Infected by UAC and/or SKYNET


  • This topic is locked
26 replies to this topic

#1 johnsig

johnsig

  • Members
  • 95 posts
  • OFFLINE
  • Local time:03:04 AM

Posted 16 August 2009 - 09:22 PM

Here is the link to my thread in the other forum:

http://www.bleepingcomputer.com/forums/t/248409/infected-by-av-care-antivirus-popup-or-so-i-think/

and here is the DDS:


DDS (Ver_09-07-30.01) - NTFSx86
Run by John at 21:55:36.95 on Sun 08/16/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1343 [GMT -4:00]

AV: avast! antivirus 4.8.1169 [VPS 080331-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1169 [VPS 080331-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\John\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride =
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {02F7A7EB-89F8-47FF-A75C-52C1060EC144} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup162.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071504000001.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-10 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-10 297752]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2006-10-29 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\system32\drivers\nmsgopro.sys [2006-9-27 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2006-10-19 7424]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2006-12-18 5504]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\system32\drivers\xcbda.sys [2007-5-22 155648]
S2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\google\update\GoogleUpdate.exe [2009-2-26 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\intel\inteldh\intel media server\tools\IntelDHSvcConf.exe [2006-11-18 36312]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-3-20 33176]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]

=============== Created Last 30 ================

2009-08-15 20:52 1,244 a------- c:\windows\system32\tmp.reg
2009-08-13 09:19 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 09:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-12 11:20 118 a------- c:\windows\system32\MRT.INI
2009-08-12 11:16 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 11:16 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 11:16 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 11:15 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 11:15 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 11:15 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 11:15 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 11:15 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 11:15 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 11:15 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 11:15 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-11 12:47 6,144 -------- c:\windows\system32\5981.tmp
2009-08-11 12:47 6,144 -------- c:\windows\system32\5877.tmp
2009-08-11 12:46 6,144 -------- c:\windows\system32\DE16.tmp
2009-08-11 08:30 --d----- c:\users\john\appdata\roaming\Malwarebytes
2009-08-11 08:28 --d----- c:\programdata\Malwarebytes
2009-08-11 08:28 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-11 08:28 --d----- c:\progra~2\Malwarebytes
2009-08-10 13:11 --d-h--- C:\$AVG8.VAULT$
2009-08-10 13:10 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-10 13:10 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-10 13:10 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-10 13:10 --d----- c:\windows\system32\drivers\Avg
2009-08-10 13:10 --d----- c:\programdata\avg8
2009-08-10 13:10 --d----- c:\progra~2\avg8
2009-08-10 13:08 --d----- c:\users\john\appdata\roaming\AVG8
2009-08-09 20:59 --d----- c:\program files\Loaris Trojan Remover
2009-08-09 14:54 1,110,399 a------- c:\windows\system32\UAClpssmchwtd.db
2009-08-08 13:01 --d----- c:\users\john\Audiobooks
2009-08-08 10:54 --d----- c:\program files\NirSoft

==================== Find3M ====================

2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-28 11:59 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-28 11:59 86,016 a------- c:\windows\inf\infstor.dat
2009-05-28 11:59 51,200 a------- c:\windows\inf\infpub.dat
2009-05-28 11:53 665,600 a------- c:\windows\inf\drvindex.dat
2008-09-20 03:17 174 a--sh--- c:\program files\desktop.ini
2007-04-10 16:12 110 a------- c:\users\john\appdata\roaming\wklnhst.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-03-24 08:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008031720080324\index.dat
2008-03-24 08:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008032420080325\index.dat
2008-03-24 08:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\internet explorer\userdata\index.dat

============= FINISH: 21:56:36.05 ===============
Attached File: attach.txt (15.67KB, 3 downloads)
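As an added illustration (not part of this thread and not code from the DDS tool): a small Python triage script that walks lines shaped like the DDS log above and flags the items a helper looks at first: the AV/SP status lines that report a product as disabled, the EnableLUA = 0 policy (UAC switched off), and files under system32 whose names carry the UAC/SKYNET prefix of the entries named in this thread. The sample lines are constructed from the log's format, and the prefix heuristic is an assumption drawn from those entries, not a vendor signature.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the DDS log posted above (not the poster's
# full log). Raw string so the Windows backslashes stay literal.
SAMPLE_DDS = r"""
AV: avast! antivirus 4.8.1169 [VPS 080331-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1169 [VPS 080331-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
2009-08-09 14:54 1,110,399 a------- c:\windows\system32\UAClpssmchwtd.db
2009-08-12 11:20 118 a------- c:\windows\system32\MRT.INI
2009-08-10 13:10 11,952 a------- c:\windows\system32\avgrsstx.dll
"""

# "AV:" / "SP:" / "FW:" lines carry the product state between asterisks.
_STATUS_RE = re.compile(r"^(?P<kind>AV|SP|FW): (?P<product>.+?) \*(?P<state>[^*]+)\*")

# Policy lines look like "mPolicies-system: EnableLUA = 0 (0x0)";
# the leading 'm' means the machine hive, 'u' the user hive.
_POLICY_RE = re.compile(r"^(?P<hive>[um])Policies-(?P<key>\S+): (?P<name>\w+) = (?P<value>\d+)")

# File entries: date, time, optional size, attribute column, then the path.
_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} .*? (?P<path>[a-zA-Z]:\\.+)$")

# Heuristic (assumption): names built from a UAC/SKYNET prefix plus a run of
# lowercase letters, as in the entries this thread's ComboFix log removed
# (UACd.sys, SKYNETikktjiqt) and the UAClpssmchwtd.db file in the DDS log.
_SUSPECT_NAME_RE = re.compile(r"^(UAC|SKYNET)[a-z]{4,}\.\w+$")


def triage_dds(log_text: str) -> List[Dict[str, str]]:
    """Return the findings a helper would want to see first, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = _STATUS_RE.match(line)
        if m:
            # Any product whose state mentions "disabled" is worth a look.
            if "disabled" in m.group("state").lower():
                findings.append({
                    "kind": "protection_off",
                    "detail": f"{m.group('product')}: {m.group('state')}",
                })
            continue

        m = _POLICY_RE.match(line)
        if m:
            # EnableLUA = 0 under the system policy key means UAC is turned off.
            if (m.group("key") == "system" and m.group("name") == "EnableLUA"
                    and m.group("value") == "0"):
                findings.append({"kind": "uac_disabled", "detail": line})
            continue

        m = _FILE_RE.match(line)
        if m:
            path = m.group("path")
            folder, _, name = path.rpartition("\\")
            if folder.lower().endswith(r"\windows\system32") and _SUSPECT_NAME_RE.match(name):
                findings.append({"kind": "suspect_system32_file", "detail": path})
    return findings


if __name__ == "__main__":
    for finding in triage_dds(SAMPLE_DDS):
        print(f"[{finding['kind']}] {finding['detail']}")
```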



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 22 August 2009 - 02:38 PM

Hello johnsig,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 4
    Java™ SE Runtime Environment 6

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
***************


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVAST Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

AVAST will cause BSOD unless you disable it like this:
[Image: screenshot of the avast! setting to disable; not included in this copy]

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 johnsig

johnsig
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  • Local time:03:04 AM

Posted 22 August 2009 - 05:43 PM

Hello SifuMike. Thanks so much for helping me.

I have no internet connection on the infected Desktop, but I have full connectivity with my laptop. Thus updating from the internet is impossible from my desktop so I am downloading files on my laptop and transferring them via CDs.

I removed:
Java 6 Update 4
Java SE Runtime Environment 6
Rebooted

Following your links to the Java update resulted in downloading JavaSetup6u15.exe (only 698K) rather than the file I expected.

Anyway I moved it over to the desktop and tried to run it which led to an error message about not being able to connect to the internet and a link to java.com/en/download/help. There I found an offline installation program jre-6u15-windows-i586-s.exe which I downloaded, transferred, and installed with apparent success.

ComboFix seemed to run smoothly but right after I copied the log to a CD for transfer back to my laptop, I tried to access the DVD drive using windows explorer to make sure the log was there and got the message:

C:\Users\John\AppData\Roaming\Microsoft\Start Menu "Illegal operation attempted on a registry key that has been marked for deletion"

Attempting to open the log on my desktop using Editpad, Wordpad, or Notepad resulted in the same message. Fortunately, the log is on the CD and has been transferred to my laptop.

After rebooting the desktop that message is gone and I can access the DVD drive and open the log.

Sorry to be so lengthy, here is the log. I won't do anything until I hear back.

ComboFix 09-08-22.06 - John 08/22/2009 17:49.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1245 [GMT -4:00]
Running from: c:\users\John\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1169 [VPS 080331-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1169 [VPS 080331-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-4278196236-3910043076-1921008887-500
c:\windows\Installer\1228ff0.msi
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
D:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETikktjiqt
-------\Legacy_UACd.sys
-------\Service_SKYNETikktjiqt
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-22 to 2009-08-22 )))))))))))))))))))))))))))))))
.

2009-08-22 21:34 . 2009-08-22 21:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 12:28 . 2009-08-11 12:28 -------- d-----w- c:\programdata\Malwarebytes
2009-08-10 17:11 . 2009-08-15 00:46 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-10 17:10 . 2009-08-10 17:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-10 17:10 . 2009-08-10 17:10 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-10 17:10 . 2009-08-10 17:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-10 17:10 . 2009-08-10 17:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 17:10 . 2009-08-12 15:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-10 17:10 . 2009-08-12 21:53 -------- d-----w- c:\programdata\avg8
2009-08-10 17:08 . 2009-08-10 17:08 -------- d-----w- c:\users\John\AppData\Roaming\AVG8
2009-08-10 00:59 . 2009-08-10 01:17 -------- d-----w- c:\program files\Loaris Trojan Remover
2009-08-08 17:01 . 2009-08-08 17:07 -------- d-----w- c:\users\John\Audiobooks
2009-08-08 14:54 . 2009-08-08 15:32 -------- d-----w- c:\program files\NirSoft
2009-07-26 14:38 . 2009-07-26 14:38 127921 ----a-w- c:\users\John\AppData\Roaming\Move Networks\uninstall.exe
2009-07-26 14:38 . 2009-07-26 23:08 -------- d-----w- c:\users\John\AppData\Roaming\Move Networks
2009-07-25 12:06 . 2009-07-25 12:06 746760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 21:34 . 2007-03-22 20:39 -------- d-----w- c:\program files\Java
2009-08-16 16:46 . 2007-02-21 16:12 1356 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2009-08-13 13:19 . 2009-08-11 12:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 15:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 23:46 . 2007-02-27 16:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-11 12:30 . 2009-08-11 12:30 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2009-08-09 18:46 . 2009-02-16 16:33 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
2009-08-08 18:02 . 2008-03-12 13:33 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-08 17:35 . 2009-02-19 22:52 -------- d-----w- c:\users\John\AppData\Roaming\Winamp
2009-08-03 17:36 . 2009-08-13 13:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-13 13:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 13:21 . 2008-08-09 01:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-26 14:38 . 2009-06-17 07:52 4183416 ----a-w- c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
2009-07-21 21:52 . 2009-07-29 08:28 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 08:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 08:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 08:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 15:16 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 15:15 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 15:15 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 15:15 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 15:15 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-06-28 18:44 . 2009-04-03 18:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-18 16:54 . 2009-08-11 16:47 6144 ------w- c:\windows\system32\5981.tmp
2009-06-18 16:54 . 2009-08-11 16:47 6144 ------w- c:\windows\system32\5877.tmp
2009-06-18 16:54 . 2009-08-11 16:46 6144 ------w- c:\windows\system32\DE16.tmp
2009-06-17 07:52 . 2009-06-17 07:52 97144 ----a-w- c:\users\John\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-15 14:53 . 2009-07-14 20:41 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-14 20:41 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-14 20:41 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-14 20:41 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-14 20:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 11:42 . 2009-08-12 15:16 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 11:38 . 2009-08-12 15:15 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-04 12:07 . 2009-08-12 15:16 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-05-28 15:53 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 2000152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-22 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):73,63,f8,2d,ad,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{72592CCC-849E-4851-A6CD-3BFFB95ECEC6}"= UDP:Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{431DDD6E-BF6C-4C7A-9F8C-981A08C66290}"= TCP:Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{926624ED-9D4F-4E6A-AA4C-5CCDB07412B5}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{BEFC67C9-7F47-4569-B8BF-119A09811BF5}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{508389C7-CEAB-4BEF-90D8-3A6550CBA922}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{C3ACC849-B464-4B8F-B9BA-F679A554ED0F}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{56317DDC-66D6-4C37-9639-B6884C0FD450}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{1D5A02A5-83F9-40BE-8A62-82B9396E4D7E}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5C552426-AB82-4104-89C6-E9E02884ABA9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6598DDEB-06D5-4DE3-8702-8FE6AFEC93D2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1F2C31DE-430A-44EF-A7B6-5A7AAB50F7E0}c:\\program files\\quicktime\\quicktimeplayer.exe"= UDP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"UDP Query User{7F4E121B-0834-4AF1-8C28-B8992EBD6AA9}c:\\program files\\quicktime\\quicktimeplayer.exe"= TCP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"{57025AE6-D55E-44BB-ACFC-69A9227DD7FD}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{CE9C3FD5-2AE2-4DB6-8822-668AEEFEA500}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{3675BE28-212E-48AB-AF22-9EF65D1ED8D4}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{CA891A40-E36C-4E7B-8DCA-7B4F813B1BAF}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{595E60D3-2426-44EF-BEB0-8BA4A90431EA}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{CA6B044D-89FC-4AB9-B862-1E3FCF55A57F}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"TCP Query User{0A9D88E7-628A-445D-AD39-3954B1F027B4}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= UDP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"UDP Query User{86448CE1-1D37-4DB1-87FF-065087728178}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= TCP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"TCP Query User{17A744AF-1105-4EF7-8718-1A9B55042C2C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9FCAA13B-79E4-4151-8163-2BDB3A674B37}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{340BA9F2-FF4D-4DFE-87C4-60AA8604EFFB}"= UDP:c:\program files\Real\RealPlayer\realplay.exe:RealPlayer
"{52C31E5F-2F72-4A66-9A3E-D4C3D34A5106}"= TCP:c:\program files\Real\RealPlayer\realplay.exe:RealPlayer
"{426C3FBA-01AB-44C5-9A6D-C70B994D1103}"= Disabled:UDP:6346:Shareaza
"{27E33A80-E086-421B-A55F-F7FE2BD0C937}"= Disabled:TCP:6346:Shareaza
"{6EC6728D-DC8B-4C7B-A637-C51C5163F2A4}"= UDP:c:\users\John\Downloads\utorrent.exe:µTorrent
"{5FF0C0E4-1F2E-4B17-9377-C0B60C259E61}"= TCP:c:\users\John\Downloads\utorrent.exe:µTorrent
"TCP Query User{C2996A74-1349-4317-B563-7D0A39734D2C}c:\\program files\\abacast\\abaclient.exe"= UDP:c:\program files\abacast\abaclient.exe:Abaclient
"UDP Query User{D07C92DA-A2AC-4817-ABE9-0D57E4394568}c:\\program files\\abacast\\abaclient.exe"= TCP:c:\program files\abacast\abaclient.exe:Abaclient
"TCP Query User{5D29D0C7-BF35-43D3-804D-6076EC8862DE}c:\\program files\\winamp\\winamp.exe"= UDP:c:\program files\winamp\winamp.exe:Winamp
"UDP Query User{BAD4CBEF-2E8D-4BCD-9BED-B492EE42AEC9}c:\\program files\\winamp\\winamp.exe"= TCP:c:\program files\winamp\winamp.exe:Winamp
"{F7796B77-515D-4912-B5A1-77B16AFDEEBC}"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"{13DEAD10-F7F1-4E57-B61B-63C70F04D6F2}"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{2B2A14AF-4A4F-43EF-BFBA-2F2C9331E6D6}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= UDP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"UDP Query User{108CC807-C915-4F03-A2E0-A74210EF34E9}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= TCP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"TCP Query User{8D4AD730-297E-4BF9-BF24-C574C2791DD6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2C2CECB0-D5E7-4220-A88F-B5A628348200}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{AEDB6901-47B5-403F-B9C7-E070509E47FC}"= Disabled:UDP:c:\program files\Kazaa Lite Resurrection\klrun.exe:Kazaa Lite Resurrection
"{B6F790B2-AAB5-490C-8F50-A68280EECAF4}"= Disabled:TCP:c:\program files\Kazaa Lite Resurrection\klrun.exe:Kazaa Lite Resurrection
"TCP Query User{8D245728-52E3-4B31-81D1-A873D32110DD}c:\\program files\\kazaa lite resurrection\\kazaalite.kpp"= Disabled:UDP:c:\program files\kazaa lite resurrection\kazaalite.kpp:kazaalite.kpp
"UDP Query User{BC3D7E0A-305A-42C9-B676-3D8F55CCA164}c:\\program files\\kazaa lite resurrection\\kazaalite.kpp"= Disabled:TCP:c:\program files\kazaa lite resurrection\kazaalite.kpp:kazaalite.kpp
"{FF590CB5-46F8-47DC-8F25-918A5CD146D0}"= Disabled:UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4D6F1D8B-08D3-4E75-80A2-DECC376CCE91}"= Disabled:TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{35A030F3-E267-4F87-B452-674297364EA9}"= Disabled:UDP:c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe:Spy Sweeper
"{19B49013-CE2E-4AC1-9BAD-529F5C10D507}"= Disabled:TCP:c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe:Spy Sweeper
"{30F5E4E2-AF26-45A4-A0E7-0893AE405C95}"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"{DE6E57CD-77FC-4834-A27D-495AAD0FD08F}"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{C2B21BDB-1F05-43D9-B2FC-AA29DDA4FD6B}"= Disabled:TCP:12915:utorrent
"{129705F6-6499-43C0-BCD3-27FAA14FEB96}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{9C2A5C80-9D2F-49C9-80DF-FDB19D0D7B73}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{B9D03E9E-0A88-47E1-BF74-FF001AD2B47E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [8/10/2009 13:10 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [8/10/2009 13:10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/10/2009 13:10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 13:10 297752]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 13:03 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 20:37 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 19:49 7424]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [12/18/2006 13:09 5504]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [5/22/2007 16:23 155648]
S2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2009 11:21 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [11/18/2006 10:59 36312]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [3/20/2009 12:03 33176]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 06:25 2589184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2009-08-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2009-08-22 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 17:55
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\E411.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3640)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\WUDFHost.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-08-22 17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-22 21:59

Pre-Run: 255,518,150,656 bytes free
Post-Run: 255,297,441,792 bytes free

299 --- E O F --- 2009-08-12 15:21

I haven't re-enabled Windows Defender, AVG or Windows Firewall. Let me know if I should do this. As of now I still can't connect to the Internet.

Thanks again for your help.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:04 AM

Posted 22 August 2009 - 06:48 PM

Hi johnsig,

I have no internet connection on the infected Desktop, but I have full connectivity with my laptop. Thus updating from the internet is impossible from my desktop so I am downloading files on my laptop and transferring them via CDs.


You should have told me this before we began using ComboFix. This makes it much more difficult to help you. :thumbup2:

Before running ComboFix on your desktop, was there an Internet connection?

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


You need to disable your AVAST Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

AVAST will cause BSOD unless you disable it like this:
Posted Image

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Edited by SifuMike, 22 August 2009 - 06:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 johnsig

johnsig
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:03:04 AM

Posted 22 August 2009 - 08:15 PM

Hi SifuMike,

I mentioned that I could not connect to the internet in my post of Aug 15th in the link attached to the original post of this thread. I have not been able to connect since then or now.

I have rerun ComboFix with your script. Thanks for your continued help. Here is the log:

ComboFix 09-08-22.06 - John 08/22/2009 21:04.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1325 [GMT -4:00]
Running from: c:\users\John\Desktop\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1169 [VPS 080331-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1169 [VPS 080331-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 01:08 . 2009-08-23 01:08 -------- d-----w- c:\users\John\AppData\Local\temp
2009-08-23 01:08 . 2009-08-23 01:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-23 01:08 . 2009-08-23 01:08 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-08-23 01:08 . 2009-08-23 01:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-22 21:34 . 2009-08-22 21:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 12:28 . 2009-08-11 12:28 -------- d-----w- c:\programdata\Malwarebytes
2009-08-10 17:11 . 2009-08-15 00:46 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-10 17:10 . 2009-08-10 17:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-10 17:10 . 2009-08-10 17:10 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-10 17:10 . 2009-08-10 17:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-10 17:10 . 2009-08-10 17:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 17:10 . 2009-08-12 15:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-10 17:10 . 2009-08-12 21:53 -------- d-----w- c:\programdata\avg8
2009-08-10 17:08 . 2009-08-10 17:08 -------- d-----w- c:\users\John\AppData\Roaming\AVG8
2009-08-10 00:59 . 2009-08-10 01:17 -------- d-----w- c:\program files\Loaris Trojan Remover
2009-08-08 17:01 . 2009-08-08 17:07 -------- d-----w- c:\users\John\Audiobooks
2009-08-08 14:54 . 2009-08-08 15:32 -------- d-----w- c:\program files\NirSoft
2009-07-26 14:38 . 2009-07-26 14:38 127921 ----a-w- c:\users\John\AppData\Roaming\Move Networks\uninstall.exe
2009-07-26 14:38 . 2009-07-26 23:08 -------- d-----w- c:\users\John\AppData\Roaming\Move Networks
2009-07-25 12:06 . 2009-07-25 12:06 746760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 21:34 . 2007-03-22 20:39 -------- d-----w- c:\program files\Java
2009-08-16 16:46 . 2007-02-21 16:12 1356 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2009-08-13 13:19 . 2009-08-11 12:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 15:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 23:46 . 2007-02-27 16:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-11 12:30 . 2009-08-11 12:30 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2009-08-09 18:46 . 2009-02-16 16:33 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
2009-08-08 18:02 . 2008-03-12 13:33 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-08 17:35 . 2009-02-19 22:52 -------- d-----w- c:\users\John\AppData\Roaming\Winamp
2009-08-03 17:36 . 2009-08-13 13:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-13 13:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 13:21 . 2008-08-09 01:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-26 14:38 . 2009-06-17 07:52 4183416 ----a-w- c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
2009-07-21 21:52 . 2009-07-29 08:28 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 08:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 08:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 08:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 15:16 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 15:15 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 15:15 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 15:15 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 15:15 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-06-28 18:44 . 2009-04-03 18:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-18 16:54 . 2009-08-11 16:47 6144 ------w- c:\windows\system32\5981.tmp
2009-06-18 16:54 . 2009-08-11 16:47 6144 ------w- c:\windows\system32\5877.tmp
2009-06-18 16:54 . 2009-08-11 16:46 6144 ------w- c:\windows\system32\DE16.tmp
2009-06-17 07:52 . 2009-06-17 07:52 97144 ----a-w- c:\users\John\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-15 14:53 . 2009-07-14 20:41 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-14 20:41 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-14 20:41 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-14 20:41 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-14 20:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 11:42 . 2009-08-12 15:16 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 11:38 . 2009-08-12 15:15 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-04 12:07 . 2009-08-12 15:16 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-05-28 15:53 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_21.55.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-12 00:05 . 2009-08-23 00:27 77020 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-08-22 21:27 91154 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-23 00:27 91154 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-02-20 18:12 . 2009-08-23 00:27 18284 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4278196236-3910043076-1921008887-1001_UserData.bin
+ 2009-08-23 00:25 . 2009-08-23 00:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-23 00:25 . 2009-08-23 00:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-08-22 21:29 618020 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-08-23 00:30 618020 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-08-23 00:30 103644 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-08-22 21:29 103644 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 2000152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-22 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):73,63,f8,2d,ad,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{72592CCC-849E-4851-A6CD-3BFFB95ECEC6}"= UDP:Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{431DDD6E-BF6C-4C7A-9F8C-981A08C66290}"= TCP:Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{926624ED-9D4F-4E6A-AA4C-5CCDB07412B5}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{BEFC67C9-7F47-4569-B8BF-119A09811BF5}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{508389C7-CEAB-4BEF-90D8-3A6550CBA922}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{C3ACC849-B464-4B8F-B9BA-F679A554ED0F}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{56317DDC-66D6-4C37-9639-B6884C0FD450}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{1D5A02A5-83F9-40BE-8A62-82B9396E4D7E}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5C552426-AB82-4104-89C6-E9E02884ABA9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6598DDEB-06D5-4DE3-8702-8FE6AFEC93D2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1F2C31DE-430A-44EF-A7B6-5A7AAB50F7E0}c:\\program files\\quicktime\\quicktimeplayer.exe"= UDP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"UDP Query User{7F4E121B-0834-4AF1-8C28-B8992EBD6AA9}c:\\program files\\quicktime\\quicktimeplayer.exe"= TCP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"{57025AE6-D55E-44BB-ACFC-69A9227DD7FD}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{CE9C3FD5-2AE2-4DB6-8822-668AEEFEA500}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{3675BE28-212E-48AB-AF22-9EF65D1ED8D4}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{CA891A40-E36C-4E7B-8DCA-7B4F813B1BAF}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{595E60D3-2426-44EF-BEB0-8BA4A90431EA}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{CA6B044D-89FC-4AB9-B862-1E3FCF55A57F}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"TCP Query User{0A9D88E7-628A-445D-AD39-3954B1F027B4}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= UDP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"UDP Query User{86448CE1-1D37-4DB1-87FF-065087728178}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= TCP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"TCP Query User{17A744AF-1105-4EF7-8718-1A9B55042C2C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9FCAA13B-79E4-4151-8163-2BDB3A674B37}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{340BA9F2-FF4D-4DFE-87C4-60AA8604EFFB}"= UDP:c:\program files\Real\RealPlayer\realplay.exe:RealPlayer
"{52C31E5F-2F72-4A66-9A3E-D4C3D34A5106}"= TCP:c:\program files\Real\RealPlayer\realplay.exe:RealPlayer
"{426C3FBA-01AB-44C5-9A6D-C70B994D1103}"= Disabled:UDP:6346:Shareaza
"{27E33A80-E086-421B-A55F-F7FE2BD0C937}"= Disabled:TCP:6346:Shareaza
"{6EC6728D-DC8B-4C7B-A637-C51C5163F2A4}"= UDP:c:\users\John\Downloads\utorrent.exe:µTorrent
"{5FF0C0E4-1F2E-4B17-9377-C0B60C259E61}"= TCP:c:\users\John\Downloads\utorrent.exe:µTorrent
"TCP Query User{C2996A74-1349-4317-B563-7D0A39734D2C}c:\\program files\\abacast\\abaclient.exe"= UDP:c:\program files\abacast\abaclient.exe:Abaclient
"UDP Query User{D07C92DA-A2AC-4817-ABE9-0D57E4394568}c:\\program files\\abacast\\abaclient.exe"= TCP:c:\program files\abacast\abaclient.exe:Abaclient
"TCP Query User{5D29D0C7-BF35-43D3-804D-6076EC8862DE}c:\\program files\\winamp\\winamp.exe"= UDP:c:\program files\winamp\winamp.exe:Winamp
"UDP Query User{BAD4CBEF-2E8D-4BCD-9BED-B492EE42AEC9}c:\\program files\\winamp\\winamp.exe"= TCP:c:\program files\winamp\winamp.exe:Winamp
"{F7796B77-515D-4912-B5A1-77B16AFDEEBC}"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"{13DEAD10-F7F1-4E57-B61B-63C70F04D6F2}"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{2B2A14AF-4A4F-43EF-BFBA-2F2C9331E6D6}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= UDP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"UDP Query User{108CC807-C915-4F03-A2E0-A74210EF34E9}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= TCP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"TCP Query User{8D4AD730-297E-4BF9-BF24-C574C2791DD6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2C2CECB0-D5E7-4220-A88F-B5A628348200}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{AEDB6901-47B5-403F-B9C7-E070509E47FC}"= Disabled:UDP:c:\program files\Kazaa Lite Resurrection\klrun.exe:Kazaa Lite Resurrection
"{B6F790B2-AAB5-490C-8F50-A68280EECAF4}"= Disabled:TCP:c:\program files\Kazaa Lite Resurrection\klrun.exe:Kazaa Lite Resurrection
"TCP Query User{8D245728-52E3-4B31-81D1-A873D32110DD}c:\\program files\\kazaa lite resurrection\\kazaalite.kpp"= Disabled:UDP:c:\program files\kazaa lite resurrection\kazaalite.kpp:kazaalite.kpp
"UDP Query User{BC3D7E0A-305A-42C9-B676-3D8F55CCA164}c:\\program files\\kazaa lite resurrection\\kazaalite.kpp"= Disabled:TCP:c:\program files\kazaa lite resurrection\kazaalite.kpp:kazaalite.kpp
"{FF590CB5-46F8-47DC-8F25-918A5CD146D0}"= Disabled:UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4D6F1D8B-08D3-4E75-80A2-DECC376CCE91}"= Disabled:TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{35A030F3-E267-4F87-B452-674297364EA9}"= Disabled:UDP:c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe:Spy Sweeper
"{19B49013-CE2E-4AC1-9BAD-529F5C10D507}"= Disabled:TCP:c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe:Spy Sweeper
"{30F5E4E2-AF26-45A4-A0E7-0893AE405C95}"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"{DE6E57CD-77FC-4834-A27D-495AAD0FD08F}"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{C2B21BDB-1F05-43D9-B2FC-AA29DDA4FD6B}"= Disabled:TCP:12915:utorrent
"{129705F6-6499-43C0-BCD3-27FAA14FEB96}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{9C2A5C80-9D2F-49C9-80DF-FDB19D0D7B73}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{B9D03E9E-0A88-47E1-BF74-FF001AD2B47E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [8/10/2009 13:10 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [8/10/2009 13:10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/10/2009 13:10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 13:10 297752]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 13:03 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 20:37 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 19:49 7424]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [12/18/2006 13:09 5504]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [5/22/2007 16:23 155648]
S2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2009 11:21 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [11/18/2006 10:59 36312]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [3/20/2009 12:03 33176]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 06:25 2589184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2009-08-23 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-22 21:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\E411.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2448)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-08-23 21:10
ComboFix-quarantined-files.txt 2009-08-23 01:10
ComboFix2.txt 2009-08-22 21:59

Pre-Run: 255,339,724,800 bytes free
Post-Run: 255,298,428,928 bytes free

268 --- E O F --- 2009-08-12 15:21

#6 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Gender: Male
Location: Vancouver (not BC) WA (Not DC) USA

Posted 22 August 2009 - 09:12 PM

Hi johnsig,

See if this restores your internet connection:
How to reset Internet Protocol (TCP/IP) in Windows
http://support.microsoft.com/?kbid=299357

************


You need to disable your AVAST Antivirus and Windows Defender before running ComboFix, as they will prevent it from running.

AVAST will cause BSOD unless you disable it like this:

To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.




Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File::
c:\windows\system32\5981.tmp
c:\windows\system32\5877.tmp
c:\windows\system32\DE16.tmp


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Edited by SifuMike, 22 August 2009 - 09:14 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 johnsig
Topic Starter, Members, 95 posts

Posted 23 August 2009 - 07:27 AM

Hello SifuMike,

I tried both the automatic and manual fixes to reset TCP/IP. They reported that they worked, but I still have no internet connection. In the manual fix, resetlog.txt was not created.

I do not have AVAST.

Windows Defender was disabled earlier.

Here is the new log:

ComboFix 09-08-22.06 - John 08/23/2009 8:16.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2021.1302 [GMT -4:00]
Running from: c:\users\John\Desktop\ComboFix.exe
Command switches used :: c:\users\John\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1169 [VPS 080331-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1169 [VPS 080331-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\5877.tmp"
"c:\windows\system32\5981.tmp"
"c:\windows\system32\DE16.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\5877.tmp
c:\windows\system32\5981.tmp
c:\windows\system32\DE16.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-23 to 2009-08-23 )))))))))))))))))))))))))))))))
.

2009-08-23 12:19 . 2009-08-23 12:19 -------- d-----w- c:\users\John\AppData\Local\temp
2009-08-23 12:19 . 2009-08-23 12:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-23 12:19 . 2009-08-23 12:19 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2009-08-23 12:19 . 2009-08-23 12:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-22 21:34 . 2009-08-22 21:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-11 12:28 . 2009-08-11 12:28 -------- d-----w- c:\programdata\Malwarebytes
2009-08-10 17:11 . 2009-08-15 00:46 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-10 17:10 . 2009-08-10 17:10 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-10 17:10 . 2009-08-10 17:10 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-10 17:10 . 2009-08-10 17:10 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-10 17:10 . 2009-08-10 17:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 17:10 . 2009-08-12 15:11 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-10 17:10 . 2009-08-12 21:53 -------- d-----w- c:\programdata\avg8
2009-08-10 17:08 . 2009-08-10 17:08 -------- d-----w- c:\users\John\AppData\Roaming\AVG8
2009-08-10 00:59 . 2009-08-10 01:17 -------- d-----w- c:\program files\Loaris Trojan Remover
2009-08-08 17:01 . 2009-08-08 17:07 -------- d-----w- c:\users\John\Audiobooks
2009-08-08 14:54 . 2009-08-08 15:32 -------- d-----w- c:\program files\NirSoft
2009-07-26 14:38 . 2009-07-26 14:38 127921 ----a-w- c:\users\John\AppData\Roaming\Move Networks\uninstall.exe
2009-07-26 14:38 . 2009-07-26 23:08 -------- d-----w- c:\users\John\AppData\Roaming\Move Networks
2009-07-25 12:06 . 2009-07-25 12:06 746760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-22 21:34 . 2007-03-22 20:39 -------- d-----w- c:\program files\Java
2009-08-16 16:46 . 2007-02-21 16:12 1356 ----a-w- c:\users\John\AppData\Local\d3d9caps.dat
2009-08-13 13:19 . 2009-08-11 12:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 15:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-11 23:46 . 2007-02-27 16:40 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-08-11 12:30 . 2009-08-11 12:30 -------- d-----w- c:\users\John\AppData\Roaming\Malwarebytes
2009-08-09 18:46 . 2009-02-16 16:33 -------- d-----w- c:\users\John\AppData\Roaming\uTorrent
2009-08-08 18:02 . 2008-03-12 13:33 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-08 17:35 . 2009-02-19 22:52 -------- d-----w- c:\users\John\AppData\Roaming\Winamp
2009-08-03 17:36 . 2009-08-13 13:19 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-08-13 13:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 13:21 . 2008-08-09 01:17 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-26 14:38 . 2009-06-17 07:52 4183416 ----a-w- c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071504000001.dll
2009-07-21 21:52 . 2009-07-29 08:28 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 08:28 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 08:28 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 08:28 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 15:16 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 15:15 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 15:15 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 15:15 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 15:15 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-06-28 18:44 . 2009-04-03 18:19 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-17 07:52 . 2009-06-17 07:52 97144 ----a-w- c:\users\John\AppData\Roaming\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-06-15 14:53 . 2009-07-14 20:41 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 14:52 . 2009-07-14 20:41 23552 ----a-w- c:\windows\system32\lpk.dll
2009-06-15 14:52 . 2009-07-14 20:41 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 14:51 . 2009-07-14 20:41 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:42 . 2009-07-14 20:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-10 11:42 . 2009-08-12 15:16 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 11:38 . 2009-08-12 15:15 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-06-04 12:07 . 2009-08-12 15:16 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-05-28 15:53 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-08-22_21.55.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-12 00:05 . 2009-08-23 12:08 77116 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-08-22 21:27 91154 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-23 12:08 91154 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-02-20 18:12 . 2009-08-23 12:08 18284 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4278196236-3910043076-1921008887-1001_UserData.bin
+ 2009-08-23 12:05 . 2009-08-23 12:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-08-23 12:05 . 2009-08-23 12:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 10:33 . 2009-08-22 21:29 618020 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-08-23 12:10 618020 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-08-23 12:10 103644 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-08-22 21:29 103644 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-10 2000152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-22 149280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-12-14 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-23 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GammaTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GammaTray.lnk
backup=c:\windows\pss\GammaTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NCProTray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\NCProTray.lnk
backup=c:\windows\pss\NCProTray.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):73,63,f8,2d,ad,df,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-1001]
"EnableNotificationsRef"=dword:00000003

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4278196236-3910043076-1921008887-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{72592CCC-849E-4851-A6CD-3BFFB95ECEC6}"= UDP:Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{431DDD6E-BF6C-4C7A-9F8C-981A08C66290}"= TCP:Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{926624ED-9D4F-4E6A-AA4C-5CCDB07412B5}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{BEFC67C9-7F47-4569-B8BF-119A09811BF5}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe:Intel® Remoting Service
"{508389C7-CEAB-4BEF-90D8-3A6550CBA922}"= UDP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{C3ACC849-B464-4B8F-B9BA-F679A554ED0F}"= TCP:Profile=Private|Profile=Public:LocalSubnet:LocalSubnet|c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe:Intel® Viiv™ Media Server
"{56317DDC-66D6-4C37-9639-B6884C0FD450}"= TCP:Profile=Private|Profile=Public|9442:127.0.0.1:Intel® Viiv™ Media Server Discovery
"{1D5A02A5-83F9-40BE-8A62-82B9396E4D7E}"= TCP:Profile=Private|Profile=Public|1900:LocalSubnet:LocalSubnet:Intel® Viiv™ Media Server UPnP Discovery
"{5C552426-AB82-4104-89C6-E9E02884ABA9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6598DDEB-06D5-4DE3-8702-8FE6AFEC93D2}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1F2C31DE-430A-44EF-A7B6-5A7AAB50F7E0}c:\\program files\\quicktime\\quicktimeplayer.exe"= UDP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"UDP Query User{7F4E121B-0834-4AF1-8C28-B8992EBD6AA9}c:\\program files\\quicktime\\quicktimeplayer.exe"= TCP:c:\program files\quicktime\quicktimeplayer.exe:QuickTime Player
"{57025AE6-D55E-44BB-ACFC-69A9227DD7FD}"= UDP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{CE9C3FD5-2AE2-4DB6-8822-668AEEFEA500}"= TCP:c:\program files\Grisoft\AVG7\avginet.exe:avginet.exe
"{3675BE28-212E-48AB-AF22-9EF65D1ED8D4}"= UDP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{CA891A40-E36C-4E7B-8DCA-7B4F813B1BAF}"= TCP:c:\program files\Grisoft\AVG7\avgamsvr.exe:avgamsvr.exe
"{595E60D3-2426-44EF-BEB0-8BA4A90431EA}"= UDP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"{CA6B044D-89FC-4AB9-B862-1E3FCF55A57F}"= TCP:c:\program files\Grisoft\AVG7\avgcc.exe:avgcc.exe
"TCP Query User{0A9D88E7-628A-445D-AD39-3954B1F027B4}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= UDP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"UDP Query User{86448CE1-1D37-4DB1-87FF-065087728178}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= TCP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"TCP Query User{17A744AF-1105-4EF7-8718-1A9B55042C2C}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9FCAA13B-79E4-4151-8163-2BDB3A674B37}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{340BA9F2-FF4D-4DFE-87C4-60AA8604EFFB}"= UDP:c:\program files\Real\RealPlayer\realplay.exe:RealPlayer
"{52C31E5F-2F72-4A66-9A3E-D4C3D34A5106}"= TCP:c:\program files\Real\RealPlayer\realplay.exe:RealPlayer
"{426C3FBA-01AB-44C5-9A6D-C70B994D1103}"= Disabled:UDP:6346:Shareaza
"{27E33A80-E086-421B-A55F-F7FE2BD0C937}"= Disabled:TCP:6346:Shareaza
"{6EC6728D-DC8B-4C7B-A637-C51C5163F2A4}"= UDP:c:\users\John\Downloads\utorrent.exe:µTorrent
"{5FF0C0E4-1F2E-4B17-9377-C0B60C259E61}"= TCP:c:\users\John\Downloads\utorrent.exe:µTorrent
"TCP Query User{C2996A74-1349-4317-B563-7D0A39734D2C}c:\\program files\\abacast\\abaclient.exe"= UDP:c:\program files\abacast\abaclient.exe:Abaclient
"UDP Query User{D07C92DA-A2AC-4817-ABE9-0D57E4394568}c:\\program files\\abacast\\abaclient.exe"= TCP:c:\program files\abacast\abaclient.exe:Abaclient
"TCP Query User{5D29D0C7-BF35-43D3-804D-6076EC8862DE}c:\\program files\\winamp\\winamp.exe"= UDP:c:\program files\winamp\winamp.exe:Winamp
"UDP Query User{BAD4CBEF-2E8D-4BCD-9BED-B492EE42AEC9}c:\\program files\\winamp\\winamp.exe"= TCP:c:\program files\winamp\winamp.exe:Winamp
"{F7796B77-515D-4912-B5A1-77B16AFDEEBC}"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"{13DEAD10-F7F1-4E57-B61B-63C70F04D6F2}"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{2B2A14AF-4A4F-43EF-BFBA-2F2C9331E6D6}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= UDP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"UDP Query User{108CC807-C915-4F03-A2E0-A74210EF34E9}c:\\program files\\microsoft games\\links 2001\\linksmmi.exe"= TCP:c:\program files\microsoft games\links 2001\linksmmi.exe:LinksMMI
"TCP Query User{8D4AD730-297E-4BF9-BF24-C574C2791DD6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{2C2CECB0-D5E7-4220-A88F-B5A628348200}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{AEDB6901-47B5-403F-B9C7-E070509E47FC}"= Disabled:UDP:c:\program files\Kazaa Lite Resurrection\klrun.exe:Kazaa Lite Resurrection
"{B6F790B2-AAB5-490C-8F50-A68280EECAF4}"= Disabled:TCP:c:\program files\Kazaa Lite Resurrection\klrun.exe:Kazaa Lite Resurrection
"TCP Query User{8D245728-52E3-4B31-81D1-A873D32110DD}c:\\program files\\kazaa lite resurrection\\kazaalite.kpp"= Disabled:UDP:c:\program files\kazaa lite resurrection\kazaalite.kpp:kazaalite.kpp
"UDP Query User{BC3D7E0A-305A-42C9-B676-3D8F55CCA164}c:\\program files\\kazaa lite resurrection\\kazaalite.kpp"= Disabled:TCP:c:\program files\kazaa lite resurrection\kazaalite.kpp:kazaalite.kpp
"{FF590CB5-46F8-47DC-8F25-918A5CD146D0}"= Disabled:UDP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{4D6F1D8B-08D3-4E75-80A2-DECC376CCE91}"= Disabled:TCP:c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.exe:SPCM
"{35A030F3-E267-4F87-B452-674297364EA9}"= Disabled:UDP:c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe:Spy Sweeper
"{19B49013-CE2E-4AC1-9BAD-529F5C10D507}"= Disabled:TCP:c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe:Spy Sweeper
"{30F5E4E2-AF26-45A4-A0E7-0893AE405C95}"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"{DE6E57CD-77FC-4834-A27D-495AAD0FD08F}"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{C2B21BDB-1F05-43D9-B2FC-AA29DDA4FD6B}"= Disabled:TCP:12915:utorrent
"{129705F6-6499-43C0-BCD3-27FAA14FEB96}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{9C2A5C80-9D2F-49C9-80DF-FDB19D0D7B73}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{B9D03E9E-0A88-47E1-BF74-FF001AD2B47E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [8/10/2009 13:10 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [8/10/2009 13:10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/10/2009 13:10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/10/2009 13:10 297752]
R2 DQLWinService;DQLWinService;c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [10/29/2006 13:03 208896]
R2 nmsgopro;GoProto Protocol Driver for NMS;c:\windows\System32\drivers\nmsgopro.sys [9/27/2006 20:37 28672]
R2 nmsunidr;UniDriver for NMS;c:\windows\System32\drivers\nmsunidr.sys [10/19/2006 19:49 7424]
R3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [12/18/2006 13:09 5504]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [5/22/2007 16:23 155648]
S2 gupdate1c99825db5dda72;Google Update Service (gupdate1c99825db5dda72);c:\program files\Google\Update\GoogleUpdate.exe [2/26/2009 11:21 133104]
S2 IntelDHSvcConf;Intel DH Service;c:\program files\Intel\IntelDH\Intel Media Server\tools\IntelDHSvcConf.exe [11/18/2006 10:59 36312]
S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [3/20/2009 12:03 33176]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 06:25 2589184]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2009-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-26 15:21]

2009-08-23 c:\windows\Tasks\User_Feed_Synchronization-{1D222DBF-C551-436A-A026-133E4094B4E2}.job
- c:\windows\system32\msfeedssync.exe [2009-07-29 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GM5420
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\mkrc2kst.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 08:19
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\E411.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-08-23 8:21
ComboFix-quarantined-files.txt 2009-08-23 12:21
ComboFix2.txt 2009-08-23 01:10
ComboFix3.txt 2009-08-22 21:59

Pre-Run: 255,171,239,936 bytes free
Post-Run: 255,148,105,728 bytes free

272 --- E O F --- 2009-08-12 15:21

Thanks for your continued help.
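
The log above records "EnableLUA"= 0, "EnableFirewall"= 0 and several "DisableMonitoring"=dword:00000001 entries, which are exactly the settings a responder wants surfaced when reading a ComboFix log. As an added example that is not part of this thread or of ComboFix itself, here is a small Python triage helper for the 'Reg Loading Points' section; the sample input is constructed from the lines above and the finding names are my own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's own code. It parses the REGEDIT4-style
[key] / "name"=value lines and flags settings that weaken the host's
defences: UAC off, Windows Firewall off, Security Center monitoring
suppressed, an AppInit_DLLs entry, and non-default BootExecute entries.
"""
import re
from typing import Dict, List, Tuple, Union

# Constructed sample mirroring the lines seen in the log above.
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=c:\\windows\\System32\\avgrsstx.dll

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
MULTI_RE = re.compile(r"^(\w+)\s+REG_MULTI_SZ\s+(.*)$")

Value = Union[int, str]


def parse_value(raw: str) -> Value:
    """Normalise the value forms ComboFix prints: '0 (0x0)', 'dword:0000000x', strings."""
    raw = raw.strip()
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r'^"([^"]*)"', raw)       # quoted path, possibly followed by [date size]
    if m:
        return m.group(1)
    return raw


def parse_reg_points(text: str) -> Dict[str, Dict[str, Value]]:
    """Return {key (lower-cased): {value name: value}} for every [key] block."""
    entries: Dict[str, Dict[str, Value]] = {}
    key = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            entries.setdefault(key, {})
            continue
        if key is None:
            continue
        m = VAL_RE.match(line) or MULTI_RE.match(line)
        if m:
            entries[key][m.group(1)] = parse_value(m.group(2))
    return entries


def flag_weak_settings(entries: Dict[str, Dict[str, Value]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for defence-weakening settings."""
    findings: List[Tuple[str, str]] = []
    for key, values in entries.items():
        if key.endswith("\\policies\\system") and values.get("EnableLUA") == 0:
            findings.append(("uac_disabled", key))
        if key.endswith("\\firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(("firewall_disabled", key))
        if "\\security center\\monitoring\\" in key and values.get("DisableMonitoring") == 1:
            findings.append(("security_center_monitoring_suppressed", key))
        if key.endswith("\\currentversion\\windows") and values.get("AppInit_DLLs"):
            # AppInit_DLLs is loaded into every user-mode process; verify the DLL's publisher.
            findings.append(("appinit_dll_loaded", str(values["AppInit_DLLs"])))
        boot = values.get("BootExecute")
        if isinstance(boot, str):
            # Anything beyond the default 'autocheck autochk *' runs before logon and
            # deserves a look, even though it may turn out to be legitimate software.
            extras = [p for p in boot.replace("\\0", " ").split()
                      if p not in ("autocheck", "autochk", "*")]
            if extras:
                findings.append(("bootexecute_extra", " ".join(extras)))
    return findings


def triage(text: str) -> List[Tuple[str, str]]:
    return flag_weak_settings(parse_reg_points(text))


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding}: {detail}")
```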

#8 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Gender: Male
Location: Vancouver (not BC) WA (Not DC) USA

Posted 23 August 2009 - 12:33 PM

Hi John,

How do you connect, wireless, wired?

DSL, cable, dial-up? External modem type?

Are you using a router, type?

Are you using a firewall?

Did you have a working connection, and at what point did it just quit working?



Download the latest version of Kaspersky Virus Removal Tool

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Edited by SifuMike, 23 August 2009 - 12:39 PM.


#9 johnsig
Topic Starter, Members, 95 posts

Posted 23 August 2009 - 01:44 PM

Hi SifuMike,

This is bizarre: if I click on your link, IE reports "Internet Explorer cannot display webpage" and Firefox reports "550 No such file or directory".

I went to the Kaspersky web site but it is not obvious which tool I need to download.

I have a wireless network using a Linksys WRT54G2 V1 router. My cable modem is hardwired to the router and the router is hardwired to my desktop (infected). I connect wirelessly to my laptop. On my desktop it shows it is connected to a public unidentified network with local-only access through the local area connection. The map shows only the desktop, the unidentified network and no Internet. Apparently it can't see the router or the laptop. On the laptop (uninfected) it shows connected to the private network gradyland (which is what I named it) with local and Internet access via a wireless network. The map from the laptop shows the laptop, router, and Internet but doesn't show the desktop. I can print documents from my laptop to my printer, which is hardwired to my desktop. When I click on Network in Windows Explorer on my laptop, the name of my desktop no longer shows up.

I normally just use the firewall that came with Vista Home Premium. At one point I was asked to turn the firewall off and was surprised to find it was off. I don't think it was off before I was attacked.

I think I lost internet connectivity after running RootRepeal on 08/14/09 in the other forum under the guidance of garmanma, but I can't be sure. I definitely have not had it since 08/15/09. At one point I could not get my laptop to connect, so I contacted Roadrunner (ISP). After doing some diagnostics and trying to ping from my desktop, the technician advised me that there was something on my computer preventing the connection and I needed to get it cleaned up.

Hope some of this is useful. Please let me know what to do next. Thanks.

#10 SifuMike
malware expert, Staff Emeritus, 15,385 posts
Gender: Male
Location: Vancouver (not BC) WA (Not DC) USA

Posted 23 August 2009 - 01:52 PM

Hi John,

I definitely have not had it since 08/15/09. At one point I could not get my laptop to connect so I contacted Roadrunner (ISP).


It looks like you had Internet access on your last post at the other forum, as you downloaded and ran SmitFraudFix.


I am not seeing any malware on your computer.

I went to the Kaspersky web site but it is not obvious which tool I need to download


Use this site:
http://majorgeeks.com/Kaspersky_Virus_Remo...Tool_d4515.html

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Edited by SifuMike, 23 August 2009 - 02:08 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
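The last step above asks for only the "Detected" part of the saved AVPT.txt, not the much longer "Events" list. The following script splits a saved report into those two parts and prints just the Detected lines. It is an added example, not code from this thread or from Kaspersky: it assumes the report is plain text in which each part starts with a header line reading "Detected" or "Events" (the real AVPTool layout may differ, so check your own AVPT.txt and adjust SECTION_HEADERS), and the sample report embedded in it is constructed for illustration.

```python
"""Split a saved AVPTool report into its "Detected" and "Events" parts.

Added example; not part of the forum thread or of Kaspersky's tool. It
ASSUMES the saved report is plain text in which the two parts begin with
header lines reading "Detected" and "Events". Kaspersky's real layout may
differ: look at your own AVPT.txt and adjust SECTION_HEADERS if needed.
"""
from typing import Dict, List, Optional

SECTION_HEADERS = ("Detected", "Events")  # assumed section titles


def split_report(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [lines]} for each known header found.

    Lines before the first recognised header are ignored. Header matching
    is case-insensitive and tolerates trailing colons and whitespace.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        key = line.strip().rstrip(":").casefold()
        match = next((h for h in SECTION_HEADERS if h.casefold() == key), None)
        if match is not None:
            current = match
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def detected_only(text: str) -> str:
    """The text to paste into the reply: the Detected section, blank lines dropped."""
    lines = [l for l in split_report(text).get("Detected", []) if l.strip()]
    return "\n".join(lines)


# Constructed sample report (not real AVPTool output); tab-separated columns.
SAMPLE_REPORT = """\
Kaspersky AVPTool report
Detected
Status\tObject
-----------------
detected\tTrojan.Win32.Example\tC:\\Users\\John\\AppData\\Local\\Temp\\abc.exe
detected\tnot-a-virus:AdWare.Win32.Example\tC:\\Program Files\\Foo\\bar.dll
Events
Time\tName\tStatus\tReason
-----------------
23.08.2009 16:40\tC:\\Windows\\System32\\kernel32.dll\tOK\tscanned
23.08.2009 16:41\tC:\\Windows\\System32\\ntdll.dll\tOK\tscanned
"""

if __name__ == "__main__":
    # Usage with a real report: python split_avpt.py < AVPT.txt
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(detected_only(source))
```

Run it with the saved report on standard input; with no input it prints the Detected part of the built-in sample. Anything outside the Detected section, including the Events list, is left out of what you paste.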

#11 johnsig

Posted 23 August 2009 - 02:26 PM

I've been downloading everything to my laptop and copying it to CD to transfer to the desktop, as I will do with Kaspersky.

Log to follow:

#12 johnsig

Posted 23 August 2009 - 02:45 PM

SifuMike,

Bad news. I saved the file to a CD on my laptop, then moved the file from the CD to the desktop of my Desktop. When it ran through the installation it put a folder on my desktop and ended with the message "Kaspersky Anti-Virus has stopped working" "A problem caused the program to stop working correctly. Windows will close the program and notify you... etc." No choice but to click OK. It never got to the point where I could select scannable items. The folder looks like it contains the files for the tool, including one with an icon labeled "start"; if I click on that the same message appears.

What now?

Edited by johnsig, 23 August 2009 - 03:24 PM.


#13 johnsig

Posted 23 August 2009 - 04:36 PM

Wait,

I just booted up my desktop and Kaspersky started running. It showed me the selection window and it is now scanning. I will post the log.

Edited by johnsig, 23 August 2009 - 04:42 PM.


#14 SifuMike

Posted 23 August 2009 - 04:38 PM

That is good news. I was looking for an alternate program.

#15 johnsig

Posted 23 August 2009 - 04:55 PM

The finish time says it will take another 3 hours, but the finish time is slowly getting earlier.



