Win32.TDSS.rtk infection keeps coming back


This topic is locked
19 replies to this topic

#1 Salar (Members, 10 posts, Location: Vermont)

Posted 30 June 2009 - 04:13 PM

My computer is infected with Win32.TDSS.rtk. Spybot and Malwarebytes' Anti-Malware both detect and remove it (MalwareBytes calls it "Rootkit.trace"), but then it re-appears on subsequent scans. I think it regenerates itself whenever the computer boots or re-boots. AVG Free never detects it. The hidden file C:\WINNT\System32\UACcfyxfymsntyqjxt.dll is referenced in the scans and I suspect there are several other components that are more deeply hidden.

A good deal of internet research on this rootkit took me to this fine forum to ask for help. I have used good info found while browsing this forum to rid the machine of other pesky malware, but this one is beyond my capabilities. I'd appreciate any assistance.

Here's my DDS log file:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 15:57:37.87 on Tue 06/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1465 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINNT\Explorer.EXE
svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\atwtusb.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Owner\Desktop\Security\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://forecast.weather.gov/MapClick.php?site=BTV&llon=-73.272083&rlon=-72.609583&tlat=44.727917&blat=44.065417&smap=1&mp=1&map.x=110&map.y=88
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\winnt\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/content/burninrubber2/sis/BurninRubber2.dcr"
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [GWMDMpi] c:\winnt\GWMDMpi.exe
mRun: [GWMDMMSG] GWMDMMSG.exe
mRun: [atwtusb] atwtusb.exe beta
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [0000 - c:\documents and settings\owner\start menu\programs\hp deskjet 810c series v11.1] c:\winnt\system32\command.com /c rmdir "c:\documents and settings\owner\start menu\programs\HP DeskJet 810C Series v11.1"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\owner\application data\leadertech\powerregister\Seagate 2GEVZBMW Product Registration.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google updater\GoogleUpdater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - c:\program files\verizon online\verizon online control pad\VerizonControlPad.Exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_14.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1097055904031
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
DPF: {56393399-041A-4650-94C7-13DFCB1F4665} - hxxp://www.pcpitstop.com/pestscan/pestscan.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228674274203
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228674255953
DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} - hcp://system/RunExeActiveX.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} - hcp://system/StartFirstControl.CAB
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - hxxps://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: junomsg - {C4D10830-379D-11d4-9B2D-00C04F1579A5} - c:\program files\juno\bin\jmsgpph.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: awtuuVop - awtuuVop.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 c:\winnt\system32\geBuVNFU
LSA: Notification Packages = :\winnt\system32\srrstr.dll scecli

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-1-11 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-1-11 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-11 298776]
R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [2002-8-19 7808]
R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [2003-1-22 34712]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2003-1-22 6736]
R2 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-10 30152]
R2 WinDriver;WinDriver;c:\winnt\system32\drivers\windrvr.sys [2003-1-31 205220]
S2 gupdate1c9cfd6ade0b7ca;Google Update Service (gupdate1c9cfd6ade0b7ca);c:\program files\google\update\GoogleUpdate.exe [2009-5-8 133104]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\qctest\pcdoc\pcdrdrv.sys --> c:\atf\qctest\pcdoc\PCDRDRV.sys [?]
S4 AloPar;AloPar;c:\winnt\system32\drivers\AloPar.sys [2003-2-1 4112]

=============== Created Last 30 ================

2009-06-29 20:41 <DIR> --ds---- C:\Combo-Fix
2009-06-29 19:19 1,891 a------- c:\winnt\wincmd.ini
2009-06-29 19:19 545 a------- c:\winnt\UC.PIF
2009-06-29 19:19 545 a------- c:\winnt\RAR.PIF
2009-06-29 19:19 545 a------- c:\winnt\PKZIP.PIF
2009-06-29 19:19 545 a------- c:\winnt\PKUNZIP.PIF
2009-06-29 19:19 545 a------- c:\winnt\NOCLOSE.PIF
2009-06-29 19:19 545 a------- c:\winnt\LHA.PIF
2009-06-29 19:19 545 a------- c:\winnt\ARJ.PIF
2009-06-29 19:19 <DIR> --d----- C:\totalcmd
2009-06-29 19:12 <DIR> --d----- C:\Total Commander
2009-06-29 16:39 <DIR> --d----- c:\program files\common files\xing shared
2009-06-27 15:08 <DIR> --dsh--- c:\winnt\ftpcache
2009-06-27 09:06 327,688 a------- c:\winnt\system32\drivers\avgldx86.sys.prepare
2009-06-27 09:06 27,784 a------- c:\winnt\system32\drivers\avgmfx86.sys.prepare
2009-06-27 09:06 11,952 a------- c:\winnt\system32\avgrsstx.dll.prepare
2009-06-26 12:09 246,272 -------- c:\winnt\system32\dllcache\ieproxy.dll
2009-06-26 12:09 12,800 -------- c:\winnt\system32\dllcache\xpshims.dll
2009-06-25 21:49 <DIR> --d----- c:\program files\iPod
2009-06-25 21:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 15:42 118,272 a------- c:\winnt\system32\hpz3l696.dll
2009-06-21 15:42 974,848 a----r-- c:\winnt\system32\hpost_p01c.dll
2009-06-21 15:42 737,280 a----r-- c:\winnt\system32\hposwia_p01c.dll
2009-06-21 15:42 307,200 a----r-- c:\winnt\system32\hposc_p01a.dll
2009-06-21 15:40 <DIR> --d----- c:\program files\common files\HP
2009-06-21 15:31 150,623 a------- c:\winnt\hpoins33.dat
2009-06-21 15:31 1,008 -------- c:\winnt\hpomdl33.dat
2009-06-20 11:20 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-06-20 11:20 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-20 11:20 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-06-20 11:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 11:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-10 12:51 <DIR> --d----- c:\program files\Viewpoint

==================== Find3M ====================

2009-06-29 20:13 393,202 a------- c:\winnt\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-06-29 16:39 348,160 a------- c:\winnt\system32\msvcr71.dll
2009-05-25 00:24 350,208 -------- c:\winnt\system32\mssph.dll
2009-05-21 11:33 410,984 a------- c:\winnt\system32\deploytk.dll
2009-05-13 01:15 5,936,128 a------- c:\winnt\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\winnt\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\winnt\system32\dllcache\wininet.dll
2009-05-12 01:11 102,912 -------- c:\winnt\system32\dllcache\iecompat.dll
2009-05-11 08:36 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-05-11 08:36 325,896 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-05-07 11:32 345,600 a------- c:\winnt\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\winnt\system32\dllcache\localspl.dll
2009-04-30 17:22 1,985,024 a------- c:\winnt\system32\dllcache\iertutil.dll
2009-04-30 17:22 11,064,832 a------- c:\winnt\system32\dllcache\ieframe.dll
2009-04-30 17:22 1,207,808 a------- c:\winnt\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\winnt\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 a------- c:\winnt\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 a------- c:\winnt\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\winnt\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\winnt\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\winnt\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\winnt\system32\dllcache\rpcrt4.dll
2007-07-08 07:45 104,072 -------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
2002-09-07 02:47 144 -------- c:\program files\pcdocrx_order.html
2001-03-11 07:59 766 -------- c:\program files\pcdoc.ico

============= FINISH: 15:58:33.51 ===============

#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Gender: Female, Location: Wills Point, Texas)

Posted 30 June 2009 - 09:01 PM

Hello Salar,

You have more going on here than just the rootkit.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! Tea Timer especially needs to be disabled.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 Salar (Topic Starter, Members, 10 posts, Location: Vermont)

Posted 01 July 2009 - 10:48 AM

Hello Tea,

Thank you for the reply.

My ComboFix and HijackThis logs follow. Note that ComboFix prompted me to install Microsoft Windows Recovery Console, but since I was unsure about the necessity of this, I elected not to do so. Please advise.

ComboFix 09-06-29.07 - Owner 07/01/2009 10:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1623 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\system32\drivers\UACpfmlwmqbwemovns.sys
c:\winnt\system32\powercfg.dll
c:\winnt\system32\system
c:\winnt\system32\system\msxml4.dll
c:\winnt\system32\system\msxml4r.dll
c:\winnt\system32\UACcfyxfymsntyqjxt.dll
c:\winnt\system32\UACurqxdnmgriwaerd.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_WINDRIVER
-------\Service_WinDriver


((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.

2009-07-01 13:22 . 2009-06-28 12:16 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-07-01 13:22 . 2009-06-28 12:16 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-07-01 13:22 . 2009-06-28 12:16 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-01 13:22 . 2009-06-28 12:16 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-06-30 00:41 . 2009-06-30 00:48 -------- d-s---w- C:\Combo-Fix
2009-06-29 23:19 . 2009-06-29 23:25 -------- d-----w- C:\totalcmd
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\UC.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\RAR.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKZIP.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKUNZIP.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\NOCLOSE.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\LHA.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\ARJ.PIF
2009-06-29 23:12 . 2009-06-29 23:24 -------- d-----w- C:\Total Commander
2009-06-29 21:02 . 2009-06-29 21:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\program files\NOS
2009-06-29 20:39 . 2009-06-29 20:39 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-29 20:37 . 2009-06-29 20:37 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\setup\AU_setup.exe
2009-06-27 19:08 . 2009-06-29 17:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-06-27 19:08 . 2009-06-27 19:08 -------- d-sh--w- c:\winnt\ftpcache
2009-06-27 19:08 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe
2009-06-27 13:08 . 2009-06-27 13:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:21 . 2009-06-26 22:21 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-26 16:09 . 2009-04-30 21:22 12800 ------w- c:\winnt\system32\dllcache\xpshims.dll
2009-06-26 16:09 . 2009-04-30 21:22 246272 ------w- c:\winnt\system32\dllcache\ieproxy.dll
2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\program files\iPod
2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-26 01:40 . 2009-06-26 01:40 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-21 20:07 . 2009-07-01 13:49 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-06-21 19:48 . 2009-06-21 19:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\HP
2009-06-21 19:45 . 2009-06-21 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-21 19:42 . 2008-10-28 16:49 118272 ----a-w- c:\winnt\system32\hpz3l696.dll
2009-06-21 19:42 . 2008-10-30 07:18 737280 ----a-r- c:\winnt\system32\hposwia_p01c.dll
2009-06-21 19:42 . 2008-10-30 07:18 974848 ----a-r- c:\winnt\system32\hpost_p01c.dll
2009-06-21 19:42 . 2008-10-30 07:18 307200 ----a-r- c:\winnt\system32\hposc_p01a.dll
2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Common Files\HP
2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-21 19:31 . 2009-06-21 20:02 150623 ----a-w- c:\winnt\hpoins33.dat
2009-06-21 19:31 . 2008-12-10 20:49 1008 ------w- c:\winnt\hpomdl33.dat
2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-20 15:20 . 2009-06-17 15:27 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 15:20 . 2009-06-17 15:27 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-06-12 23:11 . 2009-06-12 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\program files\Viewpoint
2009-06-10 11:03 . 2009-06-10 11:03 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 01:33 . 2009-06-05 01:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-03 21:54 . 2009-06-03 21:54 -------- d-sh--w- c:\winnt\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-01 13:22 . 2009-06-27 13:06 327688 ----a-w- c:\winnt\system32\drivers\avgldx86.sys.prepare
2009-07-01 13:22 . 2009-06-27 13:06 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys.prepare
2009-06-30 00:13 . 2008-04-23 03:05 393202 ----a-w- c:\winnt\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-06-29 21:35 . 2004-04-24 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 21:06 . 2004-04-21 18:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-29 20:39 . 2003-01-23 02:10 -------- d-----w- c:\program files\Common Files\Real
2009-06-29 20:39 . 2003-02-21 09:42 348160 ----a-w- c:\winnt\system32\msvcr71.dll
2009-06-29 20:23 . 2005-02-13 16:28 -------- d-----w- c:\program files\Java
2009-06-29 19:01 . 2003-01-23 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 19:32 . 2008-05-16 13:31 -------- d-----w- c:\program files\SpywareBlaster
2009-06-27 20:06 . 2003-02-02 12:45 111760 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 18:41 . 2007-12-13 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-27 18:39 . 2003-01-23 02:13 -------- d-----w- c:\program files\Microsoft Works
2009-06-27 13:23 . 2009-01-11 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-26 22:23 . 2007-12-22 13:00 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-26 01:49 . 2007-07-05 16:43 -------- d-----w- c:\program files\iTunes
2009-06-26 01:49 . 2007-07-05 16:42 -------- d-----w- c:\program files\Common Files\Apple
2009-06-26 01:47 . 2005-09-26 15:11 -------- d-----w- c:\program files\QuickTime
2009-06-21 19:47 . 2007-12-04 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2009-06-21 19:47 . 2007-12-04 15:31 -------- d-----w- c:\program files\HP
2009-06-21 19:45 . 2007-12-04 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-10 16:51 . 2004-08-05 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-25 04:24 . 2008-05-27 02:18 350208 ------w- c:\winnt\system32\mssph.dll
2009-05-25 01:51 . 2007-04-15 16:09 -------- d--h--w- c:\documents and settings\Owner\Application Data\Move Networks
2009-05-21 15:33 . 2009-01-17 14:31 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-05-20 18:13 . 2007-10-10 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-13 05:15 . 2004-09-26 23:39 915456 ----a-w- c:\winnt\system32\wininet.dll
2009-05-11 12:36 . 2009-01-11 09:22 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-05-11 12:36 . 2009-01-11 09:22 325896 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-05-11 12:36 . 2009-01-11 09:22 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-10 14:20 . 2009-05-10 14:20 127877 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-05-10 14:20 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-10 14:20 . 2009-05-10 14:19 1685856 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-10 01:21 . 2007-11-15 16:56 -------- d-----w- c:\program files\Jasc Software Inc
2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_SMLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_DTLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
2009-05-08 12:16 . 2004-05-08 00:11 -------- d-----w- c:\program files\Google
2009-05-07 15:32 . 2004-09-26 23:39 345600 ----a-w- c:\winnt\system32\localspl.dll
2009-05-04 21:18 . 2009-05-04 21:18 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-23 00:08 . 2009-04-23 00:08 15340 ----a-w- C:\gtm6F.tmp
2009-04-17 12:26 . 2004-09-26 23:39 1847168 ----a-w- c:\winnt\system32\win32k.sys
2009-04-15 14:51 . 2004-09-26 23:40 585216 ----a-w- c:\winnt\system32\rpcrt4.dll
2002-09-07 06:47 . 2004-04-25 14:26 144 ------w- c:\program files\pcdocrx_order.html
2001-03-11 11:59 . 2004-04-25 14:26 766 ------w- c:\program files\pcdoc.ico
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-01-23 02:11 . 2002-07-17 02:21 28672 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

2005-09-09 00:13 . 2005-09-09 00:13 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
2008-02-09 14:52 . 2009-06-29 20:39 198160 c:\program files\Common Files\Real\Update_OB\realsched.exe

2003-11-10 13:30 . 2006-03-09 15:47 71328 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2005-12-29 16:56 . 2004-12-02 22:23 102400 c:\program files\Creative\MediaSource\Detector\bak\CTDetect.exe

2007-06-28 13:14 . 2007-06-28 13:14 270648 c:\program files\iTunes\bak\iTunesHelper.exe
2009-06-05 17:39 . 2009-06-05 17:39 292136 c:\program files\iTunes\iTunesHelper.exe

2005-05-14 12:51 . 2006-11-07 20:41 8192 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe

2003-01-23 02:10 . 2001-08-01 18:30 94208 c:\program files\QUICKENW\bak\QAGENT.EXE

2007-04-27 13:41 . 2007-04-27 13:41 282624 c:\program files\QuickTime\bak\qttask.exe
2009-05-26 21:18 . 2009-05-26 21:18 413696 c:\program files\QuickTime\QTTask.exe

2007-03-11 21:37 . 2007-03-11 21:37 936960 c:\program files\Verizon\bak\McciTrayApp.exe

2006-10-19 00:05 . 2006-10-19 00:05 204288 c:\program files\Windows Media Player\bak\WMPNSCFG.exe
2006-10-19 01:05 . 2006-10-19 01:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

2003-01-23 02:09 . 2002-08-06 21:24 53248 c:\winnt\bak\GWMDMpi.exe
2007-10-27 15:00 . 2002-08-06 21:24 53248 c:\winnt\GWMDMpi.exe

2004-09-26 23:40 . 2004-08-04 07:56 15360 c:\winnt\system32\bak\ctfmon.exe
2004-09-26 23:40 . 2008-04-14 00:12 15360 c:\winnt\system32\ctfmon.exe

2006-02-26 19:29 . 2006-01-12 19:40 155648 c:\winnt\system32\bak\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\winnt\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-07-28 4841472]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2003-07-28 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-29 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]
"atwtusb"="atwtusb.exe" - c:\winnt\system32\atwtusb.exe [2002-11-21 188416]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2003-07-28 323584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - c:\documents and settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1"="c:\winnt\system32\command.com" [2002-08-29 50620]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Seagate 2GEVZBMW Product Registration.lnk - c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe [2009-6-27 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-10-10 126136]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 12:36 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CADIX Screen Saver Control.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CADIX Screen Saver Control.lnk
backup=c:\winnt\pss\CADIX Screen Saver Control.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\winnt\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reminder-hpc41004.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reminder-hpc41004.lnk
backup=c:\winnt\pss\Reminder-hpc41004.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\winnt\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Quick StartUp.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Quick StartUp.lnk
backup=c:\winnt\pss\Quick StartUp.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Start.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Start.lnk
backup=c:\winnt\pss\Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Speed Disk service"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"PrismXL"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"LightScribeService"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"dvpapi"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"c:\\WINNT\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Gateway\\Gateway Download Assistant\\Downloader.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [1/11/2009 5:22 AM 325896]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/11/2009 5:22 AM 298776]
R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [8/19/2002 5:25 PM 7808]
R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [1/22/2003 10:11 PM 34712]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [1/22/2003 10:15 PM 6736]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/10/2009 12:51 PM 30152]
S2 gupdate1c9cfd6ade0b7ca;Google Update Service (gupdate1c9cfd6ade0b7ca);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:15 AM 133104]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S4 AloPar;AloPar;c:\winnt\system32\drivers\AloPar.sys [2/1/2003 1:11 PM 4112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-01 c:\winnt\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:15]

2009-07-01 c:\winnt\Tasks\{925FCACA-D57F-4037-9499-423C3A36AF61}_S0029534513_Owner.job
- c:\winnt\system32\mobsync.exe [2004-09-26 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file)
Notify-awtuuVop - awtuuVop.dll


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://forecast.weather.gov/MapClick.php?site=BTV&llon=-73.272083&rlon=-72.609583&tlat=44.727917&blat=44.065417&smap=1&mp=1&map.x=110&map.y=88
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 11:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F57B7ED0-D8AB-11D1-85DFnk *fPv!t\TypeLib]
@="{0002E157-0000-0000-C000-000000000046}"
"Version"="5.3"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3904)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\winnt\system32\LEXBCES.EXE
c:\winnt\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2009-07-01 11:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 15:15

Pre-Run: 12,008,103,936 bytes free
Post-Run: 11,944,546,304 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
339 --- E O F --- 2009-06-27 03:02


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:22 AM, on 7/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?s...10&map.y=88
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1] C:\WINNT\system32\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINNT\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.shockwave.com/content/burninrubber2/sis/BurninRubber2.dcr"
O4 - Startup: Seagate 2GEVZBMW Product Registration.lnk = C:\Documents and Settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674274203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674255953
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9cfd6ade0b7ca) (gupdate1c9cfd6ade0b7ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 13059 bytes

#4 teacup61

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 01 July 2009 - 03:20 PM

Hello,

Though ComboFix removed pieces of the rootkit you have, there's also another infection present we need to take care of :

# Please download FindAWF by noahdfear and save it to your desktop.
# Please double-click FindAWF.exe to run option 1.
# If a security alert shows, allow the program to run.
# When the tool has completed, a report will open in Notepad.
# Please post the results of the awf.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 Salar
  • Topic Starter
  • Members
  • 10 posts
  • Location:Vermont

Posted 01 July 2009 - 09:47 PM

OK, here's my awf.txt (from running Option 1):

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Wed 07/01/2009
The current time is: 22:06:02.60


bak folders found
~~~~~~~~~~~


Directory of C:\WINNT\BAK

08/06/2002 05:24 PM 53,248 GWMDMpi.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06/28/2007 09:14 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\QUICKENW\BAK

08/01/2001 02:30 PM 94,208 QAGENT.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 09:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\VERIZON\BAK

03/11/2007 05:37 PM 936,960 McciTrayApp.exe
1 File(s) 936,960 bytes

Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 08:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\WINNT\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
01/12/2006 03:40 PM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/09/2006 11:47 AM 71,328 ccApp.exe
1 File(s) 71,328 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

11/07/2006 04:41 PM 8,192 mimboot.exe
1 File(s) 8,192 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 10:21 PM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/08/2005 08:13 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

53248 Aug 6 2002 "C:\OEMDRVRS\GWMDMPI.EXE"
53248 Aug 6 2002 "C:\WINNT\GWMDMpi.exe"
53248 Aug 6 2002 "C:\WINNT\bak\GWMDMpi.exe"
292136 Jun 5 2009 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jun 28 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 25 2009 "C:\WINNT\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe"
94208 Aug 1 2001 "C:\Program Files\QUICKENW\bak\QAGENT.EXE"
413696 May 26 2009 "C:\Program Files\QuickTime\QTTask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
936960 Mar 11 2007 "C:\Program Files\Verizon\bak\McciTrayApp.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\wmpnscfg.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
15360 Apr 13 2008 "C:\WINNT\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINNT\system32\bak\ctfmon.exe"
155648 Jan 12 2006 "C:\WINNT\system32\bak\NeroCheck.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
8192 Nov 7 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe"
8192 Dec 10 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
198160 Jun 29 2009 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Sep 8 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"


end of report

I also want to let you know that later this afternoon (while offline after my last post) the AVG Resident Shield detected 2 new trojans that I've never seen before:
1. Trojan Horse Injector.EP at C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1009\A0208129.sys
2. Win32/Cryptor at C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP1009\A0208130.dll
They were moved to the AVG Virus Vault.

And a question regarding my comment in my previous reply: Is it beneficial to have the Microsoft Windows Recovery Console installed?

Thanks,
Salar

#6 teacup61

  • Malware Response Team
  • 17,075 posts
  • Location:Wills Point, Texas

Posted 01 July 2009 - 10:12 PM

Hello,

My apologies, I saw that I hadn't answered your question after I posted, and I should have edited it in.

It's up to you on the Recovery Console, but I would suggest installing it for future "just in cases". It's like insurance.....you may never need it, but you'll have it if something comes up.

On those two files.....they are in System Restore and not a threat to you right now, and we'll clear those when the machine is clean. :)

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QUICKENW\bak\QAGENT.EXE"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Verizon\bak\McciTrayApp.exe"
"C:\WINNT\system32\bak\NeroCheck.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#7 Salar

Salar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Location:Vermont
  • Local time:02:13 PM

Posted 02 July 2009 - 10:37 AM

Hi again,

Here is the FindAWF log:

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 07/02/2009
The current time is: 11:27:38.29


bak folders found
~~~~~~~~~~~


Directory of C:\WINNT\BAK

08/06/2002 05:24 PM 53,248 GWMDMpi.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

06/28/2007 09:14 AM 270,648 iTunesHelper.exe
1 File(s) 270,648 bytes

Directory of C:\PROGRA~1\QUICKENW\BAK

08/01/2001 02:30 PM 94,208 QAGENT.EXE
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

04/27/2007 09:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\VERIZON\BAK

03/11/2007 05:37 PM 936,960 McciTrayApp.exe
1 File(s) 936,960 bytes

Directory of C:\PROGRA~1\WINDOW~2\BAK

10/18/2006 08:05 PM 204,288 WMPNSCFG.exe
1 File(s) 204,288 bytes

Directory of C:\WINNT\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
01/12/2006 03:40 PM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

03/09/2006 11:47 AM 71,328 ccApp.exe
1 File(s) 71,328 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

11/07/2006 04:41 PM 8,192 mimboot.exe
1 File(s) 8,192 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 10:21 PM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/08/2005 08:13 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

53248 Aug 6 2002 "C:\OEMDRVRS\GWMDMPI.EXE"
53248 Aug 6 2002 "C:\WINNT\GWMDMpi.exe"
53248 Aug 6 2002 "C:\WINNT\bak\GWMDMpi.exe"
270648 Jun 28 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
270648 Jun 28 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jun 25 2009 "C:\WINNT\Installer\{5D601655-6D54-4384-B52C-17EC5385FBBD}\iTunesIco.exe"
94208 Aug 1 2001 "C:\Program Files\QUICKENW\QAGENT.EXE"
94208 Aug 1 2001 "C:\Program Files\QUICKENW\bak\QAGENT.EXE"
282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
936960 Mar 11 2007 "C:\Program Files\Verizon\McciTrayApp.exe"
936960 Mar 11 2007 "C:\Program Files\Verizon\bak\McciTrayApp.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\wmpnscfg.exe"
204288 Oct 18 2006 "C:\Program Files\Windows Media Player\bak\WMPNSCFG.exe"
15360 Apr 13 2008 "C:\WINNT\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINNT\system32\bak\ctfmon.exe"
155648 Jan 12 2006 "C:\WINNT\system32\NeroCheck.exe"
155648 Jan 12 2006 "C:\WINNT\system32\bak\NeroCheck.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
71328 Mar 9 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
8192 Nov 7 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot.exe"
8192 Nov 7 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mimboot.exe"
8192 Dec 10 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mimboot.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
180269 Sep 8 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Sep 8 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"


end of report

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 02 July 2009 - 10:07 PM

Hello,

Excellent, thanks. :thumbup2: In case you're wondering, this infection takes legit files and scrambles them around, replacing them with bogus ones. What we're doing here is unscrambling them and putting the real ones back where they belong. :)

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\WINNT\bak
C:\Program Files\iTunes\bak
C:\Program Files\QUICKENW\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Verizon\bak
C:\Program Files\Windows Media Player\bak
C:\WINNT\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\MediaSource\Detector\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply. If all is well, we'll finish with AWF and go on to the rest of it. :)

Thanks,
tea

Edited by teacup61, 02 July 2009 - 10:08 PM.

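An added illustration, not part of this thread and not FindAWF's own code (FindAWF is noahdfear's tool), of the swap tea describes above and of the FindAWF steps used in this thread: the "Duplicate files of bak directory contents" report, the Option 2 restore, and the Option 3 folder removal. It builds a throwaway directory tree whose folder and file names are modelled on the log (the file contents are constructed stand-ins), compares each backed-up original with the same-named file one level up by size and SHA-256 rather than by size and date alone, and only touches files when `dry_run` is False. Process termination, which FindAWF does first, is left out. The `build_sample_tree` and `run_demo` helpers and the three-folder layout are assumptions made for this example.

```python
"""Added example: detect and undo AWF-style 'bak' folder swaps.

Hypothetical re-implementation of the FindAWF steps described in the
thread (report, Option 2 restore, Option 3 removal); not FindAWF's code.
Runs entirely on a constructed temporary directory.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash file contents; size alone cannot tell a swapped binary apart."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_folders(root: Path):
    """Return every directory named 'bak' (case-insensitive) under root."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() == "bak":
                found.append(Path(dirpath) / name)
    return sorted(found)


def report_bak_duplicates(root: Path):
    """Mirror the 'Duplicate files of bak directory contents' section: for each
    file kept in a bak folder, classify the same-named file one level up."""
    findings = []
    for bak in find_bak_folders(root):
        for original in sorted(p for p in bak.iterdir() if p.is_file()):
            parent_copy = bak.parent / original.name
            if not parent_copy.exists():
                status = "missing"      # rogue gone, original not yet put back
            elif (parent_copy.stat().st_size == original.stat().st_size
                  and sha256_of(parent_copy) == sha256_of(original)):
                status = "identical"    # original already in place
            else:
                status = "differs"      # parent-folder file is not the backed-up one
            findings.append({"name": original.name, "bak": original,
                             "parent": parent_copy, "status": status})
    return findings


def restore_from_bak(findings, dry_run=True):
    """Option 2: delete the file in the parent folder (if any) and copy the
    backed-up original back. Returns the parent paths that were (or would be) restored."""
    restored = []
    for item in findings:
        if item["status"] == "identical":
            continue
        if not dry_run:
            if item["parent"].exists():
                item["parent"].unlink()
            shutil.copy2(item["bak"], item["parent"])
        restored.append(item["parent"])
    return restored


def remove_bak_folders(root: Path, dry_run=True):
    """Option 3: remove the bak folders once every original is back in place."""
    removed = []
    for bak in find_bak_folders(root):   # list is built before any deletion
        if not dry_run:
            shutil.rmtree(bak)
        removed.append(bak)
    return removed


def build_sample_tree(root: Path):
    """Constructed layout modelled on the thread's log; contents are fake."""
    layout = {
        "Program Files/QuickTime": ("qttask.exe", b"REAL-QTTASK", b"BOGUS-LOADER"),
        "Program Files/iTunes": ("iTunesHelper.exe", b"REAL-ITUNES", b"REAL-ITUNES"),
        "WINNT/system32": ("NeroCheck.exe", b"REAL-NERO", None),
    }
    for folder, (name, original, parent_bytes) in layout.items():
        bak = root / folder / "bak"
        bak.mkdir(parents=True)
        (bak / name).write_bytes(original)
        if parent_bytes is not None:
            (bak.parent / name).write_bytes(parent_bytes)


def run_demo():
    """Report -> restore -> remove on a throwaway tree; return what each step saw."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        before = {f["name"]: f["status"] for f in report_bak_duplicates(root)}
        restored = [p.name for p in restore_from_bak(report_bak_duplicates(root), dry_run=False)]
        after = {f["name"]: f["status"] for f in report_bak_duplicates(root)}
        qttask = (root / "Program Files/QuickTime/qttask.exe").read_bytes()
        removed = len(remove_bak_folders(root, dry_run=False))
        remaining = len(find_bak_folders(root))
    return {"before": before, "restored": sorted(restored), "after": after,
            "qttask": qttask, "removed": removed, "remaining": remaining}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Reporting first and restoring only on request is deliberate: the log earlier in this thread lists ctfmon.exe with a copy in system32 dated 2008 and a bak copy dated 2004, and tea left it off the Option 2 list. A newer file in the parent folder can be a legitimate update rather than a rogue, so a "differs" entry deserves a look before the bak copy is put back.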

#9 Salar

Salar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Location:Vermont
  • Local time:02:13 PM

Posted 02 July 2009 - 10:37 PM

Thanks tea, for the explanation. I was indeed wondering if that was the case. :thumbup2:

Here's my FindAWF log:

Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 07/02/2009
The current time is: 23:20:45.03


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:13 PM

Posted 02 July 2009 - 11:00 PM

Hello,

You're welcome, and that log looks perfect. No more duplicates. :thumbup2:

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

Now let's see what a ComboFix report looks like. But first I'd like for you to get a fresh copy, so......

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

#11 Salar

Salar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Location:Vermont
  • Local time:02:13 PM

Posted 03 July 2009 - 07:09 AM

My ComboFix log is pasted below. This stuff is fascinating!

ComboFix 09-07-02.02 - Owner 07/03/2009 7:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1562 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 15:27 . 2006-01-12 19:40 155648 ----a-w- c:\winnt\system32\NeroCheck.exe
2009-07-01 17:50 . 2009-07-01 17:53 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Temp
2009-07-01 13:22 . 2009-06-28 12:16 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-07-01 13:22 . 2009-06-28 12:16 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-07-01 13:22 . 2009-06-28 12:16 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-01 13:22 . 2009-06-28 12:16 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-06-30 00:41 . 2009-06-30 00:48 -------- d-s---w- C:\Combo-Fix
2009-06-29 23:19 . 2009-06-29 23:25 -------- d-----w- C:\totalcmd
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\UC.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\RAR.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKZIP.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\PKUNZIP.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\NOCLOSE.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\LHA.PIF
2009-06-29 23:19 . 2008-08-08 11:04 545 ----a-w- c:\winnt\ARJ.PIF
2009-06-29 23:12 . 2009-06-29 23:24 -------- d-----w- C:\Total Commander
2009-06-29 21:02 . 2009-06-29 21:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-29 21:02 . 2009-06-29 21:28 -------- d-----w- c:\program files\NOS
2009-06-29 20:39 . 2009-06-29 20:39 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-29 20:37 . 2009-06-29 20:37 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\setup\AU_setup.exe
2009-06-27 19:08 . 2009-06-29 17:01 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-06-27 19:08 . 2009-06-27 19:08 -------- d-sh--w- c:\winnt\ftpcache
2009-06-27 19:08 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe
2009-06-27 13:08 . 2009-06-27 13:08 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-26 22:21 . 2009-06-26 22:21 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-06-26 16:09 . 2009-04-30 21:22 12800 ------w- c:\winnt\system32\dllcache\xpshims.dll
2009-06-26 16:09 . 2009-04-30 21:22 246272 ------w- c:\winnt\system32\dllcache\ieproxy.dll
2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\program files\iPod
2009-06-26 01:49 . 2009-06-26 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-26 01:40 . 2009-06-26 01:40 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-21 20:07 . 2009-07-03 11:43 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-06-21 19:48 . 2009-06-21 19:48 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\HP
2009-06-21 19:45 . 2009-06-21 19:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-06-21 19:42 . 2008-10-28 16:49 118272 ----a-w- c:\winnt\system32\hpz3l696.dll
2009-06-21 19:42 . 2008-10-30 07:18 737280 ----a-r- c:\winnt\system32\hposwia_p01c.dll
2009-06-21 19:42 . 2008-10-30 07:18 974848 ----a-r- c:\winnt\system32\hpost_p01c.dll
2009-06-21 19:42 . 2008-10-30 07:18 307200 ----a-r- c:\winnt\system32\hposc_p01a.dll
2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Common Files\HP
2009-06-21 19:40 . 2009-06-21 19:40 -------- d-----w- c:\program files\Hewlett-Packard
2009-06-21 19:31 . 2009-06-21 20:02 150623 ----a-w- c:\winnt\hpoins33.dat
2009-06-21 19:31 . 2008-12-10 20:49 1008 ------w- c:\winnt\hpomdl33.dat
2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-20 15:20 . 2009-06-17 15:27 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-20 15:20 . 2009-06-20 15:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-20 15:20 . 2009-06-17 15:27 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-06-12 23:11 . 2009-06-12 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Viewpoint
2009-06-10 16:51 . 2009-06-10 16:51 -------- d-----w- c:\program files\Viewpoint
2009-06-10 11:03 . 2009-06-10 11:03 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-05 01:33 . 2009-06-05 01:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-03 21:54 . 2009-06-03 21:54 -------- d-sh--w- c:\winnt\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 03:20 . 2003-01-23 02:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-03 03:20 . 2007-07-05 16:43 -------- d-----w- c:\program files\iTunes
2009-07-03 03:20 . 2006-05-22 14:38 -------- d-----w- c:\program files\Verizon
2009-07-03 03:20 . 2005-09-26 15:11 -------- d-----w- c:\program files\QuickTime
2009-07-03 03:20 . 2003-01-23 02:10 -------- d-----w- c:\program files\QUICKENW
2009-07-01 17:54 . 2004-05-08 00:11 -------- d-----w- c:\program files\Google
2009-07-01 13:22 . 2009-06-27 13:06 327688 ----a-w- c:\winnt\system32\drivers\avgldx86.sys.prepare
2009-07-01 13:22 . 2009-06-27 13:06 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys.prepare
2009-06-30 00:13 . 2008-04-23 03:05 393202 ----a-w- c:\winnt\PCHealth\HelpCtr\Config\Cache\Personal_32_1033.dat
2009-06-29 21:35 . 2004-04-24 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-29 21:06 . 2004-04-21 18:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-29 20:39 . 2003-01-23 02:10 -------- d-----w- c:\program files\Common Files\Real
2009-06-29 20:39 . 2003-02-21 09:42 348160 ----a-w- c:\winnt\system32\msvcr71.dll
2009-06-29 20:23 . 2005-02-13 16:28 -------- d-----w- c:\program files\Java
2009-06-29 19:01 . 2003-01-23 02:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 19:32 . 2008-05-16 13:31 -------- d-----w- c:\program files\SpywareBlaster
2009-06-27 20:06 . 2003-02-02 12:45 111760 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-27 18:41 . 2007-12-13 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-27 18:39 . 2003-01-23 02:13 -------- d-----w- c:\program files\Microsoft Works
2009-06-27 13:23 . 2009-01-11 09:22 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-26 22:23 . 2007-12-22 13:00 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-26 01:49 . 2007-07-05 16:42 -------- d-----w- c:\program files\Common Files\Apple
2009-06-21 19:47 . 2007-12-04 15:40 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2009-06-21 19:47 . 2007-12-04 15:31 -------- d-----w- c:\program files\HP
2009-06-21 19:45 . 2007-12-04 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-06-10 16:51 . 2004-08-05 17:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-25 04:24 . 2008-05-27 02:18 350208 ------w- c:\winnt\system32\mssph.dll
2009-05-25 01:51 . 2007-04-15 16:09 -------- d--h--w- c:\documents and settings\Owner\Application Data\Move Networks
2009-05-21 15:33 . 2009-01-17 14:31 410984 ----a-w- c:\winnt\system32\deploytk.dll
2009-05-20 18:13 . 2007-10-10 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-13 05:15 . 2004-09-26 23:39 915456 ----a-w- c:\winnt\system32\wininet.dll
2009-05-11 12:36 . 2009-01-11 09:22 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-05-11 12:36 . 2009-01-11 09:22 325896 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-05-11 12:36 . 2009-01-11 09:22 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-10 14:20 . 2009-05-10 14:20 127877 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-05-10 14:20 . 2009-05-01 06:30 4183416 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071500000347.dll
2009-05-10 14:20 . 2009-05-10 14:19 1685856 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-05-10 01:21 . 2007-11-15 16:56 -------- d-----w- c:\program files\Jasc Software Inc
2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_SMLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
2009-05-10 01:16 . 2009-05-10 01:16 57344 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}\DPS_DTLink.CAA7B2BB_F373_4C0B_8C62_D4147E5C816B.exe
2009-05-07 15:32 . 2004-09-26 23:39 345600 ----a-w- c:\winnt\system32\localspl.dll
2009-05-04 21:18 . 2009-05-04 21:18 390664 ----a-w- c:\documents and settings\Owner\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-01 06:30 . 2009-05-01 06:30 97144 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-04-23 00:08 . 2009-04-23 00:08 15340 ----a-w- C:\gtm6F.tmp
2009-04-17 12:26 . 2004-09-26 23:39 1847168 ----a-w- c:\winnt\system32\win32k.sys
2009-04-15 14:51 . 2004-09-26 23:40 585216 ----a-w- c:\winnt\system32\rpcrt4.dll
2002-09-07 06:47 . 2004-04-25 14:26 144 ------w- c:\program files\pcdocrx_order.html
2001-03-11 11:59 . 2004-04-25 14:26 766 ------w- c:\program files\pcdoc.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
"NvMediaCenter"="c:\winnt\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
"NvCplDaemon"="c:\winnt\system32\NvCpl.dll" [2003-07-28 4841472]
"NvMediaCenter"="c:\winnt\system32\NvMcTray.dll" [2003-07-28 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-09-09 180269]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
"GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]
"atwtusb"="atwtusb.exe" - c:\winnt\system32\atwtusb.exe [2002-11-21 188416]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2003-07-28 323584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"0000 - c:\documents and settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1"="c:\winnt\system32\command.com" [2002-08-29 50620]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Seagate 2GEVZBMW Product Registration.lnk - c:\documents and settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe [2009-6-27 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2007-10-10 126136]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 12:36 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AloPar.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Parallel Arbitrator]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CADIX Screen Saver Control.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CADIX Screen Saver Control.lnk
backup=c:\winnt\pss\CADIX Screen Saver Control.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\winnt\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\winnt\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reminder-hpc41004.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reminder-hpc41004.lnk
backup=c:\winnt\pss\Reminder-hpc41004.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\winnt\pss\Verizon Online Support Center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Quick StartUp.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Quick StartUp.lnk
backup=c:\winnt\pss\Quick StartUp.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Start.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Start.lnk
backup=c:\winnt\pss\Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Speed Disk service"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"PrismXL"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"LightScribeService"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"RPSUpdaterR"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"dvpapi"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"=
"c:\\Program Files\\Electronic Arts\\Need For Speed III\\nfs3.exe"=
"c:\\WINNT\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Gateway\\Gateway Download Assistant\\Downloader.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\googleearth.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\Program Files\\Google\\Google Updater\\GoogleUpdater.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [1/11/2009 5:22 AM 325896]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/11/2009 5:22 AM 298776]
R2 BBFat.VxD;BlueBird DSP API;c:\winnt\system32\drivers\BBFat.sys [8/19/2002 5:25 PM 7808]
R2 mrtRate;mrtRate;c:\winnt\system32\drivers\MrtRate.sys [1/22/2003 10:11 PM 34712]
R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [1/22/2003 10:15 PM 6736]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/10/2009 12:51 PM 30152]
S2 gupdate1c9cfd6ade0b7ca;Google Update Service (gupdate1c9cfd6ade0b7ca);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 8:15 AM 133104]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
S4 AloPar;AloPar;c:\winnt\system32\drivers\AloPar.sys [2/1/2003 1:11 PM 4112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\winnt\system32\rundll32.exe" "c:\winnt\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\winnt\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-03 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:15]

2009-07-03 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 12:15]

2009-07-02 c:\winnt\Tasks\{925FCACA-D57F-4037-9499-423C3A36AF61}_S0029534513_Owner.job
- c:\winnt\system32\mobsync.exe [2004-09-26 00:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file)
HKCU-RunOnce-Shockwave Updater - c:\winnt\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; JUNO; GTB5; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET
Notify-awtuuVop - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://forecast.weather.gov/MapClick.php?site=BTV&llon=-73.272083&rlon=-72.609583&tlat=44.727917&blat=44.065417&smap=1&mp=1&map.x=110&map.y=88
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/dsl_settings/include/vzTCPConfig.CAB
DPF: {511073AD-BE56-4D43-AE68-93390514385E} - hcp://system/TechTools.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 07:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{F57B7ED0-D8AB-11D1-85DFnk *fPv!t\TypeLib]
@="{0002E157-0000-0000-C000-000000000046}"
"Version"="5.3"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1428)
c:\winnt\system32\WININET.dll
c:\winnt\system32\ieframe.dll
c:\winnt\system32\webcheck.dll
c:\winnt\system32\WPDShServiceObj.dll
c:\winnt\system32\PortableDeviceTypes.dll
c:\winnt\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-03 7:59
ComboFix-quarantined-files.txt 2009-07-03 11:59

Pre-Run: 11,869,106,176 bytes free
Post-Run: 11,911,168,000 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
299 --- E O F --- 2009-06-27 03:02

#12 Salar

Salar
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Location:Vermont

Posted 03 July 2009 - 07:20 AM

Hi again Tea.

I forgot to run HijackThis before my last reply. Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:19 AM, on 7/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\SearchIndexer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\WINNT\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\Security\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?s...10&map.y=88
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [0000 - C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1] C:\WINNT\system32\command.com /c rmdir "C:\Documents and Settings\Owner\Start Menu\Programs\HP DeskJet 810C Series v11.1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Seagate 2GEVZBMW Product Registration.lnk = C:\Documents and Settings\Owner\Application Data\Leadertech\PowerRegister\Seagate 2GEVZBMW Product Registration.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_14.dll
O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/dsl_settings/...vzTCPConfig.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by109fd.bay109.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674274203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1228674255953
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: awtuuVop - C:\WINNT\
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c9cfd6ade0b7ca) (gupdate1c9cfd6ade0b7ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12937 bytes

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 July 2009 - 05:07 PM

Hello,

Those look much better. :thumbup2: No sign of the rootkit, and AWF is gone. I didn't see it, but do you use AOL, or at least AIM? If not:

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew before; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {70AA65F2-2221-4BAE-8A26-B9F10AABFCEF} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)
O20 - Winlogon Notify: awtuuVop - C:\WINNT\
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

I see you have MBAM already, so please make sure it's updated and have a scan with it. Post the report in your reply, if there is anything to post. How is it running now please? :)

Yes, it's fascinating stuff.....every day it's something new, and something new to learn.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
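The fix list in the reply above was picked out by eye: O2/O3 entries whose CLSID no longer resolves to a file, a Winlogon Notify entry that names no DLL, and a service belonging to foistware. The script below is an added example, not code from the thread or from HijackThis, that applies those same checks to pasted HJT log lines; the sample lines are copied from the log posted earlier, and the foistware name list is an assumption reduced to the one program this thread names.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    "O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - "
    "C:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\hpswp_printenhancer.dll",
    "O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)",
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINNT\\SYSTEM32\\avgrsstx.dll",
    "O20 - Winlogon Notify: awtuuVop - C:\\WINNT\\",
    "O23 - Service: Viewpoint Service - Viewpoint Corporation - "
    "C:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe",
])

# Assumed list: programs the thread classes as foistware (worth a question, not an automatic removal).
FOISTWARE_NAMES = ("viewpoint",)

# HJT lines read "Oxx - Kind: rest"; the first colon ends the kind.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an HJT line into (section, kind, rest); None for non-O lines."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, kind, rest = parsed
        line = raw.strip()
        if section in ("O2", "O3"):
            # name - {CLSID} - path; maxsplit keeps paths containing " - " intact
            fields = rest.split(" - ", 2)
            if len(fields) == 3 and fields[2] == "(no file)":
                findings.append(("registered CLSID with no DLL on disk (orphan)", line))
        elif section == "O20" and kind == "Winlogon Notify":
            _name, _, path = rest.partition(" - ")
            # A Notify package must name a DLL; a bare directory is a dead entry
            if path.endswith("\\"):
                findings.append(("Winlogon Notify entry that names no DLL", line))
        elif section == "O23":
            name = rest.split(" - ", 2)[0]  # service name - company - path
            if any(f in name.lower() for f in FOISTWARE_NAMES):
                findings.append(("service belongs to known foistware", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the four lines the reply asked the poster to fix and leaves the AVG and HP entries alone.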

#14 Salar

Salar
  • Topic Starter

  • Members
  • 10 posts
  • Location:Vermont

Posted 04 July 2009 - 01:32 PM

Hello Tea. Happy 4th of July! :thumbup2:

Thanks for the Viewpoint tip. I found and removed the Viewpoint Media Player (I removed AIM years ago).

I then ran the HJT scan and found and checked all of the entries you posted, except for the Viewpoint entry, which wasn't there. Then a reboot and updated MBAM scan, which ended up with no malware detected.

The computer seems to be running fine, except that the Add/Remove Programs window is taking much longer to load the program list than it used to.

By the way, I found a Vol_Toolbar folder in C:\Program Files, but it doesn't show up in Add/Remove Programs. There are 3 files in this folder: install.ico, toolbar.ini and uninstall.exe. Could this be related to "O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - (no file)" that I checked and deleted earlier? Based on negative reports about this toolbar (which I have never seen onscreen), I want to remove it. Would this be as simple as deleting that folder and files?

Thanks,
Salar

#15 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 July 2009 - 08:22 PM

Hello,

The toolbar is all right, and yes they are related......the CLSID and the file name go with Verizon Broadband. :) You can do away with it if you like, especially if you don't use Verizon any more. But I do see entries for it in your logs, so I don't know.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Any other questions? :)

Happy 4th to you as well. :thumbup2:

tea