
Trojan.Win32.tdss.aekg


14 replies to this topic

#1 ryeyedoc

  • Members
  • 8 posts

Posted 19 July 2009 - 07:59 PM

To Whom It May Concern:

I have tried anti-virus software such as AVG, Avast, Malwarebytes' Anti-Malware, SUPERAnti-Spyware, CounterSpy, and countless others. Some identify the viruses on my laptop and some don't, but none seem to remove them! This has been ongoing for about a week and a half and I have absolutely no idea of where to go from here. Please help me.

Thank you


DDS (Ver_09-06-26.01) - NTFSx86
Run by Ry eyedoc at 19:42:41.36 on Sun 07/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.750.388 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: The Shield Deluxe *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Ry eyedoc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: SFCDisable=4 (0x4)
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2be903f9-1cca-49c6-97cd-22cb0f770332} - c:\windows\system32\xxwxv.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
BHO: MessengerUpdate Class: {5948a52a-ba3a-49a8-bcaf-d578502bda9d} - c:\documents and settings\ry eyedoc\application data\messenger\drivers\MsgUpdate.dll
BHO: {59f07481-6dbf-4606-b34c-2fd8c73cfd41} - c:\windows\system32\cbxww.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {426539bd-8145-9038-bc24-c12d8a92397a}: {a79329a8-d21c-42cb-8309-5418db935624} - c:\windows\system32\jddbhctq.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ares] "c:\documents and settings\ry eyedoc\my documents\my music\ares lite edition\Ares.exe" -h
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\ry eyedoc\application data\messenger\drivers\IgfxSys.dll",StartProtector
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [WG511WLU] c:\program files\netgear\wg511\utility\WG511WLU.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [SBAMTray] c:\program files\sunbelt software\counterspy\SBAMTray.exe
mRun: [SBRegRebootCleaner] c:\program files\sunbelt software\counterspy\SBRC.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\datavi~1.lnk - c:\program files\common files\dataviz\DvzIncMsgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: ljjjifc - ljjjifc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxwxv

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ryeyed~1\applic~1\mozilla\firefox\profiles\8hoylbbu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://facebook.com/http://eyecare.ico.edu
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\ry eyedoc\application data\mozilla\firefox\profiles\8hoylbbu.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-9 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-13 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-13 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-13 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
R2 SBAMSvc;CounterSpy Antispyware;c:\program files\sunbelt software\counterspy\SBAMSvc.exe [2009-6-10 980264]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-7-17 1205760]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsetmgr.exe" --> c:\program files\common files\symantec shared\ccSetMgr.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-2-14 24652]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccevtmgr.exe" --> c:\program files\common files\symantec shared\ccEvtMgr.exe [?]

=============== Created Last 30 ================

2009-07-19 18:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-07-19 18:22 104 a------- c:\windows\system32\SBRC.dat
2009-07-19 15:26 <DIR> --d----- c:\docume~1\ryeyed~1\applic~1\Sunbelt
2009-07-19 15:26 <DIR> --d----- c:\program files\Sunbelt Software
2009-07-19 15:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt
2009-07-19 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-19 15:16 <DIR> --d----- c:\docume~1\ryeyed~1\applic~1\SUPERAntiSpyware.com
2009-07-19 15:16 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-07-19 14:40 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-19 14:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-19 14:40 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-19 14:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-17 22:53 10,194 a------- c:\windows\is-E1SSL.msg
2009-07-17 22:53 321 a------- c:\windows\is-E1SSL.lst
2009-07-17 22:53 775,168 a------- c:\windows\is-E1SSL.exe
2009-07-17 22:47 <DIR> --d----- c:\program files\NoAdware
2009-07-17 22:44 1,563,008 a------- c:\windows\WRSetup.dll
2009-07-17 22:44 <DIR> --d----- c:\docume~1\ryeyed~1\applic~1\Webroot
2009-07-17 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-07-17 22:38 164 a------- c:\windows\install.dat
2009-07-16 21:37 <DIR> --d----- c:\program files\iTunes
2009-07-16 21:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-16 21:36 <DIR> --d----- c:\program files\Bonjour
2009-07-16 10:44 <DIR> --d----- c:\program files\common files\xing shared
2009-07-13 10:43 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-13 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-13 08:59 <DIR> --d----- c:\windows\system32\drivers\NSS
2009-07-13 08:59 <DIR> --d----- c:\program files\Norton Security Scan
2009-07-13 08:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-07-13 08:59 <DIR> --d----- c:\program files\NortonInstaller
2009-07-13 08:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-07-13 00:09 <DIR> --d----- c:\program files\Tall Emu
2009-07-09 18:32 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-09 18:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-09 17:59 <DIR> --d----- c:\documents and settings\ry eyedoc\.housecall6.6
2009-07-09 17:56 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-09 17:56 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-09 17:08 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-09 16:48 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-09 16:47 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-09 11:17 <DIR> --d----- c:\docume~1\ryeyed~1\applic~1\Messenger
2009-07-09 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\14425934
2009-06-26 08:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-07-17 08:55 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-16 10:41 499,712 a------- c:\windows\system32\msvcp71.dll
2009-07-16 10:41 348,160 a------- c:\windows\system32\msvcr71.dll
2009-07-13 22:09 54,272 a------- c:\docume~1\ryeyed~1\applic~1\GDIPFONTCACHEV1.DAT
2009-06-26 08:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-10 06:00 68,392 a------- c:\windows\system32\sbbd.exe
2009-06-03 14:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 14:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-13 00:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 10:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-30 16:22 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-04-30 16:22 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-30 16:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 16:22 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-30 16:22 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 16:22 385,536 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 16:22 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-04-30 06:21 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2007-12-26 12:31 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-03-24 10:06 836 a------- c:\docume~1\ryeyed~1\applic~1\ViewerApp.dat
2005-08-28 21:15 6,698,720 a------- c:\program files\sspsetup1_1012602125.exe
2005-08-26 15:56 716,064 a------- c:\program files\R104295.EXE
2008-01-24 22:12 10,265 a--sh--- c:\windows\system32\vxwxx.ini2
2008-01-20 19:19 579 a--sh--- c:\windows\system32\wwxbc.ini2

============= FINISH: 19:46:09.15 ===============
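The pseudo-HJT section of a DDS log like the one above is read by eye by the malware-removal helpers on this forum, and the entries they key on follow a few recognizable patterns: a BHO registered with only a CLSID and a random-looking DLL in system32, a Winlogon notification package given as a bare filename, an extra entry in the LSA `Authentication Packages` value, `SFCDisable` set, and a logon `Run` entry that uses `rundll32` to load a DLL out of the user's profile. The following Python script is an added example written for this page, not a tool from the thread or from the DDS author: it encodes those heuristics as a triage pass over report lines, and the sample input is a constructed excerpt copied from the log above (the severities and the reasons attached to each match are this example's own labels, not DDS output).

```python
import re
from dataclasses import dataclass

# Constructed sample: a dozen lines copied from the DDS pseudo-HJT report in this thread,
# mixing entries that are normal (Skype BHO, ctfmon, Java updater, Intel Notify package)
# with the ones a malware-removal helper would single out.
SAMPLE_REPORT = r"""
uURLSearchHooks: H - No File
mWinlogon: SFCDisable=4 (0x4)
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {2be903f9-1cca-49c6-97cd-22cb0f770332} - c:\windows\system32\xxwxv.dll
BHO: {426539bd-8145-9038-bc24-c12d8a92397a}: {a79329a8-d21c-42cb-8309-5418db935624} - c:\windows\system32\jddbhctq.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IgfxSys] rundll32.exe "c:\documents and settings\ry eyedoc\application data\messenger\drivers\IgfxSys.dll",StartProtector
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: ljjjifc - ljjjifc.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxwxv
"""

# "BHO: <optional friendly name>: {CLSID} - <path>"
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")


@dataclass
class Finding:
    severity: str  # "high" = persistence/tampering indicator, "review" = needs a human look
    line: str
    reason: str


def triage(report: str) -> list[Finding]:
    """Scan a DDS pseudo-HJT report and return the entries worth a helper's attention."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(": ")

        if kind.endswith("Winlogon") and "SFCDisable" in rest:
            # Windows File Protection switched off: system files can be replaced unnoticed.
            findings.append(Finding("high", line, "SFCDisable set in Winlogon"))

        elif kind == "BHO":
            m = BHO_RE.match(line)
            name = m.group("name") if m else None
            # Legitimate BHOs register a friendly name; a bare CLSID (or a GUID used as the
            # name) plus a random-looking DLL in system32 is a classic Vundo-style entry.
            if m and (name is None or GUID_RE.match(name)):
                findings.append(Finding("high", line, "BHO with no friendly name, only a CLSID"))

        elif kind in ("TB", "uURLSearchHooks", "mURLSearchHooks") and rest.endswith("No File"):
            # Orphaned registry references: harmless on their own, but worth cleaning up.
            findings.append(Finding("review", line, "registry entry points at a missing file"))

        elif kind.endswith("Run"):
            low = rest.lower()
            # rundll32 launching a DLL from the user's profile at logon is a common
            # persistence pattern; legitimate vendors install under Program Files or system32.
            if "rundll32" in low and "application data" in low:
                findings.append(Finding("high", line, "rundll32 loads a DLL from the user profile at logon"))

        elif kind == "Notify":
            _, _, dll = rest.partition(" - ")
            # Winlogon notification packages load into winlogon.exe; a bare filename
            # (no path) hides where the DLL lives and needs to be checked by hand.
            if "\\" not in dll:
                findings.append(Finding("review", line, "Winlogon notify package given as bare filename"))

        elif kind == "LSA":
            key, _, value = rest.partition(" = ")
            if key == "Authentication Packages":
                # Only msv1_0 is expected here; anything else runs inside lsass.exe.
                extras = [p for p in value.split() if p.lower() != "msv1_0"]
                if extras:
                    findings.append(Finding("high", line, "extra LSA authentication package: " + ", ".join(extras)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, for a quick read of how bad a report looks."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.reason}\n          {f.line}")
    print(summarize(triage(SAMPLE_REPORT)))
```

On the sample excerpt the script reports five `high` findings (SFCDisable, the two nameless BHOs, the `IgfxSys` rundll32 entry and the extra LSA package) and three `review` findings, while the Skype, ctfmon, Java and Intel entries pass untouched. The `Notify` rule is deliberately conservative: legitimate packages such as Intel's graphics driver also register with a bare filename, so it only asks for a look rather than declaring the entry malicious.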


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 21 July 2009 - 12:25 PM

Hello ryeyedoc,

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these.
AVG Anti-Virus or Webroot AntiVirus with AntiSpyware

*************

I see Viewpoint installed.
Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint


*************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*************

Please post the last Malwarebytes log so I can see what it is finding.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Edited by SifuMike, 21 July 2009 - 12:35 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 ryeyedoc
  • Topic Starter

  • Members
  • 8 posts

Posted 22 July 2009 - 08:25 AM

SifuMike,

Thanks for your response.

I followed your instructions and removed all of my anti-virus software except AVG. Unfortunately, I also removed Malwarebytes before I read your request to post the log. I tried reinstalling the software and for some reason it installs but will not open and function. Let me know if there is a different program you need me to download or if there is something I can do to get Malwarebytes to work. I also removed Viewpoint Manager and Viewpoint Media Player.

Here are the results of Security Check:

Results of screen317's Security Check version 0.98.5
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG 8.5


``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Windows Defender
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java™ 6 Update 14
Java 2 Runtime Environment, SE v1.4.2_03
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Windows Defender MSASCui.exe
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 22 July 2009 - 11:16 AM

Hi ryeyedoc,

Uninstall Java 2 Runtime Environment, SE v1.4.2_03, as that is an old version and attracts malware.


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus, Ad-Watch and Windows Defender before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Disable Ad-Watch to make sure it won't interfere fixing.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 22 July 2009 - 11:19 AM.


#5 ryeyedoc
  • Topic Starter

  • Members
  • 8 posts

Posted 22 July 2009 - 04:08 PM

SifuMike,

Before you get to the ComboFix log I want to tell you a couple of strange things that happened. I saved ComboFix.exe to my desktop and clicked Run and got no response. Then, an audio commercial or ad of some sort started to play, no pop-up window; just audio. After several attempts to run the program I deleted ComboFix and reinstalled it. The second time around I saved it to the desktop as Disney.exe and the program seemed to run fine.

Also, during the scanning process of ComboFix it detected The Shield Deluxe was an active program and recommended that I disable the program before continuing. I could not find The Shield Deluxe in my Control Panel, so I did a search for it and got no results. Ultimately, I ended up running ComboFix anyway and here is the log.


ComboFix 09-07-22.01 - Ry eyedoc 07/22/2009 15:29.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.750.390 [GMT -5:00]
Running from: c:\documents and settings\Ry eyedoc\Desktop\Disney.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: The Shield Deluxe *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\17PHolmes572.exe
c:\windows\Installer\164a0.msi
c:\windows\Installer\23863b4.msi
c:\windows\Installer\7d670.msi
c:\windows\system32\ceeeg.ini
c:\windows\system32\drivers\hjgruirowbicvh.sys
c:\windows\system32\drivers\UACdlamtbosienrqrdyi.sys
c:\windows\system32\hjgruiepxiwuaq.dll
c:\windows\system32\hjgruikvaxvpry.dat
c:\windows\system32\hjgruilblldblh.dll
c:\windows\system32\hjgruiomkrwwap.dat
c:\windows\system32\nGpxx01
c:\windows\system32\UACaoqyrmculmfujkdtg.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkbmrwkdethvpoumio.dll
c:\windows\system32\UACnfvufcakdwqaobcek.dll
c:\windows\system32\UACnwynrmjlgonpqjgwq.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACudoyxthsipfsnillt.dll
c:\windows\system32\UACwbylofkmjrwffahle.db
c:\windows\system32\UACxfgmbpbnsllxymsyx.dat
c:\windows\system32\vxwxx.ini
c:\windows\system32\vxwxx.ini2
c:\windows\system32\wwxbc.ini
c:\windows\system32\wwxbc.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjgruiujwirqpx
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 15:06 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-22 15:06 . 2009-07-22 15:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-22 15:04 . 2009-07-22 15:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-22 15:04 . 2009-07-22 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-22 15:04 . 2009-07-22 19:22 -------- d-----w- c:\program files\NOS
2009-07-22 12:55 . 2009-07-22 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 23:37 . 2009-07-19 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-07-19 20:25 . 2009-07-19 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-07-18 03:53 . 2009-07-18 03:53 775168 ----a-w- c:\windows\is-E1SSL.exe
2009-07-18 03:47 . 2009-07-22 01:51 -------- d-----w- c:\program files\NoAdware
2009-07-18 03:38 . 2009-07-18 03:38 164 ----a-w- c:\windows\install.dat
2009-07-17 13:56 . 2009-06-26 13:05 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-17 13:56 . 2009-06-26 13:05 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-17 13:56 . 2009-06-26 13:05 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-17 13:56 . 2009-06-26 13:05 493336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-17 13:56 . 2009-06-26 13:05 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-17 13:56 . 2009-06-26 13:05 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-17 13:56 . 2009-06-26 13:05 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-17 13:56 . 2009-06-26 13:05 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-17 13:56 . 2009-06-26 13:05 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-17 13:56 . 2009-06-26 13:05 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-17 13:56 . 2009-06-26 13:05 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-17 13:54 . 2009-06-26 13:02 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-17 13:54 . 2009-06-26 13:02 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-17 02:37 . 2009-07-17 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-17 02:37 . 2009-07-17 02:37 -------- d-----w- c:\program files\iTunes
2009-07-17 02:36 . 2009-07-17 02:36 -------- d-----w- c:\program files\Bonjour
2009-07-17 02:33 . 2009-07-17 02:35 -------- d-----w- c:\program files\QuickTime
2009-07-16 15:44 . 2009-07-16 15:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-13 19:22 . 2009-07-13 19:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 15:43 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-13 15:43 . 2009-07-13 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-13 13:59 . 2009-07-22 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-13 13:59 . 2009-07-13 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 05:09 . 2009-07-13 05:09 -------- d-----w- c:\program files\Tall Emu
2009-07-13 04:08 . 2009-07-13 04:08 -------- d-----w- c:\documents and settings\Ry eyedoc\Local Settings\Application Data\AVG Security Toolbar
2009-07-11 04:49 . 2009-07-11 04:49 -------- d-----w- c:\documents and settings\Ry eyedoc\Local Settings\Application Data\The Weather Channel
2009-07-09 23:32 . 2009-07-19 19:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-09 23:32 . 2009-07-19 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-09 22:59 . 2009-07-18 03:29 -------- d-----w- c:\documents and settings\Ry eyedoc\.housecall6.6
2009-07-09 22:56 . 2009-07-09 22:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-09 22:53 . 2009-07-09 22:53 152576 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-09 22:08 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-09 21:48 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-09 21:47 . 2009-07-09 21:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-09 21:47 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-09 21:47 . 2009-07-09 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-09 16:20 . 2009-07-09 20:16 139 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\serial.sys
2009-07-09 16:17 . 2009-07-09 16:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-09 16:17 . 2009-07-09 16:17 278528 ------w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\Aud32\msgutil83.dll
2009-07-09 16:17 . 2009-07-09 17:59 2453 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\conf.sys
2009-07-09 16:17 . 2009-07-09 16:17 -------- d-----w- c:\documents and settings\Ry eyedoc\Application Data\Messenger
2009-07-09 16:17 . 2009-06-04 23:33 11 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\pub.dll
2009-07-09 16:17 . 2009-07-10 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\14425934
2009-06-26 14:53 . 2009-06-14 21:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-26 13:08 . 2009-06-26 13:05 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-26 13:07 . 2009-06-27 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-26 13:07 . 2009-06-26 13:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 16:43 . 2007-11-08 22:17 -------- d-----w- c:\program files\AIMTunes
2009-07-22 15:09 . 2005-08-19 22:22 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-22 03:08 . 2008-07-14 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-22 01:51 . 2005-08-15 00:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-22 01:40 . 2005-08-15 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-20 02:55 . 2005-08-15 00:01 90112 ----a-w- c:\windows\DUMP17a8.tmp
2009-07-20 00:04 . 2005-10-19 02:25 -------- d-----w- c:\program files\Trend Micro
2009-07-18 04:52 . 2008-01-21 04:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-17 13:55 . 2009-01-13 06:02 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 02:37 . 2005-08-19 21:59 -------- d-----w- c:\program files\iPod
2009-07-16 15:43 . 2005-08-15 00:42 -------- d-----w- c:\program files\Common Files\Real
2009-07-16 15:41 . 2005-08-15 00:41 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-16 15:41 . 2005-08-15 00:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-13 13:59 . 2005-08-15 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 16:36 . 2007-07-02 17:01 -------- d-----w- c:\program files\Common Files\Apple
2009-07-09 23:23 . 2009-01-13 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 22:55 . 2005-08-15 00:32 -------- d-----w- c:\program files\Java
2009-07-09 22:05 . 2005-10-22 05:38 -------- d-----w- c:\program files\Lavasoft
2009-07-09 22:05 . 2005-10-22 05:39 -------- d-----w- c:\documents and settings\Ry eyedoc\Application Data\Lavasoft
2009-07-09 13:07 . 2005-08-19 19:16 54272 ----a-w- c:\documents and settings\Ry eyedoc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 01:54 . 2005-08-15 00:44 -------- d-----w- c:\program files\Intuit
2009-07-09 01:48 . 2005-08-15 00:45 -------- d-----w- c:\program files\Common Files\Intuit
2009-07-09 01:46 . 2005-08-15 00:45 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2009-07-09 01:27 . 2005-08-15 00:37 -------- d-----w- c:\program files\MUSICMATCH
2009-06-26 13:05 . 2009-01-13 06:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 13:05 . 2009-01-13 06:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 03:25 . 2008-01-21 03:47 -------- d-----w- c:\program files\AIM6
2009-06-18 03:06 . 2007-11-08 22:16 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2009-06-18 03:01 . 2005-12-12 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-08 03:59 . 2006-04-06 16:05 1915520 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-19 06:36 . 2009-06-18 03:02 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 06:36 . 2009-06-18 03:02 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 06:36 . 2009-06-18 03:02 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 06:36 . 2009-06-18 03:02 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 06:36 . 2009-06-18 03:02 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 06:36 . 2009-06-18 03:02 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 06:36 . 2009-06-18 03:02 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 06:36 . 2009-06-18 03:02 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2005-08-29 02:15 . 2005-08-29 02:14 6698720 ----a-w- c:\program files\sspsetup1_1012602125.exe
2005-08-26 20:56 . 2005-08-26 20:56 716064 ----a-w- c:\program files\R104295.EXE
2009-03-28 14:53 . 2009-01-16 04:44 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 16:15 . 2008-01-03 16:15 50528 c:\program files\AIM6\bak\aim6.exe
2009-05-19 05:23 . 2009-05-19 05:23 49968 c:\program files\AIM6\aim6.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 15:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ares"="c:\documents and settings\Ry eyedoc\My Documents\My Music\Ares Lite Edition\Ares.exe" [N/A]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-14 68856]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-03-19 801904]
"IgfxSys"="c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\IgfxSys.dll" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [N/A]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [N/A]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [N/A]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [N/A]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [N/A]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [N/A]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [N/A]
"WG511WLU"="c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe" [N/A]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [N/A]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [N/A]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [N/A]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [N/A]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [N/A]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [N/A]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [N/A]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-16 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-25 28672]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-14 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-8-31 315392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 13:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ry eyedoc^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\Ry eyedoc\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134425552\\ee\\aim6.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/9/2009 4:48 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/13/2009 1:02 AM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/13/2009 1:02 AM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-07-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{2BE903F9-1CCA-49C6-97CD-22CB0F770332} - c:\windows\system32\xxwxv.dll
BHO-{59F07481-6DBF-4606-B34C-2FD8C73CFD41} - c:\windows\system32\cbxww.dll
BHO-{a79329a8-d21c-42cb-8309-5418db935624} - c:\windows\system32\jddbhctq.dll
ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)
Notify-ljjjifc - ljjjifc.dll


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Ry eyedoc\Application Data\Mozilla\Firefox\Profiles\8hoylbbu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://facebook.com/http://eyecare.ico.edu
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Ry eyedoc\Application Data\Mozilla\Firefox\Profiles\8hoylbbu.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(1488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-22 15:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-22 20:54

Pre-Run: 16,469,803,008 bytes free
Post-Run: 17,083,330,560 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

368 --- E O F --- 2009-07-16 15:50

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 PM

Posted 22 July 2009 - 04:58 PM

Hi ryeyedoc,

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

***************

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

AWF:
c:\program files\AIM6\bak\aim6.exe

Registry:: 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
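
Added example, not code from this thread, from ComboFix or from BleepingComputer: a small Python triage script in the spirit of what the helper reads off the log above. It parses the "Reg Loading Points" layout (a [key] header followed by "Name"="path" [date size] lines, and the "EnableFirewall"= 0 (0x0) line) and flags the firewall being off plus Run values that point into a user profile directory or at a DLL. The log excerpt inside it is constructed to match that layout; the review heuristics and the reading of [N/A] as "no file details recorded" are the example's own assumptions, not ComboFix rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt laid out like the "Reg Loading Points" section of a
# ComboFix log. Paths and values are made up for the example; only the
# line format follows the log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IgfxSys"="c:\documents and settings\user\Application Data\Messenger\Drivers\IgfxSys.dll" [N/A]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"="path" [date size]   or   "Name"="path" [N/A]
RUN_ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[([^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')

# Heuristic markers for per-user writable locations (an assumption of this
# example, not a ComboFix rule): autoruns launched from here deserve a look.
USER_PROFILE_MARKERS = ("documents and settings", "\\users\\")

Finding = Tuple[str, str, List[str]]


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the most recent [bracketed] header."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage_run_entries(sections: Dict[str, List[str]]) -> List[Finding]:
    """Return Run-key values that match one or more review heuristics."""
    findings: List[Finding] = []
    for name, lines in sections.items():
        if not name.lower().endswith("\\currentversion\\run"):
            continue
        for line in lines:
            entry = RUN_ENTRY_RE.match(line)
            if not entry:
                continue
            value, path, info = entry.groups()
            lowered = path.lower()
            reasons = []
            if info.strip() == "N/A":
                reasons.append("no file date/size recorded for the target")
            if any(marker in lowered for marker in USER_PROFILE_MARKERS):
                reasons.append("target lives under a user profile directory")
            if lowered.endswith(".dll"):
                reasons.append("Run value names a DLL instead of an executable")
            if reasons:
                findings.append((value, path, reasons))
    return findings


def firewall_disabled(sections: Dict[str, List[str]]) -> bool:
    """True when a firewallpolicy section records EnableFirewall = 0."""
    for name, lines in sections.items():
        if "firewallpolicy" not in name.lower():
            continue
        for line in lines:
            match = FIREWALL_RE.match(line)
            if match and int(match.group(1)) == 0:
                return True
    return False


def triage(text: str) -> Dict[str, object]:
    """Run both checks over one log text and collect the results."""
    sections = parse_sections(text)
    return {
        "firewall_disabled": firewall_disabled(sections),
        "suspicious_run_entries": triage_run_entries(sections),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    if report["firewall_disabled"]:
        print("Windows Firewall is disabled in the standard profile")
    for value, path, reasons in report["suspicious_run_entries"]:
        print(f'Review Run value "{value}" -> {path}')
        for reason in reasons:
            print(f"  - {reason}")
```

A flagged entry is a prompt to look, not a verdict: plenty of legitimate software starts from a user profile, and the firewall flag only says what the log says. Its value is that it turns a 400-line log into the two or three lines a helper actually acts on, such as re-enabling the firewall.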

#7 ryeyedoc

ryeyedoc
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:02:27 PM

Posted 22 July 2009 - 07:02 PM

SifuMike,

I had already removed Viewpoint and all its components from the Control Panel and from C:\Program Files\Viewpoint. I did do a search for Viewpoint and deleted any additional files that were found.

Here are the contents of ComboFix again:

ComboFix 09-07-22.01 - Ry eyedoc 07/22/2009 18:00.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.750.285 [GMT -5:00]
Running from: c:\documents and settings\Ry eyedoc\Desktop\Disney.exe
Command switches used :: c:\documents and settings\Ry eyedoc\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: The Shield Deluxe *On-access scanning enabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.

2009-07-22 15:06 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-22 15:06 . 2009-07-22 15:06 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-22 15:04 . 2009-07-22 15:04 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-22 15:04 . 2009-07-22 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-07-22 15:04 . 2009-07-22 19:22 -------- d-----w- c:\program files\NOS
2009-07-22 12:55 . 2009-07-22 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-19 23:37 . 2009-07-19 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2009-07-19 20:25 . 2009-07-19 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-07-18 03:53 . 2009-07-18 03:53 775168 ----a-w- c:\windows\is-E1SSL.exe
2009-07-18 03:47 . 2009-07-22 01:51 -------- d-----w- c:\program files\NoAdware
2009-07-18 03:38 . 2009-07-18 03:38 164 ----a-w- c:\windows\install.dat
2009-07-17 13:56 . 2009-06-26 13:05 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-17 13:56 . 2009-06-26 13:05 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-17 13:56 . 2009-06-26 13:05 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-17 13:56 . 2009-06-26 13:05 493336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-17 13:56 . 2009-06-26 13:05 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-17 13:56 . 2009-06-26 13:05 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-17 13:56 . 2009-06-26 13:05 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-17 13:56 . 2009-06-26 13:05 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-17 13:56 . 2009-06-26 13:05 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-17 13:56 . 2009-06-26 13:05 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-17 13:56 . 2009-06-26 13:05 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-17 13:54 . 2009-06-26 13:02 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-17 13:54 . 2009-06-26 13:02 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-17 02:37 . 2009-07-17 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-17 02:37 . 2009-07-17 02:37 -------- d-----w- c:\program files\iTunes
2009-07-17 02:36 . 2009-07-17 02:36 -------- d-----w- c:\program files\Bonjour
2009-07-17 02:33 . 2009-07-17 02:35 -------- d-----w- c:\program files\QuickTime
2009-07-16 15:44 . 2009-07-16 15:44 -------- d-----w- c:\program files\Common Files\xing shared
2009-07-13 19:22 . 2009-07-13 19:22 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-13 15:43 . 2009-03-24 21:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-07-13 15:43 . 2009-07-13 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-07-13 13:59 . 2009-07-22 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-07-13 13:59 . 2009-07-13 13:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-07-13 05:09 . 2009-07-13 05:09 -------- d-----w- c:\program files\Tall Emu
2009-07-13 04:08 . 2009-07-13 04:08 -------- d-----w- c:\documents and settings\Ry eyedoc\Local Settings\Application Data\AVG Security Toolbar
2009-07-11 04:49 . 2009-07-11 04:49 -------- d-----w- c:\documents and settings\Ry eyedoc\Local Settings\Application Data\The Weather Channel
2009-07-09 23:32 . 2009-07-19 19:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-09 23:32 . 2009-07-19 19:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-09 22:59 . 2009-07-18 03:29 -------- d-----w- c:\documents and settings\Ry eyedoc\.housecall6.6
2009-07-09 22:56 . 2009-07-09 22:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-09 22:53 . 2009-07-09 22:53 152576 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-09 22:08 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-07-09 21:48 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-09 21:47 . 2009-07-09 21:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-09 21:47 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-07-09 21:47 . 2009-07-09 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-09 16:20 . 2009-07-09 20:16 139 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\serial.sys
2009-07-09 16:17 . 2009-07-09 16:17 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-09 16:17 . 2009-07-09 16:17 278528 ------w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\Aud32\msgutil83.dll
2009-07-09 16:17 . 2009-07-09 17:59 2453 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\conf.sys
2009-07-09 16:17 . 2009-07-09 16:17 -------- d-----w- c:\documents and settings\Ry eyedoc\Application Data\Messenger
2009-07-09 16:17 . 2009-06-04 23:33 11 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\pub.dll
2009-07-09 16:17 . 2009-07-10 13:44 -------- d-----w- c:\documents and settings\All Users\Application Data\14425934
2009-06-26 14:53 . 2009-06-14 21:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-26 13:08 . 2009-06-26 13:05 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-26 13:07 . 2009-06-27 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-26 13:07 . 2009-06-26 13:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 16:43 . 2007-11-08 22:17 -------- d-----w- c:\program files\AIMTunes
2009-07-22 15:09 . 2005-08-19 22:22 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-22 03:08 . 2008-07-14 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-22 01:51 . 2005-08-15 00:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-22 01:40 . 2005-08-15 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-20 02:55 . 2005-08-15 00:01 90112 ----a-w- c:\windows\DUMP17a8.tmp
2009-07-20 00:04 . 2005-10-19 02:25 -------- d-----w- c:\program files\Trend Micro
2009-07-18 04:52 . 2008-01-21 04:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-17 13:55 . 2009-01-13 06:02 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 02:37 . 2005-08-19 21:59 -------- d-----w- c:\program files\iPod
2009-07-16 15:43 . 2005-08-15 00:42 -------- d-----w- c:\program files\Common Files\Real
2009-07-16 15:41 . 2005-08-15 00:41 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-16 15:41 . 2005-08-15 00:41 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-13 13:59 . 2005-08-15 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-11 16:36 . 2007-07-02 17:01 -------- d-----w- c:\program files\Common Files\Apple
2009-07-09 23:23 . 2009-01-13 06:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-09 22:55 . 2005-08-15 00:32 -------- d-----w- c:\program files\Java
2009-07-09 22:05 . 2005-10-22 05:38 -------- d-----w- c:\program files\Lavasoft
2009-07-09 22:05 . 2005-10-22 05:39 -------- d-----w- c:\documents and settings\Ry eyedoc\Application Data\Lavasoft
2009-07-09 13:07 . 2005-08-19 19:16 54272 ----a-w- c:\documents and settings\Ry eyedoc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-09 01:54 . 2005-08-15 00:44 -------- d-----w- c:\program files\Intuit
2009-07-09 01:48 . 2005-08-15 00:45 -------- d-----w- c:\program files\Common Files\Intuit
2009-07-09 01:46 . 2005-08-15 00:45 -------- d-----w- c:\program files\Common Files\AnswerWorks 4.0
2009-07-09 01:27 . 2005-08-15 00:37 -------- d-----w- c:\program files\MUSICMATCH
2009-06-26 13:05 . 2009-01-13 06:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 13:05 . 2009-01-13 06:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 03:25 . 2008-01-21 03:47 -------- d-----w- c:\program files\AIM6
2009-06-18 03:06 . 2007-11-08 22:16 1144808 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\aimtunes\AIMTunes.exe
2009-06-18 03:01 . 2005-12-12 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-16 14:36 . 2004-08-10 17:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-08 03:59 . 2006-04-06 16:05 1915520 ----a-w- c:\documents and settings\Ry eyedoc\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-03 19:09 . 2004-08-10 17:51 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-19 06:36 . 2009-06-18 03:02 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 06:36 . 2009-06-18 03:02 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 06:36 . 2009-06-18 03:02 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 06:36 . 2009-06-18 03:02 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 06:36 . 2009-06-18 03:02 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 06:36 . 2009-06-18 03:02 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 06:36 . 2009-06-18 03:02 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 06:36 . 2009-06-18 03:02 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-13 05:15 . 2004-08-10 17:51 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll
2005-08-29 02:15 . 2005-08-29 02:14 6698720 ----a-w- c:\program files\sspsetup1_1012602125.exe
2005-08-26 20:56 . 2005-08-26 20:56 716064 ----a-w- c:\program files\R104295.EXE
2009-03-28 14:53 . 2009-01-16 04:44 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 15:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-07-14 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-03-19 801904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-07-16 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataViz Inc Messenger.lnk - c:\program files\Common Files\DataViz\DvzIncMsgr.exe [2006-12-25 28672]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-14 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-8-31 315392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 13:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk
backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ry eyedoc^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\Ry eyedoc\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1134425552\\ee\\aim6.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"f:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/9/2009 4:48 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/13/2009 1:02 AM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/13/2009 1:02 AM 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-07-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKCU-Run-ares - c:\documents and settings\Ry eyedoc\My Documents\My Music\Ares Lite Edition\Ares.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-IgfxSys - c:\documents and settings\Ry eyedoc\Application Data\Messenger\Drivers\IgfxSys.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-SynTPLpr - c:\program files\Synaptics\SynTP\SynTPLpr.exe
HKLM-Run-SynTPEnh - c:\program files\Synaptics\SynTP\SynTPEnh.exe
HKLM-Run-IntelWireless - c:\program files\Intel\Wireless\Bin\ifrmewrk.exe
HKLM-Run-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
HKLM-Run-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-DMXLauncher - c:\program files\Dell\Media Experience\DMXLauncher.exe
HKLM-Run-WG511WLU - c:\program files\NETGEAR\WG511\Utility\WG511WLU.exe
HKLM-Run-dla - c:\windows\system32\dla\tfswctrl.exe
HKLM-Run-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
HKLM-Run-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-Symantec PIF AlertEng - c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
HKLM-Run-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Ry eyedoc\Application Data\Mozilla\Firefox\Profiles\8hoylbbu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/|http://facebook.com/http://eyecare.ico.edu
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 18:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2956)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-22 18:12
ComboFix-quarantined-files.txt 2009-07-22 23:11
ComboFix2.txt 2009-07-22 20:55

Pre-Run: 17,080,385,536 bytes free
Post-Run: 17,042,587,648 bytes free

296 --- E O F --- 2009-07-16 15:50

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 PM

Posted 23 July 2009 - 12:23 AM

Hi ryeyedoc,

Now let's look for lingering malware.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 ryeyedoc

ryeyedoc
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:27 PM

Posted 23 July 2009 - 02:57 PM

SifuMike,

Here are the results from the Kaspersky scan.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 23, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 23, 2009 12:45:34
Records in database: 2520102
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 90342
Threat name: 6
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 03:42:58


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACdlamtbosienrqrdyi.sys.vir Infected: Rootkit.Win32.Agent.mih 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjgruilblldblh.dll.vir Infected: Trojan.Win32.Agent.crez 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACaoqyrmculmfujkdtg.dll.vir Infected: Trojan.Win32.TDSS.adzz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACkbmrwkdethvpoumio.dll.vir Infected: Trojan.Win32.Agent2.kyk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnfvufcakdwqaobcek.dll.vir Infected: Trojan.Win32.TDSS.aekg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnwynrmjlgonpqjgwq.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACudoyxthsipfsnillt.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000003.dll Infected: Trojan.Win32.Agent.crez 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000004.sys Infected: Rootkit.Win32.Agent.mih 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000005.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000006.dll Infected: Trojan.Win32.Agent2.kyk 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000007.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000008.dll Infected: Trojan.Win32.TDSS.adzz 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000009.dll Infected: Trojan.Win32.TDSS.aekg 1

The selected area was scanned.

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 PM

Posted 23 July 2009 - 03:08 PM

Hi ryeyedoc,

Looks good. :thumbup2:

Kaspersky found previously quarantined files and previously deleted files in the System Restore folder. We will be getting rid of those shortly.

I think we have you clean. :) Please tell me how the computer is running.

We still have to do some program clean up.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
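Every hit in the Kaspersky report above sits either under ComboFix's quarantine folder (C:\Qoobox\Quarantine) or inside a System Restore point, which is why the reply reads the result as clean. The following added example (not from this thread, ComboFix or Kaspersky) parses lines in the report's "File name / Threat name / Threats count" layout and sorts each hit by where it lives; the sample report is constructed from three lines of the posted report plus one invented live-file line so the "still active" case is exercised.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the layout of the Kaspersky Online Scanner 7.0 report
# posted in this thread. The first three detection lines are copied from that
# report; the last one is a constructed (not real) hit outside any quarantine or
# restore-point folder, added only to show how a live file would be triaged.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACdlamtbosienrqrdyi.sys.vir Infected: Rootkit.Win32.Agent.mih 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACnfvufcakdwqaobcek.dll.vir Infected: Trojan.Win32.TDSS.aekg 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000009.dll Infected: Trojan.Win32.TDSS.aekg 1
C:\WINDOWS\system32\CONSTRUCTED_example.dll Infected: Packed.Win32.Tdss.m 1

The selected area was scanned.
"""

# One detection line: "<path> Infected: <threat name> <count>". The path may
# contain spaces, so it is matched non-greedily up to the verdict keyword.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> list[Detection]:
    """Extract the per-file detection lines; header and footer lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["verdict"], m["threat"], int(m["count"])))
    return found


def classify(path: str) -> str:
    """Where a hit sits decides how urgent it is.

    ComboFix moves what it removes into C:\\Qoobox\\Quarantine (renamed *.vir),
    and Windows keeps copies of replaced files in System Restore points. Neither
    is executed any more, so they are cleanup items; anything else is live.
    """
    p = path.lower().replace("/", "\\")
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "system-restore"
    return "live"


def triage(text: str) -> dict:
    """Summarise a report: totals per location, per threat name, and live paths."""
    dets = parse_report(text)
    by_location = Counter(classify(d.path) for d in dets)
    threats = Counter(d.threat for d in dets)
    live = [d.path for d in dets if classify(d.path) == "live"]
    return {
        "detections": len(dets),
        "by_location": dict(by_location),
        "threats": dict(threats),
        "live": live,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the report actually posted above, the "live" list comes back empty; a non-empty list is the signal that removal is not finished.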

#11 ryeyedoc

ryeyedoc
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:27 PM

Posted 23 July 2009 - 03:16 PM

SifuMike,

After running the ComboFix scan twice yesterday I immediately noticed improvement! Things seem like they're getting back to normal.

Let me know what the next step is.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 PM

Posted 23 July 2009 - 03:27 PM

Hi ryeyedoc,

The next step is program clean up. :)

Delete Security Check and ComboFix (you renamed it Disney) from your desktop.

Please download OTC and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


If your time is still set to military time, then reset the military time to standard time format:

Click Start>Control Panel>Regional and Language Options
Click the Customize button
Select the Time tab.
Reset to preferred time format, click Apply and OK.
or
Open the Control Panel> Date, Time, Language and Regional Options> Select the Regional Options tab> Next to the box that shows your selected language click Customize> Click the Time tab> In the Time Format box enter: Standard Format: "h:mm:ss:tt"
or
In case the clock settings weren't restored, Go to your control panel and choose Date,Time, language & region Options > Regional and Language options (this in normal XP view)
When in classic view, select Regional and Language options.
Under the tab Regional options > standards and formats, from the dropdown list, choose your region > click apply and ok.



Please read and follow

Simple and easy ways to keep your computer safe and secure on the Internet
as well
Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again, as well as
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.


Now you're good to go. :thumbup2:

#13 ryeyedoc

ryeyedoc
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:27 PM

Posted 23 July 2009 - 09:31 PM

SifuMike,

I can't thank you enough for your help. Prior to this I was wasting time with scans that seemed to be doing nothing except causing me headaches and frustration. I certainly appreciate your time and expert knowledge!!


:thumbup2:

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 PM

Posted 23 July 2009 - 10:01 PM

Thank you for the kind words.
It's always nice to hear that someone appreciates the help we are giving. :thumbup2:

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:27 PM

Posted 31 July 2009 - 09:01 PM

Since your problem appears to be resolved, this thread will now be closed.