 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-18 23:48 . 2009-05-08 02:19 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-17 19:06 . 2009-05-08 02:19 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-05-17 19:06 . 2009-05-08 02:19 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-05-17 00:15 . 2009-05-24 19:36 -------- d-----w c:\documents and settings\Big Axe 49\Tracing
2009-05-17 00:13 . 2009-05-17 00:13 -------- d-----w c:\program files\Microsoft Sync Framework
2009-05-17 00:12 . 2009-05-17 00:12 -------- d-----w c:\program files\Microsoft
2009-05-17 00:11 . 2009-05-17 00:11 -------- d-----w c:\program files\Windows Live SkyDrive
2009-05-15 22:07 . 2009-05-15 22:07 -------- d-----w c:\windows\system32\Macromed
2009-05-14 23:16 . 2009-05-14 23:16 -------- d-----w c:\program files\CCleaner
2009-05-12 22:11 . 2009-05-12 22:11 -------- d-----w C:\VundoFix Backups
2009-05-11 23:53 . 2009-05-15 23:12 -------- d-----w c:\program files\Windows Live Safety Center
2009-05-11 23:52 . 2008-12-04 08:25 120832 ----a-w c:\documents and settings\Big Axe 49\Application Data\Mozilla\Firefox\Profiles\gzxye4q7.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\npietab.dll
2009-05-10 05:45 . 2008-10-01 18:55 12800 ----a-w c:\documents and settings\Big Axe 49\Application Data\Mozilla\Firefox\Profiles\gzxye4q7.default\extensions\{FFA36170-80B1-4535-B0E3-A4569E497DD0}\platform\WINNT_x86-msvc\components\mgMouseService.dll
2009-05-09 04:37 . 2009-05-09 05:28 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\Download Manager
2009-05-08 05:14 . 2009-05-24 19:50 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-08 05:14 . 2009-05-14 22:59 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-08 02:33 . 2009-05-23 21:28 -------- d--h--w C:\$AVG8.VAULT$
2009-05-08 02:19 . 2009-05-08 02:19 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-08 02:19 . 2009-05-08 02:19 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-08 02:19 . 2009-05-08 02:19 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-08 02:19 . 2009-05-24 19:49 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-08 02:19 . 2009-05-09 00:04 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\AVGTOOLBAR
2009-05-08 02:19 . 2009-05-08 02:19 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 23:16 . 2009-05-24 23:09 -------- d-----w c:\windows\system32\NtmsData
2009-05-06 23:01 . 2009-05-06 23:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-06 23:00 . 2009-05-06 23:00 -------- d-----w c:\program files\Bonjour
2009-05-06 22:56 . 2009-05-06 22:56 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-06 14:08 . 2009-05-06 14:08 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-28 06:10 . 2009-04-28 06:10 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\HP
2009-04-28 06:08 . 2009-04-28 06:08 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Malwarebytes
2009-04-28 03:32 . 2009-04-28 03:32 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-28 03:31 . 2009-04-28 03:31 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 18:58 . 2008-12-21 04:58 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-24 04:52 . 2008-10-18 03:24 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-22 21:33 . 2007-11-28 23:27 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\uTorrent
2009-05-21 13:28 . 2005-12-02 06:13 -------- d-----w c:\program files\Microsoft ActiveSync
2009-05-21 04:54 . 2008-01-31 23:09 -------- d-----w c:\program files\SwiftKit
2009-05-21 04:32 . 2008-07-01 14:54 34 ----a-w c:\documents and settings\Big Axe 49\jagex_runescape_preferences.dat
2009-05-20 02:10 . 2004-08-11 23:00 33280 ----a-w c:\windows\system32\rundll32.exe
2009-05-19 04:09 . 2006-11-05 05:55 -------- d-----w c:\program files\LucasArts
2009-05-19 01:25 . 2009-05-19 01:25 2568 ----a-w c:\program files\lkaqkyaw.txt
2009-05-17 00:14 . 2008-03-11 04:51 -------- d-----w c:\program files\Windows Live
2009-05-17 00:14 . 2006-08-28 04:54 -------- d-----w c:\program files\Windows Live Toolbar
2009-05-15 21:57 . 2009-01-02 01:08 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-05-14 02:36 . 2006-02-08 23:06 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\AdobeUM
2009-05-14 01:14 . 2005-12-14 23:11 37568 ----a-w c:\documents and settings\Big Axe 49\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-12 22:14 . 2005-12-09 03:06 -------- d-----w c:\program files\Google
2009-05-10 23:30 . 2007-10-26 04:53 -------- d-----w c:\program files\ImgBurn
2009-05-08 00:48 . 2008-01-13 19:49 1324 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-06 23:02 . 2007-08-06 04:27 -------- d-----w c:\program files\iTunes
2009-05-06 23:01 . 2005-12-25 21:49 -------- d-----w c:\program files\iPod
2009-05-06 23:01 . 2007-08-06 04:22 -------- d-----w c:\program files\Common Files\Apple
2009-05-06 23:00 . 2007-08-06 04:24 -------- d-----w c:\program files\QuickTime
2009-04-22 00:26 . 2007-11-28 06:39 -------- d-----w c:\program files\Frets on Fire
2009-04-20 01:48 . 2007-03-22 22:55 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\U3
2009-04-19 05:11 . 2009-04-19 05:11 22328 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-19 05:11 . 2009-04-19 05:11 22328 ----a-w c:\documents and settings\Big Axe 49\Application Data\PnkBstrK.sys
2009-04-19 05:11 . 2009-04-19 05:11 22328 ----a-w c:\documents and settings\Big Axe 49\Application Data\PnkBstrK.sys
2009-04-19 05:11 . 2009-04-19 05:11 103736 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-19 05:11 . 2009-04-19 05:11 669184 ----a-w c:\windows\system32\pbsvc.exe
2009-04-19 05:11 . 2009-04-19 05:11 66872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-18 20:27 . 2009-04-18 20:27 -------- d-----w c:\program files\Netropa
2009-04-18 20:27 . 2005-12-02 06:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-13 01:44 . 2009-04-13 01:44 10134 ----a-r c:\documents and settings\Big Axe 49\Application Data\Microsoft\Installer\{EA0B63C1-E579-43DD-A5F7-0DA5E9092554}\ARPPRODUCTICON.exe
2009-04-13 01:28 . 2008-12-23 05:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 01:28 . 2009-01-19 21:08 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-04-12 01:58 . 2008-07-25 00:23 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-12 01:57 . 2009-04-12 01:57 255488 ----a-w c:\documents and settings\Big Axe 49\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-04-12 01:57 . 2009-04-12 01:57 255488 ----a-w c:\documents and settings\Big Axe 49\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-04-12 01:57 . 2009-04-12 01:57 255488 ----a-w c:\documents and settings\Big Axe 49\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-04-12 01:57 . 2009-04-12 01:57 255488 ----a-w c:\documents and settings\Big Axe 49\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-04-12 01:57 . 2009-04-12 01:57 -------- d-----w c:\documents and settings\Big Axe 49\Application Data\SystemRequirementsLab
2009-04-09 18:20 . 2009-04-09 18:20 -------- d-----w c:\program files\Sun
2009-04-09 18:19 . 2005-12-02 05:59 -------- d-----w c:\program files\Java
2009-04-07 00:29 . 2007-01-22 23:46 129784 ------w c:\windows\system32\pxafs.dll
2009-04-07 00:29 . 2005-12-02 06:25 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-04-07 00:29 . 2005-12-02 06:25 118520 ------w c:\windows\system32\pxinsi64.exe
2009-04-07 00:29 . 2005-04-25 08:03 43528 ------w c:\windows\system32\drivers\pxhelp20.sys
2009-04-07 00:28 . 2009-04-07 00:28 90112 ----a-w c:\windows\system32\dpl100.dll
2009-04-07 00:28 . 2009-04-07 00:28 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-04-07 00:28 . 2009-04-07 00:28 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-04-07 00:28 . 2009-04-07 00:28 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-04-07 00:28 . 2009-04-07 00:28 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-04-07 00:28 . 2009-04-07 00:28 684032 ----a-w c:\windows\system32\DivX.dll
2009-04-06 22:32 . 2008-12-23 05:08 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2008-12-23 05:08 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 14:04 . 2004-08-11 23:14 89367 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-31 23:21 . 2009-03-31 23:21 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-29 01:14 . 2009-03-29 01:14 152576 ----a-w c:\documents and settings\Big Axe 49\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-29 01:13 . 2009-03-29 01:13 -------- d-----w c:\program files\Alwil Software
2009-03-27 03:21 . 2009-03-27 03:21 -------- d-----w c:\program files\Electronic Arts
2009-03-19 23:32 . 2009-03-19 23:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 09:36 . 2009-03-19 09:36 1945600 ----a-w C:\Neuz.exe
2009-03-09 12:19 . 2008-10-26 22:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 11:34 . 2004-08-11 23:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-11 23:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-11 23:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-11 23:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-11 23:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-11 23:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-11 23:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-11 23:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-11 23:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-11 23:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-11 23:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-04-07 00:29 . 2009-04-07 00:29 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-07 00:29 . 2009-04-07 00:29 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-05-26 20:29 . 2006-01-12 02:25 1172774 --sha-w c:\windows\system32\crvrsces.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-04-19 21:21 . 2007-04-19 21:21 198184 c:\program files\Comcast\Desktop Doctor\bin\bak\sprtcmd.exe
2008-04-24 04:25 . 2008-04-24 04:25 202560 c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

2005-06-10 16:44 . 2005-06-10 16:44 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2005-06-10 16:44 . 2005-06-10 16:44 249856 c:\program files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

2007-06-29 05:26 . 2007-06-29 05:26 69632 c:\program files\Common Files\Real\Update_OB\bak\RealOneMessageCenter.exe

2007-06-29 05:26 . 2007-06-29 05:26 185896 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

2006-07-11 14:23 . 2006-07-11 14:23 1174528 c:\program files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe

2005-11-17 00:08 . 2005-11-17 00:08 106496 c:\program files\Corel\Corel Photo Album 6\bak\MediaDetect.exe

2005-12-02 06:09 . 2003-09-17 16:43 57344 c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe

2005-12-02 06:10 . 2005-02-23 22:19 53248 c:\program files\CyberLink\PowerDVD\bak\DVDLauncher.exe

2005-01-27 07:02 . 2005-01-27 07:02 86016 c:\program files\Dell\Media Experience\bak\DMXLauncher.exe

2007-03-15 18:09 . 2007-03-15 18:09 460784 c:\program files\DellSupport\bak\DSAgnt.exe

2005-12-02 06:06 . 2005-06-17 13:56 139264 c:\program files\Intel\Intel Matrix Storage Manager\bak\iaanotif.exe

2007-08-01 01:44 . 2007-08-01 01:44 271672 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 23:11 . 2009-04-02 23:11 342312 c:\program files\iTunes\iTunesHelper.exe

2007-04-08 04:13 . 2006-12-15 10:23 75520 c:\program files\Java\jre1.5.0_11\bin\bak\jusched.exe

2004-08-11 23:11 . 2004-10-13 16:24 1694208 c:\program files\Messenger\bak\msmsgs.exe
2009-04-01 12:18 . 2008-04-14 00:12 1695232 c:\program files\Messenger\msmsgs.exe

2006-11-13 20:39 . 2006-11-13 20:39 1289000 c:\program files\Microsoft ActiveSync\bak\Wcescomm.exe

2005-04-12 23:21 . 2005-04-12 23:21 90112 c:\program files\NudgeMania\bak\NudgeMania.exe
2005-04-12 23:21 . 2005-04-12 23:21 90112 c:\program files\NudgeMania\NudgeMania.exe

2007-06-29 13:24 . 2007-06-29 13:24 286720 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 23:18 . 2009-01-05 23:18 413696 c:\program files\QuickTime\QTTask.exe

2005-10-06 18:40 . 2006-06-19 22:30 4796416 c:\program files\RitzPix E-Z Print & Share\bak\OurPictures.exe

2006-07-11 14:26 . 2006-07-11 14:26 1313792 c:\program files\TiVo\Desktop\bak\TiVoServer.exe

2006-11-21 17:38 . 2006-11-21 17:38 35328 c:\program files\Winamp\bak\winampa.exe

2005-12-02 06:09 . 2000-05-11 07:00 90112 c:\windows\bak\UpdReg.EXE

2004-08-11 23:00 . 2004-08-04 11:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-11 23:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2005-12-02 06:19 . 2004-12-06 07:05 127035 c:\windows\system32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-07 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-18 39408]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"DellTouch"="c:\windows\MMKeybd.exe" [2002-01-17 163840]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]

c:\documents and settings\Big Axe 49\Start Menu\Programs\Startup\
HOTLLAMA Update Check.lnk - c:\program files\HOTLLAMA MEDIA\Player\WiseUpdt.exe [2008-11-21 162834]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-1 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 02:19 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave1"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\MSN Gaming Zone\\zclient.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/7/2009 7:19 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/7/2009 7:19 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/7/2009 7:19 PM 298776]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [10/19/2006 10:18 PM 70016]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/22/2008 10:08 PM 179856]
R2 TivoBeacon2;TiVo Beacon;c:\program files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe [7/11/2006 7:22 AM 857088]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/22/2008 10:08 PM 15504]
S0 dywiqfu;dywiqfu;c:\windows\system32\drivers\djin.sys --> c:\windows\system32\drivers\djin.sys [?]
S2 gupdate1c9b715f1a7b168;Google Update Service (gupdate1c9b715f1a7b168);c:\program files\Google\Update\GoogleUpdate.exe [4/6/2009 5:15 PM 133104]
S3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\DRIVERS\smrtdrv.sys --> c:\windows\system32\DRIVERS\smrtdrv.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 03:34]

2009-05-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-15 17:24]

2009-05-24 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 00:15]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\Big Axe 49\Application Data\Mozilla\Firefox\Profiles\gzxye4q7.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.40115.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 16:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,99,3c,41,77,36,2c,44,91,e2,0e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a8,99,3c,41,77,36,2c,44,91,e2,0e,\

[HKEY_USERS\S-1-5-21-1889046461-877503063-3486001853-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:69,3a,a7,67,d7,13,f1,48,30,24,ea,81,c8,a7,ba,6a,d1,7d,9a,7f,a3,67,9a,
17,8b,cf,94,b4,ff,5d,97,c1,9d,1c,da,79,8c,19,77,f5,73,23,fd,ef,5e,80,35,66,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\Netropa\OSD.exe
c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-24 16:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-24 23:15

Pre-Run: 26,522,763,264 bytes free
Post-Run: 26,510,032,896 bytes free

416 --- E O F --- 2009-05-17 19:20

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:25 AM

Posted 24 May 2009 - 11:03 PM

There was a rootkit infection and an autorun infection as well. I'd like to have you follow up by doing the following:

Place your USB flash drives in-place so that some of these programs will be able to find them.

I'm going to have you get and run two utilities.
The first stops automatic use of the AutoRun feature of XP. The second will write to any connected devices a Read-only, System protected Autorun.inf file on all of your hard drives, and all connected removable storage devices.

Download and Install Microsoft's TweakUI:
http://www.microsoft.com/windowsxp/downloa...ppowertoys.mspx
Obtain and install TweakUI (part of the PowerToys for Windows XP package), and then start TweakUI.
Expand the My Computer branch, then the AutoPlay branch, and then select Drives.
Turn off the checkbox next to every drive letter to disable AutoPlay -- except your CD/DVD drive letters.

Download and run "Flash Drive Disinfector" by sUBs. It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
http://download.bleepingcomputer.com/sUBs/...Disinfector.exe
There is no GUI interface or log file produced.

=

I would very much recommend you get and apply the MVP Hosts file, which will help keep this system a bit more secure.

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc

and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________
+---+
THE MVPS HOSTS FILE IS NOW UPDATED v
+---+



Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .


Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat

=

Download RootRepeal:
http://rootrepeal.googlepages.com/RootRepeal.zip
  • Extract the archive to a folder you create such as C:\RootRepeal
  • Double-click RootRepeal.exe to launch the program (Vista users should right-click and select "Run as Administrator).
  • Click the "File" tab (located at the bottom of the RootRepeal screen)
  • Click the "Scan" button
  • In the popup dialog, check the drives to be scanned - making sure to check your primary operating system drive - normally C:
  • Click OK and the file scan will begin
  • When the scan is done, there will be files listed, but most if not all of them will be legitimate
  • Click the "Save Report" Button
  • Save the log file to your Documents folder
  • Post the content of the RootRepeal file scan log in your next reply.

Next, Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
I would suggest an online scan at Kaspersky website:
Scan the system with the Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner

Posted Image Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Reenable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kapersky Online Scanner button. You'll see a popup window.
2) Accept the agreement
3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )
4) For XP SP2-SP3, click the Install button when prompted
5) The necessary files will be downloaded and installed. Please have plenty of patience.
6) After Kaspersky AntiVirus Database is updated, look at the Scan box.
7) Click the My Computer line
8 ) Be infinetely patient, the scan is comprehensive and, unlike other online antivirus scanners, will detect all malwares

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

( To see an animated tutorial-how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.
Kapersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or SmitFraudFix items, or ComboFix's Qoobox & quarantine.
Kaspersky is a report only and does not remove files.

Post back with copy of the RootRepeal file scan log
DrWeb CureIt report
Kaspersky.txt report
.
[b]How is your system now ?

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 BigAxe49

BigAxe49
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:05:25 AM

Posted 26 May 2009 - 01:14 AM

my system seems fine so far (although the internet is EXTREMELY slow all of a sudden, i dont think it is a virus. it might have happened from one of the antivirus scanners you told me to do)... thanks for all the help. here are the logs you asked for


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 25, 2009 21:27:39
Records in database: 2244335
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 140077
Threat name: 5
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 04:02:19


File name / Threat name / Threats count
C:\Documents and Settings\Big Axe 49\Desktop\zip stuff and pics\Folders\Games and Stuff\GemsweeperSetup.exe Infected: Trojan-Downloader.Win32.Agent.bfte 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000003.dll Infected: Trojan.Win32.Tdss.aalc 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000005.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000007.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000008.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000370.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000371.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000374.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\A0000376.dll Infected: Trojan-Spy.Win32.Agent.argt 1
C:\Documents and Settings\Big Axe 49\DoctorWeb\Quarantine\ovfsthviiuebvcobqxrieccfhxgomhvtypnawl.dll.vir Infected: Trojan.Win32.Tdss.aalc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthmeprxlvwykffqvifprpxoervyvqnaqyl.dll.vir Infected: Trojan.Win32.Tdss.aalg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxawsursjcdvpwwrwkhuqknshksngbxlc.dll.vir Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000004.dll Infected: Trojan.Win32.Tdss.aalg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0\A0000006.dll Infected: Trojan.Win32.Tdss.aald 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000375.dll Infected: Trojan.Win32.Tdss.aald 1

The selected area was scanned.





====================



ROOTREPEAL AD, 2007-2008
==================================================
Scan Time: 2009/05/24 22:18
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Big Axe 49\Desktop\7100.0.090421-1700_x86fre_client_en-us_retail_ultimate-grc1c.iso
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Big Axe 49\Local Settings\temp\etilqs_HX9tg7oySyYH92NHplij
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Big Axe 49\Local Settings\temp\hpodvd09.log
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Program Files\MoparScape\Aryan\logs\zezima
Status: Locked to the Windows API!

Path: C:\Program Files\MoparScape\Aryan\logs\zezima-20070131.log:p-20070131.log
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Big Axe 49\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Big Axe 49\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Big Axe 49\Desktop\zip stuff and pics\Folders\Games and Stuff\c-drive\Documents and Settings\Greg\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1275210071-1682526488-1343024091-1002\12827eab270ae1e5d2dfb77986562a67_533ebac3-8624-4afc-9d0e-bfc0798013e4
Status: Locked to the Windows API!

=================


RegUBP2b-Big Axe 49.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
TiVoTransfer.exe;C:\Program Files\Common Files\TiVo Shared\Transfer\bak;Trojan.DownLoader.origin;Incurable.Moved.;
WIS4E8390903B68436AB3CFA2A08C38DD26_2_3_239_826.MSI/stream000\TiVoTransfer.exe32;C:\Program Files\Common Files\Wise Installation Wizard\WIS4E8390903B68436AB3CFA2A08C38DD26_2_3_239_826.MSI/stream000;Trojan.DownLoader.origin;;
WIS4E8390903B68436AB3CFA2A08C38DD26_2_3_239_826.MSI/stream000\TiVoBeacon.exe33;C:\Program Files\Common Files\Wise Installation Wizard\WIS4E8390903B68436AB3CFA2A08C38DD26_2_3_239_826.MSI/stream000;Trojan.DownLoader.origin;;
stream000;C:\Program Files\Common Files\Wise Installation Wizard;Archive contains infected objects;;
WIS4E8390903B68436AB3CFA2A08C38DD26_2_3_239_826.MSI;C:\Program Files\Common Files\Wise Installation Wizard;Archive contains infected objects;Moved.;
916653139.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data;Trojan.Fakealert.4335;Deleted.;
ovfsthviiuebvcobqxrieccfhxgomhvtypnawl.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.115;Incurable.Moved.;
ovfsthwrwffmekesbdfuqporolwocthvfmepal.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Tdss.115;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0000002.sys;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;BackDoor.Tdss.115;Deleted.;
A0000003.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;BackDoor.Tdss.115;Incurable.Moved.;
A0000005.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;Trojan.Alupko.origin;Incurable.Moved.;
A0000007.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;Trojan.Alupko.origin;Incurable.Moved.;
A0000008.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;Trojan.Alupko.origin;Incurable.Moved.;
A0000029.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;Trojan.Fakealert.4335;Deleted.;
A0000051.reg;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP0;Trojan.StartPage.1505;Deleted.;
A0000370.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.Alupko.origin;Incurable.Moved.;
A0000371.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.Alupko.origin;Incurable.Moved.;
A0000373.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Win32.HLLM.Graz.based;Deleted.;
A0000374.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.Alupko.origin;Incurable.Moved.;
A0000376.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.Alupko.origin;Incurable.Moved.;
A0000460.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.DownLoader.origin;Incurable.Moved.;
A0000461.reg;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.StartPage.1505;Deleted.;
A0000462.exe;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Trojan.DownLoader.origin;Incurable.Moved.;
A0000463.MSI/stream000\TiVoTransfer.exe32;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000463.MSI/stream000;Trojan.DownLoader.origin;;
A0000463.MSI/stream000\TiVoBeacon.exe33;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000463.MSI/stream000;Trojan.DownLoader.origin;;
stream000;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Archive contains infected objects;;
A0000463.MSI;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1;Archive contains infected objects;Moved.;

Edited by BigAxe49, 26 May 2009 - 11:48 AM.


#12 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:25 AM

Posted 26 May 2009 - 06:16 PM

Go to the following folder and delete one file
C:\Documents and Settings\Big Axe 49\Desktop\zip stuff and pics\Folders\Games and Stuff\GemsweeperSetup.exe <<--this file

It was tagged by the Kaspersky online scan.
The other items tagged by Kaspersky are either in quarantine or out of the way.


Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you need to un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
Do the same for Kaspersky online scan.

OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, ( you had named it combofix Posted Image), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, type or copy/paste combofix /u and then click OK.
  • Download OTListIt by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTListIt2.exe
  • Please double-click OTListIt2.exe to run it.
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTListIt2 attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.
We are finished here. Best regards. :thumbup2:
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users