Infected with Antivirus Pro, I think...


17 replies to this topic

#1 Khirae

Khirae

  • Members
  • 21 posts

Posted 07 July 2009 - 12:11 PM

The other day, I got a message at the bottom of my screen saying something about AntiVirus Pro and Windows will install it to get rid of a virus that you have and then several pop-ups appeared. I couldn't remove it from my taskbar, so I used AVG and MBAM, but the computer is still infected. I thought I got rid of it with MBAM because it found the infections and removed them. I ran it again and it found one more and said 'removal successful', but the next time I ran the scan (about two minutes later), the infection was still there. MBAM said it was: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Data: YOUR-4DACDOEA75_001E1CF). If that helps at all. I also have my MBAM log if that helps. I'm using a different computer because whenever I get on the internet with the infected one, more infections show up. I'm not all that computer literate, so any help would be much appreciated. Let me know if there's any more info that you need. Here are my DDS logs:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Missy at 11:37:23.67 on Tue 07/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.477 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Search Settings\SearchSettings.exe
C:\windows\ld12.exe
C:\WINDOWS\system32\ctfmon.exe
svchost
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG8\avgupd.exe
C:\Documents and Settings\Missy\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://forums.worldofwarcraft.com/thread.html?topicId=14990472390&sid=1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn4\yt.dll
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn4\yt.dll
BHO: {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn4\yt.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
mRun: [sysldtray] c:\windows\ld12.exe
uExplorerRun: [servises] c:\windows\system32\servises.exe
mExplorerRun: [servises] c:\windows\system32\servises.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~2.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\windows\system32\winhelper.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-13 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-13 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-13 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-13 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-13 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-7-3 2368]
S1 18eacb;18eacb;c:\windows\system32\drivers\18eacb.sys --> c:\windows\system32\drivers\18eacb.sys [?]
S1 drvdrv;drvdrv;\??\c:\program files\drv\drv.sys --> c:\program files\drv\drv.sys [?]
S2 DhcpDot3svc;DHCP Client DhcpDot3svc;c:\windows\system32\acctresi.exe srv --> c:\windows\system32\acctresi.exe srv [?]
S2 drv;drv;c:\windows\system32\svchost.exe -k drv [2004-8-9 14336]
S2 vpjnwhxgmgwuwk;vpjnwhxgmgwuwk;\??\c:\windows\system32\drivers\akptbyqqtkwfg.sys --> c:\windows\system32\drivers\akptbyqqtkwfg.sys [?]
S2 ymyttnwgqj;ymyttnwgqj;\??\c:\windows\system32\drivers\jkxfk.sys --> c:\windows\system32\drivers\jkxfk.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-07-06 14:38 21,504 a------- c:\windows\system32\winhelper.dll
2009-07-06 14:37 25,088 a------- C:\jsrtadqg.exe
2009-07-06 14:37 48,128 a------- C:\kkfwg.exe
2009-07-06 14:37 32,768 a------- C:\fdvjfx.exe
2009-07-06 14:37 198,851 a------- C:\gklrwl.exe
2009-07-06 14:37 831 a------- c:\windows\system32\critical_warning.html
2009-07-06 14:37 <DIR> --dsh--- c:\windows\System Volume Information
2009-07-06 14:37 2 a------- C:\2092926723
2009-07-06 09:32 2,862,428 a------- c:\windows\system32\GameMon.des
2009-07-06 09:32 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-07-06 09:32 4,682 a------- c:\windows\system32\npptNT2.sys
2009-07-06 09:31 <DIR> --d----- c:\program files\common files\INCA Shared
2009-07-05 23:44 <DIR> --d----- c:\program files\NCSoft
2009-07-05 23:41 <DIR> --d----- c:\docume~1\missy\applic~1\GetRightToGo
2009-07-05 23:32 <DIR> --dsh--- c:\documents and settings\missy\IETldCache
2009-07-05 23:27 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-05 23:27 <DIR> --d----- c:\windows\ie8updates
2009-07-05 23:26 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-05 23:26 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-05 23:26 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-05 23:26 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-05 23:25 <DIR> -cd-h--- c:\windows\ie8
2009-07-05 17:55 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-05 17:12 0 a------- c:\windows\strt_1246831976.exe
2009-07-05 00:52 1 a------- c:\windows\934fdfg34fgjf23
2009-07-05 00:51 <DIR> --d----- c:\program files\drv
2009-07-05 00:51 2 a------- c:\windows\0101120101464849.dat
2009-07-05 00:51 2 a------- c:\windows\010112010146118114.dat
2009-07-05 00:50 28,672 -------- c:\windows\ld12.exe
2009-07-05 00:02 213,024 a------- c:\windows\system32\drivers\str.sys
2009-07-04 23:05 <DIR> --d----- c:\docume~1\missy\applic~1\Uniblue
2009-07-04 15:10 <DIR> --d----- c:\program files\Dealio Toolbar
2009-07-03 23:05 <DIR> --d----- c:\program files\Sourceforge
2009-07-03 22:56 245,760 a------- c:\windows\system32\mp4sds32.ax
2009-07-03 22:56 309,616 a------- c:\windows\system32\wmv8dmod.dll
2009-07-03 22:55 420,240 a------- c:\windows\system32\mpg4c32.dll
2009-07-03 22:55 647,872 a------- c:\windows\system32\MSCOMCT2.OCX
2009-07-03 22:55 140,288 a------- c:\windows\system32\comdlg32.ocx
2009-07-03 22:55 45,056 a------- c:\windows\system32\CxxProgressBar.ocx
2009-07-03 22:35 <DIR> --d----- c:\program files\Solveig Multimedia
2009-07-03 21:31 2,368 a------- c:\windows\system32\SVKP.sys
2009-07-03 21:26 <DIR> --d----- c:\docume~1\missy\applic~1\Moyea
2009-06-08 21:22 <DIR> --d----- c:\docume~1\missy\applic~1\Malwarebytes

==================== Find3M ====================

2009-07-06 08:40 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 08:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-07 17:33 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-06-01 14:22 57,858 a------- c:\windows\Sysvxd.exe
2009-05-26 11:23 4,608 a------- c:\windows\system32\w95inf32.dll
2009-05-26 11:23 2,272 a------- c:\windows\system32\w95inf16.dll
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 06:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 23:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-01-31 06:15 1,459 a------- c:\program files\Media Center.lnk
2007-07-04 13:10 104 a------- c:\program files\Internet Explorer.lnk
2006-06-19 11:30 1,903 a------- c:\program files\Help and Support.lnk
2006-06-19 11:29 1,540 a------- c:\program files\HP Extended Service Plans.lnk
2006-06-19 11:26 1,580 a------- c:\program files\Quicken New User Edition 2006.lnk

============= FINISH: 11:40:13.75 ===============



MBAM log, if it helps:

Malwarebytes' Anti-Malware 1.33
Database version: 1658
Windows 5.1.2600 Service Pack 3

7/7/2009 10:57:09 AM
mbam-log-2009-07-07 (10-57-09).txt

Scan type: Quick Scan
Objects scanned: 62010
Time elapsed: 11 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I hope that helps. Please let me know if there's a way to get rid of this infection.

Edited by Khirae, 07 July 2009 - 12:12 PM.
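As an added triage aid (my own example, not code from the post or from the DDS tool), the Python below applies the checks a helper would otherwise make by eye on the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above: a Winlogon Userinit value that launches anything besides userinit.exe, Policies\Explorer\Run entries, autoruns sitting directly in the Windows directory root, a non-default LSP, services whose file DDS could not verify (`[?]`), and svchost service groups that do not appear among the standard ones in the running-process list. The sample lines are copied from this post's log; the heuristics and severity labels are assumptions of this example.

```python
"""Heuristic triage of DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines."""
import ntpath
import re

# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [sysldtray] c:\windows\ld12.exe
uExplorerRun: [servises] c:\windows\system32\servises.exe
LSP: c:\windows\system32\winhelper.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-13 327688]
S2 drv;drv;c:\windows\system32\svchost.exe -k drv [2004-8-9 14336]
S2 vpjnwhxgmgwuwk;vpjnwhxgmgwuwk;\??\c:\windows\system32\drivers\akptbyqqtkwfg.sys --> c:\windows\system32\drivers\akptbyqqtkwfg.sys [?]
"""

WINDIR = r"c:\windows"
# svchost groups seen in the legitimate process list of the same DDS log
KNOWN_SVCHOST_GROUPS = {"dcomlaunch", "rpcss", "netsvcs", "wudfservicegroup",
                        "networkservice", "localservice", "imgsvc"}

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")
RUN_RE = re.compile(r"^([um](?:Explorer)?Run): \[([^\]]*)\] ?(.*)$")


def first_token(cmd):
    """Return the executable part of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_userinit(value):
    """Winlogon\\Userinit must launch userinit.exe and nothing else.

    Returns the list of extra programs chained after it (empty when clean)."""
    progs = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in progs if ntpath.basename(p).lower() != "userinit.exe"]


def windir_root_exe(cmd):
    """True when the autorun's executable sits directly in %windir% (heuristic)."""
    exe = first_token(cmd).lower()
    return ntpath.dirname(exe) == WINDIR


def triage(text):
    """Scan DDS lines and return (severity, check, detail) findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("mWinlogon: Userinit="):
            for extra in check_userinit(line.split("=", 1)[1]):
                findings.append(("high", "userinit", extra))
            continue
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            if "ExplorerRun" in key:
                # Policies\Explorer\Run is rarely used by legitimate software
                findings.append(("high", "policies-explorer-run", f"{name}: {cmd}"))
            elif windir_root_exe(cmd):
                findings.append(("medium", "windir-root-autorun", f"{name}: {cmd}"))
            continue
        if line.startswith("LSP:"):
            # A Winsock LSP sees all socket traffic; verify the DLL's publisher
            findings.append(("medium", "lsp", line.split(":", 1)[1].strip()))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, name, _desc, rest = m.groups()
            if rest.endswith("[?]"):
                # DDS could not read the file behind the service entry
                findings.append(("high", "service-file-unverified", f"{state} {name}"))
            grp = re.search(r"svchost\.exe -k (\S+)", rest, re.I)
            if grp and grp.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                findings.append(("high", "svchost-unknown-group",
                                 f"{state} {name} (-k {grp.group(1)})"))
    return findings


if __name__ == "__main__":
    for sev, check, detail in triage(SAMPLE_DDS):
        print(f"[{sev:6}] {check:24} {detail}")
```

Run against the sample it reports the six entries that MBAM later quarantined or that a helper would ask about first; the same `triage()` can be fed a whole DDS log since lines it does not recognise are ignored.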


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 08 July 2009 - 05:44 AM

Hi,

Malwarebytes' Anti-Malware 1.33
Database version: 1658
Windows 5.1.2600 Service Pack 3

That's way outdated!

First of all, please update MalwareBytes....
  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#3 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts

Posted 08 July 2009 - 06:51 PM

Ugh! I can't believe I forgot to update it! Thanks! Your reply was a lot faster than I thought it would be. Here are the most recent logs:

MBAM:

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

7/8/2009 6:30:23 PM
mbam-log-2009-07-08 (18-30-23).txt

Scan type: Quick Scan
Objects scanned: 118203
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 60
Registry Values Infected: 8
Registry Data Items Infected: 5
Folders Infected: 4
Files Infected: 41

Memory Processes Infected:
C:\WINDOWS\ld12.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ju495.ju495mgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ju495.ju495mgr.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9e263d08-4127-4b99-9043-4fb044e6fcbc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9e263d08-4127-4b99-9043-4fb044e6fcbc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d263fa6d-84cc-48a8-9af6-c664362b7a5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d76ab2a1-00f3-42bd-f434-00bbc39c8953} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdAgent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831} (Adware.RelevantKnowledge) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Seekapp (Adware.Seekapp) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\drvdrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\drv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRVDRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_DRV (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Services\del (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\servises (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\drv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\870159 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\Program Files\Seekapp (Adware.Seekapp) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Application Data\Seekapp (Adware.Seekapp) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\ld12.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wbem\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\fdvjfx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\gklrwl.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\jsrtadqg.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\kkfwg.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-2367746093-295159659-1467035876-1009\Dc99.exe (Malware.Packer) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\2860218628mxx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\a.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\d.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\installb[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\installb[2].exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\~TM77.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\Temp\~TMB1.tmp (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\temporary internet files\Content.IE5\CU68Z8BR\aasuper2[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\temporary internet files\Content.IE5\EB390GRG\aasuper3[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\temporary internet files\Content.IE5\HJNXGOLF\aasuper1[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\local settings\temporary internet files\Content.IE5\NRYZHLSG\aasuper0[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
c:\windows\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
c:\windows\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\Seekapp\seekapp132.exe (Adware.Seekapp) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.AntiVirus360) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Sysvxd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk (Rogue.av360) -> Quarantined and deleted successfully.
c:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\sto452730.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
c:\documents and settings\Missy\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\chrome\amba.jar (Trojan.Hanam) -> Quarantined and deleted successfully.
c:\WINDOWS\strt_1246831976.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.



DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Missy at 18:43:42.98 on Wed 07/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.398 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Search Settings\SearchSettings.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
svchost.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Missy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://forums.worldofwarcraft.com/thread.html?topicId=14990472390&sid=1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn4\yt.dll
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn4\yt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn4\yt.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - c:\program files\dealio toolbar\DealioToolbarIE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPwuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SearchSettings] c:\program files\search settings\SearchSettings.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~2.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.8.110.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-13 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-13 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-13 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-13 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-13 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-7-3 2368]
RUnknown roec;roec; [x]
S1 18eacb;18eacb;c:\windows\system32\drivers\18eacb.sys --> c:\windows\system32\drivers\18eacb.sys [?]
S2 DhcpDot3svc;DHCP Client DhcpDot3svc;c:\windows\system32\acctresi.exe srv --> c:\windows\system32\acctresi.exe srv [?]
S2 vpjnwhxgmgwuwk;vpjnwhxgmgwuwk;\??\c:\windows\system32\drivers\akptbyqqtkwfg.sys --> c:\windows\system32\drivers\akptbyqqtkwfg.sys [?]
S2 ymyttnwgqj;ymyttnwgqj;\??\c:\windows\system32\drivers\jkxfk.sys --> c:\windows\system32\drivers\jkxfk.sys [?]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getplus_helpersvc.exe --> c:\program files\nos\bin\getPlus_HelperSvc.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-07-06 14:37 <DIR> --dsh--- c:\windows\System Volume Information
2009-07-06 14:37 2 a------- C:\2092926723
2009-07-06 09:32 2,862,428 a------- c:\windows\system32\GameMon.des
2009-07-06 09:32 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-07-06 09:32 4,682 a------- c:\windows\system32\npptNT2.sys
2009-07-06 09:31 <DIR> --d----- c:\program files\common files\INCA Shared
2009-07-05 23:44 <DIR> --d----- c:\program files\NCSoft
2009-07-05 23:41 <DIR> --d----- c:\docume~1\missy\applic~1\GetRightToGo
2009-07-05 23:32 <DIR> --dsh--- c:\documents and settings\missy\IETldCache
2009-07-05 23:27 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-05 23:27 <DIR> --d----- c:\windows\ie8updates
2009-07-05 23:26 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-05 23:26 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-05 23:26 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-05 23:26 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-05 23:25 <DIR> -cd-h--- c:\windows\ie8
2009-07-05 17:55 664 a------- c:\windows\system32\d3d9caps.dat
2009-07-05 00:51 <DIR> --d----- c:\program files\drv
2009-07-04 23:05 <DIR> --d----- c:\docume~1\missy\applic~1\Uniblue
2009-07-04 15:10 <DIR> --d----- c:\program files\Dealio Toolbar
2009-07-03 23:05 <DIR> --d----- c:\program files\Sourceforge
2009-07-03 22:56 245,760 a------- c:\windows\system32\mp4sds32.ax
2009-07-03 22:56 309,616 a------- c:\windows\system32\wmv8dmod.dll
2009-07-03 22:55 420,240 a------- c:\windows\system32\mpg4c32.dll
2009-07-03 22:55 647,872 a------- c:\windows\system32\MSCOMCT2.OCX
2009-07-03 22:55 140,288 a------- c:\windows\system32\comdlg32.ocx
2009-07-03 22:55 45,056 a------- c:\windows\system32\CxxProgressBar.ocx
2009-07-03 22:35 <DIR> --d----- c:\program files\Solveig Multimedia
2009-07-03 21:31 2,368 a------- c:\windows\system32\SVKP.sys
2009-07-03 21:26 <DIR> --d----- c:\docume~1\missy\applic~1\Moyea
2009-06-08 21:22 <DIR> --d----- c:\docume~1\missy\applic~1\Malwarebytes

==================== Find3M ====================

2009-07-06 08:40 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 08:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-07 17:33 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-26 11:23 4,608 a------- c:\windows\system32\w95inf32.dll
2009-05-26 11:23 2,272 a------- c:\windows\system32\w95inf16.dll
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 5,936,128 -------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 1,207,808 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 06:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 23:46 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 07:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 09:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2009-01-31 06:15 1,459 a------- c:\program files\Media Center.lnk
2007-07-04 13:10 104 a------- c:\program files\Internet Explorer.lnk
2006-06-19 11:30 1,903 a------- c:\program files\Help and Support.lnk
2006-06-19 11:29 1,540 a------- c:\program files\HP Extended Service Plans.lnk
2006-06-19 11:26 1,580 a------- c:\program files\Quicken New User Edition 2006.lnk

============= FINISH: 18:46:07.85 ===============




#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:02 AM

Posted 09 July 2009 - 02:11 AM

Hi,

This is a lot better, but we still have to delete some orphaned entries / leftovers and 2 unwanted programs.

First of all, go to Start > Control Panel > Software and uninstall Search Settings 1.2.1 and Dealio Toolbar v4.0.

Those ones are not recommended.
Reboot after uninstalling.

Then, go to start > run and copy and paste the following commands one by one in the field and hit enter after each command:

sc delete ymyttnwgqj

sc delete vpjnwhxgmgwuwk

sc delete DhcpDot3svc

sc delete 18eacb

sc delete roec


Then, open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save this as fix.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Then, navigate to and delete the following folders if still present:

c:\program files\search settings
c:\program files\drv
c:\program files\Dealio Toolbar

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
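The fix above does two things a defender can check for mechanically: it removes services whose image file DDS could not resolve (the `[?]` and `[x]` trailers in the SERVICES / DRIVERS section) and it restores the SecurityProviders value, which on this machine had an extra `digiwet.dll` appended to the stock Windows XP list. The script below is an added example, not something from the thread or from the DDS/MBAM tools: it parses DDS service lines and the SecurityProviders string and reports what deviates, using lines copied from the DDS log posted above as constructed sample input. The baseline SSP list is the one the helper's fix.reg writes back.

```python
import re

# Known-good SecurityProviders list for Windows XP; this is the value the
# helper's fix.reg in the thread writes back.
BASELINE_SECURITY_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Constructed sample: a subset of the SERVICES / DRIVERS lines from the DDS log
# posted in the thread. DDS appends "[?]" when it cannot find the image file at
# the path the service points to, and "[x]" when the service has no path at all.
DDS_SERVICES = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-13 327688]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2009-7-3 2368]
RUnknown roec;roec; [x]
S1 18eacb;18eacb;c:\windows\system32\drivers\18eacb.sys --> c:\windows\system32\drivers\18eacb.sys [?]
S2 DhcpDot3svc;DHCP Client DhcpDot3svc;c:\windows\system32\acctresi.exe srv --> c:\windows\system32\acctresi.exe srv [?]
S2 vpjnwhxgmgwuwk;vpjnwhxgmgwuwk;\??\c:\windows\system32\drivers\akptbyqqtkwfg.sys --> c:\windows\system32\drivers\akptbyqqtkwfg.sys [?]
S2 ymyttnwgqj;ymyttnwgqj;\??\c:\windows\system32\drivers\jkxfk.sys --> c:\windows\system32\drivers\jkxfk.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

# <state> <name>;<display name>;<image path and trailer>
SERVICE_LINE = re.compile(r"^(?P<state>R\d|S\d|RUnknown)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# The bracketed trailer is either "[date size]" (file found) or "[?]" / "[x]".
TRAILER = re.compile(r"\[(?P<tag>[^\]]*)\]\s*$")


def parse_dds_services(text):
    """Parse DDS SERVICES / DRIVERS lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        t = TRAILER.search(rest)
        tag = t.group("tag") if t else ""
        image = rest[: t.start()].strip() if t else rest
        # When DDS prints "a --> b", b is the path it actually tried to resolve.
        if " --> " in image:
            image = image.split(" --> ", 1)[1].strip()
        entries.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "display": m.group("display"),
            "image": image,
            "resolved": tag not in ("?", "x"),
        })
    return entries


def orphaned_services(text):
    """Names of services whose image file DDS could not find, in log order."""
    return [e["name"] for e in parse_dds_services(text) if not e["resolved"]]


def unexpected_security_providers(value, baseline=BASELINE_SECURITY_PROVIDERS):
    """Entries in a SecurityProviders string that are not in the known-good list."""
    expected = {b.casefold() for b in baseline}
    parts = [p.strip() for p in value.split(",")]
    return [p for p in parts if p and p.casefold() not in expected]


def security_providers_fix_reg(value, baseline=BASELINE_SECURITY_PROVIDERS):
    """Build a REGEDIT4 file that keeps only the known-good SSP entries, in their original order."""
    expected = {b.casefold() for b in baseline}
    kept = [p.strip() for p in value.split(",") if p.strip().casefold() in expected]
    return ("REGEDIT4\n\n"
            "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\securityproviders]\n"
            '"SecurityProviders"="' + ", ".join(kept) + '"\n')


if __name__ == "__main__":
    # SecurityProviders value as shown in the DDS log above.
    ssp = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll"
    print("services with unresolved image path:", orphaned_services(DDS_SERVICES))
    print("unexpected SecurityProviders entries:", unexpected_security_providers(ssp))
    print(security_providers_fix_reg(ssp))
```

The service list is a review list, not a delete list: DDS also tags the GameGuard service (`npggsvc`), whose image file GameMon.des does appear in the Created Last 30 section of the same log, and the helper left it alone. An unexpected entry in SecurityProviders matters because every DLL listed there is loaded into lsass.exe at boot, which is why it is worth comparing against a baseline rather than eyeballing the string.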

#5 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts
  • Local time:05:02 PM

Posted 09 July 2009 - 10:31 AM

I removed Dealio twice, but I had only deleted the file, not uninstalled it. Probably because I never meant to install it the first time. Thank you so much for the help. I just went online though, did a simple Google search for MBAM and went to the regular site (so I know it was safe), and then closed the web browser. After I did, my background changed to a warning that I have viruses and to remove all spyware, and then a program to remove viruses appeared in my taskbar. I scanned with MBAM and came up with 8 infections, which I removed. Here's the log:

Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 3

7/9/2009 10:15:41 AM
mbam-log-2009-07-09 (10-15-41).txt

Scan type: Quick Scan
Objects scanned: 117798
Time elapsed: 5 minute(s), 34 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\93267956\93267956.exe (Rogue.Multiple.H) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13257964 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\93267956 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\13257964 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\93267956 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\13257964\13257964.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\13257964\13257964.glu (Rogue.Multiple.H) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\93267956\93267956.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.


After the computer restarted, I ran MBAM again and it didn't find anything. The program in the taskbar is gone... again. Should I try uninstalling and reinstalling Mozilla, or is that not the problem?

Edited by Khirae, 09 July 2009 - 10:32 AM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:02 AM

Posted 09 July 2009 - 10:36 AM

After the computer restarted, I ran MBAM again and it didn't find anything. The program in the taskbar is gone... again. Should I try uninstalling and reinstalling Mozilla, or is that not the problem?

What program is gone?
Don't think Mozilla has anything to do with that.

Do the following please....

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#7 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts
  • Local time:05:02 PM

Posted 09 July 2009 - 11:54 AM

There was a red shield in the taskbar telling me that I have a virus and changing my desktop. I only use AVG, so I shouldn't have a red shield there, should I? Or do I know even less about computers than I thought? O.O; Once I restarted the computer for MBAM, the shield was gone. I ran ComboFix, so here's the log:

ComboFix 09-07-08.A0 - Missy 07/09/2009 11:30.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.592 [GMT -5:00]
Running from: c:\documents and settings\Missy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\93267956.ini
c:\program files\Common Files\System\Uninstall
c:\recycler\S-1-5-21-1917355440-1952198089-1091109119-1008
c:\recycler\S-1-5-21-1917355440-1952198089-1091109119-1009
c:\recycler\S-1-5-21-2367746093-295159659-1467035876-1008
c:\recycler\S-1-5-21-2367746093-295159659-1467035876-1009
c:\recycler\S-1-5-21-3362775873-2709979750-1643290852-1008
c:\recycler\S-1-5-21-3696645978-1307626208-1920848979-1008
c:\recycler\S-1-5-21-3696645978-1307626208-1920848979-1009
c:\recycler\S-1-5-21-4071277047-810124111-3831474109-1008
c:\recycler\S-1-5-21-4071277047-810124111-3831474109-1009
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\116b9aa1.msi
c:\windows\Installer\11ec957d.msp
c:\windows\Installer\11ec9590.msp
c:\windows\Installer\11ec95a3.msp
c:\windows\Installer\11ec95b5.msp
c:\windows\Installer\16fb5d11.msp
c:\windows\Installer\16fb5d23.msp
c:\windows\Installer\19023eef.msp
c:\windows\Installer\1cae9898.msp
c:\windows\Installer\1cae98b2.msp
c:\windows\Installer\1cae98c5.msp
c:\windows\Installer\1cae98d7.msp
c:\windows\Installer\1cae98ea.msp
c:\windows\Installer\1cae98fc.msp
c:\windows\Installer\1d10c4.msi
c:\windows\Installer\1d10c9.msi
c:\windows\Installer\1f2a73d.msp
c:\windows\Installer\1f2a745.msi
c:\windows\Installer\1f428.msi
c:\windows\Installer\1f42e.msi
c:\windows\Installer\1f434.msi
c:\windows\Installer\203af243.msi
c:\windows\Installer\20e63776.msi
c:\windows\Installer\20e637db.msi
c:\windows\Installer\20e63a80.msi
c:\windows\Installer\20e63b9a.msi
c:\windows\Installer\21713a.msi
c:\windows\Installer\22ad89.msi
c:\windows\Installer\22ad8f.msi
c:\windows\Installer\22ad95.msi
c:\windows\Installer\22ad9b.msi
c:\windows\Installer\2407b1a.msp
c:\windows\Installer\299be9e.msi
c:\windows\Installer\2a3534e5.msi
c:\windows\Installer\2a3534f7.msp
c:\windows\Installer\2a35350a.msp
c:\windows\Installer\2a35351b.msp
c:\windows\Installer\2ab058.msi
c:\windows\Installer\2b1945.msp
c:\windows\Installer\2d2bb.msi
c:\windows\Installer\2d2cd.msi
c:\windows\Installer\2dee36a.msi
c:\windows\Installer\2dee374.msi
c:\windows\Installer\2dee37d.msi
c:\windows\Installer\2e207ebc.msp
c:\windows\Installer\2e207ece.msp
c:\windows\Installer\2e207ee2.msp
c:\windows\Installer\2e207ef5.msp
c:\windows\Installer\30eccfaf.msp
c:\windows\Installer\30eccfc1.msp
c:\windows\Installer\30eccfd3.msp
c:\windows\Installer\30eccfe6.msp
c:\windows\Installer\30eccffa.msp
c:\windows\Installer\30ecd00c.msp
c:\windows\Installer\30ecd01e.msp
c:\windows\Installer\30ecd030.msp
c:\windows\Installer\339b5.msi
c:\windows\Installer\339c1.msi
c:\windows\Installer\339c7.msi
c:\windows\Installer\339cd.msi
c:\windows\Installer\359a292.msp
c:\windows\Installer\35f9a52c.msi
c:\windows\Installer\35f9a52d.msp
c:\windows\Installer\35f9a52e.msp
c:\windows\Installer\35f9a52f.msp
c:\windows\Installer\35f9a530.msp
c:\windows\Installer\35f9a531.msp
c:\windows\Installer\35f9a532.msp
c:\windows\Installer\35f9a533.msp
c:\windows\Installer\35f9a534.msp
c:\windows\Installer\35f9a535.msp
c:\windows\Installer\36086.msi
c:\windows\Installer\36092.msi
c:\windows\Installer\36098.msi
c:\windows\Installer\3609e.msi
c:\windows\Installer\3621b416.msp
c:\windows\Installer\3621b428.msp
c:\windows\Installer\3621b439.msp
c:\windows\Installer\3a8468.msp
c:\windows\Installer\3a8471.msi
c:\windows\Installer\3a8482.msp
c:\windows\Installer\3a8495.msp
c:\windows\Installer\3a84a7.msp
c:\windows\Installer\4017009.msi
c:\windows\Installer\410ef0.msp
c:\windows\Installer\410ef8.msi
c:\windows\Installer\41cc1a55.msp
c:\windows\Installer\46f07.msi
c:\windows\Installer\46f0d.msi
c:\windows\Installer\46f12.msi
c:\windows\Installer\46f19.msi
c:\windows\Installer\46f1f.msi
c:\windows\Installer\47a82.msi
c:\windows\Installer\47a8e.msi
c:\windows\Installer\47a94.msi
c:\windows\Installer\47a9a.msi
c:\windows\Installer\4887d55.msp
c:\windows\Installer\4887d6c.msp
c:\windows\Installer\4afce35.msp
c:\windows\Installer\4c1e7913.msp
c:\windows\Installer\4c1e791b.msp
c:\windows\Installer\4c1e793b.msp
c:\windows\Installer\4c1e794d.msp
c:\windows\Installer\4c1e795f.msp
c:\windows\Installer\4c1e7966.msp
c:\windows\Installer\520255f.msi
c:\windows\Installer\54d3ad.msi
c:\windows\Installer\54d3b4.msi
c:\windows\Installer\5c1179d.msi
c:\windows\Installer\5ce5e61.msp
c:\windows\Installer\5ce5e73.msp
c:\windows\Installer\5ce5e85.msp
c:\windows\Installer\5ce5e97.msp
c:\windows\Installer\5ce5ea9.msp
c:\windows\Installer\5ce5ebb.msp
c:\windows\Installer\5ce5ee6.msp
c:\windows\Installer\5ce5ee7.msp
c:\windows\Installer\5ce5efa.msp
c:\windows\Installer\5ce5f0c.msp
c:\windows\Installer\5ce5f1f.msp
c:\windows\Installer\5ce5f31.msp
c:\windows\Installer\66276ef.msp
c:\windows\Installer\6627702.msp
c:\windows\Installer\6627715.msp
c:\windows\Installer\6627727.msp
c:\windows\Installer\662773a.msp
c:\windows\Installer\662774c.msp
c:\windows\Installer\6975c2c.msp
c:\windows\Installer\6975c3f.msp
c:\windows\Installer\6975c51.msp
c:\windows\Installer\6975c63.msp
c:\windows\Installer\77167c0.msi
c:\windows\Installer\7786b0f.msi
c:\windows\Installer\80510.msi
c:\windows\Installer\8051c.msi
c:\windows\Installer\80522.msi
c:\windows\Installer\80528.msi
c:\windows\Installer\80544.msi
c:\windows\Installer\8054a.msi
c:\windows\Installer\80550.msi
c:\windows\Installer\80556.msi
c:\windows\Installer\8055c.msi
c:\windows\Installer\80566.msi
c:\windows\Installer\80572.msi
c:\windows\Installer\80583.msi
c:\windows\Installer\8058b.msi
c:\windows\Installer\80591.msi
c:\windows\Installer\80597.msi
c:\windows\Installer\806e0.msi
c:\windows\Installer\a33d3c0.msi
c:\windows\Installer\a7dec50.msp
c:\windows\Installer\a7dec63.msp
c:\windows\Installer\a7dec75.msp
c:\windows\Installer\a7dec88.msp
c:\windows\Installer\a7dec9a.msp
c:\windows\Installer\a7decac.msp
c:\windows\Installer\a7decbe.msp
c:\windows\Installer\a82e65.msp
c:\windows\Installer\b4209.msi
c:\windows\Installer\b420f.msi
c:\windows\Installer\b421b.msi
c:\windows\Installer\b4221.msi
c:\windows\Installer\b4227.msi
c:\windows\Installer\b422d.msi
c:\windows\Installer\b4233.msi
c:\windows\Installer\b4239.msi
c:\windows\Installer\b423f.msi
c:\windows\Installer\b4245.msi
c:\windows\Installer\b425d.msi
c:\windows\Installer\b4263.msi
c:\windows\Installer\b4275.msi
c:\windows\Installer\b5ca1ae.msp
c:\windows\Installer\b5ca1c0.msp
c:\windows\Installer\b5ca1d3.msp
c:\windows\Installer\b5ca1e5.msp
c:\windows\Installer\b5ca1f7.msp
c:\windows\Installer\b5ca20a.msp
c:\windows\Installer\b5ca223.msp
c:\windows\Installer\b5ca234.msp
c:\windows\Installer\b5ca23b.msi
c:\windows\Installer\b5ca24c.msp
c:\windows\Installer\b5ca260.msp
c:\windows\Installer\b6e2f0d.msp
c:\windows\Installer\b93b57.msi
c:\windows\Installer\d1c7c03.msp
c:\windows\Installer\d825613.msi
c:\windows\Installer\f4533ed.msp
c:\windows\Installer\fbb7d9.msp
c:\windows\Installer\fbb7e1.msi
c:\windows\kb913800.exe
c:\windows\patch.exe
c:\windows\system32\_id.dat
c:\windows\system32\drivers\hjgruiqxswwykf.sys
c:\windows\system32\hjgruiedmotnkj.dll
c:\windows\system32\hjgruiiblrhypm.dat
c:\windows\system32\hjgruixwyhuflu.dat
c:\windows\system32\hjgruixxdwqpoj.dll
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruidboadnry


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 16:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-09 16:44 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-06 19:49 . 2009-07-06 19:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-07-06 19:37 . 2009-07-06 19:37 -------- d-sh--w- c:\windows\System Volume Information
2009-07-06 14:32 . 2005-01-01 09:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-06 14:31 . 2009-07-06 14:31 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-06 05:16 . 2009-07-06 05:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-06 04:46 . 2009-07-06 04:46 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\assembly
2009-07-06 04:44 . 2009-07-06 04:47 -------- d-----w- c:\program files\NCSoft
2009-07-06 04:41 . 2009-07-06 04:42 -------- d-----w- c:\documents and settings\Missy\Application Data\GetRightToGo
2009-07-06 04:34 . 2009-07-06 04:34 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-06 04:32 . 2009-07-06 04:32 -------- d-sh--w- c:\documents and settings\Missy\IETldCache
2009-07-06 04:27 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-07-06 04:27 . 2009-07-06 04:27 -------- d-----w- c:\windows\ie8updates
2009-07-06 04:26 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-07-06 04:26 . 2009-04-30 21:22 1985024 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-07-06 04:26 . 2009-04-30 21:22 11064832 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-07-06 04:26 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-06 04:25 . 2009-07-06 04:25 -------- dc-h--w- c:\windows\ie8
2009-07-06 03:42 . 2009-07-06 03:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-05 22:55 . 2009-07-06 19:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-05 04:05 . 2009-07-05 04:05 -------- d-----w- c:\documents and settings\Missy\Application Data\Uniblue
2009-07-04 04:05 . 2009-07-04 04:05 -------- d-----w- c:\program files\Sourceforge
2009-07-04 03:56 . 2001-05-16 22:54 309616 ----a-w- c:\windows\system32\wmv8dmod.dll
2009-07-04 03:55 . 2001-05-11 18:18 420240 ----a-w- c:\windows\system32\mpg4c32.dll
2009-07-04 03:35 . 2009-07-04 03:37 -------- d-----w- c:\program files\Solveig Multimedia
2009-07-04 03:25 . 2009-07-04 03:25 167376 ----a-w- c:\documents and settings\Missy\Application Data\Mozilla\Firefox\Profiles\1yds0wbc.default\FlashGot.exe
2009-07-04 02:31 . 2009-07-04 02:31 2368 ----a-w- c:\windows\system32\SVKP.sys
2009-07-04 02:26 . 2009-07-04 02:26 -------- d-----w- c:\documents and settings\Missy\Application Data\Moyea

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 23:20 . 2009-01-13 19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-08 23:20 . 2009-01-13 19:55 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-06 19:42 . 2009-05-07 15:31 -------- d-----w- c:\documents and settings\Missy\Application Data\DNA
2009-07-06 19:42 . 2007-12-22 14:37 -------- d-----w- c:\program files\DNA
2009-07-06 13:40 . 2009-01-13 21:46 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-06 13:40 . 2009-01-13 21:46 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 13:40 . 2009-01-13 21:46 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-06 04:44 . 2006-06-19 16:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 04:20 . 2007-06-28 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-05 22:27 . 2009-01-13 21:46 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-04 01:42 . 2009-05-05 16:41 -------- d-----w- c:\documents and settings\Missy\Application Data\AVS4YOU
2009-06-20 14:51 . 2009-03-29 21:43 -------- d-----w- c:\program files\VentSrv
2009-06-20 14:51 . 2008-09-08 23:25 -------- d-----w- c:\program files\Ventrilo
2009-06-20 14:44 . 2009-05-30 20:22 -------- d-----w- c:\program files\FileSubmit
2009-06-20 14:43 . 2009-03-23 00:05 -------- d-----w- c:\documents and settings\Missy\Application Data\IGN_DLM
2009-06-17 16:27 . 2009-01-13 19:54 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-01-13 19:54 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-12 14:45 . 2006-06-19 16:38 -------- d-----w- c:\program files\Google
2009-06-11 08:07 . 2007-07-04 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-11 08:05 . 2008-04-20 14:57 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-09 03:30 . 2009-05-21 23:29 -------- d-----w- c:\documents and settings\Missy\Application Data\Azureus
2009-06-09 02:22 . 2009-06-09 02:22 -------- d-----w- c:\documents and settings\Missy\Application Data\Malwarebytes
2009-06-08 20:09 . 2009-05-23 04:27 -------- d-----w- c:\documents and settings\Missy\Application Data\DAEMON Tools Lite
2009-06-07 22:33 . 2009-05-23 04:27 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-06-04 00:57 . 2008-09-02 16:26 -------- d-----w- c:\program files\World of Warcraft
2009-06-04 00:51 . 2009-05-23 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-06-03 02:43 . 2007-07-06 14:41 -------- d-----w- c:\program files\EA GAMES
2009-06-02 04:01 . 2009-05-30 05:54 -------- d-----w- c:\documents and settings\Missy\Application Data\U3
2009-06-01 20:55 . 2009-05-26 16:22 -------- d-----w- c:\program files\MyDSC2
2009-06-01 20:34 . 2009-06-01 19:14 -------- d-----w- c:\documents and settings\Missy\Application Data\SecondLife
2009-05-30 19:53 . 2006-06-19 16:33 -------- d-----w- c:\program files\PC-Doctor 5 for Windows
2009-05-30 19:53 . 2006-06-19 16:10 -------- d-----w- c:\program files\music_now
2009-05-30 19:53 . 2006-06-19 16:09 -------- d-----w- c:\program files\MSN Encarta Standard
2009-05-30 19:53 . 2007-07-18 06:40 -------- d-----w- c:\program files\gmf
2009-05-30 19:53 . 2006-06-19 15:32 -------- d-----w- c:\program files\GemMaster
2009-05-30 19:53 . 2007-07-12 04:47 -------- d-----w- c:\program files\Free Offers from Freeze.com
2009-05-30 19:53 . 2007-07-15 04:37 -------- d-----w- c:\program files\DivX
2009-05-30 19:53 . 2006-06-19 15:32 -------- d-----w- c:\program files\EnglishOtto
2009-05-30 19:52 . 2007-07-14 06:54 -------- d-----w- c:\program files\BlogTorrent
2009-05-29 14:37 . 2009-05-29 14:20 -------- d-----w- c:\documents and settings\Missy\Application Data\W Photo Studio Viewer
2009-05-26 16:33 . 2009-05-26 16:32 -------- d-----w- c:\documents and settings\Missy\Application Data\ArcSoft
2009-05-26 16:23 . 2009-05-26 16:23 4608 ----a-w- c:\windows\system32\w95inf32.dll
2009-05-26 16:23 . 2009-05-26 16:23 2272 ----a-w- c:\windows\system32\w95inf16.dll
2009-05-26 16:23 . 2009-05-26 16:20 -------- d-----w- c:\program files\ArcSoft
2009-05-26 16:22 . 2009-05-26 16:22 -------- d-----w- c:\documents and settings\Missy\Application Data\InstallShield
2009-05-25 05:24 . 2008-05-27 04:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-23 18:12 . 2009-05-23 18:12 10134 ----a-r- c:\documents and settings\Missy\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-05-23 18:12 . 2009-05-23 18:12 -------- d-----w- c:\program files\Microsoft WSE
2009-05-23 04:35 . 2009-05-23 04:35 -------- d-----w- c:\documents and settings\Missy\Application Data\DAEMON Tools Pro
2009-05-23 04:35 . 2009-05-23 04:35 -------- d-----w- c:\documents and settings\Missy\Application Data\DAEMON Tools
2009-05-23 04:34 . 2009-05-23 04:34 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-21 23:29 . 2009-05-21 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-05-21 23:21 . 2009-05-21 23:21 32 --s-a-w- c:\windows\system32\4100527465.dat
2009-05-17 02:22 . 2009-05-17 02:22 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-05-16 03:48 . 2009-03-01 02:12 -------- d-----w- c:\documents and settings\Missy\Application Data\dvdcss
2009-05-13 05:15 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll
2009-05-05 06:28 . 2009-01-13 21:46 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-28 00:41 . 2009-04-28 00:41 290816 ----a-w- c:\documents and settings\Missy\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-04-28 00:41 . 2009-04-28 00:41 290816 ----a-w- c:\documents and settings\Missy\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-04-28 00:41 . 2009-04-28 00:41 290816 ----a-w- c:\documents and settings\Missy\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-04-28 00:41 . 2009-04-28 00:41 290816 ----a-w- c:\documents and settings\Missy\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-17 12:26 . 2004-08-10 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-01-31 11:15 . 2007-07-05 17:39 1459 ----a-w- c:\program files\Media Center.lnk
2007-07-04 18:10 . 2007-07-04 18:10 104 ----a-w- c:\program files\Internet Explorer.lnk
2006-06-19 16:30 . 2006-06-19 16:30 1903 ----a-w- c:\program files\Help and Support.lnk
2006-06-19 16:29 . 2007-07-04 18:09 1540 ----a-w- c:\program files\HP Extended Service Plans.lnk
2006-06-19 16:26 . 2007-07-05 17:39 1580 ----a-w- c:\program files\Quicken New User Edition 2006.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2004-12-14 663552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-16 49152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-06 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-26 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-7-4 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-7-22 151552]
Kodak software updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-6-19 36903]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 123904]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-06 13:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/13/2009 4:46 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/13/2009 4:46 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/13/2009 4:46 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/13/2009 4:46 PM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [7/3/2009 9:31 PM 2368]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe --> c:\program files\NOS\bin\getPlus_HelperSvc.exe [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-06-11 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Hewlett-Packard\SDP\HPSdpApp.exe [2005-09-09 02:23]

2009-06-30 c:\windows\Tasks\Norton Security Online - Run Full System Scan - HP_Administrator.job
- c:\progra~1\Symantec\Norton AntiVirus\Navw32.exe [2007-01-14 09:09]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://forums.worldofwarcraft.com/thread.html?topicId=14990472390&sid=1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 11:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
Completion time: 2009-07-09 11:48
ComboFix-quarantined-files.txt 2009-07-09 16:47

Pre-Run: 84,491,894,784 bytes free
Post-Run: 87,257,636,864 bytes free

446 --- E O F --- 2009-07-06 04:27

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:02 AM

Posted 09 July 2009 - 11:57 AM

Hi,

The red shield was a false alert.
It should be gone, because it's not the correct one :thumbup2:

* Go to start > run and copy and paste the following command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts
  • Local time:05:02 PM

Posted 09 July 2009 - 12:31 PM

I went online and then ran MBAM and only found one infection, but so far no random programs have popped up telling me that I have a virus. Thank you so much for the help!

I do have another question though. I've been using a laptop to get online while the other computer was infected and MBAM keeps finding 4 infections and "removing" them, but when I run MBAM again, they're not in the quarantine area and when I do another scan, MBAM finds them again. Do you know how I would go about getting rid of them? If I need to wait to get help since this is a different computer with a problem, then that's fine. I don't mind at all. :thumbup2:

Edited by Khirae, 09 July 2009 - 12:33 PM.


#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:02 AM

Posted 09 July 2009 - 06:03 PM

Hi,

I can help you with the other computer, but for that I need the log from mbam and a HijackThis log.

#11 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts
  • Local time:05:02 PM

Posted 09 July 2009 - 06:33 PM

Okay, thanks! Here are the logs:

DDS:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Sue at 18:29:26.44 on Thu 07/09/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1915.1172 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Service Station\TSS.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sue\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [PlayNC Launcher]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\TSS.exe /hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sue\appdata\roaming\mozilla\firefox\profiles\0vfff3gy.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-23 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-23 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-16 20384]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-5 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-5 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-18 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-18 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-16 954368]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-21 9216]

=============== Created Last 30 ================

2009-07-09 10:24 <DIR> --d----- c:\users\sue\appdata\roaming\Malwarebytes
2009-07-09 10:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 10:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 10:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-09 10:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 10:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-07 10:56 428,544 a------- c:\windows\system32\EncDec.dll
2009-07-07 10:56 293,376 a------- c:\windows\system32\psisdecd.dll
2009-07-07 10:56 217,088 a------- c:\windows\system32\psisrndr.ax
2009-07-07 10:56 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-07-07 10:56 80,896 a------- c:\windows\system32\MSNP.ax
2009-07-06 19:33 <DIR> --d----- c:\program files\KRU
2009-07-06 17:51 <DIR> --d----- c:\programdata\Yahoo! Companion
2009-07-06 17:50 <DIR> --d----- c:\programdata\Yahoo!
2009-07-06 17:50 <DIR> --d----- c:\program files\Yahoo!
2009-07-05 19:48 <DIR> --d----- c:\program files\NCSoft
2009-07-05 19:39 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-07-05 19:39 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-07-05 19:38 <DIR> --d----- c:\users\sue\appdata\roaming\GetRightToGo

==================== Find3M ====================

2009-07-09 12:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-09 12:16 51,200 a------- c:\windows\inf\infpub.dat
2009-07-05 19:38 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 19:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-05 19:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 11:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 11:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 08:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 06:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-23 18:53 86,016 a------- c:\windows\inf\infstor.dat
2008-08-18 13:36 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:29:47.33 ===============

MBAM:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 6.0.6001 Service Pack 1

7/9/2009 12:37:38 PM
mbam-log-2009-07-09 (12-37-38).txt

Scan type: Quick Scan
Objects scanned: 72189
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6c7d99c0-58fc-4e9e-8556-4e2d54a414f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6c7d99c0-58fc-4e9e-8556-4e2d54a414f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I've never had this much trouble with computers before. Lol. Thanks for the help!


#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:02 AM

Posted 10 July 2009 - 12:59 AM

Hi,

Database version: 2297


First of all, please update MalwareBytes, because the database version is outdated.
  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:05:02 PM

Posted 10 July 2009 - 12:23 PM

Ugh. One of these days, I'll remember to update MBAM before posting a problem. (I didn't start actually using the program until recently. I didn't know it was there. Not my computers.) For some reason, it wouldn't let me update MBAM on the laptop. I even went to the MBAM.org site, but I couldn't see the link to download the file. I saw everything else on that page though. So, I ended up using the PC to save the MBAM setup file and transferring it over to the laptop. I installed it thinking it would uninstall the first one, but it didn't. It was over in a few seconds. After I did that though, it updated fine. So confusing... Here are the logs:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Sue at 12:20:39.03 on Fri 07/10/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1915.1131 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Service Station\TSS.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Sue\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [PlayNC Launcher]
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NDSTray.exe] NDSTray.exe
mRun: [cfFncEnabler.exe] cfFncEnabler.exe
mRun: [ToshibaServiceStation] c:\program files\toshiba\toshiba service station\TSS.exe /hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sue\appdata\roaming\mozilla\firefox\profiles\0vfff3gy.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-23 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-23 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-1-16 20384]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-5 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-5 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-8-18 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-8-18 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2009-1-16 954368]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-8-21 9216]

=============== Created Last 30 ================

2009-07-09 10:24 <DIR> --d----- c:\users\sue\appdata\roaming\Malwarebytes
2009-07-09 10:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 10:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-09 10:24 <DIR> --d----- c:\programdata\Malwarebytes
2009-07-09 10:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 10:24 <DIR> --d----- c:\progra~2\Malwarebytes
2009-07-07 10:56 428,544 a------- c:\windows\system32\EncDec.dll
2009-07-07 10:56 293,376 a------- c:\windows\system32\psisdecd.dll
2009-07-07 10:56 217,088 a------- c:\windows\system32\psisrndr.ax
2009-07-07 10:56 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-07-07 10:56 80,896 a------- c:\windows\system32\MSNP.ax
2009-07-06 19:33 <DIR> --d----- c:\program files\KRU
2009-07-06 17:50 <DIR> --d----- c:\programdata\Yahoo!
2009-07-06 17:50 <DIR> --d----- c:\program files\Yahoo!
2009-07-05 19:48 <DIR> --d----- c:\program files\NCSoft
2009-07-05 19:39 <DIR> --d----- c:\programdata\AVG Security Toolbar
2009-07-05 19:39 <DIR> --d----- c:\progra~2\AVG Security Toolbar
2009-07-05 19:38 <DIR> --d----- c:\users\sue\appdata\roaming\GetRightToGo

==================== Find3M ====================

2009-07-09 12:16 86,016 a------- c:\windows\inf\infstrng.dat
2009-07-09 12:16 51,200 a------- c:\windows\inf\infpub.dat
2009-07-05 19:38 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 19:38 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-05 19:38 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 11:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 11:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 08:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 07:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 07:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 06:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-23 18:53 86,016 a------- c:\windows\inf\infstor.dat
2008-08-18 13:36 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 12:21:05.53 ===============



Malwarebytes' Anti-Malware 1.38
Database version: 2403
Windows 6.0.6001 Service Pack 1

7/10/2009 12:18:04 PM
mbam-log-2009-07-10 (12-18-04).txt

Scan type: Quick Scan
Objects scanned: 74977
Time elapsed: 4 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6c7d99c0-58fc-4e9e-8556-4e2d54a414f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6c7d99c0-58fc-4e9e-8556-4e2d54a414f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

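Both MBAM logs in this thread flag the same four DhcpNameServer values as Trojan.DNSChanger, and the second scan finds them again after the first reported "Quarantined and deleted successfully". The script below is an added example, not code from this thread or from Malwarebytes. It parses those log lines (copied inline as constructed sample input), checks each resolver against 85.255.112.0/20, which is taken from outside this page as the publicly documented DNSChanger rogue-resolver range (the two flagged 85.255.x.x addresses fall inside it; 68.87.72.134 does not and is left for manual review), and reports whether the hits are DHCP-learned. A value named DhcpNameServer is written by the Windows DHCP client from the lease it receives, so deleting it only lasts until the next renewal; when every hit is a DhcpNameServer value, the device handing out leases (normally the router) is the thing to check. All function and variable names are the example's own.

```python
import ipaddress
import json
import re

# Constructed sample input: the four "Registry Data Items Infected" lines from the
# MBAM log posted above, copied here so the script runs offline.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6c7d99c0-58fc-4e9e-8556-4e2d54a414f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6c7d99c0-58fc-4e9e-8556-4e2d54a414f6}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.26 85.255.112.89 68.87.72.134 -> Quarantined and deleted successfully.
"""

# Assumption from outside this thread: 85.255.112.0/20 is the publicly documented
# DNSChanger rogue-resolver range. Extend the list with other ranges you trust.
ROGUE_DNS_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

# One MBAM "Registry Data Items Infected" line: key (detection) -> Data: ... -> action
MBAM_DATA_RE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.+?) -> (?P<action>.+)$"
)

# Registry value names that hold resolver lists. DhcpNameServer is written by the
# DHCP client from the lease; NameServer is the statically configured list.
DNS_VALUE_NAMES = ("DhcpNameServer", "NameServer")


def parse_mbam_data_items(log_text):
    """Return one record per flagged registry value that carries a DNS server list."""
    items = []
    for line in log_text.splitlines():
        m = MBAM_DATA_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        value_name = key.rsplit("\\", 1)[-1]
        if value_name not in DNS_VALUE_NAMES:
            continue
        servers = []
        for tok in re.split(r"[ ,]+", m.group("data")):
            try:
                servers.append(str(ipaddress.ip_address(tok)))
            except ValueError:
                continue  # not an IP literal; ignore
        items.append({"key": key, "value_name": value_name,
                      "detection": m.group("detection"),
                      "servers": servers, "action": m.group("action")})
    return items


def classify_server(ip):
    """'rogue' if inside a known rogue range, 'local' for private/loopback, else 'review'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ROGUE_DNS_RANGES):
        return "rogue"
    if addr.is_private or addr.is_loopback:
        return "local"
    return "review"


def assess(log_text):
    """Summarise the flagged resolvers and where they most likely came from."""
    items = parse_mbam_data_items(log_text)
    verdicts = {ip: classify_server(ip) for item in items for ip in item["servers"]}
    names = {item["value_name"] for item in items}
    if not items:
        source_hint = "none"
    elif names == {"DhcpNameServer"}:
        # Only DHCP-learned values were hit: deleting them lasts until the next lease
        # renewal, so the DHCP server on the LAN (usually the router) is handing them out.
        source_hint = "dhcp"
    elif names == {"NameServer"}:
        source_hint = "static"
    else:
        source_hint = "mixed"
    return {
        "items": len(items),
        "rogue": sorted(ip for ip, v in verdicts.items() if v == "rogue"),
        "review": sorted(ip for ip, v in verdicts.items() if v == "review"),
        "local": sorted(ip for ip, v in verdicts.items() if v == "local"),
        "source_hint": source_hint,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MBAM_LOG), indent=2))
```

On the affected machine the live resolver list can be read with `ipconfig /all` (the "DNS Servers" lines) or `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DhcpNameServer`; if the rogue addresses reappear there after a reboot or lease renewal, compare them with the DNS servers configured on the router before cleaning the laptop again.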

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:01:02 AM

Posted 10 July 2009 - 12:59 PM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#15 Khirae

Khirae
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:05:02 PM

Posted 10 July 2009 - 11:17 PM

Here's the log:

ComboFix 09-07-09.08 - Sue 07/10/2009 23:10.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1915.1166 [GMT -5:00]
Running from: c:\users\Sue\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2734677411-1145241183-1731341934-500
c:\$recycle.bin\S-1-5-21-3969566641-39007500-1738613080-500
c:\windows\Installer\WMEncoder.msi

.
((((((((((((((((((((((((( Files Created from 2009-06-11 to 2009-07-11 )))))))))))))))))))))))))))))))
.

2009-07-11 04:13 . 2009-07-11 04:14 -------- d-----w- c:\users\Sue\AppData\Local\temp
2009-07-09 15:24 . 2009-07-09 15:24 -------- d-----w- c:\users\Sue\AppData\Roaming\Malwarebytes
2009-07-09 15:24 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 15:24 . 2009-07-09 15:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 15:24 . 2009-07-09 15:24 -------- d-----w- c:\programdata\Malwarebytes
2009-07-09 15:24 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-07 15:56 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-07-07 15:56 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-07-07 00:33 . 2009-07-07 00:33 -------- d-----w- c:\program files\KRU
2009-07-06 22:53 . 2009-07-06 22:53 -------- d-----w- c:\users\Sue\AppData\Local\Yahoo
2009-07-06 22:51 . 2009-07-06 22:51 -------- d-----w- c:\users\Sue\AppData\Roaming\Yahoo!
2009-07-06 22:50 . 2009-07-06 22:51 -------- d-----w- c:\programdata\Yahoo!
2009-07-06 22:50 . 2009-05-27 00:50 607472 ----a-w- c:\programdata\Yahoo!\YUpdater\yupdater.exe
2009-07-06 22:50 . 2009-07-10 17:12 -------- d-----w- c:\program files\Yahoo!
2009-07-06 01:10 . 2009-07-06 01:10 -------- d-----w- c:\users\Sue\AppData\Local\AVG Security Toolbar
2009-07-06 00:50 . 2009-07-06 00:50 -------- d-----w- c:\users\Sue\AppData\Local\assembly
2009-07-06 00:48 . 2009-07-06 00:50 -------- d-----w- c:\program files\NCSoft
2009-07-06 00:46 . 2009-07-06 00:46 -------- d-----w- c:\users\Sue\AppData\Roaming\InstallShield
2009-07-06 00:39 . 2009-07-06 00:39 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-07-06 00:38 . 2009-07-06 00:46 -------- d-----w- c:\users\Sue\AppData\Roaming\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 08:23 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-07 03:49 . 2009-03-08 19:47 -------- d-----w- c:\users\Sue\AppData\Roaming\Skype
2009-07-06 01:43 . 2008-08-18 18:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-06 00:48 . 2008-08-18 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-06 00:38 . 2009-02-24 00:28 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-06 00:38 . 2009-02-24 00:28 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 00:38 . 2009-02-24 00:28 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-06 00:38 . 2009-02-24 00:28 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 16:05 . 2009-07-07 15:53 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-07-07 15:53 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-07-07 15:53 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-07-07 15:53 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-07-07 15:53 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-07-07 15:53 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-02-20 21:21 . 2009-02-20 21:21 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-02-20 21:21 . 2009-02-20 21:21 4 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 21:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1029416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-11-01 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\TSS.exe" [2008-08-04 1242424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-06 1948440]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-04-08 6037504]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D7A44B90-517B-42C0-8660-2D83AB9185F5}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{F5468568-85A3-4F60-846E-DB0A671F5A05}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{F43E0F2C-5595-4C8D-AB03-29FE58FC08C2}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{137380BB-86CA-4EF4-BDDE-C90EFAD1BF03}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{E37C97E0-F1B6-4809-9061-92B7E38B7C80}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{2530E709-AC97-4D3F-9EFE-89EFAFD67222}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2/23/2009 7:28 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/23/2009 7:28 PM 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [1/16/2009 12:49 AM 20384]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/5/2009 7:38 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/5/2009 7:38 PM 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\Toshiba\ConfigFree\CFSvcs.exe [4/17/2008 2:19 AM 40960]
R2 TMachInfo;TMachInfo;c:\program files\Toshiba\TOSHIBA Service Station\TMachInfo.exe [8/18/2008 12:58 PM 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\Toshiba\SMARTLogService\TosIPCSrv.exe [12/3/2007 8:03 PM 126976]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [8/18/2008 12:48 PM 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [1/16/2009 12:49 AM 954368]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [8/21/2008 3:18 PM 9216]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Sue\AppData\Roaming\Mozilla\Firefox\Profiles\0vfff3gy.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 23:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????? ?m??h?????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-07-11 23:15
ComboFix-quarantined-files.txt 2009-07-11 04:15

Pre-Run: 105,578,680,320 bytes free
Post-Run: 105,613,500,416 bytes free

151 --- E O F --- 2009-07-09 14:41



