
HiJack This- Unknoown Infection


  • This topic is locked
7 replies to this topic

#1 joedozzi


Posted 30 May 2009 - 03:26 PM

Hey, my computer redirects me to sites from Google or something and won't let me access some sites. This is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:57 PM, on 5/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Vista Drive Icon\DrvIcon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinFlip\WinFlip.exe
C:\Program Files\Vista Rainbar\launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\PROGRA~1\VISTAR~1\Rainbar.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKCU\..\Run: [WinFlip] C:\Program Files\WinFlip\WinFlip.exe
O4 - HKCU\..\Run: [Vista Rainbar] C:\Program Files\Vista Rainbar\launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://
O16 - DPF: Win32 Classes -
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1217383701910
O16 - DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} (MRActivXUI Class) - http://202.8.40.133/comp/partner/pcphone/v...wbaxuiph612.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab57213.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A0B2FC7-11DD-4BB2-8E5B-6294E95CCA4C}: NameServer = 85.255.112.83,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.83,85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.83,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.83,85.255.112.20
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira Firewall (AntiVirFirewallService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avfwsvc.exe
O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
O23 - Service: Apache2 - Avira GmbH - (no file)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

--
End of file - 8724 bytes
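As a worked illustration of what a helper looks for in a log like the one above (an added example, not part of this post or of HijackThis itself): a small Python triage script that parses HijackThis-style entries, flags O17 NameServer values that are neither on the local network nor on an allowlist of the ISP's resolvers, and lists helper/service entries whose file is missing. The sample lines are copied from the log above; the allowlist and the finding names are assumptions of this example.

```python
"""Triage of a HijackThis v2 log: flag DNS-resolver hijack candidates (O17)
and dangling browser-helper / service registrations.
Added example; not code from the original post or from HijackThis."""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the log posted above
# (not the full log).  Raw string so the registry backslashes stay intact.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A0B2FC7-11DD-4BB2-8E5B-6294E95CCA4C}: NameServer = 85.255.112.83,85.255.112.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.83,85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.83,85.255.112.20
O23 - Service: Apache2 - Avira GmbH - (no file)
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

# Every HijackThis entry starts with a section tag such as R0, F2, O4, O17.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,\s]+)$")


def parse_hjt(text):
    """Return (section, body) for every 'Xn - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def nameservers(body):
    """Resolver IPs listed in an O17 entry, in order; [] if the line has none."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    return [s.strip() for s in m.group("servers").split(",") if s.strip()]


def is_expected_resolver(ip_text, allowlist):
    """Resolvers on the LAN (private/link-local) or on the ISP allowlist are expected.
    A statically configured public resolver on a home PC deserves a second look:
    whoever controls the resolver can redirect every lookup the browser makes."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable value: treat as unexpected so it gets reported
    return ip.is_private or ip.is_link_local or ip_text in allowlist


def triage(text, allowlist=frozenset()):
    """Return a list of findings as (kind, section, detail) tuples.
    'allowlist' is an assumed set of resolver IPs the ISP is known to use."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O17":
            bad = [ip for ip in nameservers(body) if not is_expected_resolver(ip, allowlist)]
            if bad:
                findings.append(("dns_hijack_candidate", section, ",".join(bad)))
        elif section in ("O2", "O3") and body.endswith("(file missing)"):
            findings.append(("dangling_entry", section, body))
        elif section == "O23" and body.endswith("(no file)"):
            findings.append(("dangling_entry", section, body))
    return findings


def resolver_summary(text):
    """Distinct resolver sets across all O17 entries (CCS, CS1, CS2, per-adapter).
    One foreign set repeated on every control set is the classic DNS-changer picture."""
    sets = {tuple(nameservers(b)) for s, b in parse_hjt(text) if s == "O17"}
    return sorted(sets)


if __name__ == "__main__":
    for kind, section, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {section:4} {detail}")
    print("resolver sets:", resolver_summary(SAMPLE_LOG))
```

Passing the ISP's real resolvers in `allowlist` silences the O17 finding for them, so the script only reports addresses the machine's owner cannot account for.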


#2 joedozzi


Posted 30 May 2009 - 03:36 PM

Hey, it also won't let me go to certain sites to download Spybot, Malwarebytes, or Ad-Aware, and won't let me install or open the programs. I also have Avira Premium Security Suite installed, but I ran it 3 times and it hasn't detected anything. I also ran 3 online checks and couldn't finish the check or couldn't find anything because it said I had Avira, so I downloaded HijackThis and uploaded the log above, and that is kind of my last resort. But if there is nothing wrong with it, any other ideas? Safe Mode doesn't help either.

#3 Buckeye_Sam (Malware Expert)

Posted 31 May 2009 - 10:12 AM

Hello! :thumbup2:
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 joedozzi


Posted 31 May 2009 - 08:47 PM

Hey, I uploaded the ComboFix.txt; otherwise everything I said in the previous reply is what's happening to my computer. Thanks for the help.

ComboFix 09-05-31.02 - ZIP5 05/31/2009 21:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.319.41 [GMT -4:00]
Running from: c:\documents and settings\ZIP5\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\program files\INSTALL.LOG
c:\windows\start.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\gxvxcbuyeagytmwamcuipdqhqoyikvxcivlsw.sys
c:\windows\system32\drivers\gxvxcqotvuuoykuljwyvawkkjyrcpstyxroir.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcmmwkyctpoqfursuyyvvkqcpaowtuixgx.dll
c:\windows\system32\mdm.exe
c:\windows\system32\Packer.dll
c:\windows\Web\default.htt
c:\windows\winsysmuspd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 00:39 . 2009-06-01 00:39 -------- dc----w- c:\documents and settings\ZIP5\Application Data\TeamViewer
2009-06-01 00:39 . 2009-06-01 00:39 -------- dc----w- c:\documents and settings\ZIP5\temp
2009-05-31 02:17 . 2009-05-31 02:17 -------- dc----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-05-30 20:18 . 2009-05-30 20:18 -------- dc----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-05-30 20:14 . 2009-05-30 20:39 -------- dc----w- c:\documents and settings\All Users\Application Data\HP
2009-05-30 19:24 . 2008-06-19 21:24 28544 -c--a-w- c:\windows\system32\drivers\pavboot.sys
2009-05-30 19:23 . 2009-05-30 19:23 -------- dc----w- c:\program files\Panda Security
2009-05-30 19:06 . 2009-05-30 19:06 -------- dc----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-30 18:13 . 2009-05-30 18:13 -------- dc----w- c:\documents and settings\ZIP5\.housecall6.6
2009-05-30 18:05 . 2009-05-30 18:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-30 17:59 . 2009-05-30 17:59 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 17:52 . 2009-05-30 17:52 -------- dc----w- c:\program files\Trend Micro
2009-05-30 15:40 . 2009-05-26 17:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 15:40 . 2009-05-30 17:59 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 15:40 . 2009-05-26 17:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 15:07 . 2009-05-30 15:09 -------- dc----w- c:\program files\Defraggler
2009-05-30 15:06 . 2009-05-30 15:06 -------- dc----w- c:\program files\CCleaner
2009-05-29 23:08 . 2009-05-30 20:08 -------- dc----w- c:\documents and settings\ZIP5\Tracing
2009-05-29 20:06 . 2009-05-29 20:06 -------- dc----w- c:\program files\ViStart
2009-05-29 20:06 . 2009-05-29 20:06 -------- dc----w- c:\program files\ViGlance
2009-05-29 20:05 . 2009-05-29 20:06 -------- dc----w- c:\program files\Vista Drive Icon
2009-05-29 20:05 . 2009-03-18 12:46 6181376 -c--a-w- c:\windows\system32\sevenui.exe
2009-05-29 20:05 . 2006-12-11 05:15 498176 -c--a-w- c:\windows\system32\logon.scr
2009-05-29 19:20 . 2009-05-29 20:06 -------- dc----w- c:\program files\TrueTransparency
2009-05-29 19:20 . 2009-05-30 20:07 -------- dc----w- c:\program files\WinFlip
2009-05-29 19:19 . 2009-05-29 20:06 -------- dc----w- c:\program files\Vista Rainbar
2009-05-29 00:19 . 2009-05-30 20:07 -------- dc----w- c:\windows\system32\VIRepair
2009-05-29 00:11 . 2009-04-25 07:12 348161 -c--a-w- c:\windows\system32\viwc.exe
2009-05-28 23:50 . 2009-05-29 20:06 -------- dc----w- c:\windows\system32\VITrans
2009-05-28 23:49 . 2009-05-29 21:31 -------- dc----w- C:\VTPFiles
2009-05-28 23:49 . 2006-12-03 21:15 111104 -c--a-w- c:\windows\system32\Uharc.exe
2009-05-28 23:49 . 2006-12-03 21:15 19968 -c--a-w- c:\windows\system32\reico.exe
2009-05-28 23:49 . 2006-12-03 21:15 69632 -c--a-w- c:\windows\system32\moveex.exe
2009-05-28 23:49 . 2006-12-03 21:14 8636 -c--a-w- c:\windows\system32\modifype.exe
2009-05-28 23:49 . 2004-11-27 23:00 94208 -c--a-w- c:\windows\system32\pskill.exe
2009-05-28 23:48 . 2009-03-23 21:39 20480 -c--a-w- c:\windows\system32\scrnrdr.exe
2009-05-28 23:30 . 2009-05-29 20:06 -------- dc----w- c:\program files\ViSplore
2009-05-28 22:57 . 2009-05-28 23:09 -------- dc----w- c:\documents and settings\ZIP5\Contacts
2009-05-28 22:55 . 2009-05-28 22:56 -------- dc----w- c:\program files\Messenger Plus! Live
2009-05-28 22:18 . 2009-05-28 22:18 -------- dc----w- c:\program files\Common Files\Windows Live
2009-05-28 19:42 . 2009-05-28 19:44 -------- dc----w- c:\documents and settings\ZIP5\Local Settings\Application Data\RcIncidents
2009-05-25 22:07 . 2009-05-25 22:07 -------- dc----w- c:\documents and settings\ZIP5\Local Settings\Application Data\AOL
2009-05-23 00:19 . 2009-05-23 00:19 -------- dc----w- C:\vcs5BGEffects
2009-05-21 19:58 . 2009-05-21 19:58 -------- dc----w- c:\program files\vixy.net
2009-05-09 19:11 . 2009-05-09 19:11 -------- dc----w- c:\documents and settings\ZIP5\Application Data\DivX
2009-05-09 19:10 . 2009-05-25 02:33 -------- dc----w- c:\documents and settings\ZIP5\Local Settings\Application Data\WMTools Downloaded Files
2009-05-06 11:58 . 2009-05-06 11:58 -------- dc----w- c:\program files\Microsoft.NET
2009-05-06 02:24 . 2007-11-09 15:32 131072 -c--a-w- c:\windows\system32\Packer2k7.dll
2009-05-06 02:21 . 2008-08-28 16:17 126976 -c--a-w- c:\windows\system32\P3DOffice2k7.dll
2009-05-06 02:21 . 2008-08-28 16:17 122880 -c--a-w- c:\windows\system32\PowerPlugs ProductIdentification.dll
2009-05-06 02:21 . 2008-08-28 16:17 118784 -c--a-w- c:\windows\system32\OfficeVer.dll
2009-05-06 02:13 . 2008-08-28 18:02 98304 -c--a-w- c:\windows\system32\InterfaceCaller.dll
2009-05-06 02:13 . 2008-08-28 18:02 126976 -c--a-w- c:\windows\system32\eSy_Vb2K7Support.dll
2009-05-06 01:54 . 2003-05-16 21:22 131072 -c--a-w- c:\windows\system32\QKernelDataTransferBridge.dll
2009-05-06 01:54 . 2003-05-16 20:59 122880 -c--a-w- c:\windows\system32\OutlookQuoteHelper.dll
2009-05-06 01:54 . 2003-05-16 21:22 159744 -c--a-w- c:\windows\system32\WordPlugs.dll
2009-05-06 01:54 . 2003-05-16 21:22 110592 -c--a-w- c:\windows\system32\OutlookQuoteAddin.dll
2009-05-06 01:54 . 2003-05-16 21:22 352256 -c--a-w- c:\windows\system32\QuotPlug.dll
2009-05-06 01:53 . 2003-05-16 20:38 155648 -c--a-w- c:\windows\QuoteUninstall.exe
2009-05-06 01:53 . 2003-05-16 20:37 393216 -c--a-w- c:\windows\system32\QStartUp.dll
2009-05-06 01:53 . 2003-05-16 21:22 524288 -c--a-w- c:\windows\system32\QKernel.dll
2009-05-06 01:53 . 1998-10-20 21:05 54784 -c--a-w- c:\windows\system32\INETWH32.DLL
2009-05-06 01:49 . 1999-11-22 18:52 276992 -c--a-w- c:\windows\system32\LFCMP11n.DLL
2009-05-06 01:49 . 1999-11-22 17:51 118272 -c--a-w- c:\windows\system32\ltfil11n.DLL
2009-05-06 01:49 . 1999-11-22 17:51 262144 -c--a-w- c:\windows\system32\LTDIS11n.dll
2009-05-06 01:49 . 1999-11-22 17:50 391168 -c--a-w- c:\windows\system32\ltkrn11n.dll
2009-05-06 01:49 . 2008-08-28 16:18 225280 -c----w- c:\windows\MusicClipUninstall.exe
2009-05-06 01:49 . 2003-06-14 09:22 226304 -c--a-w- c:\windows\system32\CGGenericUIControlsKernel.dll
2009-05-06 01:49 . 2008-03-05 19:17 692224 -c--a-w- c:\windows\system32\Music Clips GUI.dll
2009-05-06 01:41 . 2002-11-27 17:12 4608 -c--a-r- c:\windows\system32\W95INF32.DLL
2009-05-06 01:41 . 2002-11-27 17:12 2272 -c--a-r- c:\windows\system32\W95INF16.DLL
2009-05-06 01:41 . 2006-08-28 21:25 126976 -c--a-w- c:\windows\system32\cmGetSWFheader.dll
2009-05-06 01:41 . 2006-08-28 21:25 1150976 -c--a-w- c:\windows\system32\ImagePlug.dll
2009-05-06 01:37 . 2003-09-17 15:35 40960 -c--a-w- c:\windows\system32\ChartIcn.dll
2009-05-06 01:37 . 2003-09-09 13:55 44544 -c--a-w- c:\windows\system32\Mfc42loc.dll
2009-05-06 01:36 . 2008-08-28 18:02 131072 -c--a-w- c:\windows\system32\SaveStatus.dll
2009-05-06 01:29 . 2008-08-28 18:02 266752 -c--a-w- c:\windows\system32\VBSTARTUP.dll
2009-05-06 01:29 . 2008-08-28 18:02 876648 -c--a-w- c:\windows\system32\VT_DynamicVideoThumbnailGenerator.dll
2009-05-06 01:29 . 2008-08-28 18:02 1740800 -c--a-w- c:\windows\system32\VideoInterface.dll
2009-05-06 01:29 . 2008-08-28 18:02 143360 -c--a-w- c:\windows\system32\PowerPlugs Background Kernel.dll
2009-05-06 01:29 . 2008-08-28 18:02 24576 -c--a-w- c:\windows\system32\CheckMemoryUsage.dll
2009-05-06 01:29 . 2008-08-28 18:02 143360 -c--a-w- c:\windows\system32\eSyChangeTemplate.dll
2009-05-06 01:29 . 2008-08-28 18:02 102400 -c--a-w- c:\windows\system32\CGUtilities.dll
2009-05-06 01:29 . 2006-07-27 16:45 32768 -c--a-w- c:\windows\system32\REGTOOL5.DLL
2009-05-06 01:29 . 2008-08-28 18:02 724992 -c--a-w- c:\windows\system32\eSy_VTXPSupport.dll
2009-05-06 01:29 . 2006-07-27 16:45 102912 -c--a-w- c:\windows\system32\VB6STKIT.DLL
2009-05-06 01:28 . 2008-08-28 18:02 135168 -c--a-w- c:\windows\system32\DXVer.dll
2009-05-06 00:54 . 2009-05-06 00:54 -------- dc----w- C:\CrystalTroubleShoot
2009-05-05 23:40 . 2008-08-28 16:17 598016 -c--a-w- c:\windows\system32\ImageProcess.dll
2009-05-05 23:40 . 2008-08-28 16:17 317952 -c--a-w- c:\windows\system32\ROBOEX32.DLL
2009-05-05 23:37 . 2008-02-01 14:50 217088 -c--a-w- c:\windows\system32\cgRegister.exe
2009-05-05 23:37 . 2008-08-28 18:01 131072 -c--a-w- c:\windows\system32\TransSaveStatus.dll
2009-05-05 23:37 . 2008-08-28 16:17 266752 -c--a-w- c:\windows\system32\STARTUP.dll
2009-05-05 23:37 . 2008-08-28 18:02 921600 -c--a-w- c:\windows\system32\VideoPlayer.dll
2009-05-05 23:37 . 2008-08-28 18:01 499712 -c--a-w- c:\windows\system32\eSy_ScreenCapture.dll
2009-05-05 23:37 . 2008-08-28 18:01 3074560 -c--a-w- c:\windows\system32\PwrPlugs.dll
2009-05-05 23:37 . 2008-08-28 18:01 279040 -c--a-w- c:\windows\system32\CGPower3DUtilityFx.dll
2009-05-05 23:37 . 2008-08-28 16:17 131072 -c--a-w- c:\windows\system32\ProcessTerminator.dll
2009-05-05 23:37 . 2008-08-28 15:40 114688 -c--a-w- c:\windows\system32\RemovePresFromTemp.dll
2009-05-05 23:37 . 2009-05-19 22:18 -------- dc----w- c:\program files\PowerPlugs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 20:06 . 2008-11-15 13:55 -------- dc----w- c:\program files\LogMeIn
2009-05-30 18:30 . 2008-08-10 23:18 1324 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-05-30 15:14 . 2008-10-16 23:47 -------- dc----w- c:\program files\AV Vcs 6.0 DIAMOND
2009-05-30 15:14 . 2009-04-16 20:31 -------- dc----w- c:\documents and settings\ZIP5\Application Data\LimeWire
2009-05-30 00:04 . 2008-08-21 14:44 -------- dc----w- c:\program files\Windows Live
2009-05-29 22:57 . 2008-11-26 00:36 -------- dc----w- c:\program files\VAC System
2009-05-29 00:21 . 2008-07-30 17:36 72024 -c--a-w- c:\documents and settings\ZIP5\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-25 20:52 . 2008-11-07 23:52 -------- dc----w- c:\program files\VoipCheapCom
2009-05-22 02:19 . 2009-04-11 19:10 147606 -c--a-w- c:\windows\hpoins21.dat
2009-05-21 00:08 . 2009-03-21 16:04 34 -c--a-w- c:\windows\system32\BD2040.DAT
2009-05-15 02:34 . 2008-11-18 21:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-13 19:50 . 2008-07-29 23:44 90112 ----a-w- c:\windows\DUMP517b.tmp
2009-05-09 17:30 . 2008-09-09 22:20 -------- dc----w- c:\program files\FirstClass
2009-05-09 16:09 . 2009-04-03 01:19 -------- dc----w- c:\documents and settings\ZIP5\Application Data\Apple Computer
2009-05-02 01:14 . 2009-05-02 01:14 -------- dc----w- c:\documents and settings\ZIP5\Application Data\Avira
2009-05-02 00:41 . 2009-05-02 00:41 -------- dc----w- c:\program files\Microsoft Office Outlook Connector
2009-05-02 00:39 . 2009-05-02 00:39 -------- dc----w- c:\program files\MSECache
2009-05-01 01:54 . 2009-01-30 21:12 -------- dc----w- c:\program files\Common Files\InstallShield
2009-05-01 01:24 . 2009-04-25 13:32 -------- dc----w- c:\program files\Common Files\Symantec Shared
2009-04-30 21:54 . 2009-04-30 21:54 -------- dc----w- c:\program files\Avira
2009-04-30 21:54 . 2009-04-29 22:54 -------- dc----w- c:\documents and settings\All Users\Application Data\Avira
2009-04-30 20:35 . 2008-09-08 20:53 -------- dc----w- c:\program files\Common Files\Adobe
2009-04-30 19:58 . 2008-11-22 00:30 -------- dc----w- c:\program files\Musicnotes
2009-04-26 14:27 . 2009-04-26 14:27 1047552 -c--a-w- c:\windows\system32\mfc71u.dll
2009-04-23 18:22 . 2009-04-23 18:09 -------- dc----w- c:\program files\LimeWire Acceleration Patch
2009-04-23 18:12 . 2009-04-23 18:12 98304 -c--a-w- c:\documents and settings\ZIP5\Application Data\LimeWire\browser\xulrunner\smime3.dll
2009-04-23 18:10 . 2008-08-25 21:16 -------- dc----w- c:\program files\LimeWire
2009-04-19 15:35 . 2008-12-24 02:54 -------- dc----w- c:\program files\ProffittCenter
2009-04-19 15:24 . 2009-04-19 14:46 -------- dc----w- c:\documents and settings\ZIP5\Application Data\Auslogics
2009-04-19 15:18 . 2008-11-12 00:21 -------- dc----w- c:\program files\Common Files\Real
2009-04-19 15:17 . 2008-12-05 23:54 -------- dc----w- c:\program files\Full Tilt Poker
2009-04-19 14:56 . 2009-04-06 23:53 -------- dc----w- c:\program files\VeryPDF PDF Editor v2.2
2009-04-16 00:17 . 2009-04-16 00:17 -------- dc----w- c:\documents and settings\All Users\Application Data\MSScanAppDataDir
2009-04-13 18:33 . 2009-04-11 19:30 -------- dc----w- c:\documents and settings\ZIP5\Application Data\HPAppData
2009-04-12 18:22 . 2009-04-12 18:22 -------- dc----w- c:\documents and settings\ZIP5\Application Data\ICAClient
2009-04-12 02:34 . 2008-09-03 21:36 -------- dc----w- c:\program files\CamStudio
2009-04-11 19:56 . 2009-04-11 19:56 -------- dc----w- c:\documents and settings\ZIP5\Application Data\HP
2009-04-11 19:30 . 2009-04-11 19:13 -------- dc----w- c:\program files\HP
2009-04-11 19:21 . 2009-04-11 19:21 -------- dc----w- c:\program files\Common Files\HP
2009-04-11 19:20 . 2009-04-11 19:20 -------- dc----w- c:\program files\Hewlett-Packard
2009-04-11 19:20 . 2009-04-11 19:20 -------- dc----w- c:\program files\Common Files\Hewlett-Packard
2009-04-11 19:17 . 2009-04-11 19:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-08 23:19 . 2008-11-19 21:18 -------- dc----w- c:\program files\Windows Live Safety Center
2009-04-06 23:54 . 2009-04-06 23:54 1024 -c--a-w- c:\windows\system32\pdfeditor.dat
2009-04-06 23:49 . 2009-04-06 23:49 16 -c--a-w- c:\windows\system32\W7409A4F3447fc2F2.bin
2009-04-06 23:48 . 2009-04-06 23:48 -------- dc----w- c:\program files\Abdio
2009-04-06 23:39 . 2009-04-06 21:06 75264 -c--a-w- c:\windows\cadkasdeinst01e.exe
2009-03-31 21:57 . 2009-03-31 21:57 512 -c--a-w- c:\documents and settings\ZIP5\bootsect.bin
2009-03-30 14:33 . 2009-04-30 21:54 96104 -c--a-w- c:\windows\system32\drivers\avipbb.sys
2009-03-24 20:08 . 2009-04-30 21:54 55640 -c--a-w- c:\windows\system32\drivers\avgntflt.sys
2009-03-24 18:51 . 2009-04-30 21:54 97480 -c--a-w- c:\windows\system32\drivers\avfwot.sys
2009-03-21 00:53 . 2009-03-21 00:53 183544 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-06 14:22 . 2008-07-30 13:01 284160 -c--a-w- c:\windows\system32\pdh.dll
2003-05-23 19:00 . 2003-05-23 19:00 11079 -c-ha-w- c:\program files\folder.htt
.

------- Sigcheck -------

[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-14 05:01 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2004-08-04 06:58 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ntkrnlpa.exe
[-] 2009-02-07 23:02 2074752 3066E12CC2B82232CF9975A267619237 c:\windows\SYSTEM32\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SYSTEM32\dllcache\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SYSTEM32\VITrans\ntkrnlpa.exe

[7] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-14 05:57 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2004-08-04 07:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ntoskrnl.exe
[-] 2009-02-06 11:08 2197760 704B98F5A22F142DE956F7FDE3A347D2 c:\windows\SYSTEM32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SYSTEM32\dllcache\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SYSTEM32\VITrans\ntoskrnl.exe

[-] 2008-04-14 10:42 1480704 D4F330787E9A12892C4441EE7F0F554A c:\windows\explorer.exe
[-] 2008-04-14 10:42 975872 561A50497324F378E30F55D09B4E1258 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2004-08-04 08:56 1032192 A0732187050030AE399B241436565E64 c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\explorer.exe
[7] 2008-04-14 10:42 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SYSTEM32\VITrans\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 19:02 14465536 -c--a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"viwc"="c:\windows\system32\viwc.exe" [2009-04-25 348161]
"WinFlip"="c:\program files\WinFlip\WinFlip.exe" [2008-05-21 483328]
"Vista Rainbar"="c:\program files\Vista Rainbar\launcher.exe" [2009-03-20 135528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-13 49152]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{C3F23B40-E3F0-101B-8488-00AA003E56F8}"= "url.dll" [2009-02-20 105984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):73,65,76,65,6e,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-17 01:35 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^ZIP5^Start Menu^Programs^Startup^BitTorrent Turbo Accelerator.lnk]
path=c:\documents and settings\ZIP5\Start Menu\Programs\Startup\BitTorrent Turbo Accelerator.lnk
backup=c:\windows\pss\BitTorrent Turbo Accelerator.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ZIP5^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]
path=c:\documents and settings\ZIP5\Start Menu\Programs\Startup\Microsoft Office Groove.lnk
backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ZIP5^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\ZIP5\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ZIP5^Start Menu^Programs^Startup^UberIcon.lnk]
path=c:\documents and settings\ZIP5\Start Menu\Programs\Startup\UberIcon.lnk
backup=c:\windows\pss\UberIcon.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^ZIP5^Start Menu^Programs^Startup^Y'z Shadow.lnk]
path=c:\documents and settings\ZIP5\Start Menu\Programs\Startup\Y'z Shadow.lnk
backup=c:\windows\pss\Y'z Shadow.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Motive SmartBridge"=c:\progra~1\NETASS~1\SMARTB~1\MotiveSB.exe
"StandardInstall"=
"RecoverFromReboot"=c:\windows\TEMP\RECOVE~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\WINDOWS\\System32\\lxdjcoms.exe"=
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\HelpCtr.exe"=
"c:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"c:\\Program Files\\VoipCheapCom\\VoipCheapCom.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\groove.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\lxdjpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\spool\\drivers\\w32x86\\3\\lxdjjswx.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [5/30/2009 3:24 PM 28544]
R1 avfwot;avfwot;c:\windows\SYSTEM32\DRIVERS\avfwot.sys [4/30/2009 5:54 PM 97480]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 7:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\SYSTEM32\DRIVERS\LMIRfsDriver.sys [11/15/2008 9:56 AM 47640]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\SYSTEM32\DRIVERS\avfwim.sys [4/30/2009 5:54 PM 69632]
R3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\SYSTEM32\DRIVERS\NtApm.sys [7/29/2008 7:57 PM 9344]
S3 atirage;atirage;c:\windows\SYSTEM32\DRIVERS\atiragem.sys [7/29/2008 7:56 PM 70528]
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\SYSTEM32\DRIVERS\ctlsb16.sys [7/29/2008 7:56 PM 96256]
S3 DivioUSBDCam;PineCam Z100;c:\windows\SYSTEM32\DRIVERS\pcam.sys [11/2/2008 10:25 PM 160876]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG
*Deregistered* - AntiVirFirewallService
*Deregistered* - AntiVirMailService
*Deregistered* - AntiVirSchedulerService
*Deregistered* - AntiVirService
*Deregistered* - AntiVirWebService
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - hpqcxs08
*Deregistered* - hpqddsvc
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanworkstation
*Deregistered* - LMIMaint
*Deregistered* - LogMeIn
*Deregistered* - lxdj_device
*Deregistered* - MDM
*Deregistered* - Nero BackItUp Scheduler 4.0
*Deregistered* - Net Driver HPZ12
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"c:\progra~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
c:\windows\SYSTEM32\updcrl.exe -e -u c:\windows\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1715567821-706699826-1957994488-1003.job
- c:\documents and settings\ZIP5\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 21:05]

2009-05-31 c:\windows\Tasks\WebReg Photosmart C6200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2007-03-12 01:27]

2009-06-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-03 02:18]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://sympatico.msn.ca/
mWindow Title = Microsoft Internet Explorer provided by Sympatico Internet Service
uInternet Settings,ProxyOverride = 127.0.0.1;<local>
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
DPF: {77AAD261-A84E-4564-BEC2-C51FF6A7187F} - hxxp://202.8.40.133/comp/partner/pcphone/ver6.1.2.0/wbaxuiph612.cab
FF - ProfilePath - c:\documents and settings\ZIP5\Application Data\Mozilla\Firefox\Profiles\1eiz36yr.default\
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - plugin: c:\documents and settings\ZIP5\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\LMIinit.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(760)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
Completion time: 2009-06-01 21:27
ComboFix-quarantined-files.txt 2009-06-01 01:27

Pre-Run: 4,852,311,040 bytes free
Post-Run: 4,852,981,760 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

427 --- E O F --- 2009-05-08 21:10

Edited by Buckeye_Sam, 01 June 2009 - 03:17 PM.


#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:44 PM

Posted 01 June 2009 - 03:26 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save As... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\windows\system32\viwc.exe
c:\windows\system32\Uharc.exe
c:\windows\system32\reico.exe
c:\windows\system32\moveex.exe
c:\windows\system32\modifype.exe
c:\windows\system32\pskill.exe
c:\windows\system32\scrnrdr.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"viwc"=-

Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#6 joedozzi

joedozzi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:44 PM

Posted 01 June 2009 - 04:20 PM

Actually, thanks. Do you think this is necessary? It stopped sending me to other sites, and I was able to run Malwarebytes, Spybot Search & Destroy, Ad-Aware, and Avira Luke Filewalker, and I deleted all the viruses that showed up, but if you think it's necessary I'll continue...

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:44 PM

Posted 02 June 2009 - 11:52 AM

I can only respond based off the information that you post. If you feel like your computer is running normally again that's a good indication that the active malware infection is gone. That doesn't mean that the remnant files have been cleaned though. It's your call. I can tell you that based upon your last log, you still have malware present.
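
As an added illustration that is not part of this thread or of ComboFix, a short Python triage of the log's "Reg Loading Points" block: it re-parses an excerpt copied from the log above and lists the entries a helper reads as remaining trouble (an autorun for a file on the CFScript File:: list, Security Center monitoring and the firewall switched off, the globally open 3389/TCP port, and a Winlogon UIHost other than the XP default logonui.exe). The WATCHLIST, the category names and the logonui.exe default are assumptions of the example.

```python
import re

# Constructed excerpt copied from the "Reg Loading Points" block of the log above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"viwc"="c:\windows\system32\viwc.exe" [2009-04-25 348161]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):73,65,76,65,6e,75,69,2e,65,78,65,00
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# File:: entries from the helper's CFScript (assumed watchlist); an autorun pointing at one is a hit.
WATCHLIST = {"viwc.exe", "uharc.exe", "reico.exe", "moveex.exe",
             "modifype.exe", "pskill.exe", "scrnrdr.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def parse_reg_sections(text):
    """Map each [key] header (lower-cased) to its (value name, raw value) lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif (m := VALUE_RE.match(line)) and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections

def decode_hex2(raw):
    """Turn the log's hex(2):73,65,... rendering of a REG_EXPAND_SZ back into text."""
    data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(","))
    return data.rstrip(b"\x00").decode("ascii")

def triage(text):
    """Return (category, detail) findings a helper would raise on this block."""
    findings = []
    for key, values in parse_reg_sections(text).items():
        for name, raw in values:
            if key.endswith(r"\currentversion\run"):
                path = raw.split('"')[1] if raw.startswith('"') else raw
                if path.rsplit("\\", 1)[-1].lower() in WATCHLIST:
                    findings.append(("autorun", f"{name} -> {path}"))
            elif key.endswith(r"\winlogon") and name == "UIHost":
                host = decode_hex2(raw)
                if host.lower() != "logonui.exe":  # assumed XP default logon UI
                    findings.append(("winlogon", f"non-default UIHost {host}"))
            elif "security center" in key and name == "DisableMonitoring" and raw.endswith("00000001"):
                findings.append(("security-center", f"monitoring off: {key}"))
            elif name == "EnableFirewall" and raw.startswith("0"):
                findings.append(("firewall", "standard profile firewall disabled"))
            elif key.endswith(r"\globallyopenports\list"):
                findings.append(("open-port", name))
    return findings
```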


========================================================

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:44 PM

Posted 25 June 2009 - 03:02 PM

Unfortunately there has been no response.
This thread will now be closed.


========================================================
