
Cannot Remove Malware Infections


This topic is locked
14 replies to this topic

#1 qthush99


Posted 11 June 2009 - 01:09 PM

Hi All ~

I have an infected laptop. I have run MalwareBytes AntiMalware and SpyBot. They both detect and remove malware, yet the malware, particularly "Malware Doctor" always returns. Below is a Hijack This log. I would appreciate your assistance in removing the malware and spyware, and thank you very much in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:56 PM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\Documents and Settings\LocalService\Application Data\1361538659.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeon.org/mainpage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176728813982
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176734363502
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - {1fc576bc-13ef-4fd3-8027-bf5f6e4fcebb} - C:\WINDOWS\system32\msziptools.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7061 bytes

Edited by qthush99, 11 June 2009 - 01:24 PM.
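The log above is what the helpers in this thread triage by eye. As an added example (not part of this thread, of HijackThis, or of any BleepingComputer tool), the Python below parses HijackThis 2.0.x entry lines and applies the checks a reviewer applies to this particular log: an O4 autostart pointing into a service-account profile or with a purely numeric file name, an O2 BHO whose DLL is missing, an O7 DisableRegedit policy, an O18 MIME filter hijack, and an O23 service with no owner posing as a security product inside System32. The sample lines are copied from the log above; the heuristics, thresholds and the names Finding, triage_line, triage_log and repeated_autostarts are my own assumptions.

```python
"""Triage a HijackThis 2.0.x log for the entry types that mattered in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeon.org/mainpage.htm
O2 - BHO: Chrome copyright - {aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\1361538659.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O18 - Filter hijack: text/html - {1fc576bc-13ef-4fd3-8027-bf5f6e4fcebb} - C:\WINDOWS\system32\msziptools.dll
O23 - Service: avast!antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Profile locations a legitimate HKLM/HKCU Run entry almost never points into on XP (assumption).
SUSPICIOUS_DIRS = ("\\localservice\\", "\\networkservice\\", "\\local settings\\temp\\")
# Words a rogue uses to pose as security software; a real product lives under Program Files.
AV_LOOKALIKES = ("antivirus", "avast", "malware", "doctor", "spyware")


@dataclass
class Finding:
    kind: str    # HijackThis section code
    reason: str  # why the reviewer should look at it
    line: str    # the original log line


def _o4_target(body: str) -> str:
    """Extract the executable path from an O4 body such as 'HKLM\\..\\Run: [Name] "C:\\x.exe" -arg'."""
    if "] " not in body:
        return ""  # 'Startup: foo.lnk = ...' folder entries are not handled here
    rest = body.split("] ", 1)[1]
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" (User ", 1)[0]  # drop HijackThis's trailing "(User 'x')" note


def _path_is_suspicious(path: str) -> bool:
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    numeric_name = re.fullmatch(r"\d+\.exe", name) is not None  # e.g. 1361538659.exe
    return numeric_name or any(d in p for d in SUSPICIOUS_DIRS)


def triage_line(line: str):
    """Return a Finding for one log line, or None if it passes the checks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "O2" and "(file missing)" in body:
        return Finding(kind, "BHO registered but its DLL is gone (orphan left by a partial removal)", line)
    if kind == "O4":
        target = _o4_target(body)
        if _path_is_suspicious(target):
            return Finding(kind, f"autostart from an unusual location: {target}", line)
    if kind == "O7":
        return Finding(kind, "policy restriction on the user's tools: " + body.split(", ", 1)[-1], line)
    if kind == "O18" and body.startswith("Filter hijack"):
        mime = body.split(": ", 1)[1].split(" - ", 1)[0]
        return Finding(kind, f"MIME filter hijack on {mime}", line)
    if kind == "O23" and "Unknown owner" in body:
        target = body.rsplit(" - ", 1)[-1].lower()
        if "\\system32\\" in target and any(w in target for w in AV_LOOKALIKES):
            return Finding(kind, "unowned service posing as a security product inside System32", line)
    return None


def triage_log(text: str) -> list:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def repeated_autostarts(findings: list) -> dict:
    """Flagged O4 targets registered under more than one hive (HKLM and HKCU here):
    the dropper re-creates both, which is why removing one entry never stuck."""
    hives = {}
    for f in findings:
        if f.kind != "O4":
            continue
        body = f.line.split(" - ", 1)[1]
        hive = body.split("\\", 1)[0]
        hives.setdefault(_o4_target(body), set()).add(hive)
    return {t: h for t, h in hives.items() if len(h) > 1}


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:4} {f.reason}")
    for target, h in repeated_autostarts(found).items():
        print(f"persisted in {sorted(h)}: {target}")
```

Entries the script does not flag are not thereby clean; it only surfaces the patterns that stood out in this log, and a full HijackThis review still reads every O4, O18 and O23 line.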



#2 fireman4it

  • Malware Response Team

Posted 11 June 2009 - 02:37 PM

Hello qthush99,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy.

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 qthush99


Posted 11 June 2009 - 04:55 PM

Thanks for the fast reply Fireman4it. There is an additional problem I neglected to mention in my original post. My desktop background has been altered, and the blue inlay, normally on the black background, is missing when the machine boots up to the desktop. Thanks again for your assistance.

#4 fireman4it

  • Malware Response Team

Posted 11 June 2009 - 09:41 PM

Hello qthush99

1. Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
A new HiJackThis log.
How is your computer running now?

#5 qthush99


Posted 12 June 2009 - 01:06 PM

Hi Fireman4it ~

I followed all instructions disabling AVG antivirus, Spybot, and Ad Aware. Ran ComboFix, and it successfully installed Windows Recovery Console.

ComboFix was running, said it detected rootkit activity, asked me to write down several files, which I did, and then my machine suddenly went to a blue screen that said "windows has shut down to protect your computer from being damaged. If this is the first time you are seeing this message....please restart...."

I have attempted to reboot using the "last successful configuration" and "normal start," but the machine will only boot to a desktop with no start button tray, and no desktop icons. It just stops at this level and will not reach the desktop.

I am writing this message from another computer. Any suggestions would be appreciated. Should I try booting up using safe mode or the Windows Console?

Thanks in advance.

Edited by qthush99, 12 June 2009 - 01:15 PM.


#6 fireman4it

  • Malware Response Team

Posted 12 June 2009 - 08:27 PM

Hello qthush99,

Yes, please boot into safe mode and post combofix.txt.
Its location, if it doesn't come up when you boot into safe mode, is C:\Combofix.txt.

Edited by fireman4it, 12 June 2009 - 08:28 PM.

#7 qthush99


Posted 12 June 2009 - 09:28 PM

Hi Fireman4it ~

I followed your instructions, and booted up into safe mode; and ran ComboFix. I think (it all happened so fast) that AVG was enabled when I booted up into safe mode. By the time I was aware of this, ComboFix was already running, and I did not want to try to interrupt the process. Below is the ComboFix log, and a new Hijack This log. I have also included an AVG 8.5 scan. Your assistance is greatly appreciated, and the machine seems to be working OK, but I have yet to try anything except posting this message to you. I will check other functions now and let you know.

ComboFix 09-06-11.06 - Qthush99 06/12/2009 19:43.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.744 [GMT -6:00]
Running from: c:\documents and settings\Qthush99\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\documents and settings\LocalService\Application Data\1361538659.exe
c:\documents and settings\LocalService\Application Data\1458931097.exe
c:\documents and settings\LocalService\Application Data\615289520.exe
C:\fsev.exe
C:\jotvxhh.exe
C:\kvonprd.exe
C:\lvur.exe
c:\program files\Internet Explorer\setupapi.dll
c:\windows\Install.txt
c:\windows\system32\8241_1.exe
c:\windows\system32\avast!Antivirus.exe
c:\windows\system32\drivers\321917d4.sys
c:\windows\system32\drivers\35252c73.sys
c:\windows\system32\drivers\83407a3d.sys
c:\windows\system32\drivers\86afd58c.sys
c:\windows\system32\drivers\931e1015.sys
c:\windows\system32\drivers\964597d5.sys
c:\windows\system32\drivers\a3047e55.sys
c:\windows\system32\drivers\a6e9e54a.sys
c:\windows\system32\drivers\ovfsthxoqxmejwf.sys
c:\windows\system32\jbnmcd.dll
c:\windows\system32\jbnmck.dll
c:\windows\system32\ovfsthxnyvblovk.dat
c:\windows\system32\ovfsthxpcbnyrnj.dat
c:\windows\system32\ovfsthxppnypnqn.dll
c:\windows\system32\ovfsthxthotxmyd.dll
c:\windows\system32\ovfsthxxyqyftim.dll
c:\windows\system32\sft.res

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_AVAST!ANTIVIRUS
-------\Legacy_dhcpsrv
-------\Legacy_msncache
-------\Legacy_ntalme
-------\Legacy_sopidkc
-------\Legacy_win32x
-------\Service_avast!antivirus
-------\Service_ovfsthxptamrqhx
-------\Service_321917d4
-------\Service_83407a3d
-------\Service_931e1015
-------\Service_964597d5
-------\Service_a3047e55


((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 01:51 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-02 06:19 . 2009-06-12 17:46 0 ----a-w- c:\windows\system32\drivers\f0421761.sys
2009-05-31 09:23 . 2009-05-31 09:23 15360 ----a-w- c:\windows\system32\uss_setup.exe
2009-05-30 03:52 . 2009-06-13 01:42 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-05-30 03:51 . 2009-05-30 04:09 -------- d-----w- c:\windows\dhcp
2009-05-23 22:29 . 2009-05-23 22:29 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-13 01:50 . 2002-08-29 20:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 17:36 . 2007-04-16 04:39 90112 ----a-w- c:\windows\DUMPe1c1.tmp
2009-06-12 16:41 . 2007-04-16 04:39 90112 ----a-w- c:\windows\DUMPeac0.tmp
2009-06-11 03:54 . 2008-06-02 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 07:24 . 2009-01-01 17:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 07:24 . 2009-04-11 04:26 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 19:20 . 2009-01-01 17:21 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 19:19 . 2009-01-01 17:21 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 16:14 . 2002-08-29 20:00 104960 ----a-w- c:\windows\system32\win32x.exe
2009-05-13 20:32 . 2009-05-13 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-05-13 12:20 . 2007-04-17 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-07 16:02 . 2009-05-07 14:49 202 ----a-w- C:\43214354.bat
2009-05-07 15:21 . 2007-04-17 05:01 -------- d-----w- c:\program files\Google
2009-05-06 18:42 . 2009-05-06 18:42 -------- d-----w- c:\program files\Sophos
2009-05-02 01:40 . 2009-01-30 22:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 01:40 . 2008-06-02 15:13 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 01:40 . 2007-10-08 21:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-02 01:40 . 2009-04-11 05:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 05:00 . 2008-01-30 08:00 -------- d-----w- c:\documents and settings\Allen Sutton\Application Data\Move Networks
2009-04-28 15:19 . 2009-04-28 15:19 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-04-28 15:19 . 2009-04-28 15:19 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-28 15:19 . 2009-04-28 15:19 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-28 15:19 . 2009-04-28 15:19 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-28 15:19 . 2009-04-09 14:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-04-28 15:19 . 2009-04-28 15:19 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-28 15:19 . 2009-04-28 15:19 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-28 15:19 . 2009-04-28 15:19 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-28 15:19 . 2009-04-28 15:19 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-28 15:19 . 2009-04-28 15:19 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-28 15:18 . 2009-04-28 15:18 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-28 15:18 . 2009-04-28 15:18 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-28 15:18 . 2009-04-09 04:44 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-28 15:18 . 2009-04-28 15:18 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-28 15:18 . 2009-04-28 15:18 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-28 15:18 . 2009-04-28 15:18 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-28 15:18 . 2009-04-28 15:18 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-28 15:18 . 2009-04-28 15:18 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-28 15:18 . 2009-04-28 15:18 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-28 15:18 . 2009-04-28 15:18 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-03-24 04:58 . 2008-10-04 04:23 34062 ----a-w- c:\documents and settings\Qthush99\Application Data\Move Networks\ie_bin\Uninst.exe
2009-03-24 04:58 . 2009-03-24 04:58 1048200 ----a-w- c:\documents and settings\Qthush99\\Application Data\Move Networks\MoveMediaPlayer_071303000004.exe
2004-11-25 23:51 . 2004-11-25 23:33 56 --sh--r- c:\windows\system32\2DA06E93C1.sys
2004-11-25 23:51 . 2004-11-25 23:33 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-15 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-28 516440]
"CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-05-21 4608]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-09-25 364544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\Qthush99\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 01:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/8/2009 10:44 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2008 9:13 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/10/2009 11:12 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/30/2009 4:11 PM 298776]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [4/15/2007 10:51 PM 26624]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2/17/2004 5:58 PM 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2/17/2004 5:59 PM 273536]
S1 f0421761;f0421761;c:\windows\system32\drivers\f0421761.sys [6/2/2009 12:19 AM 0]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 953168]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
.
- - - - ORPHANS REMOVED - - - -

BHO-{aff01325-0fc2-4749-8914-fbf0565ad9cc} - jbnmcd.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.spurgeon.org/mainpage.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.phoenix.edu/secure/PhxStudent15.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-12 19:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{370D7872-B473-193A-8C3F-A1B18AD43B67}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8c,66,2f,19,87,45,96,64,a4,7b,c0,76,78,cd,a1,ce,98,72,ba,40,dd,
56,fa,d4,2a,cb,d7,87,66,9e,f1,2e,a5,e4,d0,82,be,4d,e0,f3,ad,eb,71,45,ed,7a,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8c,66,2f,19,87,45,96,64,a4,7b,c0,76,78,cd,a1,ce,98,72,ba,40,dd,
56,fa,d4,2a,cb,d7,87,66,9e,f1,2e,a5,e4,d0,82,be,4d,e0,f3,ad,eb,71,45,ed,7a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(792)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2780)
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-06-13 20:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-13 02:11

Pre-Run: 11,483,996,160 bytes free
Post-Run: 10,368,442,368 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5,6
227 --- E O F --- 2009-05-13 12:20





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:06 PM, on 6/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeon.org/mainpage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176728813982
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176734363502
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6321 bytes




AVG 8.5 Scan on 6/13/09


"C:\Program Files\Trend Micro\HijackThis\backups\backup-20090531-010526-281.dll";"Trojan horse Downloader.Generic8.AQMX";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1458931097.exe.vir";"Trojan horse Spam";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\615289520.exe.vir";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\avast!Antivirus.exe.vir";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\321917d4.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\35252c73.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\83407a3d.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\86afd58c.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\931e1015.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\964597d5.sys.vir";"Trojan horse BackDoor.Generic11.RDL";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\a3047e55.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\a6e9e54a.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir";"Trojan horse Rootkit-Agent.DI";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxoqxmejwf.sys.vir";"Trojan horse Pakes.DPC";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\jbnmcd.dll.vir";"Trojan horse Agent2.JXW";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\jbnmck.dll.vir";"Trojan horse Agent2.JXW";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxppnypnqn.dll.vir";"Trojan horse Generic13.ATOB";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxthotxmyd.dll.vir";"Trojan horse Rootkit-Pakes.A";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthxxyqyftim.dll.vir";"Trojan horse Generic13.ATOC";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir";"Trojan horse SpamTool.DGI";"Moved to Virus Vault"
"C:\System Volume Information\_restore{D1085B01-3E65-40C6-B8B1-249ECF8C398D}\RP2\A0000276.dll";"Trojan horse Downloader.Generic8.AQMX";"Moved to Virus Vault"
"C:\WINDOWS\system32\uss_setup.exe";"Trojan horse SHeur2.AIMV";"Moved to Virus Vault"
"C:\WINDOWS\system32\win32x.exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"

"C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1361538659.exe.vir";"Potentially harmful program Fake_AntiSpyware.CJI";"Moved to Virus Vault"

Edited by qthush99, 13 June 2009 - 08:29 PM.
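The AVG export above is a plain `"path";"detection";"action"` list, and most entries are the `.vir` copies ComboFix had already moved under `C:\Qoobox\Quarantine`. The following triage script is an added example, not code from the thread or from AVG or ComboFix: it parses those lines, recovers each file's pre-quarantine path, groups hits by detection family, and flags the two findings that matter most in this log, randomly named eight-hex-character drivers in `system32\drivers` and core Windows files (`ndis.sys`, `userinit.exe`) detected as trojans, which means the originals were replaced. The sample lines are copied from the log in this post; the quarantine prefix and the list of core files are assumptions.

```python
import csv
import re
from collections import Counter
from typing import List, NamedTuple

# Assumed: ComboFix quarantines files under this folder, appending ".vir" to the name.
QUARANTINE_PREFIX = r"C:\Qoobox\Quarantine"

# Sample input: a subset of the AVG 8.5 result lines pasted in this thread.
AVG_LOG = r'''
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\321917d4.sys.vir";"Trojan horse BackDoor.Generic11.QRR";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\964597d5.sys.vir";"Trojan horse BackDoor.Generic11.RDL";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ndis.sys.vir";"Trojan horse Rootkit-Agent.DI";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ovfsthxoqxmejwf.sys.vir";"Trojan horse Pakes.DPC";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir";"Trojan horse SpamTool.DGI";"Moved to Virus Vault"
"C:\WINDOWS\system32\win32x.exe";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\1361538659.exe.vir";"Potentially harmful program Fake_AntiSpyware.CJI";"Moved to Virus Vault"
'''

# Randomly named 8-hex-digit drivers (like 321917d4.sys) are the rootkit's loader pattern.
RANDOM_DRIVER = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)
# Assumed list: Windows files that are only ever flagged when they have been patched or replaced.
CORE_SYSTEM_FILES = {"ndis.sys", "userinit.exe", "winlogon.exe", "explorer.exe"}
# AVG prefixes each detection with a verdict and ends it with a variant suffix.
VERDICT_PREFIXES = ("Trojan horse ", "Virus identified ", "Virus found ",
                    "Potentially harmful program ")


class Detection(NamedTuple):
    path: str                 # path exactly as AVG reported it
    detection: str            # AVG detection name
    action: str               # what AVG did with the file
    already_quarantined: bool  # True if this was a ComboFix .vir copy, not a live file
    original_path: str        # where the file lived before quarantine


def parse_avg_log(text: str) -> List[Detection]:
    """Parse AVG's semicolon-separated, double-quoted result lines."""
    records = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for path, detection, action in csv.reader(lines, delimiter=";", quotechar='"'):
        quarantined = path.lower().startswith(QUARANTINE_PREFIX.lower())
        original = path
        if quarantined:
            # "C:\Qoobox\Quarantine\C\WINDOWS\x.sys.vir" -> "C:\WINDOWS\x.sys"
            rest = path[len(QUARANTINE_PREFIX) + 1:]
            drive, _, tail = rest.partition("\\")
            original = f"{drive}:\\{tail}"
            if original.lower().endswith(".vir"):
                original = original[:-4]
        records.append(Detection(path, detection, action, quarantined, original))
    return records


def family(detection: str) -> str:
    """'Trojan horse BackDoor.Generic11.QRR' -> 'BackDoor.Generic11'."""
    name = detection
    for prefix in VERDICT_PREFIXES:
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    head, dot, variant = name.rpartition(".")
    # Only strip an all-caps variant suffix; 'Win32/Cryptor' has none.
    return head if dot and variant.isupper() else name


def _basename(rec: Detection) -> str:
    return rec.original_path.rsplit("\\", 1)[-1].lower()


def triage(records: List[Detection]) -> dict:
    """Summarise what the scan says about the machine's state."""
    def in_drivers(rec: Detection) -> bool:
        return "\\system32\\drivers\\" in rec.original_path.lower()

    return {
        # rootkit loader drivers: if any appear outside quarantine, the rootkit is still active
        "random_drivers": sorted(_basename(r) for r in records
                                 if in_drivers(r) and RANDOM_DRIVER.match(_basename(r))),
        # core files flagged as malware were replaced; restore from a clean copy (dllcache or media)
        "patched_system_files": sorted(_basename(r) for r in records
                                       if _basename(r) in CORE_SYSTEM_FILES),
        # hits that were NOT ComboFix quarantine copies were still live after the ComboFix run
        "still_live": [r.original_path for r in records if not r.already_quarantined],
        "families": Counter(family(r.detection) for r in records),
    }


if __name__ == "__main__":
    report = triage(parse_avg_log(AVG_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```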


#8 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 June 2009 - 09:10 AM

Hello qthush99,

Thanks for the logs. Unfortunately our work is not done. :thumbup2:

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

ttp://www.bleepingcomputer.com/forums/topic233270.html
Driver::
f0421761

Collect::
c:\windows\system32\drivers\f0421761.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

3.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Things to include in your next reply:
Combofix.txt
Gmer.log
Kaspersky log
HiJackThis log
How is your computer running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#9 qthush99 (Topic Starter)

Posted 14 June 2009 - 06:03 PM

Hi Fireman4it ~

I have a question about the instructions. Should the CFScript quote begin with "ttp" or "http"? The quote from your message is below.


ttp://www.bleepingcomputer.com/forums/topic233270.html
Driver::
f0421761

Collect::
c:\windows\system32\drivers\f0421761.sys


In addition, do I need to turn off the Windows XP firewall?

Thanks in advance. :thumbup2:

#10 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 14 June 2009 - 08:22 PM

Hello qthush99,
The CFScript would be:

http://www.bleepingcomputer.com/forums/t/233270/cannot-remove-malware-infections/
Driver::
f0421761

Collect::
c:\windows\system32\drivers\f0421761.sys




#11 qthush99 (Topic Starter)

Posted 15 June 2009 - 04:54 PM

Hi Fireman4it ~

I have run the programs as instructed. Kaspersky had a note on their scan site that said I should have disabled AVG 8.5 antivirus before running the scan, but I did not see this note until after the scan was already running. So I let Kaspersky finish the scan. Below are all of the logs as directed. Should I run the Kaspersky scan again with AVG antivirus disabled? Also, the Windows XP firewall was on during all scans. Does this need to be disabled during any of the scans? Thanks much for your continuing assistance. :thumbup2:

ComboFix 09-06-11.06 - Owner 06/15/2009 8:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.604 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\drivers\f0421761.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\f0421761.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_f0421761


((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-13 01:51 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-05-30 03:52 . 2009-06-13 01:42 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-05-30 03:51 . 2009-05-30 04:09 -------- d-----w- c:\windows\dhcp
2009-05-23 22:29 . 2009-05-23 22:29 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 09:01 . 2007-04-17 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-13 01:50 . 2002-08-29 20:00 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-06-12 17:36 . 2007-04-16 04:39 90112 ----a-w- c:\windows\DUMPe1c1.tmp
2009-06-12 16:41 . 2007-04-16 04:39 90112 ----a-w- c:\windows\DUMPeac0.tmp
2009-06-11 03:54 . 2008-06-02 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-27 07:24 . 2009-01-01 17:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 07:24 . 2009-04-11 04:26 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-26 19:20 . 2009-01-01 17:21 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 19:19 . 2009-01-01 17:21 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-13 20:32 . 2009-05-13 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-05-07 16:02 . 2009-05-07 14:49 202 ----a-w- C:\43214354.bat
2009-05-07 15:32 . 2002-08-29 20:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 15:21 . 2007-04-17 05:01 -------- d-----w- c:\program files\Google
2009-05-06 18:42 . 2009-05-06 18:42 -------- d-----w- c:\program files\Sophos
2009-05-02 01:40 . 2009-01-30 22:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 01:40 . 2008-06-02 15:13 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 01:40 . 2007-10-08 21:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-02 01:40 . 2009-04-11 05:12 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 05:00 . 2008-01-30 08:00 -------- d-----w- c:\documents and settings\Qthush99\Application Data\Move Networks
2009-04-29 04:56 . 2006-06-23 17:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 15:19 . 2009-04-28 15:19 299352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-04-28 15:19 . 2009-04-28 15:19 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-04-28 15:19 . 2009-04-28 15:19 165728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-04-28 15:19 . 2009-04-28 15:19 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-04-28 15:19 . 2009-04-09 14:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-04-28 15:19 . 2009-04-28 15:19 343888 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-04-28 15:19 . 2009-04-28 15:19 289632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-04-28 15:19 . 2009-04-28 15:19 82784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-04-28 15:19 . 2009-04-28 15:19 1629024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-04-28 15:19 . 2009-04-28 15:19 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-04-28 15:18 . 2009-04-28 15:18 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-04-28 15:18 . 2009-04-28 15:18 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-04-28 15:18 . 2009-04-09 04:44 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-28 15:18 . 2009-04-28 15:18 632680 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-04-28 15:18 . 2009-04-28 15:18 539512 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-04-28 15:18 . 2009-04-28 15:18 552808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-04-28 15:18 . 2009-04-28 15:18 2324808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-04-28 15:18 . 2009-04-28 15:18 626000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-04-28 15:18 . 2009-04-28 15:18 516440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-04-28 15:18 . 2009-04-28 15:18 953168 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-04-17 12:26 . 2002-08-29 20:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-03-24 04:58 . 2008-10-04 04:23 34062 ----a-w- c:\documents and settings\Qthush99\Application Data\Move Networks\ie_bin\Uninst.exe
2009-03-24 04:58 . 2009-03-24 04:58 1048200 ----a-w- c:\documents and settings\Qthush99\Application Data\Move Networks\MoveMediaPlayer_071303000004.exe
2004-11-25 23:51 . 2004-11-25 23:33 56 --sh--r- c:\windows\system32\2DA06E93C1.sys
2004-11-25 23:51 . 2004-11-25 23:33 11270 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-06-13_01.58.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-08 21:27 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
- 2007-10-08 21:27 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
- 2005-04-27 16:53 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
+ 2005-04-27 16:53 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
+ 2006-11-08 03:03 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
- 2006-11-08 03:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2002-08-29 20:00 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
+ 2006-11-07 09:26 . 2009-04-28 09:05 13824 c:\windows\system32\ieudinit.exe
- 2006-11-07 09:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2002-08-29 20:00 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
- 2002-08-29 20:00 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2002-08-29 20:00 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 17:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
- 2006-10-17 17:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-01-04 13:36 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-05-09 08:43 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 08:43 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-01-04 13:36 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-05-09 08:43 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-05-09 08:43 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2006-11-07 09:26 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2006-11-07 09:26 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 18:09 . 2009-04-29 04:55 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2006-11-07 09:26 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-11-07 09:26 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-04-17 04:38 . 2009-05-13 12:20 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-10-27 03:13 . 2006-10-27 03:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\XL12CNVP.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 55056 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\SCANOST.EXE
+ 2006-10-27 02:55 . 2006-10-27 02:55 76576 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\RM.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 39208 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\RECALL.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 53048 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLVBA.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 21312 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\MLSHEXT.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 35160 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\DUMPSTER.DLL
+ 2009-06-13 06:06 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\pngfilt.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 52224 c:\windows\ie7updates\KB969897-IE7\msfeedsbs.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 27648 c:\windows\ie7updates\KB969897-IE7\jsproxy.dll
+ 2009-06-13 06:06 . 2009-02-20 10:20 13824 c:\windows\ie7updates\KB969897-IE7\ieudinit.exe
+ 2009-06-13 06:06 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB969897-IE7\iernonce.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 78336 c:\windows\ie7updates\KB969897-IE7\ieencode.dll
+ 2009-06-13 06:06 . 2009-02-20 10:20 70656 c:\windows\ie7updates\KB969897-IE7\ie4uinit.exe
+ 2009-06-13 06:06 . 2009-02-20 18:09 63488 c:\windows\ie7updates\KB969897-IE7\icardie.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2002-08-29 20:00 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2002-08-29 20:00 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
+ 2002-08-29 20:00 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2002-08-29 20:00 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2002-08-29 20:00 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
+ 2002-08-29 20:00 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2006-11-08 03:03 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
- 2006-11-08 03:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
- 2006-10-17 17:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
+ 2006-10-17 17:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2002-08-29 20:00 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 17:27 . 2009-04-29 04:55 383488 c:\windows\system32\ieapfltr.dll
- 2006-10-17 17:27 . 2009-02-20 18:09 383488 c:\windows\system32\ieapfltr.dll
+ 2002-08-29 20:00 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
- 2002-08-29 20:00 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2002-08-29 20:00 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
+ 2002-08-29 20:00 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 07:56 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 07:56 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2006-06-09 20:35 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
- 2006-06-09 20:35 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2006-06-09 20:35 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
- 2006-06-09 20:35 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2007-01-04 13:37 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
- 2006-11-08 03:03 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-11-08 03:03 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2006-10-17 18:05 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
- 2006-10-17 18:05 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
- 2006-10-17 18:04 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-10-17 18:04 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
+ 2007-01-04 13:36 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2007-01-04 13:36 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-01-04 13:36 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 08:43 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 08:43 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2006-10-17 18:04 . 2009-04-25 05:27 636088 c:\windows\system32\dllcache\iexplore.exe
- 2007-05-09 08:43 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-09 08:43 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
- 2006-11-07 09:27 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-11-07 09:27 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-05-09 08:43 . 2009-02-20 18:09 383488 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-05-09 08:43 . 2009-04-29 04:55 383488 c:\windows\system32\dllcache\ieapfltr.dll
- 2002-08-29 20:00 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2002-08-29 20:00 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-11-07 09:27 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-11-07 09:27 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-11-07 09:26 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-11-07 09:26 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-01-04 13:36 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-01-04 13:36 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2007-01-04 13:36 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-01-04 13:36 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-11-07 09:26 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
- 2006-11-07 09:26 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
- 2002-08-29 20:00 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2002-08-29 20:00 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
- 2007-04-17 04:38 . 2009-05-13 12:20 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 888080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 272648 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 922384 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 845584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 217864 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 184080 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 159504 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2006-10-27 21:16 . 2006-10-27 21:16 408880 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\RTFHTML.DLL
+ 2006-10-27 21:16 . 2006-10-27 21:16 138512 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OUTLCTL.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 254776 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\OLKFSTUB.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 154960 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\ENVELOPE.DLL
+ 2006-10-27 02:55 . 2006-10-27 02:55 116544 c:\windows\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.4518\EMABLT32.DLL
+ 2009-06-13 06:06 . 2009-03-03 00:18 826368 c:\windows\ie7updates\KB969897-IE7\wininet.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 233472 c:\windows\ie7updates\KB969897-IE7\webcheck.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 105984 c:\windows\ie7updates\KB969897-IE7\url.dll
+ 2009-06-13 06:06 . 2008-07-09 07:38 382840 c:\windows\ie7updates\KB969897-IE7\spuninst\updspapi.dll
+ 2009-06-13 06:06 . 2008-07-09 07:38 231288 c:\windows\ie7updates\KB969897-IE7\spuninst\spuninst.exe
+ 2009-06-13 06:06 . 2009-02-20 18:09 102912 c:\windows\ie7updates\KB969897-IE7\occache.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 671232 c:\windows\ie7updates\KB969897-IE7\mstime.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 193024 c:\windows\ie7updates\KB969897-IE7\msrating.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 477696 c:\windows\ie7updates\KB969897-IE7\mshtmled.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 459264 c:\windows\ie7updates\KB969897-IE7\msfeeds.dll
+ 2009-06-13 06:06 . 2009-02-28 04:54 636072 c:\windows\ie7updates\KB969897-IE7\iexplore.exe
+ 2009-06-13 06:06 . 2009-02-20 18:09 268288 c:\windows\ie7updates\KB969897-IE7\iertutil.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 385024 c:\windows\ie7updates\KB969897-IE7\iedkcs32.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 383488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dll
+ 2009-06-13 06:06 . 2009-02-20 05:14 161792 c:\windows\ie7updates\KB969897-IE7\ieakui.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 230400 c:\windows\ie7updates\KB969897-IE7\ieaksie.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 153088 c:\windows\ie7updates\KB969897-IE7\ieakeng.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 133120 c:\windows\ie7updates\KB969897-IE7\extmgr.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 214528 c:\windows\ie7updates\KB969897-IE7\dxtrans.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 347136 c:\windows\ie7updates\KB969897-IE7\dxtmsft.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 124928 c:\windows\ie7updates\KB969897-IE7\advpack.dll
+ 2006-08-31 02:42 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
+ 2006-06-30 16:28 . 2009-04-29 04:56 3596288 c:\windows\system32\mshtml.dll
+ 2006-11-08 03:03 . 2009-04-29 04:55 6066176 c:\windows\system32\ieframe.dll
- 2006-11-08 03:03 . 2009-02-20 18:09 6066176 c:\windows\system32\ieframe.dll
+ 2007-04-16 04:46 . 2009-06-13 15:07 1556960 c:\windows\system32\FNTCACHE.DAT
- 2007-04-16 04:46 . 2009-03-13 03:03 1556960 c:\windows\system32\FNTCACHE.DAT
+ 2008-10-16 04:56 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2007-01-25 12:48 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2007-01-04 13:36 . 2009-04-29 04:56 3596288 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 08:43 . 2009-04-29 04:55 6066176 c:\windows\system32\dllcache\ieframe.dll
- 2007-05-09 08:43 . 2009-02-20 18:09 6066176 c:\windows\system32\dllcache\ieframe.dll
+ 2007-04-17 04:38 . 2009-06-14 09:01 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-04-17 04:38 . 2009-06-14 09:01 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2007-04-17 04:38 . 2009-05-13 12:20 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-06-13 06:06 . 2009-02-20 18:09 1160192 c:\windows\ie7updates\KB969897-IE7\urlmon.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 3595264 c:\windows\ie7updates\KB969897-IE7\mshtml.dll
+ 2009-06-13 06:06 . 2009-02-20 18:09 6066176 c:\windows\ie7updates\KB969897-IE7\ieframe.dll
+ 2009-06-13 06:06 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB969897-IE7\ieapfltr.dat
+ 2007-04-16 14:28 . 2009-06-01 16:51 23635392 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-17 1164912]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-17 1941784]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-17 87584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-15 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-28 516440]
"CARPService"="carpserv.exe" - c:\windows\system32\carpserv.exe [2003-05-21 4608]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-09-25 364544]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 01:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/8/2009 10:44 PM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2008 9:13 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/10/2009 11:12 PM 108552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/30/2009 4:11 PM 298776]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows\system32\drivers\alifir.sys [4/15/2007 10:51 PM 26624]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;c:\windows\system32\drivers\caliaud.sys [2/17/2004 5:58 PM 292352]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2/17/2004 5:59 PM 273536]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 953168]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.spurgeon.org/mainpage.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.phoenix.edu/secure/PhxStudent15.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-15 08:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\controlset004\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-776561741-1563985344-1708537768-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{370D7872-B473-193A-8C3F-A1B18AD43B67}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8c,66,2f,19,87,45,96,64,a4,7b,c0,76,78,cd,a1,ce,98,72,ba,40,dd,
56,fa,d4,2a,cb,d7,87,66,9e,f1,2e,a5,e4,d0,82,be,4d,e0,f3,ad,eb,71,45,ed,7a,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ؕ||A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8c,66,2f,19,87,45,96,64,a4,7b,c0,76,78,cd,a1,ce,98,72,ba,40,dd,
56,fa,d4,2a,cb,d7,87,66,9e,f1,2e,a5,e4,d0,82,be,4d,e0,f3,ad,eb,71,45,ed,7a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-15 9:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-15 15:03
ComboFix2.txt 2009-06-13 02:11

Pre-Run: 10,078,932,992 bytes free
Post-Run: 10,099,920,896 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5,6
372 --- E O F --- 2009-06-14 09:02



GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-15 09:16:40
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\ALLENS~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----



KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 15, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 15, 2009 12:27:39
Records in database: 2345167


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 80182
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 04:14:10

No malware has been detected. The scan area is clean.
The selected area was scanned.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:23 PM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.spurgeon.org/mainpage.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200705...ex/qtplugin.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176728813982
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176734363502
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://ecampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.1.6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 6337 bytes

Edited by qthush99, 15 June 2009 - 05:22 PM.
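The HijackThis O4/O20/O23 lines and the ComboFix service lines in the logs above are what a helper reads by hand, looking for exactly the kind of entry that MEMSWEEP2 is: a driver whose image lives in a temporary file and that ComboFix could not find on disk. The script below is an added example, not part of the thread and not code from the authors of HijackThis or ComboFix. It parses those line formats, extracts the image path of each autostart entry and flags the ones a defender would check first: an image in a temp location or with a .tmp extension, an unqualified filename that Windows resolves through its search path at logon, or a file marked with ComboFix's "[?]" in place of a date and size. The sample lines are constructed to mirror the formats posted above; the rules and the `AutostartEntry` type are this example's own.

```python
"""Triage autostart entries from HijackThis and ComboFix log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the formats the logs above use.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/8/2009 10:44 PM 64160]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 953168]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7.tmp --> c:\windows\system32\7.tmp [?]
"""

# HijackThis line formats: Run-key entries, Winlogon notify packages, services.
HJT_O4 = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$')
HJT_O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
# ComboFix service/driver lines: "<state> <name>;<display>;<path> [date size]" or "... --> <resolved> [?]".
CF_SERVICE = re.compile(
    r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)'
    r'(?P<tail>(?: --> .*)?(?: \[.*\])?)$'
)

# Path fragments that are unusual homes for a legitimate autostart image.
TEMP_MARKERS = ('\\temp\\', '\\tmp\\', '\\local settings\\temporary', '\\appdata\\local\\temp\\')


@dataclass
class AutostartEntry:
    source: str          # 'HijackThis' or 'ComboFix'
    kind: str            # e.g. 'O4 Run', 'O23', 'service S3'
    name: str
    path: str            # image path as written in the log
    missing: bool = False  # ComboFix printed '[?]' instead of a date and size


def image_from_command(cmd: str) -> str:
    """Extract the executable from a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first module extension (paths may contain spaces).
    m = re.match(r'(?i)^(.+?\.(?:exe|dll|sys|tmp|scr|com))', cmd)
    return m.group(1) if m else cmd.split(' ')[0]


def parse_log(text: str) -> List[AutostartEntry]:
    """Turn recognised HijackThis/ComboFix lines into AutostartEntry records; ignore the rest."""
    entries: List[AutostartEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := HJT_O4.match(line):
            entries.append(AutostartEntry('HijackThis', 'O4 ' + m['key'], m['name'], image_from_command(m['cmd'])))
        elif m := HJT_O20.match(line):
            entries.append(AutostartEntry('HijackThis', 'O20', m['name'], m['path']))
        elif m := HJT_O23.match(line):
            entries.append(AutostartEntry('HijackThis', 'O23', m['name'], m['path']))
        elif m := CF_SERVICE.match(line):
            entries.append(AutostartEntry('ComboFix', 'service ' + m['state'], m['name'], m['path'],
                                          missing='[?]' in m['tail']))
    return entries


def assess(entry: AutostartEntry) -> List[str]:
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons: List[str] = []
    p = entry.path.lower()
    if p.startswith('\\??\\'):          # NT object-manager prefix used in driver ImagePath values
        p = p[4:]
    if p.endswith('.tmp') or any(marker in p for marker in TEMP_MARKERS):
        reasons.append('image in temp location or .tmp file')
    if '\\' not in p and ':' not in p:
        reasons.append('unqualified filename: resolved via search path at logon')
    if entry.missing:
        reasons.append('ComboFix could not find the file on disk ([?])')
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry name to its list of reasons."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_log(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry.name] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f'{name}: ' + '; '.join(reasons))
```

Run against the constructed sample, the script reports MEMSWEEP2 (temp-file image and file not found) and CARPService (bare filename in a Run key), and stays silent on the AVG, Acronis and Lavasoft entries. A flag is a prompt to look, not a verdict: CARPService in the thread resolves to a legitimate file in system32, which is exactly why the helper cross-checks HijackThis output against ComboFix's resolved paths.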


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 15 June 2009 - 06:52 PM

Hello qthush99,

1.
Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose "Run as administrator".
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
2.
New Adobe Reader Installation:
  • Go here and click on AdbeRdr910_en_US.exe to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.
3.
Congratulations, your log is clean!

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.
Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
I recommend you regularly visit the Windows Update Site; you were lagging behind on a few of them!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 qthush99

qthush99
  • Topic Starter

  • Members
  • 32 posts
  • Local time:07:18 AM

Posted 17 June 2009 - 02:30 AM

Hi Fireman4it ~

I want to express my sincere thanks and appreciation for your tremendous help in cleaning my machine. I do have one additional question. Usually there is a clicking sound when you navigate from one web page to another, or when a web page automatically updates and reloads. I no longer hear this clicking sound on my machine, and was wondering why not?

Thanks again for your assistance. :thumbup2:

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 17 June 2009 - 04:55 PM

Hello qthush99,

I want to express my sincere thanks and appreciation for your tremendous help in cleaning my machine.

No problem you are most welcome! :thumbup2:

I do have one additional question. Usually there is a clicking sound when you navigate from one web page to another, or when a web page automatically updates and reloads. I no longer hear this clicking sound on my machine, and was wondering why not?


Could be something to do with your sound settings that the malware may have changed. Or just a sound setting in general.
We don't deal with that here in the HJT forum, however if you post in this forum they will be glad to help you.
Windows XP Home and Professional



#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:18 AM

Posted 21 June 2009 - 11:39 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



