
Malware - Rootkits


6 replies to this topic

#1 Zerruda
Posted 12 August 2009 - 07:12 PM

My anti-virus software, avast!, has detected and warned me that it has found malware. The malware is named as Win32FakeAV-NO[Rtk]. Avast! has also detected several samples of this rootkit, which I suspect is forming various .sys and .exe files to execute whatever damage it has planned. I have already run Malwarebytes' Anti-Malware in hopes of removing it all, but to no avail. I have the log file from Malwarebytes' Anti-Malware and will post that along with my HJT log if I need to.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:59 PM, on 8/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast!\aswUpdSv.exe
C:\Program Files\Avast!\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Avast!\ashDisp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\msword98.exe
C:\WINDOWS\system32\msword98.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Russ\msword98.exe
C:\Documents and Settings\Russ\msword98.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Russ\LOCALS~1\Temp\BN1A.tmp
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Avast!\ashMaiSv.exe
C:\Program Files\Avast!\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Russ\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Russ\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [msword98] C:\WINDOWS\system32\msword98.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msword98] C:\Documents and Settings\Russ\msword98.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast!\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast!\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast!\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8370 bytes

Edited by Zerruda, 12 August 2009 - 07:16 PM.
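As an added defender-side illustration (not part of this thread or of any BleepingComputer tool), the script below parses the O4 autostart lines from the HijackThis log above and flags the kinds of entries a helper looks at first: executables sitting directly in the Windows or profile root, numeric file names, the same binary registered under both HKLM and HKCU, a bare .exe in the Startup folder, and a Run value with no resolvable file. The flag names, the SYSTEM_TOOLS list and the heuristics are assumptions of this example, not HijackThis output.

```python
import ntpath
import re
from collections import defaultdict

# Ten O4 (autostart) lines taken from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [msword98] C:\WINDOWS\system32\msword98.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msword98] C:\Documents and Settings\Russ\msword98.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - Startup: ikowin32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# The two O4 shapes HijackThis 2.0 emits: registry Run values and Startup-folder items.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>Global Startup|Startup): (?P<rest>.*)$")
# First Windows path with an executable-type extension in the remainder of the line.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]*?\.(?:exe|dll|scr|com|pif|bat|cmd|vbs))", re.I)

# Heuristic (assumption): system utilities that should not be launched at every logon.
SYSTEM_TOOLS = {"regedit.exe"}


def parse_o4(line):
    """Return {'source', 'name', 'path'} for an O4 line, or None for any other line."""
    m = RUN_RE.match(line)
    if m:
        pm = PATH_RE.search(m.group("rest"))
        return {"source": m.group("hive"), "name": m.group("name"),
                "path": pm.group(1) if pm else None}
    m = STARTUP_RE.match(line)
    if m:
        item = m.group("rest").split(" = ")[0]   # "x.lnk = target" -> "x.lnk"
        return {"source": m.group("where"), "name": item, "path": item}
    return None


def reasons_for(entry, filenames_by_hive):
    """List the heuristic flags that apply to one parsed O4 entry."""
    r = []
    path = entry["path"]
    if entry["source"] in ("Startup", "Global Startup"):
        if ntpath.splitext(path)[1].lower() != ".lnk":
            r.append("startup_exe")      # a real binary dropped into Startup, not a shortcut
        return r
    if path is None:
        r.append("no_path")              # Run value present but no file HijackThis could resolve
        return r
    low = path.lower()
    parent = ntpath.dirname(low)
    base = ntpath.basename(low)
    stem = ntpath.splitext(base)[0]
    if parent == r"c:\windows":
        r.append("windows_root")         # loose executable directly under C:\WINDOWS
    if re.fullmatch(r"c:\\documents and settings\\[^\\]+", parent):
        r.append("profile_root")         # executable directly in a user's profile folder
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        r.append("temp_dir")
    if stem.isdigit():
        r.append("numeric_name")         # e.g. 9129837.exe
    if base in SYSTEM_TOOLS:
        r.append("system_tool")
    hives = {h for h, names in filenames_by_hive.items() if base in names}
    if {"HKLM", "HKCU"} <= hives:
        r.append("dual_hive")            # same file name registered in both Run keys
    return r


def triage(log_text):
    """Parse every O4 line and return {'<source>:<name>': [flags]} for flagged entries only."""
    entries = [e for e in (parse_o4(l.strip()) for l in log_text.splitlines()) if e]
    by_hive = defaultdict(set)
    for e in entries:
        if e["path"] and e["source"] in ("HKLM", "HKCU"):
            by_hive[e["source"]].add(ntpath.basename(e["path"].lower()))
    flagged = {}
    for e in entries:
        rs = reasons_for(e, by_hive)
        if rs:
            flagged[f"{e['source']}:{e['name']}"] = rs
    return flagged


if __name__ == "__main__":
    for key, flags in triage(SAMPLE_LOG).items():
        print(f"{key:<28} {', '.join(flags)}")
```

The flags only prioritise what to research next; an entry such as HKLM msword98 is flagged by name reuse across hives, not by any file-content knowledge.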




#2 fenzodahl512

Posted 13 August 2009 - 04:58 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Zerruda

Posted 13 August 2009 - 04:48 PM

Here's my Combo-Fix Log:

ComboFix 09-08-10.06 - Russ 08/13/2009 17:28.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.260 [GMT -4:00]
Running from: c:\documents and settings\Russ\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090812-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\ajub.vbs
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\jukobafe.lib
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\ogatu.vbs
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\sixirob.sys
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Russ\Application Data\wiaserva.log
c:\documents and settings\Russ\Start Menu\Programs\Startup\ikowin32.exe
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-580904943-1621082120-2705454646-500
c:\windows\9129837.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\braviax.exe
c:\windows\system32\dllcache\figaro.sys
c:\windows\system32\wisdstr.exe

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\ntfs.sys

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP365\A0112874.sys

.
((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 21:32 . 2004-08-04 13:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-13 21:27 . 2009-08-13 21:27 29184 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-08-13 21:22 . 2009-08-13 21:23 -------- d-s---w- C:\ComboFix
2009-08-12 23:46 . 2009-08-12 23:46 17308 ----a-w- c:\windows\kudi.reg
2009-08-12 23:46 . 2009-08-12 23:46 13528 ----a-w- c:\windows\system32\zopyte.reg
2009-08-12 23:46 . 2009-08-12 23:46 19255 ----a-w- c:\documents and settings\LocalService\Application Data\hyryd.com
2009-08-12 23:46 . 2009-08-12 23:46 18660 ----a-w- c:\program files\Common Files\rytupiguqe.com
2009-08-12 23:46 . 2009-08-12 23:46 17652 ----a-w- c:\documents and settings\LocalService\Application Data\gezozybir.scr
2009-08-12 23:46 . 2009-08-12 23:46 16866 ----a-w- c:\documents and settings\All Users\Application Data\ypuk.scr
2009-08-12 23:46 . 2009-08-12 23:46 15387 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\awyt.sys
2009-08-12 23:46 . 2009-08-12 23:46 11881 ----a-w- c:\documents and settings\All Users\Application Data\buzoza.scr
2009-08-12 23:46 . 2009-08-12 23:46 11797 ----a-w- c:\windows\qyluwula.sys
2009-08-12 23:46 . 2009-08-12 23:46 19934 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\cutaq.dat
2009-08-12 23:46 . 2009-08-12 23:46 13868 ----a-w- c:\windows\system32\foma.bin
2009-08-12 23:46 . 2009-08-12 23:46 13148 ----a-w- c:\windows\omama.exe
2009-08-12 23:46 . 2009-08-12 23:46 11204 ----a-w- c:\documents and settings\LocalService\Application Data\jytupit.pif
2009-08-12 22:38 . 2009-08-12 22:38 -------- d-----w- c:\documents and settings\Russ\Application Data\Malwarebytes
2009-08-12 22:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 22:38 . 2009-08-12 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 22:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 22:38 . 2009-08-12 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 22:33 . 2009-08-12 22:33 -------- d-----w- C:\Backup
2009-08-12 22:32 . 2009-08-12 22:35 -------- d-----w- c:\windows\system32\NtmsData
2009-08-12 22:29 . 2009-08-12 22:29 -------- d-----w- c:\program files\Trend Micro
2009-08-12 21:43 . 2009-08-12 21:43 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 17:51 . 2009-08-10 17:51 -------- d-----w- c:\documents and settings\Russ\Local Settings\Application Data\ArcSoft
2009-08-10 17:51 . 2009-08-11 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-08-10 17:50 . 2009-08-10 17:51 -------- d-----w- c:\documents and settings\Russ\Application Data\ArcSoft
2009-08-10 17:50 . 2006-11-10 19:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-08-10 17:50 . 2005-04-27 20:36 245408 ----a-w- c:\windows\system32\unicows.dll
2009-08-10 17:50 . 1995-08-01 08:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\ArcSoft
2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\windows\OvtCam
2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\windows\OVT
2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\program files\OVT
2009-08-07 17:18 . 2009-08-07 17:18 -------- d-----w- C:\a64220acdf57a6d87d41bc000fc745
2009-08-06 00:53 . 2009-08-06 01:00 -------- d-----w- c:\documents and settings\Russ\Application Data\LimeWire
2009-08-06 00:46 . 2009-08-06 00:46 0 ----a-w- c:\documents and settings\Russ\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-08-06 00:21 . 2009-08-06 00:31 -------- d-----w- c:\documents and settings\Russ\Incomplete
2009-08-06 00:20 . 2009-08-06 00:55 -------- d-----w- c:\documents and settings\Russ\Application Data\FrostWire
2009-08-05 23:40 . 2009-08-06 00:34 -------- d-----w- c:\program files\FrostWire
2009-07-27 19:25 . 2009-07-27 19:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-27 00:11 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-27 00:11 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-24 20:38 . 2009-08-03 17:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-24 19:44 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-24 19:44 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-24 19:44 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-24 19:44 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-24 19:44 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-24 19:44 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-24 19:44 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-24 19:44 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-24 19:43 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-24 19:43 . 2009-07-24 20:39 -------- d-----w- c:\program files\Avast!
2009-07-24 19:26 . 2009-07-24 19:26 3584 ----a-r- c:\documents and settings\Russ\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-07-24 19:26 . 2009-07-24 19:26 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-07-24 19:26 . 2009-07-24 19:26 -------- d-----w- c:\program files\MSECACHE
2009-07-19 13:31 . 2009-06-26 05:01 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-19 13:31 . 2009-06-26 05:01 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-19 13:31 . 2009-06-26 05:01 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-19 13:31 . 2009-06-26 05:01 493336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-19 13:31 . 2009-06-26 05:01 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-19 13:31 . 2009-06-26 05:01 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-19 13:31 . 2009-06-26 05:01 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-19 13:31 . 2009-06-26 05:01 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-19 13:31 . 2009-06-26 05:01 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-19 13:31 . 2009-06-26 05:01 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-19 13:31 . 2009-06-26 05:01 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-19 13:31 . 2009-06-26 05:01 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-19 13:28 . 2009-06-26 04:58 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-19 13:28 . 2009-06-26 04:58 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-17 18:55 . 2009-07-17 18:55 58880 ------w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-12 23:46 . 2009-08-12 23:46 18575 ----a-w- c:\program files\Common Files\cyducuzypu.inf
2009-08-12 23:46 . 2009-08-12 23:46 16705 ----a-w- c:\documents and settings\All Users\Application Data\otopewyfi.reg
2009-08-12 23:46 . 2009-08-12 23:46 16646 ----a-w- c:\program files\Common Files\qezuko._sy
2009-08-12 23:46 . 2009-08-12 23:46 11351 ----a-w- c:\documents and settings\All Users\Application Data\exeky.vbs
2009-08-12 23:04 . 2009-08-12 23:04 47744 ----a-w- c:\windows\system32\drivers\OLD47.tmp
2009-08-12 21:58 . 2005-07-16 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 21:46 . 2005-07-16 14:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 18:50 . 2009-08-12 18:50 47744 ----a-w- c:\windows\system32\drivers\OLD36.tmp
2009-08-12 18:49 . 2009-08-12 18:49 47744 ----a-w- c:\windows\system32\drivers\OLD34.tmp
2009-08-12 18:49 . 2009-08-12 18:49 47744 ----a-w- c:\windows\system32\drivers\OLD32.tmp
2009-08-12 18:11 . 2009-06-27 05:49 -------- d-----w- c:\documents and settings\Russ\Application Data\Skype
2009-08-12 18:10 . 2009-06-27 05:08 -------- d-----w- c:\documents and settings\Russ\Application Data\skypePM
2009-08-11 17:52 . 2005-02-05 01:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 00:18 . 2005-02-05 01:57 -------- d-----w- c:\program files\Java
2009-08-05 09:11 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-24 19:35 . 2008-07-01 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-24 18:53 . 2005-02-05 02:34 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-07-24 18:52 . 2005-02-05 02:33 -------- d-----w- c:\program files\iPod
2009-07-24 18:47 . 2008-08-16 02:27 -------- d-----w- c:\program files\Paint.NET
2009-07-17 18:55 . 2009-07-17 18:55 58880 ----a-w- c:\windows\system32\SET9B.tmp
2009-07-13 06:18 . 2004-08-04 08:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 04:09 . 2005-07-16 06:16 109480 ----a-w- c:\documents and settings\Russ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 19:18 . 2007-01-13 05:38 -------- d-----w- c:\program files\AIM6
2009-07-01 19:17 . 2006-03-18 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-01 19:10 . 2006-09-18 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-27 05:48 . 2009-06-27 05:48 -------- d-----r- c:\program files\Skype
2009-06-27 05:48 . 2009-06-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-27 05:48 . 2009-06-27 05:48 -------- d-----w- c:\program files\Common Files\Skype
2009-06-27 05:08 . 2009-06-27 05:08 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-26 19:25 . 2009-06-26 19:24 -------- d-----w- c:\program files\DivX
2009-06-26 19:24 . 2009-06-26 19:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-26 16:18 . 2004-08-04 08:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-26 05:01 . 2009-06-26 05:03 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-22 11:49 . 2009-06-22 11:49 19968 ----a-w- c:\windows\system32\SET47.tmp
2009-06-22 11:49 . 2009-06-22 11:49 117248 ----a-w- c:\windows\system32\SET3D.tmp
2009-06-22 11:49 . 2004-08-04 08:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 08:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2009-06-22 11:49 4608 ----a-w- c:\windows\system32\SET3E.tmp
2009-06-22 11:49 . 2004-08-04 08:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2009-06-22 11:48 91776 ----a-w- c:\windows\system32\drivers\SET49.tmp
2009-06-22 11:48 . 2004-08-04 08:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2004-08-04 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 08:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-04 08:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 08:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 08:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 08:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 08:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-19 05:36 . 2009-07-01 19:10 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-07-01 19:10 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-07-01 19:10 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-07-01 19:10 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-07-01 19:10 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-07-01 19:10 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-07-01 19:10 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-07-01 19:10 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2008-08-16 00:13 . 2008-08-16 00:13 1586141 -c--a-w- c:\program files\Paint.NET.3.35.zip
2008-07-03 16:20 . 2008-07-03 16:20 1611128 -c--a-w- c:\program files\Paint.NET.3.35.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"avast!"="c:\progra~1\Avast!\ashDisp.exe" [2009-02-05 81000]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-22 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Konfabulator.lnk]
path=c:\documents and settings\Russ\Start Menu\Programs\Startup\Konfabulator.lnk
backup=c:\windows\pss\Konfabulator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 3:44 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 3:44 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 11:23 PM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [7/16/2005 1:29 AM 200192]
.
Contents of the 'Scheduled Tasks' folder

2009-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-08-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1401380814-2840523903-578474627-1005Core.job
- c:\documents and settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 03:02]

2009-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1401380814-2840523903-578474627-1005UA.job
- c:\documents and settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 03:02]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 17:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?2?3?9??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avast!\aswUpdSv.exe
c:\program files\Avast!\ashServ.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Avast!\ashMaiSv.exe
c:\program files\Avast!\ashWebSv.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-13 17:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 21:46

Pre-Run: 12,629,594,112 bytes free
Post-Run: 12,732,407,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

284 --- E O F --- 2009-08-13 17:47

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:07:25 PM

Posted 14 August 2009 - 12:31 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\kudi.reg
c:\windows\system32\zopyte.reg
c:\documents and settings\LocalService\Application Data\hyryd.com
c:\program files\Common Files\rytupiguqe.com
c:\documents and settings\LocalService\Application Data\gezozybir.scr
c:\documents and settings\All Users\Application Data\ypuk.scr
c:\documents and settings\LocalService\Local Settings\Application Data\awyt.sys
c:\documents and settings\All Users\Application Data\buzoza.scr
c:\windows\qyluwula.sys
c:\documents and settings\LocalService\Local Settings\Application Data\cutaq.dat
c:\windows\system32\foma.bin
c:\windows\omama.exe
c:\documents and settings\LocalService\Application Data\jytupit.pif
c:\program files\Common Files\cyducuzypu.inf
c:\documents and settings\All Users\Application Data\otopewyfi.reg
c:\program files\Common Files\qezuko._sy
c:\documents and settings\All Users\Application Data\exeky.vbs
c:\windows\system32\drivers\OLD47.tmp

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
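
As an added example that is not part of this thread and not ComboFix's own tooling: a small Python cross-check that parses a CFScript's KillAll:: and File:: directives and the ComboFix.txt it produced, then reports which requested paths were acknowledged under "FILE ::" and actually listed under "Other Deletions". The sample script and log excerpt are constructed from a few of the paths posted above, and the section-banner layout is assumed from the logs in this thread.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced.

Added example for this thread, not code from ComboFix or the forum. Parses
the two directives used here (KillAll:: and File::), then checks which
requested paths the log echoed under "FILE ::" and which it listed under
"Other Deletions". Paths compare case-insensitively, as ComboFix prints them.
"""
import re
from dataclasses import dataclass

# Constructed CFScript using four of the paths from the thread.
SAMPLE_CFSCRIPT = """\
KillAll::

File::
c:\\windows\\kudi.reg
c:\\windows\\system32\\zopyte.reg
c:\\windows\\omama.exe
c:\\windows\\system32\\drivers\\OLD47.tmp
"""

# Constructed ComboFix.txt excerpt (not a real run). OLD47.tmp is echoed under
# FILE :: but deliberately absent from "Other Deletions" to show the report.
SAMPLE_COMBOFIX_LOG = """\
FILE ::
"c:\\windows\\kudi.reg"
"c:\\windows\\omama.exe"
"c:\\windows\\system32\\drivers\\OLD47.tmp"
"c:\\windows\\system32\\zopyte.reg"
.

(((((((((((((((((( Other Deletions ))))))))))))))))))
.

c:\\windows\\kudi.reg
c:\\windows\\omama.exe
c:\\windows\\system32\\zopyte.reg

.
(((((((((( Files Created from 2009-07-16 to 2009-08-16 ))))))))))
"""

# ComboFix section banners look like "((((( Title )))))" (assumed from the logs).
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")

def parse_cfscript(text: str) -> dict:
    """Map each 'Name::' directive to the argument lines that follow it."""
    directives, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif line and current is not None:
            directives[current].append(line)
    return directives

def parse_combofix_sections(text: str) -> dict:
    """Split ComboFix.txt into {section title: [non-empty lines]}."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner or line == "FILE ::":
            current = banner.group(1) if banner else "FILE"
            sections.setdefault(current, [])
        elif line not in ("", "."):
            sections[current].append(line)
    return sections

def norm(path: str) -> str:
    """ComboFix quotes paths under FILE :: and lower-cases them elsewhere."""
    return path.strip().strip('"').lower()

@dataclass
class CheckResult:
    kill_all: bool      # script asked ComboFix to stop running processes first
    requested: list     # paths listed under File::
    echoed: list        # requested paths ComboFix acknowledged under FILE ::
    deleted: list       # requested paths listed under Other Deletions
    not_deleted: list   # requested paths ComboFix did not report deleting
    unexpected: list    # deletions the script never asked for

def check_script_against_log(script_text: str, log_text: str) -> CheckResult:
    script = parse_cfscript(script_text)
    sections = parse_combofix_sections(log_text)
    requested = [norm(p) for p in script.get("File", [])]
    echoed = {norm(p) for p in sections.get("FILE", [])}
    deleted = {norm(p) for p in sections.get("Other Deletions", [])}
    return CheckResult(
        kill_all="KillAll" in script,
        requested=requested,
        echoed=[p for p in requested if p in echoed],
        deleted=[p for p in requested if p in deleted],
        not_deleted=[p for p in requested if p not in deleted],
        unexpected=sorted(deleted - set(requested)),
    )

if __name__ == "__main__":
    r = check_script_against_log(SAMPLE_CFSCRIPT, SAMPLE_COMBOFIX_LOG)
    print(f"deleted {len(r.deleted)}/{len(r.requested)}; not deleted: {r.not_deleted}")
```

A requested path that never appears under "Other Deletions" is the thing to follow up on in the next log request; it usually means the file was already gone, locked, or misspelled in the script.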


#5 Zerruda

Zerruda
  • Topic Starter

  • Members
  • 3 posts
  • Gender:Female
  • Local time:07:25 AM

Posted 16 August 2009 - 05:32 PM

ComboFix Log:

ComboFix 09-08-10.06 - Russ 08/16/2009 18:12.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.281 [GMT -4:00]
Running from: c:\documents and settings\Russ\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Russ\Desktop\CFScript.text
AV: avast! antivirus 4.8.1335 [VPS 090815-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point

FILE ::
"c:\documents and settings\All Users\Application Data\buzoza.scr"
"c:\documents and settings\All Users\Application Data\exeky.vbs"
"c:\documents and settings\All Users\Application Data\otopewyfi.reg"
"c:\documents and settings\All Users\Application Data\ypuk.scr"
"c:\documents and settings\LocalService\Application Data\gezozybir.scr"
"c:\documents and settings\LocalService\Application Data\hyryd.com"
"c:\documents and settings\LocalService\Application Data\jytupit.pif"
"c:\documents and settings\LocalService\Local Settings\Application Data\awyt.sys"
"c:\documents and settings\LocalService\Local Settings\Application Data\cutaq.dat"
"c:\program files\Common Files\cyducuzypu.inf"
"c:\program files\Common Files\qezuko._sy"
"c:\program files\Common Files\rytupiguqe.com"
"c:\windows\kudi.reg"
"c:\windows\omama.exe"
"c:\windows\qyluwula.sys"
"c:\windows\system32\drivers\OLD47.tmp"
"c:\windows\system32\foma.bin"
"c:\windows\system32\zopyte.reg"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\buzoza.scr
c:\documents and settings\All Users\Application Data\exeky.vbs
c:\documents and settings\All Users\Application Data\otopewyfi.reg
c:\documents and settings\All Users\Application Data\ypuk.scr
c:\documents and settings\LocalService\Application Data\gezozybir.scr
c:\documents and settings\LocalService\Application Data\hyryd.com
c:\documents and settings\LocalService\Application Data\jytupit.pif
c:\documents and settings\LocalService\Local Settings\Application Data\awyt.sys
c:\documents and settings\LocalService\Local Settings\Application Data\cutaq.dat
c:\program files\Common Files\cyducuzypu.inf
c:\program files\Common Files\qezuko._sy
c:\program files\Common Files\rytupiguqe.com
c:\windows\kudi.reg
c:\windows\omama.exe
c:\windows\qyluwula.sys
c:\windows\system32\drivers\OLD47.tmp
c:\windows\system32\foma.bin
c:\windows\system32\zopyte.reg

.
((((((((((((((((((((((((( Files Created from 2009-07-16 to 2009-08-16 )))))))))))))))))))))))))))))))
.

2009-08-13 21:32 . 2004-08-04 13:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-08-13 21:27 . 2009-08-13 21:27 29184 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-08-13 21:22 . 2009-08-13 21:23 -------- d-s---w- C:\ComboFix
2009-08-12 22:38 . 2009-08-12 22:38 -------- d-----w- c:\documents and settings\Russ\Application Data\Malwarebytes
2009-08-12 22:38 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-12 22:38 . 2009-08-12 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-12 22:38 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-12 22:38 . 2009-08-12 22:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 22:33 . 2009-08-12 22:33 -------- d-----w- C:\Backup
2009-08-12 22:32 . 2009-08-12 22:35 -------- d-----w- c:\windows\system32\NtmsData
2009-08-12 22:29 . 2009-08-12 22:29 -------- d-----w- c:\program files\Trend Micro
2009-08-12 21:43 . 2009-08-12 21:43 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 17:51 . 2009-08-10 17:51 -------- d-----w- c:\documents and settings\Russ\Local Settings\Application Data\ArcSoft
2009-08-10 17:51 . 2009-08-11 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-08-10 17:50 . 2009-08-10 17:51 -------- d-----w- c:\documents and settings\Russ\Application Data\ArcSoft
2009-08-10 17:50 . 2006-11-10 19:05 18688 ----a-w- c:\windows\system32\drivers\afc.sys
2009-08-10 17:50 . 2005-04-27 20:36 245408 ----a-w- c:\windows\system32\unicows.dll
2009-08-10 17:50 . 1995-08-01 08:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-10 17:50 . 2009-08-10 17:50 -------- d-----w- c:\program files\ArcSoft
2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\windows\OvtCam
2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\windows\OVT
2009-08-10 17:38 . 2009-08-10 17:38 -------- d-----w- c:\program files\OVT
2009-08-07 17:18 . 2009-08-07 17:18 -------- d-----w- C:\a64220acdf57a6d87d41bc000fc745
2009-08-06 00:53 . 2009-08-06 01:00 -------- d-----w- c:\documents and settings\Russ\Application Data\LimeWire
2009-08-06 00:46 . 2009-08-06 00:46 0 ----a-w- c:\documents and settings\Russ\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-08-06 00:21 . 2009-08-06 00:31 -------- d-----w- c:\documents and settings\Russ\Incomplete
2009-08-06 00:20 . 2009-08-06 00:55 -------- d-----w- c:\documents and settings\Russ\Application Data\FrostWire
2009-08-05 23:40 . 2009-08-06 00:34 -------- d-----w- c:\program files\FrostWire
2009-07-27 19:25 . 2009-07-27 19:25 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-27 00:11 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-27 00:11 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-24 20:38 . 2009-08-03 17:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-24 19:44 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-07-24 19:44 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-07-24 19:44 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-07-24 19:44 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-07-24 19:44 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-07-24 19:44 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-07-24 19:44 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-07-24 19:44 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-07-24 19:43 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-07-24 19:43 . 2009-07-24 20:39 -------- d-----w- c:\program files\Avast!
2009-07-24 19:26 . 2009-07-24 19:26 3584 ----a-r- c:\documents and settings\Russ\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-07-24 19:26 . 2009-07-24 19:26 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-07-24 19:26 . 2009-07-24 19:26 -------- d-----w- c:\program files\MSECACHE
2009-07-19 13:31 . 2009-06-26 05:01 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-19 13:31 . 2009-06-26 05:01 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-19 13:31 . 2009-06-26 05:01 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-19 13:31 . 2009-06-26 05:01 493336 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtbapi.dll
2009-07-19 13:31 . 2009-06-26 05:01 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-07-19 13:31 . 2009-06-26 05:01 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-19 13:31 . 2009-06-26 05:01 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
2009-07-19 13:31 . 2009-06-26 05:01 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-19 13:31 . 2009-06-26 05:01 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-19 13:31 . 2009-06-26 05:01 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-19 13:31 . 2009-06-26 05:01 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-19 13:31 . 2009-06-26 05:01 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-19 13:28 . 2009-06-26 04:58 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-19 13:28 . 2009-06-26 04:58 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 22:04 . 2005-07-16 06:16 109480 ----a-w- c:\documents and settings\Russ\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 03:17 . 2009-06-27 05:49 -------- d-----w- c:\documents and settings\Russ\Application Data\Skype
2009-08-14 00:18 . 2009-06-27 05:08 -------- d-----w- c:\documents and settings\Russ\Application Data\skypePM
2009-08-12 21:58 . 2005-07-16 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-12 21:46 . 2005-07-16 14:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 18:50 . 2009-08-12 18:50 47744 ----a-w- c:\windows\system32\drivers\OLD36.tmp
2009-08-12 18:49 . 2009-08-12 18:49 47744 ----a-w- c:\windows\system32\drivers\OLD34.tmp
2009-08-12 18:49 . 2009-08-12 18:49 47744 ----a-w- c:\windows\system32\drivers\OLD32.tmp
2009-08-11 17:52 . 2005-02-05 01:57 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-06 00:18 . 2005-02-05 01:57 -------- d-----w- c:\program files\Java
2009-08-05 09:11 . 2004-08-04 08:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-24 19:35 . 2008-07-01 23:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-24 18:53 . 2005-02-05 02:34 -------- d-----w- c:\program files\Common Files\muvee Technologies
2009-07-24 18:52 . 2005-02-05 02:33 -------- d-----w- c:\program files\iPod
2009-07-24 18:47 . 2008-08-16 02:27 -------- d-----w- c:\program files\Paint.NET
2009-07-17 18:55 . 2009-07-17 18:55 58880 ----a-w- c:\windows\system32\SET9B.tmp
2009-07-13 06:18 . 2004-08-04 08:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-01 19:18 . 2007-01-13 05:38 -------- d-----w- c:\program files\AIM6
2009-07-01 19:17 . 2006-03-18 12:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-01 19:10 . 2006-09-18 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-27 05:48 . 2009-06-27 05:48 -------- d-----r- c:\program files\Skype
2009-06-27 05:48 . 2009-06-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-27 05:48 . 2009-06-27 05:48 -------- d-----w- c:\program files\Common Files\Skype
2009-06-27 05:08 . 2009-06-27 05:08 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-06-26 19:25 . 2009-06-26 19:24 -------- d-----w- c:\program files\DivX
2009-06-26 19:24 . 2009-06-26 19:24 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-26 16:18 . 2004-08-04 08:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-26 05:01 . 2009-06-26 05:03 832144 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-06-22 11:49 . 2009-06-22 11:49 19968 ----a-w- c:\windows\system32\SET47.tmp
2009-06-22 11:49 . 2009-06-22 11:49 117248 ----a-w- c:\windows\system32\SET3D.tmp
2009-06-22 11:49 . 2004-08-04 08:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-04 08:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2009-06-22 11:49 4608 ----a-w- c:\windows\system32\SET3E.tmp
2009-06-22 11:49 . 2004-08-04 08:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2009-06-22 11:48 91776 ----a-w- c:\windows\system32\drivers\SET49.tmp
2009-06-22 11:48 . 2004-08-04 08:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2004-08-04 08:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2004-08-04 08:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2004-08-04 08:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2004-08-04 08:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2004-08-04 08:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2004-08-04 08:00 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2004-08-04 08:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-05-19 05:36 . 2009-07-01 19:10 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 05:36 . 2009-07-01 19:10 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 05:36 . 2009-07-01 19:10 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 05:36 . 2009-07-01 19:10 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 05:36 . 2009-07-01 19:10 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 05:36 . 2009-07-01 19:10 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 05:36 . 2009-07-01 19:10 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 05:36 . 2009-07-01 19:10 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2008-08-16 00:13 . 2008-08-16 00:13 1586141 -c--a-w- c:\program files\Paint.NET.3.35.zip
2008-07-03 16:20 . 2008-07-03 16:20 1611128 -c--a-w- c:\program files\Paint.NET.3.35.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_21.39.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-16 22:19 . 2009-08-16 22:19 16384 c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2009-08-16 22:01 . 2009-08-16 22:01 16384 c:\windows\Temp\Perflib_Perfdata_690.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-09 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"avast!"="c:\progra~1\Avast!\ashDisp.exe" [2009-02-05 81000]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-07-10 195072]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-22 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=c:\windows\pss\NkbMonitor.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Russ^Start Menu^Programs^Startup^Konfabulator.lnk]
path=c:\documents and settings\Russ\Start Menu\Programs\Startup\Konfabulator.lnk
backup=c:\windows\pss\Konfabulator.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/24/2009 3:44 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2009 3:44 PM 20560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 11:23 PM 24652]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [7/16/2005 1:29 AM 200192]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1401380814-2840523903-578474627-1005Core.job
- c:\documents and settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 03:02]

2009-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1401380814-2840523903-578474627-1005UA.job
- c:\documents and settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-09 03:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 18:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????5?2?3?9??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Avast!\aswUpdSv.exe
c:\program files\Avast!\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Avast!\ashMaiSv.exe
c:\program files\Avast!\ashWebSv.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-08-16 18:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-16 22:27
ComboFix2.txt 2009-08-13 21:46

Pre-Run: 12,755,640,320 bytes free
Post-Run: 12,737,298,432 bytes free

278 --- E O F --- 2009-08-14 03:30


HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:37 PM, on 8/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast!\aswUpdSv.exe
C:\Program Files\Avast!\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\Avast!\ashDisp.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Avast!\ashMaiSv.exe
C:\Program Files\Avast!\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast!\ashDisp.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Russ\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast!\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast!\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast!\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast!\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7012 bytes

Edited by Zerruda, 16 August 2009 - 05:33 PM.


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:07:25 PM

Posted 17 August 2009 - 01:24 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now?



#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:07:25 PM

Posted 22 August 2009 - 12:59 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





