Help with Log File


  • This topic is locked
19 replies to this topic

#1 newhere

Posted 18 June 2009 - 01:36 AM

Hello, I have been having this problem for months. When I go online my CPU is being utilized 100%. This would happen for 2 minutes, then subside, and after 2 mins start again. Lately it has been staying on 100% and my computer seems to be much slower now. Please help me. I am posting my log file. Please advise on what to do, as I am completely new here. Thank you very much for your time.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:32 PM, on 6/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\22CC3E\i-123.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1561552
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHots.dll
F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\ppApps\Flashget\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHots.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHots.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [49956C] C:\WINDOWS\system32\9FE8FA\49956C.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Policies\Explorer\Run: [Snehal] .vbe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: 49956C.lnk = C:\WINDOWS\system32\9FE8FA\49956C.EXE
O4 - Startup: ACE728.lnk = C:\WINDOWS\system32\BC33B1\ACE728.EXE
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

--
End of file - 12171 bytes
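
As an added example, not part of this thread or of HijackThis itself: a small Python triage pass that applies the checks a log reader makes by eye on entries like the ones in the log above. It flags directories or executables under system32 whose names are bare hex strings (22CC3E, 9FE8FA, BC33B1, 49956C.EXE, ACE728.EXE), a UserInit value that launches anything besides userinit.exe, Run entries that name a bare file with no path, Run entries that launch explorer.exe (which Winlogon starts by itself), the Policies\Explorer\Run key, script extensions in autostarts, and services with no listed owner. The rule names, the severities and the sample log (constructed from lines copied out of the log above plus a few ordinary entries) are my own. A "high" finding is where to look first, not proof of infection by itself; "medium" entries such as SysTray.Exe are real XP binaries that simply need verifying.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above, plus a few
# ordinary entries for contrast. Not a complete log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\22CC3E\i-123.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

F2 - REG:system.ini: UserInit=userinit.exe,EXPLORER.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [49956C] C:\WINDOWS\system32\9FE8FA\49956C.EXE
O4 - HKCU\..\Run: [wsctf.exe] wsctf.exe
O4 - HKCU\..\Run: [EXPLORER.EXE] EXPLORER.EXE
O4 - HKLM\..\Policies\Explorer\Run: [Snehal] .vbe
O4 - Startup: ACE728.lnk = C:\WINDOWS\system32\BC33B1\ACE728.EXE
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based line number within the log text
    rule: str       # rule id (my own names, not HijackThis terminology)
    severity: str   # "high": investigate first; "medium"/"low": verify
    text: str       # the log line that triggered the rule


# Directory or executable whose name is a bare 6-8 digit hex string,
# e.g. \system32\22CC3E\ or \9FE8FA\49956C.EXE in the log above.
HEX_NAME = re.compile(r"\\[0-9A-F]{6,8}(?:\\|\.EXE\b)", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<cmd>.+)$")
F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.+)$")
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<owner>.+?) - (?P<path>.+)$")
EXE_EXT = re.compile(
    r"^(.*?\.(?:exe|com|scr|pif|cpl|vbe|vbs|js|jse|wsf|bat|cmd|hta))(?=\s|$)",
    re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(?:vbe|vbs|js|jse|wsf|wsh|bat|cmd|hta)$", re.IGNORECASE)
# Binaries Winlogon starts itself; they do not belong in a Run key.
SHELL_BINARIES = {"explorer.exe", "userinit.exe", "winlogon.exe"}


def executable(cmd: str) -> str:
    """Executable part of a Run-key command, quotes and arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_EXT.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the heuristics above to every line of a HijackThis log."""
    findings: list[Finding] = []
    in_processes = False
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if HEX_NAME.search(line):
            findings.append(Finding(n, "hex-named-path", "high", line))
        if in_processes:
            continue
        if m := F2_USERINIT.match(line):
            parts = [p.strip().lower() for p in m.group("val").split(",") if p.strip()]
            if any(not p.endswith("userinit.exe") for p in parts):
                findings.append(Finding(n, "userinit-extra-program", "high", line))
        elif m := O4_RE.match(line):
            exe = executable(m.group("cmd"))
            name = exe.rsplit("\\", 1)[-1].lower()
            if "policies\\explorer\\run" in m.group("loc").lower():
                findings.append(Finding(n, "policies-run-key", "high", line))
            if SCRIPT_EXT.search(exe):
                findings.append(Finding(n, "script-autostart", "high", line))
            elif name in SHELL_BINARIES:
                findings.append(Finding(n, "shell-binary-in-run", "high", line))
            elif "\\" not in exe and ":" not in exe:
                # bare name: resolved through the search path, so verify which file runs
                findings.append(Finding(n, "bare-name-run", "medium", line))
        elif m := O4_LNK_RE.match(line):
            if SCRIPT_EXT.search(executable(m.group("cmd"))):
                findings.append(Finding(n, "script-autostart", "high", line))
        elif (m := O23_RE.match(line)) and m.group("owner").lower() == "unknown owner":
            findings.append(Finding(n, "service-unknown-owner", "low", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] line {f.line_no:2} {f.rule:24} {f.text}")
    print(summarize(results))
```

To run it over a full log, read the file and pass its text to triage(); on the constructed sample it reports seven high, two medium and one low finding, and the three clean entries produce nothing.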


#2 miekiemoes (Malware Response Team)

Posted 18 June 2009 - 07:55 AM

Hi,

Hello, I have been having this problem for months.

Why have you waited so long? Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it would be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

* Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 newhere (Topic Starter)

Posted 19 June 2009 - 12:29 AM

Hello, thank you very much for your concise and prompt help. Below are the results after running Malwarebytes' Anti-Malware. I have also attached the new HijackThis log. I did not realize the severity, I guess, so I waited.
Thank you very much again.

Malwarebytes' Anti-Malware 1.38
Database version: 2307
Windows 5.1.2600 Service Pack 2

6/19/2009 1:13:18 PM
mbam-log-2009-06-19 (13-13-18).txt

Scan type: Quick Scan
Objects scanned: 83970
Time elapsed: 4 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
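
The MBAM log above lists registry data it reset: the three Security Center DisableNotify flags, a Start Menu policy (NoSMHelp) and an Image File Execution Options key for NOTEPAD.exe. ComboFix's "Reg Loading Points" section later in this thread prints the remaining Security Center, firewall and policy values in a REGEDIT4-style dump. As an added example, not part of this thread or of either tool: a Python parser for that dump format with rules for the settings that weaken the machine's own defences. The rule list, the descriptions and the sample dump are mine; the sample's policies, Security Center and firewall keys are copied from the ComboFix log, the Run and AuthorizedApplications entries are ordinary lines kept for contrast, and the IFEO Debugger line (with a made-up path) is constructed, because the log does not show what value MBAM removed under that key.

```python
import re
from dataclasses import dataclass

# Constructed sample in the REGEDIT4-style format ComboFix prints under
# "Reg Loading Points". Security Center, firewall and policies keys are copied
# from the ComboFix log in this thread; the IFEO Debugger line is constructed.
SAMPLE_DUMP = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-07 40448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NOTEPAD.exe]
"Debugger"="c:\windows\system32\example.exe"
"""


@dataclass(frozen=True)
class RegValue:
    key: str      # normalised key path: lower-case, HKLM/HKCU/HKU hive prefixes
    name: str     # value name, lower-case
    data: object  # int for dword / "n (0xn)" data, str otherwise


HIVES = (("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu"),
         ("hkey_users", "hku"))
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
INT_RE = re.compile(r"^(?P<n>-?\d+)\s*\(0x[0-9a-f]+\)", re.IGNORECASE)


def normalise_key(key: str) -> str:
    """Lower-case the path and abbreviate the hive the way ComboFix often does."""
    key = key.strip().lower()
    for long, short in HIVES:
        if key.startswith(long):
            key = short + key[len(long):]
    return key


def parse_data(text: str):
    """Decode the two integer encodings the dump uses; everything else is a string."""
    text = text.strip()
    if text.lower().startswith("dword:"):
        return int(text[6:], 16)
    if m := INT_RE.match(text):
        return int(m.group("n"))
    if text.startswith('"'):           # quoted string, drop any trailing annotation
        end = text.find('"', 1)
        return text[1:end] if end > 0 else text[1:]
    return text


def parse_dump(text: str) -> list[RegValue]:
    """Walk the dump, tracking the current [key] and collecting its values."""
    values: list[RegValue] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = normalise_key(line[1:-1])
        elif key and (m := VALUE_RE.match(line)):
            values.append(RegValue(key, m.group("name").lower(), parse_data(m.group("data"))))
    return values


# (key suffix, value names, predicate on data, description). Suffix matching on the
# normalised path means ComboFix's "~" abbreviation in the middle does not matter.
TAMPER_RULES = [
    ("\\security center",
     {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
      "firewalldisablenotify", "updatesdisablenotify"},
     lambda v: v == 1, "Security Center alerting suppressed"),
    ("\\firewallpolicy\\standardprofile", {"enablefirewall"},
     lambda v: v == 0, "Windows Firewall disabled (standard profile)"),
    ("\\policies\\explorer",
     {"nosmhelp", "nosmconfigureprograms", "nosmmypictures", "nofolderoptions", "norun"},
     lambda v: v == 1, "Explorer / Start Menu restriction policy set"),
    ("\\policies\\system", {"disabletaskmgr", "disableregistrytools"},
     lambda v: v == 1, "Task Manager or Registry Editor disabled by policy"),
]


def check_tampering(values: list[RegValue]) -> list[tuple[str, str, str]]:
    """Return (key, value name, description) for every security-weakening setting."""
    hits = []
    for v in values:
        if "\\image file execution options\\" in v.key and v.name == "debugger":
            hits.append((v.key, v.name, f"IFEO debugger hijack -> {v.data}"))
            continue
        for suffix, names, bad, desc in TAMPER_RULES:
            if v.key.endswith(suffix) and v.name in names and bad(v.data):
                hits.append((v.key, v.name, desc))
    return hits


if __name__ == "__main__":
    for key, name, desc in check_tampering(parse_dump(SAMPLE_DUMP)):
        print(f"{desc}: [{key}] {name}")
```

On the constructed sample this reports six hits (two Start Menu policies, both Security Center overrides, the disabled firewall and the IFEO debugger) and nothing for the ctfmon Run entry or the firewall exception list. The same values MBAM reset (the DisableNotify flags, NoSMHelp) are covered by the first and third rules.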

#4 miekiemoes (Malware Response Team)

Posted 19 June 2009 - 01:37 AM

Hi,

I see you are running Ad-Watch.
I suggest you disable it because it can interfere with the fixes.

To disable Ad-Watch: right-click on the Ad-Watch icon in the system tray and select Disable Ad-Watch Live.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#5 newhere (Topic Starter)

Posted 19 June 2009 - 03:00 AM

Hello, I have run ComboFix and below are the results. Thank you again.

ComboFix 09-06-18.02 - Snehal 06/19/2009 15:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.527 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090618-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Desktop_.ini
c:\windows\Temp\E_N4
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\WgaLogon.dll
c:\windows\Temp\E_N4\cnvpe.fne
c:\windows\Temp\E_N4\dp1.fne
c:\windows\Temp\E_N4\eAPI.fne
c:\windows\Temp\E_N4\HtmlView.fne
c:\windows\Temp\E_N4\internet.fne
c:\windows\Temp\E_N4\krnln.fnr
c:\windows\Temp\E_N4\RegEx.fnr
c:\windows\Temp\E_N4\shell.fne
c:\windows\Temp\E_N4\spec.fne

.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\system32\xircom
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\srchasst
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\program files\microsoft frontpage
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-19 05:06 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 05:06 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 05:04 . 2009-06-19 05:05 3561744 ----a-w- C:\mbam-setup.exe
2009-06-18 05:47 . 2009-06-19 05:20 -------- d-----w- C:\HijackThis
2009-06-16 01:27 . 2009-06-18 01:18 -------- d--h--w- c:\windows\system32\38E542
2009-06-16 01:27 . 2009-06-18 01:18 -------- d--h--w- c:\windows\system32\22CC3E
2009-06-16 01:27 . 2009-06-16 01:43 -------- d--h--w- c:\windows\system32\9FE8FA
2009-06-16 01:27 . 2009-06-16 01:42 -------- d--h--w- c:\windows\system32\0BF855
2009-06-08 07:42 . 2009-06-08 07:42 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-08 07:42 . 2009-06-08 07:42 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-08 07:42 . 2009-06-08 07:42 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-08 07:42 . 2009-06-08 07:42 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-08 07:42 . 2009-06-08 07:42 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-08 07:42 . 2009-06-08 07:42 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-08 07:42 . 2009-06-08 07:42 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-08 07:41 . 2009-06-08 07:41 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-08 07:41 . 2009-06-08 07:41 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-08 07:41 . 2009-06-08 07:41 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-08 07:41 . 2009-06-08 07:41 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-08 07:41 . 2009-06-08 07:41 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-08 07:41 . 2009-06-08 07:41 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-08 07:41 . 2009-06-08 07:41 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-08 07:41 . 2009-06-08 07:41 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-08 07:41 . 2009-06-08 07:41 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-08 07:41 . 2009-06-08 07:41 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-01 10:29 . 2006-07-04 20:29 489696 ----a-w- c:\windows\system32\drivers\ar5211.sys
2009-06-01 10:29 . 2005-06-21 05:32 28544 ----a-w- c:\windows\system32\drivers\callistx.sys
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ATI
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-05-31 12:33 . 2009-02-25 07:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-05-31 12:32 . 2009-05-31 12:34 -------- d-----w- c:\program files\ATI Technologies
2009-05-31 12:31 . 2009-05-31 12:31 -------- d-----w- C:\ATI
2009-05-26 07:41 . 1999-03-11 12:47 71680 ----a-w- c:\windows\ST5UNST.EXE
2009-05-26 07:41 . 1999-03-11 12:47 29696 ----a-w- c:\windows\system32\VB5StKit.dll
2009-05-21 09:11 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-05-21 09:11 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-05-21 09:11 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-21 09:11 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-05-21 09:11 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-05-21 09:11 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-05-21 09:11 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-05-21 09:11 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-05-21 09:11 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 07:50 . 2008-04-05 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-06-09 15:13 . 2008-03-09 01:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-06-09 11:53 . 2008-03-09 01:49 -------- d-----w- c:\program files\DNA
2009-06-08 07:42 . 2009-05-10 08:21 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 10:29 . 2008-01-27 08:52 -------- d-----w- c:\program files\Atheros
2009-06-01 10:29 . 2008-01-27 07:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 13:20 . 2008-01-27 07:36 -------- d-----w- c:\program files\Elaborate Bytes
2009-05-17 11:59 . 2009-05-17 11:58 -------- d-----w- c:\program files\Hotspot Shield
2009-05-17 11:59 . 2009-05-17 11:59 -------- d-----w- c:\program files\Conduit
2009-05-17 11:59 . 2009-05-17 11:59 -------- d-----w- c:\program files\Hotspot_Shield
2009-05-16 00:07 . 2009-05-16 00:07 -------- d-----w- c:\program files\MSECache
2009-05-14 14:29 . 2009-01-27 16:25 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-05-10 07:39 . 2009-05-10 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-10 07:38 . 2009-05-10 07:39 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-10 07:38 . 2009-05-10 07:38 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-10 07:27 . 2009-05-10 07:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 07:27 . 2009-05-10 07:27 -------- d-----w- c:\program files\Lavasoft
2009-05-09 10:28 . 2008-02-20 14:05 -------- d-----w- c:\program files\Folder Guard Pro
2009-04-28 06:49 . 2008-05-06 11:47 -------- d-----w- c:\program files\DivX
2009-04-28 06:49 . 2008-01-27 07:20 -------- d-----w- c:\program files\Windows Media Connect 2
2009-04-28 06:28 . 2009-04-21 10:28 -------- d-----w- c:\program files\Graboid
2009-04-26 06:30 . 2008-03-09 01:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-04-21 12:19 . 2009-01-28 15:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-04-21 10:39 . 2009-04-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Graboid Inc
2009-04-21 10:39 . 2009-04-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-04-03 18:18 . 2009-04-03 18:18 33256 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-03-28 13:41 . 2008-01-27 07:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-03-08 01:29 . 2008-03-08 01:29 520192 ----a-w- c:\program files\WinDjView-0.5.exe
2008-01-27 07:45 . 2008-01-27 07:45 0 --sh--w- c:\windows\S5E091914.tmp
2008-11-29 13:47 . 2008-11-21 02:38 17408 --sh--w- c:\windows\system32\BC33B1\72845.exe
.

------- Sigcheck -------

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2007-11-07 09:00 544256 E924BFFA379552571CB250E241F14E84 c:\windows\system32\user32.dll

[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[-] 2007-11-07 09:00 2346752 24FCD8FB0C6BD0E5F3B1203769948336 c:\windows\system32\ntoskrnl.exe

[-] 2007-11-07 09:00 1224192 9349B192D2249721F513768A9A47C152 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
[-] 2007-11-07 09:00 40448 E00DFA816FA5521EB44C5D63109DE2A9 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2008-06-24 15:17 1569304 ----a-w- c:\program files\Hotspot_Shield\tbHots.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-17 11:58 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-07 40448]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2007-02-25 132680]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-04-05 3551456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-08 518488]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"49956C"="c:\windows\system32\9FE8FA\49956C.EXE" [2009-06-16 1425998]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-11-07 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"NewUser"="c:\windows\System32\NewUser.cmd" [2007-11-07 2475]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-03-01 124928]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
49956C.lnk - c:\windows\system32\9FE8FA\49956C.EXE [2009-6-16 1425998]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2009 3:39 PM 64160]
R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 PM 116264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/21/2009 5:11 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/21/2009 5:11 PM 20560]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [2/20/2008 10:05 PM 48896]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/22/2009 9:12 AM 328752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/10/2009 3:06 AM 1005904]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/23/2009 5:34 AM 34352]
S3 mpr_freader;MPR FileReader Driver;\??\c:\windows\Temp\RarSFX0\mpr_freader.sys --> c:\windows\Temp\RarSFX0\mpr_freader.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:41]

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1450960922-839522115-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-01 10:48]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wsctf.exe - wsctf.exe
HKLM-Run-INPROCOMMWireless - c:\program files\Atheros\Wireless\Utility\WlanUtil.exe
HKLM-Explorer_Run-Snehal - .vbe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath -
.
.
------- File Associations -------
.
inffile=c:\windows\system32\Notepad2.exe %1
inifile=c:\windows\system32\Notepad2.exe %1
txtfile=c:\windows\system32\Notepad2.exe %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 15:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_av_proI.tm~a01664\setup.lok 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(7004)
c:\windows\system32\SHDOCVW.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\SETUPAPI.dll
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-06-19 15:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 07:54

Pre-Run: 1,915,006,976 bytes free
Post-Run: 1,995,763,712 bytes free

292 --- E O F --- 2008-08-08 15:03

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:21 AM

Posted 19 June 2009 - 03:18 AM

Hi,

Please let Combofix install the Recovery console and RERUN combofix and post the new log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:06:21 AM

Posted 19 June 2009 - 06:25 AM

Once you're done and you have installed the Recovery console..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\S5E091914.tmp
c:\documents and settings\Administrator\Start Menu\Programs\Startup\49956C.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ACE728.lnk
Collect::[8]
C:\Qoobox\quarantine\c\windows\system32\WgaLogon.dll.vir
C:\Qoobox\quarantine\c\windows\system32\WgaLogon.dll
c:\windows\system32\BC33B1\72845.exe
c:\windows\system32\9FE8FA\49956C.EXE
C:\WINDOWS\system32\22CC3E\i-123.exe
C:\WINDOWS\system32\BC33B1\ACE728.EXE
Suspect::[8]
c:\windows\System32\NewUser.cmd
Dirlook::
c:\windows\system32\38E542
c:\windows\system32\22CC3E
c:\windows\system32\9FE8FA
c:\windows\system32\0BF855
Driver::
mpr_freader
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"49956C"=-


Save this as a txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
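
The script below is an added example, not part of this thread and not ComboFix's own code. It reads log lines in the format of the ComboFix output posted above and flags the same items the helper's CFScript targets: the Run value and Startup-folder shortcut pointing into the random-named c:\windows\system32\9FE8FA folder, hidden/system objects in such folders, the Security Center overrides and disabled firewall, and the mpr_freader driver whose binary under Temp is missing. The sample lines are excerpted from the posted logs; the "six hex digits directly under system32" heuristic is an assumption of this example, not a ComboFix rule.

```python
"""Triage of ComboFix-style log lines (added example; not from the thread or ComboFix).

Flags the items a helper would pull into a CFScript: autostarts whose target
sits in a random-looking six-hex-digit folder under system32, hidden/system
objects in such folders, Security Center / firewall settings switched off, and
drivers whose binary lives in Temp or is missing.
"""
import re

# Heuristic (this example's assumption, not a ComboFix rule): a folder directly
# under system32 named with exactly six hex digits, e.g. 9FE8FA or 22CC3E.
RANDOM_SYS32_DIR = re.compile(r"\\system32\\[0-9a-f]{6}(?:\\|$)", re.IGNORECASE)

# Run value:        "name"="c:\path\file.exe" [date size]
RUN_VALUE = re.compile(r'^"[^"]+"="(?P<path>[^"]+)"')
# Startup shortcut: name.lnk - c:\path\file.exe [date size]
STARTUP_LNK = re.compile(r"^\S+\.lnk - (?P<path>.+?) \[", re.IGNORECASE)
# Directory listing: created . modified size flags path; flags is an
# 8-char field such as ----a-w- or --sh--r- (index 2 = system, 3 = hidden).
LISTING = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"\S+ (?P<flags>[A-Za-z-]{8}) (?P<path>.+)$"
)
# Service/driver: R0|R1|R2|S3 name;display name;path [date size]  or  [?]
DRIVER = re.compile(r"^[RS]\d [^;]+;[^;]*;(?P<rest>.+)$")

# Registry values, exactly as ComboFix prints them, that switch protection off.
DISABLED_PROTECTION = {
    '"AntiVirusOverride"=dword:00000001': "Security Center antivirus alerting overridden",
    '"FirewallOverride"=dword:00000001': "Security Center firewall alerting overridden",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall disabled for the standard profile",
}


def hidden_or_system(flags):
    """True when the ComboFix attribute field carries the system or hidden bit."""
    return flags[2] == "s" or flags[3] == "h"


def triage(log_text):
    """Return findings as dicts with 'reason', 'path' (may be None) and 'line'."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in DISABLED_PROTECTION:
            findings.append({"reason": DISABLED_PROTECTION[line], "path": None, "line": line})
            continue
        m = RUN_VALUE.match(line) or STARTUP_LNK.match(line)
        if m:
            if RANDOM_SYS32_DIR.search(m.group("path")):
                findings.append({"reason": "autostart target in random-named system32 folder",
                                 "path": m.group("path"), "line": line})
            continue
        m = LISTING.match(line)
        if m:
            if hidden_or_system(m.group("flags")) and RANDOM_SYS32_DIR.search(m.group("path")):
                findings.append({"reason": "hidden/system object in random-named system32 folder",
                                 "path": m.group("path"), "line": line})
            continue
        m = DRIVER.match(line)
        if m:
            rest = m.group("rest")
            if rest.endswith("[?]") or re.search(r"\\windows\\temp\\", rest, re.IGNORECASE):
                findings.append({"reason": "driver binary in Temp folder or missing on disk",
                                 "path": rest, "line": line})
    return findings


# Excerpt of the logs posted in this thread, mixing benign and suspicious lines.
SAMPLE_LOG = r"""
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-07 40448]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"49956C"="c:\windows\system32\9FE8FA\49956C.EXE" [2009-06-16 1425998]
49956C.lnk - c:\windows\system32\9FE8FA\49956C.EXE [2009-6-16 1425998]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/21/2009 5:11 PM 114768]
S3 mpr_freader;MPR FileReader Driver;\??\c:\windows\Temp\RarSFX0\mpr_freader.sys --> c:\windows\Temp\RarSFX0\mpr_freader.sys [?]
2009-06-19 05:06 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-16 01:27 . 2009-06-19 13:27 -------- d--h--w- c:\windows\system32\9FE8FA
2009-06-16 01:27 . 2009-06-19 13:16 73728 ----a-w- c:\windows\system32\22CC3E\spec.fne
2009-06-18 01:18 . 2009-06-19 13:26 13824 --sha-w- c:\windows\system32\22CC3E\i-123.exe
2009-06-16 01:27 . 2009-06-16 01:27 1425998 --sh--r- c:\windows\system32\9FE8FA\49956C.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}: {f['path'] or f['line']}")
```

Run against the full Combofix.txt it prints one line per flagged entry; entries such as ctfmon.exe, the avast! driver and the non-hidden .fne files in 22CC3E are left alone, which is the discrimination a helper applies before writing the CFScript.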

#8 newhere

newhere
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:21 PM

Posted 19 June 2009 - 09:21 AM

Hello, I let Combofix install the Recovery console and reran Combofix. Then I went ahead and followed your next instructions, creating CFScript.txt, dragging it onto Combofix and letting it run. I also uploaded the file to submit, 'C:\Qoobox\Quarantine\[8]-Submit_date_time.zip'. Below is the new Combofix.txt data. Thank you very much once again.

ComboFix 09-06-18.02 - Snehal 06/19/2009 21:26.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.516 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090618-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\49956C.lnk"
"c:\documents and settings\Administrator\Start Menu\Programs\Startup\ACE728.lnk"
"c:\windows\S5E091914.tmp"

file zipped: c:\qoobox\quarantine\c\windows\system32\WgaLogon.dll.vir
file zipped: c:\windows\system32\22CC3E\i-123.exe
file zipped: c:\windows\system32\9FE8FA\49956C.EXE
file zipped: c:\windows\system32\BC33B1\72845.exe
file zipped: c:\windows\system32\Suspect_NewUser.cmd.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\49956C.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ACE728.lnk
c:\windows\S5E091914.tmp
c:\windows\system32\22CC3E\i-123.exe
c:\windows\system32\9FE8FA\49956C.EXE
c:\windows\system32\BC33B1\72845.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MPR_FREADER
-------\Service_mpr_freader


((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\system32\xircom
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\srchasst
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\program files\microsoft frontpage
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-19 05:06 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 05:06 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 05:04 . 2009-06-19 05:05 3561744 ----a-w- C:\mbam-setup.exe
2009-06-18 05:47 . 2009-06-19 05:20 -------- d-----w- C:\HijackThis
2009-06-16 01:27 . 2009-06-19 13:27 -------- d--h--w- c:\windows\system32\9FE8FA
2009-06-16 01:27 . 2009-06-19 13:27 -------- d--h--w- c:\windows\system32\22CC3E
2009-06-16 01:27 . 2009-06-18 01:18 -------- d--h--w- c:\windows\system32\38E542
2009-06-16 01:27 . 2009-06-16 01:42 -------- d--h--w- c:\windows\system32\0BF855
2009-06-08 07:42 . 2009-06-08 07:42 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-08 07:42 . 2009-06-08 07:42 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-08 07:42 . 2009-06-08 07:42 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-08 07:42 . 2009-06-08 07:42 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-08 07:42 . 2009-06-08 07:42 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-08 07:42 . 2009-06-08 07:42 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-08 07:42 . 2009-06-08 07:42 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-08 07:41 . 2009-06-08 07:41 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-08 07:41 . 2009-06-08 07:41 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-08 07:41 . 2009-06-08 07:41 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-08 07:41 . 2009-06-08 07:41 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-08 07:41 . 2009-06-08 07:41 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-08 07:41 . 2009-06-08 07:41 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-08 07:41 . 2009-06-08 07:41 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-08 07:41 . 2009-06-08 07:41 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-08 07:41 . 2009-06-08 07:41 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-08 07:41 . 2009-06-08 07:41 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-01 10:29 . 2006-07-04 20:29 489696 ----a-w- c:\windows\system32\drivers\ar5211.sys
2009-06-01 10:29 . 2005-06-21 05:32 28544 ----a-w- c:\windows\system32\drivers\callistx.sys
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ATI
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-05-31 12:33 . 2009-02-25 07:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-05-31 12:32 . 2009-05-31 12:34 -------- d-----w- c:\program files\ATI Technologies
2009-05-31 12:31 . 2009-05-31 12:31 -------- d-----w- C:\ATI
2009-05-26 07:41 . 1999-03-11 12:47 71680 ----a-w- c:\windows\ST5UNST.EXE
2009-05-26 07:41 . 1999-03-11 12:47 29696 ----a-w- c:\windows\system32\VB5StKit.dll
2009-05-21 09:11 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-05-21 09:11 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-05-21 09:11 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-21 09:11 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-05-21 09:11 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-05-21 09:11 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-05-21 09:11 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-05-21 09:11 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-05-21 09:11 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 13:33 . 2008-04-05 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-06-09 15:13 . 2008-03-09 01:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-06-09 11:53 . 2008-03-09 01:49 -------- d-----w- c:\program files\DNA
2009-06-08 07:42 . 2009-05-10 08:21 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 10:29 . 2008-01-27 08:52 -------- d-----w- c:\program files\Atheros
2009-06-01 10:29 . 2008-01-27 07:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 13:20 . 2008-01-27 07:36 -------- d-----w- c:\program files\Elaborate Bytes
2009-05-17 11:59 . 2009-05-17 11:58 -------- d-----w- c:\program files\Hotspot Shield
2009-05-17 11:59 . 2009-05-17 11:59 -------- d-----w- c:\program files\Conduit
2009-05-17 11:59 . 2009-05-17 11:59 -------- d-----w- c:\program files\Hotspot_Shield
2009-05-16 00:07 . 2009-05-16 00:07 -------- d-----w- c:\program files\MSECache
2009-05-14 14:29 . 2009-01-27 16:25 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-05-10 07:39 . 2009-05-10 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-10 07:38 . 2009-05-10 07:39 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-10 07:38 . 2009-05-10 07:38 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-10 07:27 . 2009-05-10 07:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 07:27 . 2009-05-10 07:27 -------- d-----w- c:\program files\Lavasoft
2009-05-09 10:28 . 2008-02-20 14:05 -------- d-----w- c:\program files\Folder Guard Pro
2009-04-28 06:49 . 2008-05-06 11:47 -------- d-----w- c:\program files\DivX
2009-04-28 06:49 . 2008-01-27 07:20 -------- d-----w- c:\program files\Windows Media Connect 2
2009-04-28 06:28 . 2009-04-21 10:28 -------- d-----w- c:\program files\Graboid
2009-04-26 06:30 . 2008-03-09 01:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-04-21 12:19 . 2009-01-28 15:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-04-21 10:39 . 2009-04-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Graboid Inc
2009-04-21 10:39 . 2009-04-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-04-03 18:18 . 2009-04-03 18:18 33256 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-03-28 13:41 . 2008-01-27 07:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-03-08 01:29 . 2008-03-08 01:29 520192 ----a-w- c:\program files\WinDjView-0.5.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\0BF855 ----

2009-06-16 01:42 . 2009-06-19 13:03 2252 ----a-w- c:\windows\system32\0BF855\8b681b.txt
2009-06-16 01:42 . 2009-06-19 13:03 350 --sha-w- c:\windows\system32\0BF855\8c9ba9.txt

---- Directory of c:\windows\system32\22CC3E ----

2009-06-18 01:18 . 2009-06-19 13:26 13824 --sha-w- c:\windows\system32\22CC3E\i-123.exe
2009-06-18 01:18 . 2009-06-19 13:03 728 --sh--w- c:\windows\system32\22CC3E\u-3v.txt
2009-06-16 01:27 . 2009-06-19 13:16 73728 ----a-w- c:\windows\system32\22CC3E\spec.fne
2009-06-16 01:27 . 2009-06-19 13:16 40960 ----a-w- c:\windows\system32\22CC3E\shell.fne
2009-06-16 01:27 . 2009-06-19 13:16 217088 ----a-w- c:\windows\system32\22CC3E\RegEx.fnr
2009-06-16 01:27 . 2009-06-19 13:16 1101824 ----a-w- c:\windows\system32\22CC3E\krnln.fnr
2009-06-16 01:27 . 2009-06-19 13:16 184320 ----a-w- c:\windows\system32\22CC3E\internet.fne
2009-06-16 01:27 . 2009-06-19 13:16 217088 ----a-w- c:\windows\system32\22CC3E\HtmlView.fne
2009-06-16 01:27 . 2009-06-19 13:16 323584 ----a-w- c:\windows\system32\22CC3E\eAPI.fne
2009-06-16 01:27 . 2009-06-19 13:16 114688 ----a-w- c:\windows\system32\22CC3E\dp1.fne
2009-06-16 01:27 . 2009-06-19 13:16 61440 ----a-w- c:\windows\system32\22CC3E\cnvpe.fne

---- Directory of c:\windows\system32\38E542 ----

2009-06-18 01:18 . 2009-06-18 01:18 7728 --sh--w- c:\windows\system32\38E542\c9f2670e.txt
2009-06-18 01:18 . 2009-06-18 01:18 712 --sh--w- c:\windows\system32\38E542\9e7bb5c7.txt

---- Directory of c:\windows\system32\9FE8FA ----

2009-06-16 01:27 . 2009-06-16 01:27 1425998 --sh--r- c:\windows\system32\9FE8FA\49956C.EXE


------- Sigcheck -------

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2007-11-07 09:00 544256 E924BFFA379552571CB250E241F14E84 c:\windows\system32\user32.dll

[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[-] 2007-11-07 09:00 2346752 24FCD8FB0C6BD0E5F3B1203769948336 c:\windows\system32\ntoskrnl.exe

[-] 2007-11-07 09:00 1224192 9349B192D2249721F513768A9A47C152 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
[-] 2007-11-07 09:00 40448 E00DFA816FA5521EB44C5D63109DE2A9 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-19_07.50.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-19 12:47 . 2009-06-19 12:47 16384 c:\windows\Temp\Perflib_Perfdata_1dc.dat
+ 2009-06-19 13:31 . 2009-06-19 13:31 16384 c:\windows\Temp\Perflib_Perfdata_1c8.dat
- 2009-06-19 07:47 . 2009-06-19 07:47 60416 c:\windows\Temp\Perflib_Perfdata__755.dat
+ 2009-06-19 13:30 . 2009-06-19 13:30 60416 c:\windows\Temp\Perflib_Perfdata__755.dat
- 2009-06-19 07:49 . 2009-06-19 07:49 53248 c:\windows\Temp\catchme.dll
+ 2009-06-19 13:32 . 2009-06-19 13:32 53248 c:\windows\Temp\catchme.dll
+ 2007-11-07 09:00 . 2009-06-19 13:15 63930 c:\windows\system32\perfc009.dat
- 2007-11-07 09:00 . 2009-06-19 05:41 63930 c:\windows\system32\perfc009.dat
- 2007-11-07 09:00 . 2009-06-19 05:41 406896 c:\windows\system32\perfh009.dat
+ 2007-11-07 09:00 . 2009-06-19 13:15 406896 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2008-06-24 15:17 1569304 ----a-w- c:\program files\Hotspot_Shield\tbHots.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-17 11:58 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-07 40448]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2007-02-25 132680]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-04-05 3551456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-08 518488]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-11-07 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"NewUser"="c:\windows\System32\NewUser.cmd" [2007-11-07 2475]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-03-01 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2009 3:39 PM 64160]
R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 PM 116264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/21/2009 5:11 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/21/2009 5:11 PM 20560]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [2/20/2008 10:05 PM 48896]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/22/2009 9:12 AM 328752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/10/2009 3:06 AM 1005904]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/23/2009 5:34 AM 34352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:41]

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1450960922-839522115-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-01 10:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 21:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(7656)
c:\windows\system32\SHDOCVW.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\SETUPAPI.dll
c:\program files\Babylon\Babylon-Pro\Captlib.dll
c:\windows\system32\MSVCP60.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\rundll32.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-06-19 21:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-19 13:36
ComboFix2.txt 2009-06-19 13:20
ComboFix3.txt 2009-06-19 07:54

Pre-Run: 1,915,039,744 bytes free
Post-Run: 1,831,452,672 bytes free

314 --- E O F --- 2008-08-08 15:03

#9 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 June 2009 - 09:27 AM

Hi,

First of all... Please perform the following steps in the correct order as I explain here...

1)

* Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

c:\windows\system32\38E542\c9f2670e.txt
c:\windows\system32\38E542\9e7bb5c7.txt
c:\windows\system32\22CC3E\u-3v.txt
c:\windows\system32\0BF855\8b681b.txt
c:\windows\system32\0BF855\8c9ba9.txt


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the Browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.

Then, 2)

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Folder::
c:\windows\system32\9FE8FA
c:\windows\system32\22CC3E
c:\windows\system32\38E542
c:\windows\system32\0BF855


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 newhere

newhere
  • Topic Starter

  • Members
  • 9 posts

Posted 19 June 2009 - 10:01 AM

Hello, I uploaded the cab file as instructed, and also created the latest Combofix.txt file. Below are the latest results. Thank you once again.

ComboFix 09-06-18.02 - Snehal 06/19/2009 22:52.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.520 [GMT 8:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090618-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\0BF855
c:\windows\system32\22CC3E
c:\windows\system32\38E542
c:\windows\system32\9FE8FA
c:\windows\system32\0BF855\8b681b.txt
c:\windows\system32\0BF855\8c9ba9.txt
c:\windows\system32\22CC3E\cnvpe.fne
c:\windows\system32\22CC3E\dp1.fne
c:\windows\system32\22CC3E\eAPI.fne
c:\windows\system32\22CC3E\HtmlView.fne
c:\windows\system32\22CC3E\internet.fne
c:\windows\system32\22CC3E\krnln.fnr
c:\windows\system32\22CC3E\RegEx.fnr
c:\windows\system32\22CC3E\shell.fne
c:\windows\system32\22CC3E\spec.fne
c:\windows\system32\22CC3E\u-3v.txt
c:\windows\system32\38E542\9e7bb5c7.txt
c:\windows\system32\38E542\c9f2670e.txt

.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\system32\wbem\snmp
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\system32\xircom
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\windows\srchasst
2009-06-19 07:48 . 2009-06-19 07:48 -------- d-----w- c:\program files\microsoft frontpage
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-19 05:06 . 2009-06-17 03:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 05:06 . 2009-06-19 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 05:06 . 2009-06-17 03:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 05:04 . 2009-06-19 05:05 3561744 ----a-w- C:\mbam-setup.exe
2009-06-18 05:47 . 2009-06-19 05:20 -------- d-----w- C:\HijackThis
2009-06-08 07:42 . 2009-06-08 07:42 314200 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-06-08 07:42 . 2009-06-08 07:42 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-06-08 07:42 . 2009-06-08 07:42 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-08 07:42 . 2009-06-08 07:42 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-06-08 07:42 . 2009-06-08 07:42 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-06-08 07:42 . 2009-06-08 07:42 294240 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-06-08 07:42 . 2009-06-08 07:42 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-08 07:41 . 2009-06-08 07:41 1630048 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-06-08 07:41 . 2009-06-08 07:41 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-08 07:41 . 2009-06-08 07:41 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-08 07:41 . 2009-06-08 07:41 640360 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-06-08 07:41 . 2009-06-08 07:41 540536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-06-08 07:41 . 2009-06-08 07:41 559464 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-06-08 07:41 . 2009-06-08 07:41 2352456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-06-08 07:41 . 2009-06-08 07:41 627536 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-06-08 07:41 . 2009-06-08 07:41 518488 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-06-08 07:41 . 2009-06-08 07:41 1005904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-06-01 10:29 . 2006-07-04 20:29 489696 ----a-w- c:\windows\system32\drivers\ar5211.sys
2009-06-01 10:29 . 2005-06-21 05:32 28544 ----a-w- c:\windows\system32\drivers\callistx.sys
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ATI
2009-05-31 12:38 . 2009-05-31 12:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\ATI
2009-05-31 12:33 . 2009-02-25 07:15 593920 ------w- c:\windows\system32\ati2sgag.exe
2009-05-31 12:32 . 2009-05-31 12:34 -------- d-----w- c:\program files\ATI Technologies
2009-05-31 12:31 . 2009-05-31 12:31 -------- d-----w- C:\ATI
2009-05-26 07:41 . 1999-03-11 12:47 71680 ----a-w- c:\windows\ST5UNST.EXE
2009-05-26 07:41 . 1999-03-11 12:47 29696 ----a-w- c:\windows\system32\VB5StKit.dll
2009-05-21 09:11 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-05-21 09:11 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-05-21 09:11 . 2009-02-05 21:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-05-21 09:11 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-05-21 09:11 . 2009-02-05 21:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-05-21 09:11 . 2009-02-05 21:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-05-21 09:11 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-05-21 09:11 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-05-21 09:11 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-19 14:33 . 2008-04-05 00:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2009-06-09 15:13 . 2008-03-09 01:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\DNA
2009-06-09 11:53 . 2008-03-09 01:49 -------- d-----w- c:\program files\DNA
2009-06-08 07:42 . 2009-05-10 08:21 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-01 10:29 . 2008-01-27 08:52 -------- d-----w- c:\program files\Atheros
2009-06-01 10:29 . 2008-01-27 07:34 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-31 13:20 . 2008-01-27 07:36 -------- d-----w- c:\program files\Elaborate Bytes
2009-05-17 11:59 . 2009-05-17 11:58 -------- d-----w- c:\program files\Hotspot Shield
2009-05-17 11:59 . 2009-05-17 11:59 -------- d-----w- c:\program files\Conduit
2009-05-17 11:59 . 2009-05-17 11:59 -------- d-----w- c:\program files\Hotspot_Shield
2009-05-16 00:07 . 2009-05-16 00:07 -------- d-----w- c:\program files\MSECache
2009-05-14 14:29 . 2009-01-27 16:25 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-05-10 07:39 . 2009-05-10 07:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-05-10 07:38 . 2009-05-10 07:39 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-10 07:38 . 2009-05-10 07:38 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-10 07:27 . 2009-05-10 07:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-10 07:27 . 2009-05-10 07:27 -------- d-----w- c:\program files\Lavasoft
2009-05-09 10:28 . 2008-02-20 14:05 -------- d-----w- c:\program files\Folder Guard Pro
2009-04-28 06:49 . 2008-05-06 11:47 -------- d-----w- c:\program files\DivX
2009-04-28 06:49 . 2008-01-27 07:20 -------- d-----w- c:\program files\Windows Media Connect 2
2009-04-28 06:28 . 2009-04-21 10:28 -------- d-----w- c:\program files\Graboid
2009-04-26 06:30 . 2008-03-09 01:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-04-21 12:19 . 2009-01-28 15:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2009-04-21 10:39 . 2009-04-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\Graboid Inc
2009-04-21 10:39 . 2009-04-21 10:39 -------- d-----w- c:\documents and settings\Administrator\Application Data\MozillaControl
2009-04-03 18:18 . 2009-04-03 18:18 33256 ----a-w- c:\windows\system32\drivers\HssDrv.sys
2009-03-28 13:41 . 2008-01-27 07:20 348160 ----a-w- c:\windows\system32\msvcr71.dll
2008-03-08 01:29 . 2008-03-08 01:29 520192 ----a-w- c:\program files\WinDjView-0.5.exe
.

------- Sigcheck -------

[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2007-11-07 09:00 544256 E924BFFA379552571CB250E241F14E84 c:\windows\system32\user32.dll

[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ntoskrnl.exe
[-] 2007-11-07 09:00 2346752 24FCD8FB0C6BD0E5F3B1203769948336 c:\windows\system32\ntoskrnl.exe

[-] 2007-11-07 09:00 1224192 9349B192D2249721F513768A9A47C152 c:\windows\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe

[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ctfmon.exe
[-] 2007-11-07 09:00 40448 E00DFA816FA5521EB44C5D63109DE2A9 c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-06-19_07.50.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-19 13:31 . 2009-06-19 13:31 16384 c:\windows\Temp\Perflib_Perfdata_1c8.dat
- 2009-06-19 07:49 . 2009-06-19 07:49 53248 c:\windows\Temp\catchme.dll
+ 2009-06-19 14:55 . 2009-06-19 14:55 53248 c:\windows\Temp\catchme.dll
+ 2007-11-07 09:00 . 2009-06-19 13:36 63930 c:\windows\system32\perfc009.dat
- 2007-11-07 09:00 . 2009-06-19 05:41 63930 c:\windows\system32\perfc009.dat
+ 2007-11-07 09:00 . 2009-06-19 13:36 406896 c:\windows\system32\perfh009.dat
- 2007-11-07 09:00 . 2009-06-19 05:41 406896 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c95a4e8e-816d-4655-8c79-d736da1adb6d}]
2008-06-24 15:17 1569304 ----a-w- c:\program files\Hotspot_Shield\tbHots.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-17 11:58 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-07 40448]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FG_Monitor"="c:\program files\Folder Guard Pro\FGKey.exe" [2007-02-25 132680]
"Babylon Client"="c:\program files\Babylon\Babylon-Pro\Babylon.exe" [2008-04-05 3551456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-28 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-08 518488]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2007-11-07 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-05 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"NewUser"="c:\windows\System32\NewUser.cmd" [2007-11-07 2475]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2008-03-01 124928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/10/2009 3:39 PM 64160]
R0 SI3112r;ATI-4379 Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [8/29/2007 4:04 PM 116264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/21/2009 5:11 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/21/2009 5:11 PM 20560]
R2 FGUARD32;FGUARD32;c:\program files\Folder Guard Pro\FGUARD32.SYS [2/20/2008 10:05 PM 48896]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/22/2009 9:12 AM 328752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/10/2009 3:06 AM 1005904]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/23/2009 5:34 AM 34352]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ASPI32
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:41]

2009-06-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1450960922-839522115-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-01 10:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1561552
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Translate with &Babylon - c:\program files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-19 22:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1076)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\cscui.dll
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(1132)
c:\windows\system32\SETUPAPI.dll
.
Completion time: 2009-06-19 22:57
ComboFix-quarantined-files.txt 2009-06-19 14:56
ComboFix2.txt 2009-06-19 13:36
ComboFix3.txt 2009-06-19 13:20
ComboFix4.txt 2009-06-19 07:54

Pre-Run: 1,776,914,432 bytes free
Post-Run: 1,763,414,016 bytes free

248 --- E O F --- 2008-08-08 15:03

#11 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 June 2009 - 10:08 AM

Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then please update your Windows to Service Pack 3.

Let me know in your next reply how things are now.

#12 newhere

newhere
  • Topic Starter

  • Members
  • 9 posts

Posted 19 June 2009 - 10:55 AM

Hello, I have followed the instructions; however, my CPU is still being used 100%. I noticed this happens mostly when streaming clips etc. Once I stop the streaming, the CPU usage goes back to normal. Thank you very much for all your help and also your prompt response.

#13 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 June 2009 - 11:03 AM

Hi,

Don't really worry if you only have it when streaming clips though. The malware is removed. This may be because of your Avast, or because of the huge number of add-ons (toolbars) you have installed in your IE browser.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#14 newhere

newhere
  • Topic Starter

  • Members
  • 9 posts

Posted 19 June 2009 - 11:09 AM

Thank you so much again. Have a Fantastic Day!

#15 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 June 2009 - 11:11 AM

You're most welcome. :thumbup2: