Unknown trojan on computer


9 replies to this topic

#1 Half

Half

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 20 July 2009 - 04:23 PM

Malwarebytes finds 1 entry, but asks to remove it on reboot. On reboot the entry is different.
Here is the current Malwarebytes item found: "Trojan.Agent, File, c:\Windows\system32\uacinit.dll"

Originally Malwarebytes was blocked from running (had to rename the exe) and Spybot will not run at all.

On reboot, PeerGuardian blocks the following:
DoubleClick, INC
Beyond the Network America
Mercury Interactive (Israel)
Savvis, LTD
Inktom corp.

Thanks for any help you can offer
==================================


DDS (Ver_09-06-26.01) - NTFSx86
Run by BOC at 17:08:52.78 on Mon 07/20/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1194 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
M:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
svchost
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\vmnetdhcp.exe
M:\Program Files\VMware\vmware-authd.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\BOC\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\BOC\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {18D9BBBC-2E0F-4FBE-AB00-6A639B8B2A32} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {54EDF2AD-B263-4F6D-A0B1-A82022535B80} - No File
BHO: {62554E5B-DFBF-4F6B-8E5A-F6524BFABC02} - No File
BHO: {790E552A-72A8-4928-98B7-59458AEF908D} - No File
BHO: {8CC1DAC3-C6E2-49AE-A71D-1834171EA4FB} - No File
BHO: {a3b0097f-4580-4811-b15f-1857d3f19fc7} - No File
BHO: {A4CD59EA-2E00-4011-8E66-87AE1BFFD7F4} - No File
BHO: {A67488D6-C1FD-4747-8AC3-E316BC0D632A} - No File
BHO: {CE6CECF3-DF89-483D-B4C2-97AD0E291506} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E9EAA51F-2CB7-44EB-B41A-A60F4683C62D} - No File
BHO: {F38F3C7F-8A7C-4372-B8CA-A58FB56AAED6} - No File
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\boc\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [PeerGuardian] m:\program files\peerguardian2\pg2.exe
mRun: [EasyTuneV] c:\program files\gigabyte\et5\GUI.exe
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [hpbdfawep] c:\program files\hp\dfawep\bin\hpbdfawep.exe 1
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Add to Evernote - i:\evernote\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - i:\evernote\enbar.dll
LSP: m:\program files\vmware\vsocklib.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mygmgw.gm.com/http://usabhemama16.mail.gm.com/iNotes6W.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: geBtQjkK - geBtQjkK.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: pmnoNFwT - pmnoNFwT.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,aeymew.dll,vtxvms.dll,ppfqqe.dll,vfqxut.dll,dqwqir.dll,ucmsby.dll,farqju.dll,yxewrp.dll,avgrsstx.dll aksvsl.dll c:\progra~1\google\google~1\GOEC62~1.DLL iklswi.dll jeghzx.dll icoyiu.dll cyhute.dll gtohvp.dll kjneqh.dll djsyrt.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {38101905-d80f-4788-96f6-986a8186178a} - c:\windows\system32\flashd32.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvVLCSl

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boc\applic~1\mozilla\firefox\profiles\2gmeve4h.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\boc\application data\mozilla\firefox\profiles\2gmeve4h.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\boc\application data\mozilla\firefox\profiles\2gmeve4h.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\boc\application data\mozilla\firefox\profiles\2gmeve4h.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\boc\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npSeaTools_EN.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: m:\program files\quicktime\plugins\npqtplugin.dll
FF - plugin: m:\program files\quicktime\plugins\npqtplugin2.dll
FF - plugin: m:\program files\quicktime\plugins\npqtplugin3.dll
FF - plugin: m:\program files\quicktime\plugins\npqtplugin4.dll
FF - plugin: m:\program files\quicktime\plugins\npqtplugin5.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-12 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-12 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-5 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-3-21 1247600]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R3 MarkFun_NT;MarkFun_NT;c:\program files\gigabyte\et5\MARKFUN.W32 [2007-3-21 17912]
S2 dwmeeblm;dwmeeblm;c:\windows\system32\drivers\cclui.sys --> c:\windows\system32\drivers\cclui.sys [?]
S2 qlvoxb;qlvoxb;c:\windows\system32\drivers\fzvnds.sys --> c:\windows\system32\drivers\fzvnds.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 284016]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-5-20 29744]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [2009-7-12 320384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2009-07-16 09:44 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2009-07-16 09:44 452,440 a------- c:\windows\system32\d3dx10_40.dll
2009-07-16 09:44 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2009-07-16 09:44 <DIR> --d----- c:\windows\Logs
2009-07-12 16:48 320,384 a------- c:\windows\system32\drivers\mgaum.sys
2009-07-12 16:48 235,648 a------- c:\windows\system32\mgaud.dll
2009-07-12 16:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-07-12 16:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 15:36 4,224 ac------ c:\windows\system32\dllcache\beep.sys
2009-07-12 15:36 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-07-12 00:49 2 a------- c:\windows\0101120101464849.dat
2009-07-12 00:49 2 a------- c:\windows\010112010146118114.dat
2009-07-12 00:49 2 a------- C:\79067883
2009-07-12 00:48 40,960 ---shr-- c:\windows\system32\flashd32.dll
2009-07-12 00:48 110,592 a------- c:\windows\system32\net.net
2009-06-30 16:28 139,264 a------- c:\windows\War3Unin.exe
2009-06-30 16:28 76,578 a------- c:\windows\War3Unin.dat
2009-06-30 16:28 2,829 a------- c:\windows\War3Unin.pif

==================== Find3M ====================

2009-07-12 22:07 98,304 a------- c:\windows\DUMPcd91.tmp
2009-07-12 22:03 98,304 a------- c:\windows\DUMPd11b.tmp
2009-07-12 21:33 98,304 a------- c:\windows\DUMPd60c.tmp
2009-07-12 20:08 98,304 a------- c:\windows\DUMPd040.tmp
2009-07-05 18:54 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-10 09:23 11,952 a------- c:\windows\system32\avgrsstx.dll
2008-05-29 20:50 1,048,576 a------- c:\program files\6a79lg0d.0
2008-05-29 20:48 71,703 a------- c:\program files\bios.ini
2008-05-29 20:48 528 a------- c:\program files\CONFIG.INI
2008-05-29 20:48 29 a------- c:\program files\new_ver.ini
2008-02-14 14:28 29 a------- c:\program files\version.ini
2008-02-14 14:23 231,944 a------- c:\program files\gwflash.exe
2007-11-13 23:50 87,608 a------- c:\docume~1\boc\applic~1\inst.exe
2007-11-13 23:50 47,360 a------- c:\docume~1\boc\applic~1\pcouffin.sys
2007-09-21 19:42 19,008 a------- c:\program files\markfun.a64
2007-08-21 19:49 17,912 a------- c:\program files\markfun.w32
2007-04-05 04:31 248,640 a------- c:\program files\update.exe
2007-04-04 18:35 207,680 a------- c:\program files\updateutility.exe
2007-03-30 04:36 301 a------- c:\program files\update.ini
2007-03-02 04:48 240,448 a------- c:\program files\gwf32.exe
2006-11-23 23:47 207,680 a------- c:\program files\BIOS_Run.exe
2005-04-27 19:40 6,800 a------- c:\program files\W95_HUA.vxd
2008-12-14 12:31 885,433 a--sh--- c:\windows\system32\cfhQtBeg.ini2
2009-02-07 02:37 31,321 a--sh--- c:\windows\system32\lSCLVvut.ini2

============= FINISH: 17:10:40.26 ===============
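The entries a responder keys on in the DDS log above (random-named Winlogon Notify DLLs, bare AppInit_DLLs entries, an extra LSA authentication package, drivers DDS could not stat, and newly created system+hidden files in system32) can be pulled out of a DDS report mechanically. This is an added Python triage example, not code from DDS, ComboFix or the thread; its sample lines are constructed from the log above, and the heuristics (is_bare, mixed_case_runs, the msv1_0 allowlist) are the example's own assumptions.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the kinds of entries in the DDS log
# above (Winlogon Notify, AppInit_DLLs, LSA, drivers, created files).
SAMPLE_DDS = r"""
Notify: avgrsstarter - avgrsstx.dll
Notify: geBtQjkK - geBtQjkK.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
Notify: pmnoNFwT - pmnoNFwT.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,aeymew.dll,vtxvms.dll,ppfqqe.dll avgrsstx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\tuvVLCSl
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-12 335752]
S2 dwmeeblm;dwmeeblm;c:\windows\system32\drivers\cclui.sys --> c:\windows\system32\drivers\cclui.sys [?]
S2 qlvoxb;qlvoxb;c:\windows\system32\drivers\fzvnds.sys --> c:\windows\system32\drivers\fzvnds.sys [?]
2009-07-12 00:48 40,960 ---shr-- c:\windows\system32\flashd32.dll
2009-07-12 00:48 110,592 a------- c:\windows\system32\net.net
2008-12-14 12:31 885,433 a--sh--- c:\windows\system32\cfhQtBeg.ini2
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # which persistence point the entry came from
    item: str   # the DLL, package, service or file flagged
    why: str    # one-line reason a responder would look at it


# Assumption: msv1_0 is the only authentication package a stock XP box lists.
KNOWN_LSA_PACKAGES = {"msv1_0"}
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);")
FILE_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+(?P<attr>\S{8})\s+(?P<path>.+)$")


def is_bare(path: str) -> bool:
    """A DLL given with no directory is resolved through the loader search
    path; the random-named entries in the log are all listed this way."""
    return "\\" not in path and "/" not in path


def mixed_case_runs(name: str) -> int:
    """Count lower->upper switches inside a name (heuristic): generated names
    such as geBtQjkK have several, ordinary product file names almost none."""
    return sum(1 for a, b in zip(name, name[1:]) if a.islower() and b.isupper())


def triage_dds(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Notify:"):
            # "Notify: <registry key> - <dll>"
            key, _, dll = line[len("Notify:"):].strip().partition(" - ")
            stem = dll.rsplit(".", 1)[0]
            if is_bare(dll) and (key == stem or mixed_case_runs(stem) > 0):
                findings.append(Finding("winlogon_notify", dll,
                                        "bare, random-looking Winlogon Notify DLL"))
        elif line.startswith("AppInit_DLLs:"):
            # Entries are comma- or space-separated; bare names are the suspect ones.
            for entry in re.split(r"[,\s]+", line[len("AppInit_DLLs:"):]):
                if entry and is_bare(entry):
                    findings.append(Finding("appinit_dlls", entry,
                                            "AppInit_DLLs entry loaded into every user32 process"))
        elif line.startswith("LSA: Authentication Packages"):
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(Finding("lsa_auth_package", pkg,
                                            "extra LSA authentication package, loaded into lsass"))
        elif (m := SERVICE_LINE.match(line)) and line.endswith("[?]"):
            # "[?]" is DDS's marker for a driver file it could not stat on disk.
            findings.append(Finding("driver_no_file_info", m["name"],
                                    "driver/service whose file DDS could not stat"))
        elif (m := FILE_LINE.match(line)) and {"s", "h"} <= set(m["attr"]):
            findings.append(Finding("hidden_system_file", m["path"],
                                    "recently created file with system+hidden attributes"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.kind}] {f.item}: {f.why}")
    print(summarize(triage_dds(SAMPLE_DDS)))
```

The output of the heuristics is a starting list for inspection, not a verdict: avgrsstx.dll is also bare in both AppInit_DLLs and Notify and belongs to AVG, which is why it is kept out of the Notify hits but still listed under AppInit_DLLs.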


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:58 PM

Posted 22 July 2009 - 03:20 PM

Hello Half,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

*****************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


To disable Spybot's Teatimer:
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Half

Half
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 22 July 2009 - 05:55 PM

Thank you for your time.
Below is the checkup.txt log.

I tried to run ComboFix, but it will not run. Windows asks me if I really want to run the program, I click yes, and then nothing happens (I waited for a while and watched my HD light). Just to check, I renamed the file to "cfix.exe" and the same thing happened.


Results of screen317's Security Check version 0.98.5
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
AVG Free 8.5


WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Ad-Aware
Spybot - Search & Destroy 1.4
Spybot - Search & Destroy
Malwarebytes' Anti-Malware
HijackThis 2.0.2
TuneUp Utilities 2008
CCleaner (remove only)
DH Driver Cleaner.NET
Java™ 6 Update 12
Java™ 6 Update 3
Java™ 6 Update 5
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
Spybot SDHelper is disabled!
Spybot - Search & Destroy TeaTimer.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:58 PM

Posted 22 July 2009 - 06:28 PM

Hi Half,


Please do not rename ComboFix yourself. That just makes my job more difficult.

Uninstall Spybot - Search & Destroy 1.4



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 12
    Java 6 Update 3
    Java 6 Update 5
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.
*****************



Delete the version of ComboFix (you renamed it "cfix.exe") you have on your desktop.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2



You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


To disable Spybot's Teatimer:
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Edited by SifuMike, 22 July 2009 - 06:30 PM.


#5 Half

Half
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 22 July 2009 - 08:39 PM

For the record, I only renamed it to cfix.exe after initially trying it, and renamed it back afterwards =[

Initially, all 3 of the internet browsers on my computer wouldn't go to the Java website. I was able to download it on another computer and put the install file on my computer, but was getting a file unzipping error.

So I followed the rest of the instructions, and combo-fix.exe was able to run. After the reboots, I am still getting the following error when trying to install Java: "error 25099 unzipping core files failed"

Thank you so much for your help. I really appreciate it. Below is the log from ComboFix.

ComboFix 09-07-22.01 - BOC 07/22/2009 21:19.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1622 [GMT -4:00]
Running from: c:\documents and settings\BOC\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\BOC\Application Data\inst.exe
c:\program files\update.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\aidehlda.ini
c:\windows\system32\ajttkgwi.ini
c:\windows\system32\bawlyfig.ini
c:\windows\system32\brikwkjt.ini
c:\windows\system32\cfhQtBeg.ini
c:\windows\system32\cfhQtBeg.ini2
c:\windows\system32\cflfqwyx.ini
c:\windows\system32\drivers\UAClsrhnpsdotdwxyuoy.sys
c:\windows\system32\egfgmoqo.ini
c:\windows\system32\ejimaims.ini
c:\windows\system32\lSCLVvut.ini
c:\windows\system32\lSCLVvut.ini2
c:\windows\system32\mqbusnol.ini
c:\windows\system32\net.net
c:\windows\system32\oqkmtaft.ini
c:\windows\system32\qpeastyc.ini
c:\windows\system32\UACaryaltxdduhthpunw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACmwdaltfgquptbqsbg.dll
c:\windows\system32\UACnbkxcpjbcrhyalqil.db
c:\windows\system32\UAConkfyxprofklwnkor.dll
c:\windows\system32\UACqqjeiuhwfxaokxqpv.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACukijmiqjlaupsccgp.dll
c:\windows\system32\UACxygklesinlhaqghds.dat
c:\windows\system32\uufoeqlf.ini
c:\windows\system32\vkschelb.ini
c:\windows\system32\xykxbqev.ini

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2025-06-27 05:49 . 2025-06-27 05:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2025-06-27 05:29 . 2025-06-27 05:44 -------- d-----w- c:\windows\NV348712.TMP
2009-07-23 01:25 . 2009-07-23 01:25 -------- d-----w- c:\documents and settings\BOC\Local Settings\Application Data\Temp
2009-07-23 01:23 . 2004-08-04 05:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-23 01:23 . 2004-08-04 05:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-16 13:44 . 2008-10-10 08:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-16 13:44 . 2008-10-10 08:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-16 13:44 . 2008-10-10 08:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-16 13:44 . 2009-07-16 13:44 -------- d-----w- c:\windows\Logs
2009-07-12 20:48 . 2001-08-17 18:56 235648 ----a-w- c:\windows\system32\mgaud.dll
2009-07-12 20:48 . 2001-08-17 16:50 320384 ----a-w- c:\windows\system32\drivers\mgaum.sys
2009-07-12 20:08 . 2009-02-11 14:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 20:08 . 2009-02-11 14:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 19:36 . 2008-04-14 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-07-12 19:36 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-06-30 20:28 . 2009-06-30 21:19 76578 ----a-w- c:\windows\War3Unin.dat
2009-06-30 20:28 . 2009-06-30 21:08 2829 ----a-w- c:\windows\War3Unin.pif
2009-06-30 20:28 . 2009-06-30 21:08 139264 ----a-w- c:\windows\War3Unin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 01:26 . 2009-05-22 01:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-07-23 01:25 . 2009-05-22 01:41 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\VMware
2009-07-23 01:15 . 2007-04-21 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 01:09 . 2008-11-20 02:11 -------- d-----w- c:\documents and settings\BOC\Application Data\.purple
2009-07-23 01:03 . 2008-01-22 01:37 -------- d-----w- c:\program files\Java
2009-07-23 00:52 . 2008-12-07 18:37 -------- d-----w- c:\documents and settings\BOC\Application Data\gtk-2.0
2009-07-23 00:39 . 2007-04-21 15:35 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2009-07-22 11:21 . 2008-12-12 23:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-13 02:07 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPcd91.tmp
2009-07-13 02:03 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd11b.tmp
2009-07-13 01:33 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd60c.tmp
2009-07-13 00:08 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd040.tmp
2009-07-12 04:50 . 2007-04-08 03:26 -------- d-----w- c:\documents and settings\BOC\Application Data\uTorrent
2009-07-05 22:54 . 2008-12-12 23:02 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 05:00 . 2009-05-22 02:21 -------- d-----w- c:\documents and settings\BOC\Application Data\VMware
2009-06-20 01:58 . 2008-09-15 22:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-19 03:09 . 2007-04-20 03:19 -------- d-----w- c:\program files\MediaMonkey
2009-06-17 18:16 . 2008-12-12 23:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 21:30 . 2009-01-19 06:43 -------- d-----w- c:\program files\uTorrent
2009-05-27 05:56 . 2007-04-08 04:50 -------- d-----w- c:\program files\Warcraft III
2009-05-25 21:53 . 2007-11-14 03:50 -------- d-----w- c:\documents and settings\BOC\Application Data\Vso
2009-05-21 15:33 . 2009-02-13 23:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 13:23 . 2009-02-05 21:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2008-05-30 00:50 . 2008-05-30 00:50 1048576 ----a-w- c:\program files\6a79lg0d.0
2008-05-30 00:48 . 2008-05-30 00:48 71703 ----a-w- c:\program files\bios.ini
2008-05-30 00:48 . 2006-11-03 22:09 528 ----a-w- c:\program files\CONFIG.INI
2008-05-30 00:48 . 2008-05-30 00:48 29 ----a-w- c:\program files\new_ver.ini
2008-02-14 18:28 . 2008-02-14 18:28 29 ----a-w- c:\program files\version.ini
2008-02-14 18:23 . 2008-02-14 18:23 231944 ----a-w- c:\program files\gwflash.exe
2007-09-21 23:42 . 2007-09-21 23:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-21 23:49 . 2007-08-21 23:49 17912 ----a-w- c:\program files\markfun.w32
2007-04-04 22:35 . 2007-04-04 22:35 207680 ----a-w- c:\program files\updateutility.exe
2007-03-30 08:36 . 2007-03-30 08:36 301 ----a-w- c:\program files\update.ini
2007-03-02 08:48 . 2007-03-02 08:48 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 03:47 . 2006-11-24 03:47 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-27 23:40 . 2005-04-27 23:40 6800 ----a-w- c:\program files\W95_HUA.vxd
2009-06-30 20:04 . 2008-06-18 01:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-03 23:03 . 2007-05-20 16:31 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-30 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]
"PeerGuardian"="m:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2008-06-02 207680]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-03 29744]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-09 77824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-5 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 14:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\GWF32.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"m:\\Program Files\\VMware\\vmware-authd.exe"=
"i:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/12/2008 7:02 PM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/5/2009 5:33 PM 298776]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
S2 dwmeeblm;dwmeeblm;c:\windows\system32\drivers\cclui.sys --> c:\windows\system32\drivers\cclui.sys [?]
S2 qlvoxb;qlvoxb;c:\windows\system32\drivers\fzvnds.sys --> c:\windows\system32\drivers\fzvnds.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/20/2007 12:31 PM 29744]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [7/12/2009 4:48 PM 320384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MARKFUN_NT
*NewlyCreated* - PGFILTER
*Deregistered* - MarkFun_NT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
- - - - ORPHANS REMOVED - - - -

BHO-{18D9BBBC-2E0F-4FBE-AB00-6A639B8B2A32} - (no file)
BHO-{54EDF2AD-B263-4F6D-A0B1-A82022535B80} - (no file)
BHO-{62554E5B-DFBF-4F6B-8E5A-F6524BFABC02} - (no file)
BHO-{790E552A-72A8-4928-98B7-59458AEF908D} - (no file)
BHO-{8CC1DAC3-C6E2-49AE-A71D-1834171EA4FB} - (no file)
BHO-{a3b0097f-4580-4811-b15f-1857d3f19fc7} - (no file)
BHO-{A4CD59EA-2E00-4011-8E66-87AE1BFFD7F4} - (no file)
BHO-{A67488D6-C1FD-4747-8AC3-E316BC0D632A} - (no file)
BHO-{CE6CECF3-DF89-483D-B4C2-97AD0E291506} - (no file)
BHO-{E9EAA51F-2CB7-44EB-B41A-A60F4683C62D} - (no file)
BHO-{F38F3C7F-8A7C-4372-B8CA-A58FB56AAED6} - (no file)
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
ShellExecuteHooks-{38101905-D80F-4788-96F6-986A8186178A} - c:\windows\system32\flashd32.dll
Notify-geBtQjkK - geBtQjkK.dll
Notify-pmnoNFwT - pmnoNFwT.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Evernote - i:\evernote\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: m:\program files\VMware\vsocklib.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\docume~1\BOC\APPLIC~1\Mozilla\Firefox\Profiles\2gmeve4h.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npSeaTools_EN.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin2.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin3.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin4.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin5.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-22 21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1801674531-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:df,f1,6b,48,ec,6b,d4,85,f4,b0,45,22,17,85,aa,50,23,a1,98,d0,55,31,0d,
7d,36,2c,f1,2c,04,8e,07,89,78,01,a3,ec,33,86,53,ae,cb,4c,34,4d,97,44,bf,2c,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-1177238915-1801674531-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:33,00,ce,bb,e7,77,70,b7,ac,ff,e3,f1,d4,1a,2a,7e,50,8a,9e,bb,a5,
e2,c7,63,6a,b8,5c,eb,c6,91,ff,88,5c,a5,ac,86,12,4e,83,b5,7a,92,26,2c,ae,f2,\
"rkeysecu"=hex:cd,70,55,eb,4b,f0,26,c5,12,e3,b6,19,48,e5,01,82
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(368)
c:\docume~1\BOC\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\vmnetdhcp.exe
m:\program files\VMware\vmware-authd.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-23 21:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-23 01:29

Pre-Run: 17,103,273,984 bytes free
Post-Run: 16,959,545,344 bytes free

359 --- E O F --- 2008-05-16 07:01

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 22 July 2009 - 09:31 PM

Hi Half,

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED

With malware infections being as they are today, it's necessary to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

#7 Half (Topic Starter, Members, 5 posts)

Posted 23 July 2009 - 08:44 PM

AVG background scanner gave me some troubles initially: I couldn't disable it, couldn't manually end the process, and ended up uninstalling it.

Here is the log.

ComboFix 09-07-23.02 - BOC 07/23/2009 21:30.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1547 [GMT -4:00]
Running from: c:\documents and settings\BOC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\BOC\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BOC\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\BOC\Local Settings\temp\IadHide5.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2025-06-27 06:51 . 2025-06-27 07:37 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2025-06-27 05:49 . 2025-06-27 05:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2025-06-27 05:29 . 2025-06-27 05:44 -------- d-----w- c:\windows\NV348712.TMP
2009-07-23 01:25 . 2009-07-23 01:25 -------- d-----w- c:\documents and settings\BOC\Local Settings\Application Data\Temp
2009-07-23 01:23 . 2004-08-04 05:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-23 01:23 . 2004-08-04 05:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-23 00:57 . 2009-07-23 01:38 152576 ----a-w- c:\documents and settings\BOC\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-20 01:26 . 2009-07-05 22:54 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-16 13:44 . 2008-10-10 08:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-16 13:44 . 2008-10-10 08:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-16 13:44 . 2008-10-10 08:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-16 13:44 . 2009-07-16 13:44 -------- d-----w- c:\windows\Logs
2009-07-12 20:48 . 2001-08-17 18:56 235648 ----a-w- c:\windows\system32\mgaud.dll
2009-07-12 20:48 . 2001-08-17 16:50 320384 ----a-w- c:\windows\system32\drivers\mgaum.sys
2009-07-12 20:08 . 2009-02-11 14:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 20:08 . 2009-02-11 14:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 19:36 . 2008-04-14 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-07-12 19:36 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-09 20:29 . 2009-07-05 22:54 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-06-30 20:28 . 2009-06-30 21:19 76578 ----a-w- c:\windows\War3Unin.dat
2009-06-30 20:28 . 2009-06-30 21:08 2829 ----a-w- c:\windows\War3Unin.pif
2009-06-30 20:28 . 2009-06-30 21:08 139264 ----a-w- c:\windows\War3Unin.exe
2009-06-30 19:49 . 2009-06-30 19:49 1878984 ----a-w- c:\documents and settings\BOC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-27 03:35 . 2009-07-05 22:54 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 01:35 . 2009-05-22 01:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-07-24 01:35 . 2009-05-22 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-07-24 01:13 . 2008-12-12 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-23 01:55 . 2007-04-21 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-23 01:15 . 2007-04-21 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 01:09 . 2008-11-20 02:11 -------- d-----w- c:\documents and settings\BOC\Application Data\.purple
2009-07-23 01:03 . 2008-01-22 01:37 -------- d-----w- c:\program files\Java
2009-07-23 00:52 . 2008-12-07 18:37 -------- d-----w- c:\documents and settings\BOC\Application Data\gtk-2.0
2009-07-13 02:07 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPcd91.tmp
2009-07-13 02:03 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd11b.tmp
2009-07-13 01:33 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd60c.tmp
2009-07-13 00:08 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd040.tmp
2009-07-12 04:50 . 2007-04-08 03:26 -------- d-----w- c:\documents and settings\BOC\Application Data\uTorrent
2009-07-05 22:54 . 2008-12-12 23:02 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 05:00 . 2009-05-22 02:21 -------- d-----w- c:\documents and settings\BOC\Application Data\VMware
2009-06-20 01:58 . 2008-09-15 22:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-19 03:09 . 2007-04-20 03:19 -------- d-----w- c:\program files\MediaMonkey
2009-06-17 18:16 . 2008-12-12 23:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 21:30 . 2009-01-19 06:43 -------- d-----w- c:\program files\uTorrent
2009-05-27 05:56 . 2007-04-08 04:50 -------- d-----w- c:\program files\Warcraft III
2009-05-25 21:53 . 2007-11-14 03:50 -------- d-----w- c:\documents and settings\BOC\Application Data\Vso
2009-05-21 15:33 . 2009-02-13 23:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 13:23 . 2009-02-05 21:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2008-05-30 00:50 . 2008-05-30 00:50 1048576 ----a-w- c:\program files\6a79lg0d.0
2008-05-30 00:48 . 2008-05-30 00:48 71703 ----a-w- c:\program files\bios.ini
2008-05-30 00:48 . 2006-11-03 22:09 528 ----a-w- c:\program files\CONFIG.INI
2008-05-30 00:48 . 2008-05-30 00:48 29 ----a-w- c:\program files\new_ver.ini
2008-02-14 18:28 . 2008-02-14 18:28 29 ----a-w- c:\program files\version.ini
2008-02-14 18:23 . 2008-02-14 18:23 231944 ----a-w- c:\program files\gwflash.exe
2007-09-21 23:42 . 2007-09-21 23:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-21 23:49 . 2007-08-21 23:49 17912 ----a-w- c:\program files\markfun.w32
2007-04-04 22:35 . 2007-04-04 22:35 207680 ----a-w- c:\program files\updateutility.exe
2007-03-30 08:36 . 2007-03-30 08:36 301 ----a-w- c:\program files\update.ini
2007-03-02 08:48 . 2007-03-02 08:48 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 03:47 . 2006-11-24 03:47 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-27 23:40 . 2005-04-27 23:40 6800 ----a-w- c:\program files\W95_HUA.vxd
2009-06-30 20:04 . 2008-06-18 01:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-03 23:03 . 2007-05-20 16:31 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-23_01.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-24 01:19 . 2009-07-24 01:19 16384 c:\windows\Temp\Perflib_Perfdata_bd0.dat
+ 2009-07-24 01:35 . 2009-07-24 01:35 16384 c:\windows\Temp\Perflib_Perfdata_bc0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-30 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2008-06-02 207680]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-5 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 14:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\GWF32.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"m:\\Program Files\\VMware\\vmware-authd.exe"=
"i:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/12/2008 7:02 PM 335752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/5/2009 5:33 PM 298776]
S2 dwmeeblm;dwmeeblm;c:\windows\system32\drivers\cclui.sys --> c:\windows\system32\drivers\cclui.sys [?]
S2 qlvoxb;qlvoxb;c:\windows\system32\drivers\fzvnds.sys --> c:\windows\system32\drivers\fzvnds.sys [?]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/20/2007 12:31 PM 29744]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [7/12/2009 4:48 PM 320384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MARKFUN_NT
*Deregistered* - MarkFun_NT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-07-24 c:\windows\Tasks\1-Click Maintenance.job
- i:\tuneup utilities\OneClickStarter.exe [2008-02-27 17:44]

2009-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1801674531-725345543-1003Core.job
- c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 23:48]

2009-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1801674531-725345543-1003UA.job
- c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 23:48]

2009-07-22 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Evernote - i:\evernote\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: m:\program files\VMware\vsocklib.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}\platform\WINNT_x86-msvc\components\enbar3.dll
FF - component: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npSeaTools_EN.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin2.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin3.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin4.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin5.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1801674531-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:df,f1,6b,48,ec,6b,d4,85,f4,b0,45,22,17,85,aa,50,23,a1,98,d0,55,31,0d,
7d,36,2c,f1,2c,04,8e,07,89,78,01,a3,ec,33,86,53,ae,cb,4c,34,4d,97,44,bf,2c,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-1177238915-1801674531-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:33,00,ce,bb,e7,77,70,b7,ac,ff,e3,f1,d4,1a,2a,7e,50,8a,9e,bb,a5,
e2,c7,63,6a,b8,5c,eb,c6,91,ff,88,5c,a5,ac,86,12,4e,83,b5,7a,92,26,2c,ae,f2,\
"rkeysecu"=hex:cd,70,55,eb,4b,f0,26,c5,12,e3,b6,19,48,e5,01,82
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3168)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\rundll32.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\vmnetdhcp.exe
m:\program files\VMware\vmware-authd.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-24 21:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 01:39
ComboFix2.txt 2009-07-23 01:29

Pre-Run: 16,918,753,280 bytes free
Post-Run: 16,866,623,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

327 --- E O F --- 2008-05-16 07:01

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:58 PM

Posted 23 July 2009 - 09:55 PM

Hi Half,

You need to disable your AVG Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


To disable Spybot's Teatimer:
Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

Click Start, then Run, type Notepad and click OK.
Open Notepad; don't use any text editor other than Notepad or the script will fail.
Copy/paste the text in the code box below into Notepad:

File:: 
c:\windows\system32\drivers\fzvnds.sys 
c:\windows\system32\drivers\cclui.sys

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Driver:: 
qlvoxb
dwmeeblm


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript.txt onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
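As an added example (not from this thread, and not a ComboFix tool): a small Python script that pulls out of a ComboFix log the three indicators the CFScript above acts on, namely services whose binary is missing on disk (the `path --> path [?]` form that dwmeeblm and qlvoxb show), the Security Center notification switch, and the disabled XP firewall profile, and renders them as a draft File::/Registry::/Driver:: script. The sample log lines are constructed to match the log format in this thread; the rule thresholds and field names are my assumptions. As the post warns, a CFScript is specific to one machine, so the draft is something to review, not something to run blind.

```python
import re

# Constructed sample: a few lines in the same format as the ComboFix log
# in this thread (registry loading points plus the R#/S# service list).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/12/2008 7:02 PM 335752]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/5/2009 5:33 PM 298776]
S2 dwmeeblm;dwmeeblm;c:\windows\system32\drivers\cclui.sys --> c:\windows\system32\drivers\cclui.sys [?]
S2 qlvoxb;qlvoxb;c:\windows\system32\drivers\fzvnds.sys --> c:\windows\system32\drivers\fzvnds.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
"""

# Service line: "<R|S><start type> name;display name;path [date size]".
# A trailing "--> path [?]" means ComboFix could not find the binary.
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<info>[^\]]*)\]\s*$'
)
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<value>[^"]+)"\s*=\s*(?P<data>.+?)\s*$')


def reg_int(data):
    """Turn ComboFix's DWORD rendering ('dword:00000001' or '0 (0x0)') into an int."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return int(data.split()[0], 0)


def analyze(log_text):
    """Return a list of finding dicts for the indicators the CFScript above targets."""
    findings = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, data = m.group("value"), m.group("data")
            lname = name.lower()
            if current_key.endswith("security center") and lname == "updatesdisablenotify" and reg_int(data) == 1:
                findings.append({"kind": "security_center_notify_disabled", "key": current_key, "value": name})
            elif "security center\\monitoring\\" in current_key and lname == "disablemonitoring" and reg_int(data) == 1:
                # Third-party suites set this legitimately; treat it as corroboration only.
                findings.append({"kind": "security_center_monitoring_off", "key": current_key, "value": name})
            elif current_key.endswith("firewallpolicy\\standardprofile") and lname == "enablefirewall" and reg_int(data) == 0:
                findings.append({"kind": "firewall_disabled", "key": current_key, "value": name})
            continue
        m = SERVICE_RE.match(line)
        if m and m.group("resolved") and m.group("info").strip() == "?":
            # Service name identical to its display name is the usual random-name pattern.
            findings.append({"kind": "service_missing_binary", "name": m.group("name"),
                             "path": m.group("resolved"),
                             "random_name": m.group("name") == m.group("display")})
    return findings


def draft_cfscript(findings):
    """Render findings as the File::/Registry::/Driver:: sections used in the post above.
    This is a draft for a human to review: a CFScript deletes whatever it names."""
    missing = [f for f in findings if f["kind"] == "service_missing_binary"]
    files = sorted({f["path"] for f in missing})
    drivers = sorted({f["name"] for f in missing})
    reg = []
    for f in findings:
        if f["kind"] == "security_center_notify_disabled":
            reg.append('[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]\n'
                       '"UpdatesDisableNotify"=dword:00000000')
        elif f["kind"] == "firewall_disabled":
            reg.append('[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]\n'
                       '"EnableFirewall"=dword:00000001')
    out = []
    if files:
        out.append("File::\n" + "\n".join(files))
    if reg:
        out.append("Registry::\n" + "\n".join(reg))
    if drivers:
        out.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    print(draft_cfscript(analyze(SAMPLE_LOG)))
```

Running it on the constructed sample reproduces the File::, Registry:: and Driver:: sections of the CFScript in the post. The legitimate AVG and NPF entries are not flagged because ComboFix found their binaries and printed a date and size instead of `[?]`.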

#9 Half

Half
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 24 July 2009 - 01:07 AM

I followed your steps. Sorry to make you reply so much.
There are a lot of errors when ComboFix is just about to restart the computer (I didn't interfere).

Here is the log.

ComboFix 09-07-23.02 - BOC 07/24/2009 1:42.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1480 [GMT -4:00]
Running from: c:\documents and settings\BOC\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\BOC\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\windows\system32\drivers\cclui.sys"
"c:\windows\system32\drivers\fzvnds.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BOC\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\BOC\Local Settings\temp\IadHide5.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_dwmeeblm
-------\Service_qlvoxb


((((((((((((((((((((((((( Files Created from 2009-06-24 to 2009-07-24 )))))))))))))))))))))))))))))))
.

2025-06-27 06:51 . 2025-06-27 07:37 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2025-06-27 05:49 . 2025-06-27 05:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2025-06-27 05:29 . 2025-06-27 05:44 -------- d-----w- c:\windows\NV348712.TMP
2009-07-24 02:04 . 2009-06-27 18:35 1008896 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-24 01:54 . 2009-07-24 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-07-24 01:54 . 2009-07-24 01:54 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-24 01:54 . 2009-07-24 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-24 01:53 . 2009-07-24 01:53 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-07-24 01:53 . 2009-07-24 01:53 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-07-24 01:46 . 2009-07-24 01:46 -------- d-----w- c:\documents and settings\BOC\Application Data\AVG8
2009-07-23 01:25 . 2009-07-23 01:25 -------- d-----w- c:\documents and settings\BOC\Local Settings\Application Data\Temp
2009-07-23 01:23 . 2004-08-04 05:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-23 01:23 . 2004-08-04 05:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-23 00:57 . 2009-07-23 01:38 152576 ----a-w- c:\documents and settings\BOC\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-20 01:26 . 2009-07-05 22:54 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-16 13:44 . 2008-10-10 08:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-16 13:44 . 2008-10-10 08:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-16 13:44 . 2008-10-10 08:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-16 13:44 . 2009-07-16 13:44 -------- d-----w- c:\windows\Logs
2009-07-12 20:48 . 2001-08-17 18:56 235648 ----a-w- c:\windows\system32\mgaud.dll
2009-07-12 20:48 . 2001-08-17 16:50 320384 ----a-w- c:\windows\system32\drivers\mgaum.sys
2009-07-12 20:08 . 2009-02-11 14:19 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-12 20:08 . 2009-02-11 14:19 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 19:36 . 2008-04-14 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-07-12 19:36 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-09 20:29 . 2009-07-05 22:54 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-06-30 20:28 . 2009-06-30 21:19 76578 ----a-w- c:\windows\War3Unin.dat
2009-06-30 20:28 . 2009-06-30 21:08 2829 ----a-w- c:\windows\War3Unin.pif
2009-06-30 20:28 . 2009-06-30 21:08 139264 ----a-w- c:\windows\War3Unin.exe
2009-06-30 19:49 . 2009-06-30 19:49 1878984 ----a-w- c:\documents and settings\BOC\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-06-27 03:35 . 2009-07-05 22:54 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-24 05:49 . 2009-05-22 01:43 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-07-24 05:49 . 2009-05-22 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-07-24 01:51 . 2008-12-12 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-23 01:55 . 2007-04-21 15:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-23 01:15 . 2007-04-21 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-23 01:09 . 2008-11-20 02:11 -------- d-----w- c:\documents and settings\BOC\Application Data\.purple
2009-07-23 01:03 . 2008-01-22 01:37 -------- d-----w- c:\program files\Java
2009-07-23 00:52 . 2008-12-07 18:37 -------- d-----w- c:\documents and settings\BOC\Application Data\gtk-2.0
2009-07-13 02:07 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPcd91.tmp
2009-07-13 02:03 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd11b.tmp
2009-07-13 01:33 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd60c.tmp
2009-07-13 00:08 . 2007-03-17 07:06 98304 ----a-w- c:\windows\DUMPd040.tmp
2009-07-12 04:50 . 2007-04-08 03:26 -------- d-----w- c:\documents and settings\BOC\Application Data\uTorrent
2009-07-05 22:54 . 2008-12-12 23:02 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 05:00 . 2009-05-22 02:21 -------- d-----w- c:\documents and settings\BOC\Application Data\VMware
2009-06-20 01:58 . 2008-09-15 22:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-19 03:09 . 2007-04-20 03:19 -------- d-----w- c:\program files\MediaMonkey
2009-06-17 18:16 . 2008-12-12 23:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 21:30 . 2009-01-19 06:43 -------- d-----w- c:\program files\uTorrent
2009-05-27 05:56 . 2007-04-08 04:50 -------- d-----w- c:\program files\Warcraft III
2009-05-25 21:53 . 2007-11-14 03:50 -------- d-----w- c:\documents and settings\BOC\Application Data\Vso
2009-05-21 15:33 . 2009-02-13 23:43 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-10 13:23 . 2009-02-05 21:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2008-05-30 00:50 . 2008-05-30 00:50 1048576 ----a-w- c:\program files\6a79lg0d.0
2008-05-30 00:48 . 2008-05-30 00:48 71703 ----a-w- c:\program files\bios.ini
2008-05-30 00:48 . 2006-11-03 22:09 528 ----a-w- c:\program files\CONFIG.INI
2008-05-30 00:48 . 2008-05-30 00:48 29 ----a-w- c:\program files\new_ver.ini
2008-02-14 18:28 . 2008-02-14 18:28 29 ----a-w- c:\program files\version.ini
2008-02-14 18:23 . 2008-02-14 18:23 231944 ----a-w- c:\program files\gwflash.exe
2007-09-21 23:42 . 2007-09-21 23:42 19008 ----a-w- c:\program files\markfun.a64
2007-08-21 23:49 . 2007-08-21 23:49 17912 ----a-w- c:\program files\markfun.w32
2007-04-04 22:35 . 2007-04-04 22:35 207680 ----a-w- c:\program files\updateutility.exe
2007-03-30 08:36 . 2007-03-30 08:36 301 ----a-w- c:\program files\update.ini
2007-03-02 08:48 . 2007-03-02 08:48 240448 ----a-w- c:\program files\gwf32.exe
2006-11-24 03:47 . 2006-11-24 03:47 207680 ----a-w- c:\program files\BIOS_Run.exe
2005-04-27 23:40 . 2005-04-27 23:40 6800 ----a-w- c:\program files\W95_HUA.vxd
2009-06-30 20:04 . 2008-06-18 01:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-03 23:03 . 2007-05-20 16:31 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-23_01.26.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-24 02:08 . 2009-07-24 02:08 16384 c:\windows\Temp\Perflib_Perfdata_d78.dat
+ 2009-07-24 05:49 . 2009-07-24 05:49 16384 c:\windows\Temp\Perflib_Perfdata_c00.dat
+ 2003-03-19 00:44 . 2003-03-19 00:44 49152 c:\windows\system32\MFC71KOR.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 49152 c:\windows\system32\MFC71JPN.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 61440 c:\windows\system32\MFC71ITA.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 61440 c:\windows\system32\MFC71FRA.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 61440 c:\windows\system32\MFC71ESP.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 57344 c:\windows\system32\MFC71ENU.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 65536 c:\windows\system32\MFC71DEU.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 45056 c:\windows\system32\MFC71CHT.DLL
+ 2003-03-19 00:44 . 2003-03-19 00:44 40960 c:\windows\system32\MFC71CHS.DLL
+ 2009-02-26 16:46 . 2009-02-26 16:46 74760 c:\windows\system32\drivers\UniversalDD.sys
+ 2009-02-26 16:46 . 2009-02-26 16:46 25608 c:\windows\system32\drivers\AVGIDSErHr.sys
+ 2009-07-24 01:54 . 2009-07-24 01:54 21630 c:\windows\Installer\{7583D2F8-8E7D-40C5-9862-4D218006FB84}\ARPPRODUCTICON.exe
+ 2009-07-24 01:54 . 2009-07-24 01:54 61440 c:\windows\Installer\{7583D2F8-8E7D-40C5-9862-4D218006FB84}\Agent_8EDF55C6E6D140DB86045C34C4AEBFCE.exe
+ 2009-07-24 01:54 . 2009-07-24 01:54 1717760 c:\windows\Installer\129e81.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-27 18:35 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-27 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-04-30 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyTuneV"="c:\program files\Gigabyte\ET5\GUI.exe" [2008-06-02 207680]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-09-12 160160]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-24 1948440]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-10 16384000]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-5 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 14:10 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-10 13:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"hpbdfawep"=c:\program files\HP\Dfawep\bin\hpbdfawep.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\GWF32.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\HP1006MC.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"m:\\Program Files\\VMware\\vmware-authd.exe"=
"i:\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/12/2008 7:02 PM 335752]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/23/2009 9:54 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/5/2009 5:33 PM 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [7/23/2009 9:54 PM 1368952]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 11:05 PM 54960]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [7/23/2009 9:53 PM 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 6:46 AM 284016]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [7/23/2009 9:53 PM 29208]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/20/2007 12:31 PM 29744]
S3 mgau;mgau;c:\windows\system32\drivers\mgaum.sys [7/12/2009 4:48 PM 320384]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MARKFUN_NT
*Deregistered* - MarkFun_NT

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {3CBBEE47-C8F4-316A-92FF-ED7E3DFAE41E} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-07-24 c:\windows\Tasks\1-Click Maintenance.job
- i:\tuneup utilities\OneClickStarter.exe [2008-02-27 17:44]

2009-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1801674531-725345543-1003Core.job
- c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 23:48]

2009-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1177238915-1801674531-725345543-1003UA.job
- c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-02 23:48]

2009-07-22 c:\windows\Tasks\HP WEP.job
- c:\program files\HP\Dfawep\bin\hpbdfawep.exe [2007-04-25 18:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Evernote - i:\evernote\enbar.dll/2000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: m:\program files\VMware\vsocklib.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\BOC\Application Data\Mozilla\Firefox\Profiles\2gmeve4h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npSeaTools_EN.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin2.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin3.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin4.dll
FF - plugin: m:\program files\quicktime\Plugins\npqtplugin5.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-24 01:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1177238915-1801674531-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:df,f1,6b,48,ec,6b,d4,85,f4,b0,45,22,17,85,aa,50,23,a1,98,d0,55,31,0d,
7d,36,2c,f1,2c,04,8e,07,89,78,01,a3,ec,33,86,53,ae,cb,4c,34,4d,97,44,bf,2c,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-1177238915-1801674531-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:33,00,ce,bb,e7,77,70,b7,ac,ff,e3,f1,d4,1a,2a,7e,50,8a,9e,bb,a5,
e2,c7,63,6a,b8,5c,eb,c6,91,ff,88,5c,a5,ac,86,12,4e,83,b5,7a,92,26,2c,ae,f2,\
"rkeysecu"=hex:cd,70,55,eb,4b,f0,26,c5,12,e3,b6,19,48,e5,01,82
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1544)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3412)
c:\windows\system32\nview.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\documents and settings\BOC\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\vmnetdhcp.exe
m:\program files\VMware\vmware-authd.exe
c:\windows\system32\spool\drivers\w32x86\3\HP1006MC.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-24 1:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-24 05:53
ComboFix2.txt 2009-07-24 01:39
ComboFix3.txt 2009-07-23 01:29

Pre-Run: 16,609,644,544 bytes free
Post-Run: 16,748,761,088 bytes free

369 --- E O F --- 2008-05-16 07:01

#10 SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 24 July 2009 - 10:07 AM

Hi Half,

Looks good. :thumbup2: Now we will check for lingering malware.

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.



