
Various Trojans


34 replies to this topic

#1 chele9

chele9

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Female
  • Location:Atlanta
  • Local time:08:51 PM

Posted 28 September 2009 - 12:50 PM

Hi. Thanks for taking time to help me. I have various trojan horses and some of them will not go away even with the AVG virus scan. It actually somehow disables my virus scanner and I'm not sure but I think it removed some of its components. So, here is my stuff... Thanks again in advance.

DDS.txt


DDS (Ver_09-09-24.01) - NTFSx86
Run by Chele at 13:18:55.41 on Mon 09/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.86 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Chele\My Documents\Downloads\dds(3).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: c:\windows\system32\o15fo91c.dll: {a249bc15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\o15fo91c.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DriverLoad]
dRun: [DriverCheck]
dRun: [SystemDriverLoad]
dRun: [SystemDriver]
dRun: [FDriver]
dRun: [ADriver]
dRun: [Login Software 2009] c:\windows\temp\gy9n99jv.exe
dRun: [Yjafosi8kdf98winmdkmnkmfnwe] c:\windows\temp\debug.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
mExplorerRun: [DriverLoad]
mExplorerRun: [DriverCheck]
mExplorerRun: [SystemDriverLoad]
mExplorerRun: [Winhost]
mExplorerRun: [Winhost1]
mExplorerRun: [Winhost2]
mExplorerRun: [Winhost3]
mExplorerRun: [Winhost4]
mExplorerRun: [SystemDriver]
mExplorerRun: [FDriver]
mExplorerRun: [ADriver]
mExplorerRun: [NoActiveDesktopChanges] 00000000
mExplorerRun: [NoActiveDesktop] 0 (0x0)
mExplorerRun: [NoSaveSettings] 0 (0x0)
mExplorerRun: [ClassicShell] 0 (0x0)
uPolicies-explorer: NoActiveDesktopChanges = 00000000
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
STS: c:\windows\system32\tajf83ikdmf.dll: {bf56a325-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\tajf83ikdmf.dll
STS: c:\windows\system32\nzfiu3h78di.dll: {ba603215-23f2-42ad-f4e4-00aac39caa53} - c:\windows\system32\nzfiu3h78di.dll
STS: c:\windows\system32\o15fo91c.dll: {a249bc15-23f2-42ad-f4e4-00aac39c0004} - c:\windows\system32\o15fo91c.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Notification Packages = scecli dbdscrt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chele\applic~1\mozilla\firefox\profiles\4j4xctbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {6FF210BF-BB6C-471B-985C-CBEFF535B0BD} - c:\documents and settings\chele\local settings\application data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
FF - HiddenExtension: XUL Cache: {ECAE5EFC-8CB8-49DD-B264-F2D7986621CA} - c:\documents and settings\localservice\local settings\application data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
FF - HiddenExtension: XUL Cache: {BB1FBF8E-0AFE-40DB-8CFB-25DA47798316} - c:\documents and settings\owner\local settings\application data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
FF - HiddenExtension: XUL Cache: {302EE7AF-A8FC-433B-B923-0B1553B35668} - c:\documents and settings\chris\local settings\application data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
FF - HiddenExtension: XUL Cache: {BE7346B4-1163-494A-A5D4-0A856F947C4D} - c:\windows\system32\config\systemprofile\local settings\application data\{be7346b4-1163-494a-a5d4-0a856f947c4d}\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-16 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-16 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-16 108552]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2007-2-5 70144]
S2 msdirect;msdirect;\??\c:\windows\system32\msdirect.sys --> c:\windows\system32\msdirect.sys [?]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2007-2-5 15360]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2007-2-5 17920]
S3 sysrest.sys;sysrest.sys;\??\c:\windows\system32\sysrest.sys --> c:\windows\system32\sysrest.sys [?]
S4 pfcpr12;pfcpr12;\??\c:\windows\system32\drivers\senudfs.sys --> c:\windows\system32\drivers\senudfs.sys [?]

=============== Created Last 30 ================

2009-09-28 12:12 <DIR> --d----- c:\program files\Trend Micro
2009-09-28 11:13 15,000 a------- c:\windows\system32\o15fo91c.dll
2009-09-28 11:13 38 a------- C:\4F.tmp
2009-09-28 11:13 50,688 a------- C:\4D.tmp
2009-09-27 10:01 38 a------- C:\4C.tmp
2009-09-27 10:01 0 a------- C:\4B.tmp
2009-09-27 10:01 0 a------- C:\4A.tmp
2009-09-27 09:51 38 a------- C:\49.tmp
2009-09-27 09:51 0 a------- C:\48.tmp
2009-09-27 09:51 0 a------- C:\47.tmp
2009-09-26 23:07 38 a------- C:\46.tmp
2009-09-26 23:07 0 a------- C:\45.tmp
2009-09-26 23:07 0 a------- C:\44.tmp
2009-09-26 23:02 38 a------- C:\43.tmp
2009-09-26 23:02 0 a------- C:\42.tmp
2009-09-26 23:02 50,688 a------- C:\3E.tmp
2009-09-26 10:52 38 a------- C:\41.tmp
2009-09-26 10:52 0 a------- C:\40.tmp
2009-09-26 10:44 15,000 a------- c:\windows\system32\nzfiu3h78di.dll
2009-09-26 10:43 38 a------- C:\3F.tmp
2009-09-26 10:43 0 a------- C:\3D.tmp
2009-09-24 20:16 38 a------- C:\3C.tmp
2009-09-24 20:16 50,688 a------- C:\3A.tmp
2009-09-24 20:16 0 a------- C:\3B.tmp
2009-09-23 21:31 38 a------- C:\39.tmp
2009-09-23 21:31 96,768 a------- C:\38.tmp
2009-09-23 21:31 50,688 a------- C:\37.tmp
2009-09-23 15:48 38 a------- C:\36.tmp
2009-09-23 15:48 50,688 a------- C:\34.tmp
2009-09-23 15:48 0 a------- C:\35.tmp
2009-09-23 15:44 38 a------- C:\33.tmp
2009-09-23 15:44 50,688 a------- C:\31.tmp
2009-09-23 15:44 0 a------- C:\32.tmp
2009-09-22 15:23 0 a------- C:\30.tmp
2009-09-22 15:23 0 a------- C:\2F.tmp
2009-09-22 15:23 0 a------- C:\2E.tmp
2009-09-22 15:23 0 a------- C:\2D.tmp
2009-09-22 15:23 0 a------- C:\2C.tmp
2009-09-22 15:23 0 a------- C:\2B.tmp
2009-09-22 15:21 38 a------- C:\28.tmp
2009-09-22 15:21 0 a------- C:\2A.tmp
2009-09-22 15:21 0 a------- C:\29.tmp
2009-09-21 22:24 0 a------- C:\27.tmp
2009-09-21 22:24 0 a------- C:\26.tmp
2009-09-21 22:24 0 a------- C:\25.tmp
2009-09-21 22:23 0 a------- C:\24.tmp
2009-09-21 22:23 0 a------- C:\23.tmp
2009-09-21 22:23 0 a------- C:\22.tmp
2009-09-21 22:20 38 a------- C:\21.tmp
2009-09-21 22:20 0 a------- C:\20.tmp
2009-09-21 22:20 0 a------- C:\1F.tmp
2009-09-21 22:03 0 a------- C:\1E.tmp
2009-09-21 22:03 0 a------- C:\1D.tmp
2009-09-21 22:03 0 a------- C:\1B.tmp
2009-09-21 22:03 0 a------- C:\16.tmp
2009-09-21 22:03 0 a------- C:\12.tmp
2009-09-21 22:03 0 a------- C:\10.tmp
2009-09-21 22:00 38 a------- C:\F.tmp
2009-09-21 22:00 0 a------- C:\E.tmp
2009-09-21 22:00 0 a------- C:\D.tmp
2009-09-21 14:23 38 a------- C:\C.tmp
2009-09-21 14:23 0 a------- C:\9.tmp
2009-09-21 14:23 0 a------- C:\6.tmp
2009-09-20 13:48 38 a------- C:\B.tmp
2009-09-19 08:22 38 a------- C:\8.tmp
2009-09-19 08:22 0 a------- C:\3.tmp
2009-09-19 08:13 38 a------- C:\5.tmp
2009-09-19 08:13 0 a------- C:\2.tmp
2009-09-18 07:30 38 a------- C:\1C.tmp
2009-09-18 07:30 0 a------- C:\19.tmp
2009-09-18 07:22 38 a------- C:\1A.tmp
2009-09-18 07:22 0 a------- C:\17.tmp
2009-09-18 07:10 38 a------- C:\18.tmp
2009-09-16 13:33 38 a------- C:\15.tmp
2009-09-16 13:33 0 a------- C:\14.tmp
2009-09-16 13:33 0 a------- C:\13.tmp
2009-09-16 08:41 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-09-16 07:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-09-16 07:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-16 07:29 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 07:29 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 07:28 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-16 07:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-16 07:21 <DIR> --d----- c:\docume~1\chele\applic~1\AVG8
2009-09-11 21:02 <DIR> --d----- c:\program files\WinPcap
2009-09-11 21:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\16775154
2009-09-11 17:55 <DIR> --d----- c:\program files\AskBarDis
2009-09-05 17:01 38 a------- C:\A.tmp
2009-09-05 13:24 38 a------- C:\7.tmp
2009-09-04 04:52 26,112 ac------ c:\windows\system32\dllcache\usbser.sys
2009-09-04 04:52 26,112 a------- c:\windows\system32\drivers\usbser.sys
2009-09-04 04:50 <DIR> --d----- c:\program files\Motorola Phone Tools
2009-09-03 06:44 38 a------- C:\11.tmp
2009-09-03 01:50 38 a------- C:\4.tmp
2009-09-02 15:26 120 a------- c:\windows\Ugovani.dat
2009-09-01 19:56 <DIR> --dsh--- c:\windows\system32\wsnpoem
2009-09-01 19:56 38 a------- C:\EB1.tmp
2009-08-31 08:20 182,656 ac------ c:\windows\system32\dllcache\ndis.sys
2009-08-30 18:12 <DIR> --d----- c:\program files\common files\DivX Shared
2009-08-30 18:12 <DIR> --d----- c:\program files\DivX
2009-08-29 22:28 13 a------- C:\Load

==================== Find3M ====================

2009-09-28 11:13 50,688 a----r-- c:\windows\system32\ntos.exe
2009-08-31 08:20 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-08-26 03:39 48,616 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-19 03:41 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-05 16:37 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\wmpdxm.dll
2008-10-02 21:35 111,737 ac------ c:\program files\INSTALL.LOG
2008-10-08 06:34 287 ac-sh--- c:\windows\system32\4229845883.dat
2008-07-09 07:25 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008070920080710\index.dat
2008-08-06 02:54 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080520080806\index.dat
2008-08-07 16:02 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080720080808\index.dat
2008-08-25 02:29 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082420080825\index.dat

============= FINISH: 13:21:22.54 ===============


Not sure if this will help but I have this also. It's the first one, since I didn't know what to do with this log. Nothing has changed.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:56 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Chele\LOCALS~1\Temp\drweb.exe
C:\DOCUME~1\Chele\LOCALS~1\Temp\winamp.exe
C:\DOCUME~1\Chele\LOCALS~1\Temp\system.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: C:\WINDOWS\system32\o15fo91c.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\o15fo91c.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Chele\LOCALS~1\Temp\system.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DriverLoad] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DriverCheck] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SystemDriverLoad] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SystemDriver] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [FDriver] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ADriver] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Login Software 2009] C:\WINDOWS\TEMP\gy9n99jv.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\WINDOWS\TEMP\debug.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DriverLoad] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll (file missing)
O22 - SharedTaskScheduler: ksfe98wjkodsngiwiojndg873hundggdd - {BA603215-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\nzfiu3h78di.dll
O22 - SharedTaskScheduler: iukjsf8w3jirojs9f8u3jruhsf78s3jijdif - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\o15fo91c.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7304 bytes


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:51 PM

Posted 28 September 2009 - 02:42 PM

Hello chele9,


I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :(

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If ComboFix will not run the first time, then rename ComboFix.exe to chele9.exe and try it again. :(

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 chele9

chele9
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Female
  • Location:Atlanta
  • Local time:08:51 PM

Posted 28 September 2009 - 06:02 PM

I ran combofix. Here are the results.

ComboFix 09-09-27.05 - Chele 09/28/2009 18:11.1.1 - NTFSx86
Running from: c:\documents and settings\Chele\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\10.tmp
C:\12.tmp
C:\13.tmp
C:\14.tmp
C:\16.tmp
C:\17.tmp
C:\19.tmp
C:\1B.tmp
C:\1D.tmp
C:\1E.tmp
C:\1F.tmp
C:\2.tmp
C:\20.tmp
C:\22.tmp
C:\23.tmp
C:\24.tmp
C:\25.tmp
C:\26.tmp
C:\27.tmp
C:\29.tmp
C:\2A.tmp
C:\2B.tmp
C:\2C.tmp
C:\2D.tmp
C:\2E.tmp
C:\2F.tmp
C:\3.tmp
C:\30.tmp
C:\32.tmp
C:\35.tmp
C:\3B.tmp
C:\3D.tmp
C:\40.tmp
C:\42.tmp
C:\44.tmp
C:\45.tmp
C:\47.tmp
C:\48.tmp
C:\4A.tmp
C:\4B.tmp
C:\6.tmp
C:\9.tmp
C:\D.tmp
c:\docume~1\Chele\LOCALS~1\Temp\csrss.exe
c:\docume~1\Chele\LOCALS~1\Temp\lsass.exe
c:\docume~1\Chele\LOCALS~1\Temp\services.exe
c:\docume~1\Chele\LOCALS~1\Temp\svchost.exe
c:\docume~1\Chele\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Chele\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\Chele\Application Data\wiaserva.log
c:\documents and settings\Chris\Start Menu\Programs\Antivirus XP 2008.lnk
c:\documents and settings\LocalService\Application Data\rhcgo0j0et2v
c:\documents and settings\NetworkService\Application Data\wsnpoem
c:\documents and settings\NetworkService\Application Data\wsnpoem\video.dll
c:\documents and settings\Owner\Application Data\~tmp.html
c:\documents and settings\Owner\Application Data\config.cfg
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
c:\documents and settings\Owner\Application Data\rhcgo0j0et2v
C:\E.tmp
C:\Microsoft
c:\microsoft\Dr Watson\drwtsn32.log
c:\program files\INSTALL.LOG
c:\program files\Microsoft Security Adviser
c:\program files\Microsoft Security Adviser\msctrl.log
c:\program files\Microsoft Security Adviser\mssadv.log
c:\program files\Microsoft Security Adviser\mssadv_sp.log
c:\program files\Seekmo Programs
c:\program files\ShoppingReport
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\crock+mock.config
c:\windows\Installer\1e4f75.msp
c:\windows\Installer\1ea3b87.msp
c:\windows\Installer\3cb755.msp
c:\windows\Installer\99584e.msp
c:\windows\Installer\ac85850.msp
c:\windows\PeMon
c:\windows\PerfInfo
c:\windows\system32\4229845883.dat
c:\windows\system32\A.tmp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\F.tmp
c:\windows\system32\ntos.exe
c:\windows\system32\nzFIu3h78di.dll
c:\windows\system32\o15fo91c.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\Temp\1183017800.exe
c:\windows\Temp\15130268.exe
c:\windows\Temp\18099018.exe
c:\windows\Temp\1955205300.exe
c:\windows\Temp\3038555515.exe
c:\windows\Temp\4205176022.exe
c:\windows\Temp\685553930.exe
c:\windows\ufilufujuf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DNLSVC
-------\Legacy_MSDIRECT
-------\Legacy_NPF
-------\Legacy_SYSREST.SYS
-------\Service_dnlsvc
-------\Service_msdirect
-------\Service_npf
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-28 )))))))))))))))))))))))))))))))
.

2009-09-28 16:12 . 2009-09-28 16:12 -------- d-----w- c:\program files\Trend Micro
2009-09-16 12:41 . 2009-09-16 12:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-09-16 11:37 . 2009-09-28 07:24 -------- d-----w- C:\$AVG8.VAULT$
2009-09-16 11:30 . 2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-16 11:29 . 2009-09-16 11:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 11:29 . 2009-09-16 11:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 11:29 . 2009-09-16 11:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-16 11:28 . 2009-09-25 21:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-16 11:27 . 2009-09-28 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 11:21 . 2009-09-16 11:21 -------- d-----w- c:\documents and settings\Chele\Application Data\AVG8
2009-09-12 01:00 . 2009-09-16 12:05 -------- d-----w- c:\documents and settings\All Users\Application Data\16775154
2009-09-11 21:55 . 2009-09-11 21:55 -------- d-----w- c:\program files\AskBarDis
2009-09-04 08:55 . 2009-09-04 08:55 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\BVRP Software
2009-09-04 08:52 . 2008-04-13 15:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-04 08:52 . 2008-04-13 15:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-09-04 08:50 . 2009-09-04 08:53 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-04 08:50 . 2009-09-04 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-09-04 07:48 . 2009-09-04 07:48 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
2009-09-03 11:02 . 2009-09-03 11:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
2009-09-03 05:53 . 2009-09-03 05:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
2009-09-02 19:26 . 2009-09-06 19:11 120 ----a-w- c:\windows\Ugovani.dat
2009-09-02 03:26 . 2009-09-02 03:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Deployment
2009-08-31 12:20 . 2009-09-28 21:59 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-08-31 12:07 . 2009-08-31 12:07 -------- d-----w- c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
2009-08-30 22:32 . 2009-08-30 22:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-30 22:14 . 2009-08-30 22:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-30 22:12 . 2009-08-30 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-30 22:12 . 2009-08-30 22:14 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:59 . 2003-07-16 20:37 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-09-28 15:13 . 2009-09-28 15:13 38 ----a-w- C:\4F.tmp
2009-09-28 15:13 . 2009-09-28 15:13 50688 ----a-w- C:\4D.tmp
2009-09-27 14:03 . 2009-09-27 14:01 38 ----a-w- C:\4C.tmp
2009-09-27 13:53 . 2009-09-27 13:51 38 ----a-w- C:\49.tmp
2009-09-27 03:08 . 2009-09-27 03:07 38 ----a-w- C:\46.tmp
2009-09-27 03:02 . 2009-09-27 03:02 38 ----a-w- C:\43.tmp
2009-09-27 03:02 . 2009-09-27 03:02 50688 ----a-w- C:\3E.tmp
2009-09-26 14:53 . 2009-09-26 14:52 38 ----a-w- C:\41.tmp
2009-09-26 14:44 . 2009-09-26 14:43 38 ----a-w- C:\3F.tmp
2009-09-25 00:19 . 2009-09-25 00:16 38 ----a-w- C:\3C.tmp
2009-09-25 00:19 . 2009-09-25 00:16 50688 ----a-w- C:\3A.tmp
2009-09-25 00:10 . 2009-06-11 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-24 23:30 . 2009-06-11 01:55 -------- d-----w- c:\program files\DNA
2009-09-24 01:34 . 2009-09-24 01:31 38 ----a-w- C:\39.tmp
2009-09-24 01:34 . 2009-09-24 01:31 50688 ----a-w- C:\37.tmp
2009-09-24 01:33 . 2009-09-24 01:31 96768 ----a-w- C:\38.tmp
2009-09-23 19:51 . 2009-09-23 19:48 38 ----a-w- C:\36.tmp
2009-09-23 19:51 . 2009-09-23 19:48 50688 ----a-w- C:\34.tmp
2009-09-23 19:46 . 2009-09-23 19:44 38 ----a-w- C:\33.tmp
2009-09-23 19:46 . 2009-09-23 19:44 50688 ----a-w- C:\31.tmp
2009-09-22 19:23 . 2009-09-22 19:21 38 ----a-w- C:\28.tmp
2009-09-22 02:24 . 2009-09-22 02:20 38 ----a-w- C:\21.tmp
2009-09-22 02:03 . 2009-09-22 02:00 38 ----a-w- C:\F.tmp
2009-09-21 18:24 . 2009-09-21 18:23 38 ----a-w- C:\C.tmp
2009-09-20 17:49 . 2009-09-20 17:48 38 ----a-w- C:\B.tmp
2009-09-19 12:25 . 2009-09-19 12:22 38 ----a-w- C:\8.tmp
2009-09-19 12:13 . 2009-09-19 12:13 38 ----a-w- C:\5.tmp
2009-09-18 11:34 . 2009-09-18 11:30 38 ----a-w- C:\1C.tmp
2009-09-18 11:24 . 2009-09-18 11:22 38 ----a-w- C:\1A.tmp
2009-09-18 11:14 . 2009-09-18 11:10 38 ----a-w- C:\18.tmp
2009-09-16 17:34 . 2009-09-16 17:33 38 ----a-w- C:\15.tmp
2009-09-12 00:54 . 2009-06-11 01:56 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-07 10:53 . 2009-06-04 03:00 -------- d-----w- c:\program files\Opera
2009-09-07 08:38 . 2009-06-25 14:08 -------- d-----w- c:\documents and settings\Chris\Application Data\BitTorrent
2009-09-07 01:38 . 2009-06-07 03:44 -------- d-----w- c:\program files\Magic Workstation
2009-09-05 21:01 . 2009-09-05 21:01 38 ----a-w- C:\A.tmp
2009-09-05 17:26 . 2009-09-05 17:24 38 ----a-w- C:\7.tmp
2009-09-04 08:50 . 2005-09-25 03:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-03 10:44 . 2009-09-03 10:44 38 ----a-w- C:\11.tmp
2009-09-03 05:50 . 2009-09-03 05:50 38 ----a-w- C:\4.tmp
2009-09-01 23:56 . 2009-09-01 23:56 38 ----a-w- C:\EB1.tmp
2009-08-31 12:27 . 2009-08-15 13:03 -------- d-----w- c:\documents and settings\Chele\Application Data\BitTorrent
2009-08-31 11:36 . 2009-07-10 08:17 -------- d-----w- c:\documents and settings\Chele\Application Data\Audacity
2009-08-31 04:33 . 2005-09-25 03:25 -------- d-----w- c:\program files\Google
2009-08-29 00:31 . 2009-08-29 00:31 -------- d-----w- c:\documents and settings\Chele\Application Data\Apple Computer
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\program files\TeamViewer
2009-08-28 20:21 . 2009-08-28 20:18 -------- d-----w- c:\documents and settings\Chris\Application Data\TeamViewer
2009-08-28 19:03 . 2009-08-23 19:04 -------- d-----w- c:\program files\URL-Run
2009-08-27 20:14 . 2009-08-01 19:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\documents and settings\Chris\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\program files\Seesmic Desktop
2009-08-27 11:11 . 2009-08-27 10:55 -------- d-----w- c:\documents and settings\Chele\Application Data\AveDesk
2009-08-27 10:54 . 2009-08-22 12:34 -------- d-----w- c:\program files\RocketDock
2009-08-27 10:54 . 2009-06-03 23:53 48616 ----a-w- c:\documents and settings\Chele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:27 . 2009-08-13 23:09 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2009-08-26 08:06 . 2009-08-13 19:19 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVU
2009-08-26 07:39 . 2009-08-26 07:39 48616 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-26 07:39 . 2009-06-04 00:53 8224 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 12:02 . 2009-08-24 11:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Sony
2009-08-24 12:00 . 2009-08-24 12:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Publish Providers
2009-08-23 19:41 . 2009-08-22 17:10 -------- d-----w- c:\program files\DesktopCoral
2009-08-22 17:15 . 2009-08-22 14:57 -------- d-----w- c:\program files\QuickTime
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\windows\system32\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\Chris\Application Data\DonationCoder
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-22 16:09 . 2009-08-22 16:09 -------- d-----w- c:\program files\Stardock
2009-08-22 16:00 . 2009-08-22 16:00 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas
2009-08-22 15:55 . 2009-08-22 15:54 -------- d-----w- c:\program files\NewBlue
2009-08-22 15:54 . 2009-08-22 15:54 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-22 15:52 . 2009-08-22 15:52 -------- d-----w- c:\program files\Pixelan
2009-08-22 15:51 . 2009-08-22 15:51 -------- d-----w- c:\program files\Sonic Foundry
2009-08-22 15:49 . 2009-08-22 15:49 -------- d-----w- c:\program files\Vstplugins
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\program files\Sony
2009-08-22 15:45 . 2009-08-22 15:45 -------- d-----w- c:\program files\Sony Setup
2009-08-22 15:36 . 2005-09-28 04:40 -------- d-----w- c:\program files\iTunes
2009-08-22 15:35 . 2005-09-26 05:47 -------- d-----w- c:\program files\iPod
2009-08-22 15:35 . 2007-11-08 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 15:33 . 2009-08-22 15:33 -------- d-----w- c:\program files\Bonjour
2009-08-22 15:30 . 2009-08-22 14:32 -------- d-----w- c:\documents and settings\Chris\Application Data\AveDesk
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Apple Software Update
2009-08-21 23:25 . 2009-06-06 04:47 -------- d-----w- c:\documents and settings\Chele\Application Data\AdobeUM
2009-08-19 09:24 . 2009-08-19 09:10 -------- d-----w- c:\program files\VOCALOID2
2009-08-19 09:11 . 2009-08-19 09:11 -------- d-----w- c:\program files\Steinberg
2009-08-19 09:03 . 2009-08-19 09:03 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield
2009-08-19 09:02 . 2009-08-19 07:41 -------- d-----w- c:\documents and settings\Chris\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-19 07:41 . 2009-08-19 07:41 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-18 17:45 . 2009-06-16 11:16 -------- d-----w- c:\documents and settings\Chris\Application Data\Audacity
2009-08-18 03:59 . 2009-08-13 23:24 -------- d-----w- c:\program files\Desktop iPhone
2009-08-16 03:22 . 2009-08-16 03:15 -------- d-----w- c:\program files\My.Freeze.com Toolbar
2009-08-16 03:18 . 2009-08-16 03:15 -------- d-----w- c:\program files\Winferno
2009-08-15 13:26 . 2005-09-26 05:37 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-15 13:25 . 2008-10-14 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-15 13:25 . 2009-06-06 21:36 -------- d-----w- c:\program files\Full Tilt Poker.Net
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chele^Start Menu^Programs^Startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8OBh$v/fNC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8OBh$v/fNC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8OBh$v/fNc:\program files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\8OBhCeeq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"NgVpnMgr"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"dnlsvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"c:\\Program Files\\Logitech\\VideoCall\\VideoCall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/16/2009 7:29 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/16/2009 7:29 AM 108552]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\NgVpn.sys [2/5/2007 1:53 PM 70144]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2/5/2007 1:53 PM 15360]
S3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2/5/2007 1:52 PM 17920]
S4 pfcpr12;pfcpr12;\??\c:\windows\system32\drivers\senudfs.sys --> c:\windows\system32\drivers\senudfs.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chele\Application Data\Mozilla\Firefox\Profiles\4j4xctbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {6FF210BF-BB6C-471B-985C-CBEFF535B0BD} - c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
FF - HiddenExtension: XUL Cache: {ECAE5EFC-8CB8-49DD-B264-F2D7986621CA} - c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
FF - HiddenExtension: XUL Cache: {BB1FBF8E-0AFE-40DB-8CFB-25DA47798316} - c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
FF - HiddenExtension: XUL Cache: {302EE7AF-A8FC-433B-B923-0B1553B35668} - c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
FF - HiddenExtension: XUL Cache: {BE7346B4-1163-494A-A5D4-0A856F947C4D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BE7346B4-1163-494A-A5D4-0A856F947C4D}\
.
- - - - ORPHANS REMOVED - - - -

BHO-{A249BC15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\o15fo91c.dll
HKU-Default-Run-DriverLoad - (no file)
HKU-Default-Run-DriverCheck - (no file)
HKU-Default-Run-SystemDriverLoad - (no file)
HKU-Default-Run-SystemDriver - (no file)
HKU-Default-Run-FDriver - (no file)
HKU-Default-Run-ADriver - (no file)
SharedTaskScheduler-IPC Configuration Utility - (no file)
SharedTaskScheduler-{A249BC15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\o15fo91c.dll
MSConfigStartUp-istsvc - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(528)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2009-09-28 18:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-28 22:53

Pre-Run: 31,739,654,144 bytes free
Post-Run: 34,597,306,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

432 --- E O F --- 2009-09-16 12:46



Here is the HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:36 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRman000
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5259 bytes


Thanks for the help. Is this all I need to do?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:51 PM

Posted 28 September 2009 - 06:14 PM

Hello,

Thanks for the help. Is this all I need to do?

You're welcome, and good heavens no.....how long have you been having problems??? Some of this garbage is very old. :( We still have a LOT to do to fix you up.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 chele9

chele9
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Location:Atlanta
  • Local time:08:51 PM

Posted 28 September 2009 - 08:51 PM

Wow, this is all so involved. I had no idea how messed up things really were. :(

I have the logs you asked for. And this is an old computer of my roomies so I really have no idea how long it's been messed up like this or how it got this way. I'm just using it for now, so I thought I'd try to get it working for myself. I had no idea it was going to be such a long process but I'm so very happy that you are helping me. I really appreciate it!!

Ok. Here goes.

Malwarebytes' Anti-Malware 1.41
Database version: 2869
Windows 5.1.2600 Service Pack 3

9/28/2009 9:36:50 PM
mbam-log-2009-09-28 (21-36-50).txt

Scan type: Quick Scan
Objects scanned: 111393
Time elapsed: 1 hour(s), 1 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0ac49246-419b-4ee0-8917-8818daad6a4e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcgo0j0et2v (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Lsa\UpdateWin (Backdoor.Sdbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\16775154 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\google.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\z_Drivers (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\38.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\dli32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16775154\16775154 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\16775154\pc16775154ins (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\31.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


And then here's my new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:41 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5310 bytes


Thanks!

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:51 PM

Posted 28 September 2009 - 08:58 PM

Hi there,

Give me just a few minutes to put the next part together for you. :( I'll be right back.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:51 PM

Posted 28 September 2009 - 09:10 PM

Hello,

Here we go :

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\documents and settings\All Users\Application Data\16775154
c:\program files\AskBarDis
c:\program files\My.Freeze.com Toolbar
c:\program files\Winferno
c:\program files\Full Tilt Poker.Net
c:\program files\ISTsvc

File::
c:\windows\Ugovani.dat
C:\4F.tmp
C:\4D.tmp
C:\4C.tmp
C:\49.tmp
C:\46.tmp
C:\43.tmp
C:\3E.tmp
C:\41.tmp
C:\3F.tmp
C:\3C.tmp
C:\3A.tmp
C:\39.tmp
C:\37.tmp
C:\38.tmp
C:\36.tmp
C:\34.tmp
C:\33.tmp
C:\31.tmp
C:\28.tmp
C:\21.tmp
C:\F.tmp
C:\C.tmp
C:\B.tmp
C:\8.tmp
C:\5.tmp
C:\1C.tmp
C:\1A.tmp
C:\18.tmp
C:\15.tmp
C:\A.tmp
C:\7.tmp
C:\11.tmp
C:\4.tmp
C:\EB1.tmp

Registry::
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging the CFScript file onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running please? :(

Thanks,
tea

#8 chele9

chele9
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Location:Atlanta
  • Local time:08:51 PM

Posted 28 September 2009 - 10:14 PM

Hey there again, Tea. Well, it's running. Not sure it's faster because I mainly use it to watch tv shows, and those are still sort of lagging and stuttering about while they play, but the good news is that there have been no new IE randomness interrupting the shows like it usually does.

So here is the new Combofix log.


ComboFix 09-09-28.01 - Chele 09/28/2009 22:40.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.73 [GMT -4:00]
Running from: c:\documents and settings\Chele\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Chele\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\11.tmp"
"C:\15.tmp"
"C:\18.tmp"
"C:\1A.tmp"
"C:\1C.tmp"
"C:\21.tmp"
"C:\28.tmp"
"C:\31.tmp"
"C:\33.tmp"
"C:\34.tmp"
"C:\36.tmp"
"C:\37.tmp"
"C:\38.tmp"
"C:\39.tmp"
"C:\3A.tmp"
"C:\3C.tmp"
"C:\3E.tmp"
"C:\3F.tmp"
"C:\4.tmp"
"C:\41.tmp"
"C:\43.tmp"
"C:\46.tmp"
"C:\49.tmp"
"C:\4C.tmp"
"C:\4D.tmp"
"C:\4F.tmp"
"C:\5.tmp"
"C:\7.tmp"
"C:\8.tmp"
"C:\A.tmp"
"C:\B.tmp"
"C:\C.tmp"
"C:\EB1.tmp"
"C:\F.tmp"
"c:\windows\Ugovani.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\11.tmp
C:\15.tmp
C:\18.tmp
C:\1A.tmp
C:\1C.tmp
C:\21.tmp
C:\28.tmp
C:\33.tmp
C:\34.tmp
C:\36.tmp
C:\37.tmp
C:\39.tmp
C:\3A.tmp
C:\3C.tmp
C:\3E.tmp
C:\3F.tmp
C:\4.tmp
C:\41.tmp
C:\43.tmp
C:\46.tmp
C:\49.tmp
C:\4C.tmp
C:\4D.tmp
C:\4F.tmp
C:\5.tmp
C:\7.tmp
C:\8.tmp
C:\A.tmp
C:\B.tmp
C:\C.tmp
C:\EB1.tmp
C:\F.tmp
c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\AskLogo.ico
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\Full Tilt Poker.Net
c:\program files\Full Tilt Poker.Net\application.prefs
c:\program files\Full Tilt Poker.Net\Cache\42D4EB830001.dc
c:\program files\Full Tilt Poker.Net\DarkwaveDasIch.xml
c:\program files\My.Freeze.com Toolbar
c:\program files\My.Freeze.com Toolbar\INSTALL.LOG
c:\program files\My.Freeze.com Toolbar\remove.exe
c:\program files\Winferno
c:\program files\Winferno\RegistryPowerCleaner\CHives.dll
c:\program files\Winferno\RegistryPowerCleaner\regpowerclean.chm
c:\program files\Winferno\RegistryPowerCleaner\RPCL.DLL
c:\program files\Winferno\RegistryPowerCleaner\RPCReminder.exe
c:\program files\Winferno\RegistryPowerCleaner\SysRst.exe
c:\program files\Winferno\RegistryPowerCleaner\unins000.dat
c:\program files\Winferno\RegistryPowerCleaner\unins000.exe
c:\program files\Winferno\RegistryPowerCleaner\WinCMR.dll
c:\windows\Ugovani.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\Chele\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 16:12 . 2009-09-28 16:12 -------- d-----w- c:\program files\Trend Micro
2009-09-16 12:41 . 2009-09-16 12:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-09-16 11:37 . 2009-09-28 07:24 -------- d-----w- C:\$AVG8.VAULT$
2009-09-16 11:30 . 2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-16 11:29 . 2009-09-16 11:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 11:29 . 2009-09-16 11:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 11:29 . 2009-09-16 11:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-16 11:28 . 2009-09-25 21:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-16 11:27 . 2009-09-28 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 11:21 . 2009-09-16 11:21 -------- d-----w- c:\documents and settings\Chele\Application Data\AVG8
2009-09-04 08:55 . 2009-09-04 08:55 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\BVRP Software
2009-09-04 08:52 . 2008-04-13 15:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-04 08:52 . 2008-04-13 15:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-09-04 08:50 . 2009-09-04 08:53 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-04 08:50 . 2009-09-04 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-09-04 07:48 . 2009-09-04 07:48 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
2009-09-03 11:02 . 2009-09-03 11:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
2009-09-03 05:53 . 2009-09-03 05:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
2009-09-02 03:26 . 2009-09-02 03:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Deployment
2009-08-31 12:20 . 2009-09-28 21:59 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-08-31 12:07 . 2009-08-31 12:07 -------- d-----w- c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
2009-08-30 22:32 . 2009-08-30 22:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-30 22:14 . 2009-08-30 22:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-30 22:12 . 2009-08-30 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-30 22:12 . 2009-08-30 22:14 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:59 . 2003-07-16 20:37 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-25 00:10 . 2009-06-11 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-24 23:30 . 2009-06-11 01:55 -------- d-----w- c:\program files\DNA
2009-09-12 00:54 . 2009-06-11 01:56 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-07 10:53 . 2009-06-04 03:00 -------- d-----w- c:\program files\Opera
2009-09-07 08:38 . 2009-06-25 14:08 -------- d-----w- c:\documents and settings\Chris\Application Data\BitTorrent
2009-09-07 01:38 . 2009-06-07 03:44 -------- d-----w- c:\program files\Magic Workstation
2009-09-04 08:50 . 2005-09-25 03:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 12:27 . 2009-08-15 13:03 -------- d-----w- c:\documents and settings\Chele\Application Data\BitTorrent
2009-08-31 11:36 . 2009-07-10 08:17 -------- d-----w- c:\documents and settings\Chele\Application Data\Audacity
2009-08-31 04:33 . 2005-09-25 03:25 -------- d-----w- c:\program files\Google
2009-08-29 00:31 . 2009-08-29 00:31 -------- d-----w- c:\documents and settings\Chele\Application Data\Apple Computer
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\program files\TeamViewer
2009-08-28 20:21 . 2009-08-28 20:18 -------- d-----w- c:\documents and settings\Chris\Application Data\TeamViewer
2009-08-28 19:03 . 2009-08-23 19:04 -------- d-----w- c:\program files\URL-Run
2009-08-27 20:14 . 2009-08-01 19:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\documents and settings\Chris\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\program files\Seesmic Desktop
2009-08-27 11:11 . 2009-08-27 10:55 -------- d-----w- c:\documents and settings\Chele\Application Data\AveDesk
2009-08-27 10:54 . 2009-08-22 12:34 -------- d-----w- c:\program files\RocketDock
2009-08-27 10:54 . 2009-06-03 23:53 48616 ----a-w- c:\documents and settings\Chele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:27 . 2009-08-13 23:09 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2009-08-26 08:06 . 2009-08-13 19:19 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVU
2009-08-26 07:39 . 2009-08-26 07:39 48616 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-26 07:39 . 2009-06-04 00:53 8224 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 12:02 . 2009-08-24 11:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Sony
2009-08-24 12:00 . 2009-08-24 12:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Publish Providers
2009-08-23 19:41 . 2009-08-22 17:10 -------- d-----w- c:\program files\DesktopCoral
2009-08-22 17:15 . 2009-08-22 14:57 -------- d-----w- c:\program files\QuickTime
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\windows\system32\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\Chris\Application Data\DonationCoder
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-22 16:09 . 2009-08-22 16:09 -------- d-----w- c:\program files\Stardock
2009-08-22 16:00 . 2009-08-22 16:00 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas
2009-08-22 15:55 . 2009-08-22 15:54 -------- d-----w- c:\program files\NewBlue
2009-08-22 15:54 . 2009-08-22 15:54 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-22 15:52 . 2009-08-22 15:52 -------- d-----w- c:\program files\Pixelan
2009-08-22 15:51 . 2009-08-22 15:51 -------- d-----w- c:\program files\Sonic Foundry
2009-08-22 15:49 . 2009-08-22 15:49 -------- d-----w- c:\program files\Vstplugins
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\program files\Sony
2009-08-22 15:45 . 2009-08-22 15:45 -------- d-----w- c:\program files\Sony Setup
2009-08-22 15:36 . 2005-09-28 04:40 -------- d-----w- c:\program files\iTunes
2009-08-22 15:35 . 2005-09-26 05:47 -------- d-----w- c:\program files\iPod
2009-08-22 15:35 . 2007-11-08 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 15:33 . 2009-08-22 15:33 -------- d-----w- c:\program files\Bonjour
2009-08-22 15:30 . 2009-08-22 14:32 -------- d-----w- c:\documents and settings\Chris\Application Data\AveDesk
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Apple Software Update
2009-08-21 23:25 . 2009-06-06 04:47 -------- d-----w- c:\documents and settings\Chele\Application Data\AdobeUM
2009-08-19 09:24 . 2009-08-19 09:10 -------- d-----w- c:\program files\VOCALOID2
2009-08-19 09:11 . 2009-08-19 09:11 -------- d-----w- c:\program files\Steinberg
2009-08-19 09:03 . 2009-08-19 09:03 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield
2009-08-19 09:02 . 2009-08-19 07:41 -------- d-----w- c:\documents and settings\Chris\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-19 07:41 . 2009-08-19 07:41 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-18 17:45 . 2009-06-16 11:16 -------- d-----w- c:\documents and settings\Chris\Application Data\Audacity
2009-08-18 03:59 . 2009-08-13 23:24 -------- d-----w- c:\program files\Desktop iPhone
2009-08-15 13:26 . 2005-09-26 05:37 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-15 13:25 . 2008-10-14 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-15 13:24 . 2005-09-29 05:42 -------- d-----w- c:\program files\Yahoo!
2009-08-15 13:20 . 2008-10-14 18:45 -------- d-----w- c:\program files\RogueRemover FREE
2009-08-15 13:18 . 2007-07-29 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-15 12:27 . 2005-09-26 05:38 -------- d-----w- c:\program files\ArcSoft
2009-08-15 12:26 . 2005-09-26 05:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-13 23:32 . 2009-06-04 02:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-13 23:25 . 2009-08-13 23:25 -------- d-----w- c:\documents and settings\Chris\Application Data\iPhone.F4B6EDD4861104DF103CA831FC6755522BBBD9C1.1
2009-08-13 19:18 . 2009-08-13 19:18 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVUClient
2009-08-12 19:33 . 2009-08-12 19:10 -------- d-----w- c:\documents and settings\Chris\Application Data\FrostWire
2009-08-09 11:24 . 2009-06-05 00:15 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-09 11:24 . 2008-03-11 01:34 -------- d-----w- c:\program files\FrostWire
2009-08-09 09:36 . 2009-06-21 10:39 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\program files\coOpera
2009-08-05 20:37 . 2009-08-01 20:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-09-25 03:07 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 19:42 . 2009-07-10 19:42 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-07-07 01:04 . 2009-07-07 01:04 128 -c--a-w- c:\documents and settings\Chele\Local Settings\Application Data\fusioncache.dat
2009-07-03 19:45 . 2009-07-03 19:45 128 -c--a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chele^Start Menu^Programs^Startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9œ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9œ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9œ3rWc:\program files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9œ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9œ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9œ3rWc:\program files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9œ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9œ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"NgVpnMgr"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"dnlsvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"c:\\Program Files\\Logitech\\VideoCall\\VideoCall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

R3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys [2007-02-05 15360]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys [2007-02-05 17920]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-16 297752]
R4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2007-02-05 194115]
R4 pfcpr12;pfcpr12;c:\windows\system32\drivers\senudfs.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-16 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-16 108552]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys [2007-02-05 70144]

.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chele\Application Data\Mozilla\Firefox\Profiles\4j4xctbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {6FF210BF-BB6C-471B-985C-CBEFF535B0BD} - c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
FF - HiddenExtension: XUL Cache: {ECAE5EFC-8CB8-49DD-B264-F2D7986621CA} - c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
FF - HiddenExtension: XUL Cache: {BB1FBF8E-0AFE-40DB-8CFB-25DA47798316} - c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
FF - HiddenExtension: XUL Cache: {302EE7AF-A8FC-433B-B923-0B1553B35668} - c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
FF - HiddenExtension: XUL Cache: {BE7346B4-1163-494A-A5D4-0A856F947C4D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BE7346B4-1163-494A-A5D4-0A856F947C4D}\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
SafeBoot-Wdf01000.sys
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-28 22:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-09-29 23:04
ComboFix-quarantined-files.txt 2009-09-29 03:04
ComboFix2.txt 2009-09-28 22:53

Pre-Run: 34,367,033,344 bytes free
Post-Run: 34,534,211,584 bytes free

364 --- E O F --- 2009-09-16 12:46


Ok here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:01 PM, on 9/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5044 bytes


Okay, so, what next? Not sure how late you are up, but I'm here for a while longer probably.

Thanks so much for your help. You rock!

PS. Neither time I ran the combofix was I able to completely shut down the virus scanner, so hopefully it worked out okay anyway, but I thought I should just let you know in case. I did disable it, but it kept telling me it was still there.

Edited by chele9, 28 September 2009 - 10:16 PM.


#9 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 September 2009 - 01:19 PM

Hi there,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
c:\windows\pss\ikowin32.exe

Folder::
c:\program files\ISTsvc


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

We'll get it all. Really, this stuff on this computer has been here a long time. :(

I would also like for you to do a Windows search for the following. You'll have to copy and paste because I doubt your keyboard can make the symbols: # Gh'9œ3rWC: Tell me what it finds, please. :(

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#10 chele9
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Location:Atlanta

Posted 29 September 2009 - 03:06 PM

Hey there. Here is my last combofix log.

ComboFix 09-09-28.01 - Chele 09/29/2009 15:27.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.127 [GMT -4:00]
Running from: c:\documents and settings\Chele\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Chele\Desktop\CFScript.txt

FILE ::
"c:\windows\pss\ikowin32.exe"
.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\Chele\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 16:12 . 2009-09-28 16:12 -------- d-----w- c:\program files\Trend Micro
2009-09-16 12:41 . 2009-09-16 12:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-09-16 11:37 . 2009-09-28 07:24 -------- d-----w- C:\$AVG8.VAULT$
2009-09-16 11:30 . 2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-16 11:29 . 2009-09-16 11:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 11:29 . 2009-09-16 11:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 11:29 . 2009-09-16 11:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-16 11:28 . 2009-09-25 21:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-16 11:27 . 2009-09-28 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 11:21 . 2009-09-16 11:21 -------- d-----w- c:\documents and settings\Chele\Application Data\AVG8
2009-09-04 08:55 . 2009-09-04 08:55 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\BVRP Software
2009-09-04 08:52 . 2008-04-13 15:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-04 08:52 . 2008-04-13 15:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-09-04 08:50 . 2009-09-04 08:53 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-04 08:50 . 2009-09-04 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-09-04 07:48 . 2009-09-04 07:48 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
2009-09-03 11:02 . 2009-09-03 11:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
2009-09-03 05:53 . 2009-09-03 05:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
2009-09-02 03:26 . 2009-09-02 03:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Deployment
2009-08-31 12:20 . 2009-09-28 21:59 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-08-31 12:07 . 2009-08-31 12:07 -------- d-----w- c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
2009-08-30 22:32 . 2009-08-30 22:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-30 22:14 . 2009-08-30 22:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-30 22:12 . 2009-08-30 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-30 22:12 . 2009-08-30 22:14 -------- d-----w- c:\program files\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:59 . 2003-07-16 20:37 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-25 00:10 . 2009-06-11 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-24 23:30 . 2009-06-11 01:55 -------- d-----w- c:\program files\DNA
2009-09-12 00:54 . 2009-06-11 01:56 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-07 10:53 . 2009-06-04 03:00 -------- d-----w- c:\program files\Opera
2009-09-07 08:38 . 2009-06-25 14:08 -------- d-----w- c:\documents and settings\Chris\Application Data\BitTorrent
2009-09-07 01:38 . 2009-06-07 03:44 -------- d-----w- c:\program files\Magic Workstation
2009-09-04 08:50 . 2005-09-25 03:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 12:27 . 2009-08-15 13:03 -------- d-----w- c:\documents and settings\Chele\Application Data\BitTorrent
2009-08-31 11:36 . 2009-07-10 08:17 -------- d-----w- c:\documents and settings\Chele\Application Data\Audacity
2009-08-31 04:33 . 2005-09-25 03:25 -------- d-----w- c:\program files\Google
2009-08-29 00:31 . 2009-08-29 00:31 -------- d-----w- c:\documents and settings\Chele\Application Data\Apple Computer
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\program files\TeamViewer
2009-08-28 20:21 . 2009-08-28 20:18 -------- d-----w- c:\documents and settings\Chris\Application Data\TeamViewer
2009-08-28 19:03 . 2009-08-23 19:04 -------- d-----w- c:\program files\URL-Run
2009-08-27 20:14 . 2009-08-01 19:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\documents and settings\Chris\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\program files\Seesmic Desktop
2009-08-27 11:11 . 2009-08-27 10:55 -------- d-----w- c:\documents and settings\Chele\Application Data\AveDesk
2009-08-27 10:54 . 2009-08-22 12:34 -------- d-----w- c:\program files\RocketDock
2009-08-27 10:54 . 2009-06-03 23:53 48616 ----a-w- c:\documents and settings\Chele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:27 . 2009-08-13 23:09 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2009-08-26 08:06 . 2009-08-13 19:19 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVU
2009-08-26 07:39 . 2009-08-26 07:39 48616 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-26 07:39 . 2009-06-04 00:53 8224 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 12:02 . 2009-08-24 11:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Sony
2009-08-24 12:00 . 2009-08-24 12:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Publish Providers
2009-08-23 19:41 . 2009-08-22 17:10 -------- d-----w- c:\program files\DesktopCoral
2009-08-22 17:15 . 2009-08-22 14:57 -------- d-----w- c:\program files\QuickTime
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\windows\system32\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\Chris\Application Data\DonationCoder
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-22 16:09 . 2009-08-22 16:09 -------- d-----w- c:\program files\Stardock
2009-08-22 16:00 . 2009-08-22 16:00 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas
2009-08-22 15:55 . 2009-08-22 15:54 -------- d-----w- c:\program files\NewBlue
2009-08-22 15:54 . 2009-08-22 15:54 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-22 15:52 . 2009-08-22 15:52 -------- d-----w- c:\program files\Pixelan
2009-08-22 15:51 . 2009-08-22 15:51 -------- d-----w- c:\program files\Sonic Foundry
2009-08-22 15:49 . 2009-08-22 15:49 -------- d-----w- c:\program files\Vstplugins
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\program files\Sony
2009-08-22 15:45 . 2009-08-22 15:45 -------- d-----w- c:\program files\Sony Setup
2009-08-22 15:36 . 2005-09-28 04:40 -------- d-----w- c:\program files\iTunes
2009-08-22 15:35 . 2005-09-26 05:47 -------- d-----w- c:\program files\iPod
2009-08-22 15:35 . 2007-11-08 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 15:33 . 2009-08-22 15:33 -------- d-----w- c:\program files\Bonjour
2009-08-22 15:30 . 2009-08-22 14:32 -------- d-----w- c:\documents and settings\Chris\Application Data\AveDesk
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Apple Software Update
2009-08-21 23:25 . 2009-06-06 04:47 -------- d-----w- c:\documents and settings\Chele\Application Data\AdobeUM
2009-08-19 09:24 . 2009-08-19 09:10 -------- d-----w- c:\program files\VOCALOID2
2009-08-19 09:11 . 2009-08-19 09:11 -------- d-----w- c:\program files\Steinberg
2009-08-19 09:03 . 2009-08-19 09:03 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield
2009-08-19 09:02 . 2009-08-19 07:41 -------- d-----w- c:\documents and settings\Chris\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-19 07:41 . 2009-08-19 07:41 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-18 17:45 . 2009-06-16 11:16 -------- d-----w- c:\documents and settings\Chris\Application Data\Audacity
2009-08-18 03:59 . 2009-08-13 23:24 -------- d-----w- c:\program files\Desktop iPhone
2009-08-15 13:26 . 2005-09-26 05:37 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-15 13:25 . 2008-10-14 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-15 13:24 . 2005-09-29 05:42 -------- d-----w- c:\program files\Yahoo!
2009-08-15 13:20 . 2008-10-14 18:45 -------- d-----w- c:\program files\RogueRemover FREE
2009-08-15 13:18 . 2007-07-29 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-15 12:27 . 2005-09-26 05:38 -------- d-----w- c:\program files\ArcSoft
2009-08-15 12:26 . 2005-09-26 05:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-13 23:32 . 2009-06-04 02:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-13 23:25 . 2009-08-13 23:25 -------- d-----w- c:\documents and settings\Chris\Application Data\iPhone.F4B6EDD4861104DF103CA831FC6755522BBBD9C1.1
2009-08-13 19:18 . 2009-08-13 19:18 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVUClient
2009-08-12 19:33 . 2009-08-12 19:10 -------- d-----w- c:\documents and settings\Chris\Application Data\FrostWire
2009-08-09 11:24 . 2009-06-05 00:15 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-09 11:24 . 2008-03-11 01:34 -------- d-----w- c:\program files\FrostWire
2009-08-09 09:36 . 2009-06-21 10:39 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\program files\coOpera
2009-08-05 20:37 . 2009-08-01 20:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-09-25 03:07 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 19:42 . 2009-07-10 19:42 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-07-07 01:04 . 2009-07-07 01:04 128 -c--a-w- c:\documents and settings\Chele\Local Settings\Application Data\fusioncache.dat
2009-07-03 19:45 . 2009-07-03 19:45 128 -c--a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chele^Start Menu^Programs^Startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"NgVpnMgr"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"dnlsvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"c:\\Program Files\\Logitech\\VideoCall\\VideoCall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

R3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys [2007-02-05 15360]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys [2007-02-05 17920]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-16 297752]
R4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2007-02-05 194115]
R4 pfcpr12;pfcpr12;c:\windows\system32\drivers\senudfs.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-16 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-16 108552]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys [2007-02-05 70144]

.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chele\Application Data\Mozilla\Firefox\Profiles\4j4xctbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {6FF210BF-BB6C-471B-985C-CBEFF535B0BD} - c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
FF - HiddenExtension: XUL Cache: {ECAE5EFC-8CB8-49DD-B264-F2D7986621CA} - c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
FF - HiddenExtension: XUL Cache: {BB1FBF8E-0AFE-40DB-8CFB-25DA47798316} - c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
FF - HiddenExtension: XUL Cache: {302EE7AF-A8FC-433B-B923-0B1553B35668} - c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
FF - HiddenExtension: XUL Cache: {BE7346B4-1163-494A-A5D4-0A856F947C4D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BE7346B4-1163-494A-A5D4-0A856F947C4D}\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 15:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(960)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-29 15:51
ComboFix-quarantined-files.txt 2009-09-29 19:51
ComboFix2.txt 2009-09-29 03:04
ComboFix3.txt 2009-09-28 22:53

Pre-Run: 34,728,194,048 bytes free
Post-Run: 34,664,505,344 bytes free

274 --- E O F --- 2009-09-16 12:46

I'm curious if you could give me the name of whatever this is that is infecting my computer.

Also, the search results gave nothing, but I'm not really sure I did it correctly. I searched files and folders in C; is that right?

#11 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 September 2009 - 05:18 PM

Hi,

To answer your question... it's more than just one thing. It's several actually, and they've been there a long time. There are some newer infections also, but I'm willing to bet that some of these have been there for years and not just weeks or months.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:]


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Let me know how it's running after that. That helps as much as the logs and reports do. :(

Thanks,
tea
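As an added example, not code from this thread or from ComboFix itself: a small Python triage of the "Reg Loading Points" format shown in the ComboFix logs above. It flags msconfig startupreg entries whose names carry non-ASCII characters (the "# Gh'9Ӝ3rWC:" family this thread is chasing), records startup-folder items that were backed up into c:\windows\pss, and renders the Registry:: block in the CFScript form used in the reply above. The sample section is constructed from the log's own entries; the finding categories and the collapsing of subkeys onto the parent key are this example's choices.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the "Reg Loading Points" section of the
# ComboFix log above; it is not the log itself. The startupreg names carry
# the same non-ASCII character (U+04DC) as the entries the thread is chasing.
SAMPLE = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

[HKLM\~\startupfolder\C:^Documents and Settings^Chele^Start Menu^Programs^Startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*?)"="(.*?)"(?: \[(\S+) (\d+)\])?$')
STARTUPREG = "\\msconfig\\startupreg\\"


@dataclass
class Finding:
    kind: str    # autorun | startupfolder-backup | startupreg | garbled-startupreg
    key: str     # registry key (or section) the finding belongs to
    detail: str


def odd_chars(name):
    """Characters outside printable ASCII; a startup entry name that carries
    them is either corrupted or deliberately unreadable, so it gets reviewed."""
    return [c for c in name if ord(c) < 32 or ord(c) > 126]


def classify_key(key):
    """Triage one msconfig startupreg key path; any other key yields None."""
    idx = key.lower().find(STARTUPREG)
    if idx == -1:
        return None
    name = key[idx + len(STARTUPREG):]
    bad = odd_chars(name)
    if bad:
        codes = ", ".join("U+%04X" % ord(c) for c in bad)
        return Finding("garbled-startupreg", key, "name contains " + codes)
    return Finding("startupreg", key, "msconfig-disabled entry " + name)


def parse_reg_points(text):
    """Walk the REGEDIT4-style section and collect findings in log order."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line in ("REGEDIT4", "[BU]"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            key_finding = classify_key(section)
        elif line.startswith(("HKEY_", "HKLM\\")):
            # ComboFix prints orphaned msconfig entries as bare key paths
            key_finding = classify_key(line)
        else:
            key_finding = None
            vm = VALUE_RE.match(line)
            if vm and section:
                findings.append(Finding("autorun", section,
                                        vm.group(1) + " -> " + vm.group(2)))
            elif section and "\\startupfolder\\" in section.lower() \
                    and line.lower().startswith("backup="):
                # a startup item that msconfig moved aside into c:\windows\pss
                findings.append(Finding("startupfolder-backup", section, line[7:]))
        if key_finding:
            findings.append(key_finding)
    return findings


def cfscript_for(findings):
    """Render a Registry:: block in the CFScript form from the thread ([-key]
    removes a key) for the garbled startupreg keys, collapsed to the topmost
    key of each family, as the reply above targets the parent key only."""
    roots = []
    garbled = (f.key for f in findings if f.kind == "garbled-startupreg")
    for k in sorted(garbled, key=len):
        kl = k.lower()
        if not any(kl == r.lower() or kl.startswith(r.lower() + "\\") for r in roots):
            roots.append(k)
    if not roots:
        return ""
    return "Registry::\n" + "\n".join("[-%s]" % r for r in roots) + "\n"


def summarize(findings):
    """Count findings per kind, for a quick overview of the section."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    found = parse_reg_points(SAMPLE)
    for f in found:
        print(f.kind.ljust(22), f.detail)
    print(cfscript_for(found))
```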

#12 chele9
  • Topic Starter

  • Members
  • 29 posts
  • Gender:Female
  • Location:Atlanta

Posted 29 September 2009 - 06:39 PM

Hello again. This machine does have issues, I'll admit. I had no idea that things had been on here for years. My roomie said that it's been acting up ever since he got it, which was a couple years ago. He said he tried to fix it but never could. Anyway, as for how it's running now, it's better, but still not normal. For instance, when I click on some pages, even though I have the popup blocker enabled, some still manage to pop on up. But not near as bad as it was. Thanks again for helping me. Here's the log.

ComboFix 09-09-28.01 - Chele 09/29/2009 19:09.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.133 [GMT -4:00]
Running from: c:\documents and settings\Chele\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Chele\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-29 )))))))))))))))))))))))))))))))
.

2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\Chele\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 16:12 . 2009-09-28 16:12 -------- d-----w- c:\program files\Trend Micro
2009-09-16 12:41 . 2009-09-16 12:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-09-16 11:37 . 2009-09-28 07:24 -------- d-----w- C:\$AVG8.VAULT$
2009-09-16 11:30 . 2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-16 11:29 . 2009-09-16 11:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 11:29 . 2009-09-16 11:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 11:29 . 2009-09-16 11:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-16 11:28 . 2009-09-25 21:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-16 11:27 . 2009-09-28 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 11:21 . 2009-09-16 11:21 -------- d-----w- c:\documents and settings\Chele\Application Data\AVG8
2009-09-04 08:55 . 2009-09-04 08:55 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\BVRP Software
2009-09-04 08:52 . 2008-04-13 15:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-04 08:52 . 2008-04-13 15:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-09-04 08:50 . 2009-09-04 08:53 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-04 08:50 . 2009-09-04 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-09-04 07:48 . 2009-09-04 07:48 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
2009-09-03 11:02 . 2009-09-03 11:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
2009-09-03 05:53 . 2009-09-03 05:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
2009-09-02 03:26 . 2009-09-02 03:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Deployment
2009-08-31 12:20 . 2009-09-28 21:59 182656 -c--a-w- c:\windows\system32\dllcache\ndis.sys
2009-08-31 12:07 . 2009-08-31 12:07 -------- d-----w- c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:59 . 2003-07-16 20:37 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-25 00:10 . 2009-06-11 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-24 23:30 . 2009-06-11 01:55 -------- d-----w- c:\program files\DNA
2009-09-12 00:54 . 2009-06-11 01:56 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-07 10:53 . 2009-06-04 03:00 -------- d-----w- c:\program files\Opera
2009-09-07 08:38 . 2009-06-25 14:08 -------- d-----w- c:\documents and settings\Chris\Application Data\BitTorrent
2009-09-07 01:38 . 2009-06-07 03:44 -------- d-----w- c:\program files\Magic Workstation
2009-09-04 08:50 . 2005-09-25 03:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 12:27 . 2009-08-15 13:03 -------- d-----w- c:\documents and settings\Chele\Application Data\BitTorrent
2009-08-31 11:36 . 2009-07-10 08:17 -------- d-----w- c:\documents and settings\Chele\Application Data\Audacity
2009-08-31 04:33 . 2005-09-25 03:25 -------- d-----w- c:\program files\Google
2009-08-30 22:14 . 2009-08-30 22:12 -------- d-----w- c:\program files\DivX
2009-08-30 22:12 . 2009-08-30 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-29 00:31 . 2009-08-29 00:31 -------- d-----w- c:\documents and settings\Chele\Application Data\Apple Computer
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\program files\TeamViewer
2009-08-28 20:21 . 2009-08-28 20:18 -------- d-----w- c:\documents and settings\Chris\Application Data\TeamViewer
2009-08-28 19:03 . 2009-08-23 19:04 -------- d-----w- c:\program files\URL-Run
2009-08-27 20:14 . 2009-08-01 19:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\documents and settings\Chris\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\program files\Seesmic Desktop
2009-08-27 11:11 . 2009-08-27 10:55 -------- d-----w- c:\documents and settings\Chele\Application Data\AveDesk
2009-08-27 10:54 . 2009-08-22 12:34 -------- d-----w- c:\program files\RocketDock
2009-08-27 10:54 . 2009-06-03 23:53 48616 ----a-w- c:\documents and settings\Chele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:27 . 2009-08-13 23:09 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2009-08-26 08:06 . 2009-08-13 19:19 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVU
2009-08-26 07:39 . 2009-08-26 07:39 48616 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-26 07:39 . 2009-06-04 00:53 8224 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 12:02 . 2009-08-24 11:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Sony
2009-08-24 12:00 . 2009-08-24 12:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Publish Providers
2009-08-23 19:41 . 2009-08-22 17:10 -------- d-----w- c:\program files\DesktopCoral
2009-08-22 17:15 . 2009-08-22 14:57 -------- d-----w- c:\program files\QuickTime
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\windows\system32\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\Chris\Application Data\DonationCoder
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-22 16:09 . 2009-08-22 16:09 -------- d-----w- c:\program files\Stardock
2009-08-22 16:00 . 2009-08-22 16:00 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas
2009-08-22 15:55 . 2009-08-22 15:54 -------- d-----w- c:\program files\NewBlue
2009-08-22 15:54 . 2009-08-22 15:54 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-22 15:52 . 2009-08-22 15:52 -------- d-----w- c:\program files\Pixelan
2009-08-22 15:51 . 2009-08-22 15:51 -------- d-----w- c:\program files\Sonic Foundry
2009-08-22 15:49 . 2009-08-22 15:49 -------- d-----w- c:\program files\Vstplugins
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\program files\Sony
2009-08-22 15:45 . 2009-08-22 15:45 -------- d-----w- c:\program files\Sony Setup
2009-08-22 15:36 . 2005-09-28 04:40 -------- d-----w- c:\program files\iTunes
2009-08-22 15:35 . 2005-09-26 05:47 -------- d-----w- c:\program files\iPod
2009-08-22 15:35 . 2007-11-08 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 15:33 . 2009-08-22 15:33 -------- d-----w- c:\program files\Bonjour
2009-08-22 15:30 . 2009-08-22 14:32 -------- d-----w- c:\documents and settings\Chris\Application Data\AveDesk
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Apple Software Update
2009-08-21 23:25 . 2009-06-06 04:47 -------- d-----w- c:\documents and settings\Chele\Application Data\AdobeUM
2009-08-19 09:24 . 2009-08-19 09:10 -------- d-----w- c:\program files\VOCALOID2
2009-08-19 09:11 . 2009-08-19 09:11 -------- d-----w- c:\program files\Steinberg
2009-08-19 09:03 . 2009-08-19 09:03 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield
2009-08-19 09:02 . 2009-08-19 07:41 -------- d-----w- c:\documents and settings\Chris\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-19 07:41 . 2009-08-19 07:41 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-18 17:45 . 2009-06-16 11:16 -------- d-----w- c:\documents and settings\Chris\Application Data\Audacity
2009-08-18 03:59 . 2009-08-13 23:24 -------- d-----w- c:\program files\Desktop iPhone
2009-08-15 13:26 . 2005-09-26 05:37 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-15 13:25 . 2008-10-14 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-15 13:24 . 2005-09-29 05:42 -------- d-----w- c:\program files\Yahoo!
2009-08-15 13:20 . 2008-10-14 18:45 -------- d-----w- c:\program files\RogueRemover FREE
2009-08-15 13:18 . 2007-07-29 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-15 12:27 . 2005-09-26 05:38 -------- d-----w- c:\program files\ArcSoft
2009-08-15 12:26 . 2005-09-26 05:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-13 23:32 . 2009-06-04 02:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-13 23:25 . 2009-08-13 23:25 -------- d-----w- c:\documents and settings\Chris\Application Data\iPhone.F4B6EDD4861104DF103CA831FC6755522BBBD9C1.1
2009-08-13 19:18 . 2009-08-13 19:18 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVUClient
2009-08-12 19:33 . 2009-08-12 19:10 -------- d-----w- c:\documents and settings\Chris\Application Data\FrostWire
2009-08-09 11:24 . 2009-06-05 00:15 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-09 11:24 . 2008-03-11 01:34 -------- d-----w- c:\program files\FrostWire
2009-08-09 09:36 . 2009-06-21 10:39 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\program files\coOpera
2009-08-05 20:37 . 2009-08-01 20:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-09-25 03:07 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 19:42 . 2009-07-10 19:42 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-07-07 01:04 . 2009-07-07 01:04 128 -c--a-w- c:\documents and settings\Chele\Local Settings\Application Data\fusioncache.dat
2009-07-03 19:45 . 2009-07-03 19:45 128 -c--a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chele^Start Menu^Programs^Startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"NgVpnMgr"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"dnlsvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"c:\\Program Files\\Logitech\\VideoCall\\VideoCall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

R3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys [2007-02-05 15360]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys [2007-02-05 17920]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-16 297752]
R4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2007-02-05 194115]
R4 pfcpr12;pfcpr12;c:\windows\system32\drivers\senudfs.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-16 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-16 108552]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys [2007-02-05 70144]

.
Contents of the 'Scheduled Tasks' folder

2009-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chele\Application Data\Mozilla\Firefox\Profiles\4j4xctbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {6FF210BF-BB6C-471B-985C-CBEFF535B0BD} - c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
FF - HiddenExtension: XUL Cache: {ECAE5EFC-8CB8-49DD-B264-F2D7986621CA} - c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
FF - HiddenExtension: XUL Cache: {BB1FBF8E-0AFE-40DB-8CFB-25DA47798316} - c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
FF - HiddenExtension: XUL Cache: {302EE7AF-A8FC-433B-B923-0B1553B35668} - c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
FF - HiddenExtension: XUL Cache: {BE7346B4-1163-494A-A5D4-0A856F947C4D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BE7346B4-1163-494A-A5D4-0A856F947C4D}\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-29 19:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1536)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-29 19:33
ComboFix-quarantined-files.txt 2009-09-29 23:33
ComboFix2.txt 2009-09-29 19:51
ComboFix3.txt 2009-09-29 03:04
ComboFix4.txt 2009-09-28 22:53

Pre-Run: 34,702,876,672 bytes free
Post-Run: 34,671,349,760 bytes free

271 --- E O F --- 2009-09-16 12:46

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:51 PM

Posted 30 September 2009 - 03:09 PM

Hello,

This one is being sticky. :( Please make sure all your protection programs are disabled for this.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[-HKLM\~\startupfolder\C:\Documents and Settings\Chele\Start Menu\Programs\Startup\ikowin32.exe]

File::
c:\windows\pss\ikowin32.exe


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#14 chele9

chele9
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Female
  • Location:Atlanta
  • Local time:08:51 PM

Posted 30 September 2009 - 04:19 PM

Hi Tea. Even though I am certain my virus scanner is disabled, it continues to tell me it is on. I'm not sure why. Here is my new log. Thanks.

ComboFix 09-09-29.04 - Chele 09/30/2009 16:32.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.135 [GMT -4:00]
Running from: c:\documents and settings\Chele\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Chele\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\pss\ikowin32.exe"
.

((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\Chele\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-28 23:57 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-28 23:57 . 2009-09-28 23:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-28 16:12 . 2009-09-28 16:12 -------- d-----w- c:\program files\Trend Micro
2009-09-16 12:41 . 2009-09-16 12:42 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-09-16 11:37 . 2009-09-28 07:24 -------- d-----w- C:\$AVG8.VAULT$
2009-09-16 11:30 . 2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-16 11:29 . 2009-09-16 11:29 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-16 11:29 . 2009-09-16 11:29 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-16 11:29 . 2009-09-16 11:29 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-16 11:28 . 2009-09-25 21:29 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-16 11:27 . 2009-09-28 07:24 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-16 11:21 . 2009-09-16 11:21 -------- d-----w- c:\documents and settings\Chele\Application Data\AVG8
2009-09-04 08:55 . 2009-09-04 08:55 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\BVRP Software
2009-09-04 08:52 . 2008-04-13 15:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-09-04 08:52 . 2008-04-13 15:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-09-04 08:50 . 2009-09-04 08:53 -------- d-----w- c:\program files\Motorola Phone Tools
2009-09-04 08:50 . 2009-09-04 08:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-09-04 07:48 . 2009-09-04 07:48 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
2009-09-03 11:02 . 2009-09-03 11:02 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
2009-09-03 05:53 . 2009-09-03 05:53 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
2009-09-02 03:26 . 2009-09-02 03:45 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Deployment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:59 . 2003-07-16 20:37 182656 ------w- c:\windows\system32\drivers\ndis.sys
2009-09-25 00:10 . 2009-06-11 01:55 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-24 23:30 . 2009-06-11 01:55 -------- d-----w- c:\program files\DNA
2009-09-12 00:54 . 2009-06-11 01:56 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-09-07 10:53 . 2009-06-04 03:00 -------- d-----w- c:\program files\Opera
2009-09-07 08:38 . 2009-06-25 14:08 -------- d-----w- c:\documents and settings\Chris\Application Data\BitTorrent
2009-09-07 01:38 . 2009-06-07 03:44 -------- d-----w- c:\program files\Magic Workstation
2009-09-04 08:50 . 2005-09-25 03:19 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-31 12:27 . 2009-08-15 13:03 -------- d-----w- c:\documents and settings\Chele\Application Data\BitTorrent
2009-08-31 11:36 . 2009-07-10 08:17 -------- d-----w- c:\documents and settings\Chele\Application Data\Audacity
2009-08-31 04:33 . 2005-09-25 03:25 -------- d-----w- c:\program files\Google
2009-08-30 22:14 . 2009-08-30 22:12 -------- d-----w- c:\program files\DivX
2009-08-30 22:12 . 2009-08-30 22:12 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-29 00:31 . 2009-08-29 00:31 -------- d-----w- c:\documents and settings\Chele\Application Data\Apple Computer
2009-08-28 20:22 . 2009-08-28 20:22 -------- d-----w- c:\program files\TeamViewer
2009-08-28 20:21 . 2009-08-28 20:18 -------- d-----w- c:\documents and settings\Chris\Application Data\TeamViewer
2009-08-28 19:03 . 2009-08-23 19:04 -------- d-----w- c:\program files\URL-Run
2009-08-27 20:14 . 2009-08-01 19:48 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\documents and settings\Chris\Application Data\com.seesmic.desktop.client.D89F32799270693BEF34AAA36E9B2632B59240FA.1
2009-08-27 12:18 . 2009-08-27 12:18 -------- d-----w- c:\program files\Seesmic Desktop
2009-08-27 11:11 . 2009-08-27 10:55 -------- d-----w- c:\documents and settings\Chele\Application Data\AveDesk
2009-08-27 10:54 . 2009-08-22 12:34 -------- d-----w- c:\program files\RocketDock
2009-08-27 10:54 . 2009-06-03 23:53 48616 ----a-w- c:\documents and settings\Chele\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 08:27 . 2009-08-13 23:09 -------- d-----w- c:\documents and settings\Chris\Application Data\Apple Computer
2009-08-26 08:06 . 2009-08-13 19:19 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVU
2009-08-26 07:39 . 2009-08-26 07:39 48616 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-26 07:39 . 2009-06-04 00:53 8224 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\MSBuild
2009-08-26 07:17 . 2009-08-26 07:17 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 12:02 . 2009-08-24 11:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Sony
2009-08-24 12:00 . 2009-08-24 12:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Publish Providers
2009-08-23 19:41 . 2009-08-22 17:10 -------- d-----w- c:\program files\DesktopCoral
2009-08-22 17:15 . 2009-08-22 14:57 -------- d-----w- c:\program files\QuickTime
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\windows\system32\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 46 ----a-w- c:\documents and settings\Chris\Local Settings\Application Data\DonationCoder_desktopcoral_InstallInfo.dat
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\Chris\Application Data\DonationCoder
2009-08-22 17:10 . 2009-08-22 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\DonationCoder
2009-08-22 16:09 . 2009-08-22 16:09 -------- d-----w- c:\program files\Stardock
2009-08-22 16:00 . 2009-08-22 16:00 -------- d-----w- c:\program files\Magic Bullet Editors 2.0 Vegas
2009-08-22 15:55 . 2009-08-22 15:54 -------- d-----w- c:\program files\NewBlue
2009-08-22 15:54 . 2009-08-22 15:54 -------- d-----w- c:\program files\Common Files\eSellerate
2009-08-22 15:52 . 2009-08-22 15:52 -------- d-----w- c:\program files\Pixelan
2009-08-22 15:51 . 2009-08-22 15:51 -------- d-----w- c:\program files\Sonic Foundry
2009-08-22 15:49 . 2009-08-22 15:49 -------- d-----w- c:\program files\Vstplugins
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2009-08-22 15:48 . 2009-08-22 15:48 -------- d-----w- c:\program files\Sony
2009-08-22 15:45 . 2009-08-22 15:45 -------- d-----w- c:\program files\Sony Setup
2009-08-22 15:36 . 2005-09-28 04:40 -------- d-----w- c:\program files\iTunes
2009-08-22 15:35 . 2005-09-26 05:47 -------- d-----w- c:\program files\iPod
2009-08-22 15:35 . 2007-11-08 02:54 -------- d-----w- c:\program files\Common Files\Apple
2009-08-22 15:33 . 2009-08-22 15:33 -------- d-----w- c:\program files\Bonjour
2009-08-22 15:30 . 2009-08-22 14:32 -------- d-----w- c:\documents and settings\Chris\Application Data\AveDesk
2009-08-22 15:25 . 2009-08-22 15:25 -------- d-----w- c:\program files\Apple Software Update
2009-08-21 23:25 . 2009-06-06 04:47 -------- d-----w- c:\documents and settings\Chele\Application Data\AdobeUM
2009-08-19 09:24 . 2009-08-19 09:10 -------- d-----w- c:\program files\VOCALOID2
2009-08-19 09:11 . 2009-08-19 09:11 -------- d-----w- c:\program files\Steinberg
2009-08-19 09:03 . 2009-08-19 09:03 -------- d-----w- c:\documents and settings\Chris\Application Data\InstallShield
2009-08-19 09:02 . 2009-08-19 07:41 -------- d-----w- c:\documents and settings\Chris\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-08-19 08:59 . 2009-08-19 08:59 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-08-19 07:41 . 2009-08-19 07:41 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-18 17:45 . 2009-06-16 11:16 -------- d-----w- c:\documents and settings\Chris\Application Data\Audacity
2009-08-18 03:59 . 2009-08-13 23:24 -------- d-----w- c:\program files\Desktop iPhone
2009-08-15 13:26 . 2005-09-26 05:37 -------- d-----w- c:\program files\Common Files\SureThing Shared
2009-08-15 13:25 . 2008-10-14 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-15 13:24 . 2005-09-29 05:42 -------- d-----w- c:\program files\Yahoo!
2009-08-15 13:20 . 2008-10-14 18:45 -------- d-----w- c:\program files\RogueRemover FREE
2009-08-15 13:18 . 2007-07-29 04:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-15 12:27 . 2005-09-26 05:38 -------- d-----w- c:\program files\ArcSoft
2009-08-15 12:26 . 2005-09-26 05:40 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-08-13 23:32 . 2009-06-04 02:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-13 23:25 . 2009-08-13 23:25 -------- d-----w- c:\documents and settings\Chris\Application Data\iPhone.F4B6EDD4861104DF103CA831FC6755522BBBD9C1.1
2009-08-13 19:18 . 2009-08-13 19:18 -------- d-----w- c:\documents and settings\Chris\Application Data\IMVUClient
2009-08-12 19:33 . 2009-08-12 19:10 -------- d-----w- c:\documents and settings\Chris\Application Data\FrostWire
2009-08-09 11:24 . 2009-06-05 00:15 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-09 11:24 . 2008-03-11 01:34 -------- d-----w- c:\program files\FrostWire
2009-08-09 09:36 . 2009-06-21 10:39 -------- d-----w- c:\program files\Messenger Plus! Live
2009-08-08 18:11 . 2009-08-08 18:11 -------- d-----w- c:\program files\coOpera
2009-08-05 20:37 . 2009-08-01 20:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:01 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-09-25 03:07 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-10 19:42 . 2009-07-10 19:42 56 -c-ha-w- c:\windows\system32\ezsidmv.dat
2009-07-07 01:04 . 2009-07-07 01:04 128 -c--a-w- c:\documents and settings\Chele\Local Settings\Application Data\fusioncache.dat
2009-07-03 19:45 . 2009-07-03 19:45 128 -c--a-w- c:\documents and settings\Chris\Local Settings\Application Data\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-09-16 2007832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"NoActiveDesktopChanges"="00000000" [X]
"NoActiveDesktop"="0 (0x0)" [X]
"NoSaveSettings"="0 (0x0)" [X]
"ClassicShell"="0 (0x0)" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-16 11:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Chele^Start Menu^Programs^Startup^ikowin32.exe]
backup=c:\windows\pss\ikowin32.exeStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWC:\Program Files
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Gh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\# Lh'9Ӝ3rWc:\program files\ISTsvc\istsvc.exe]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Pml Driver HPZ12"=3 (0x3)
"ose"=3 (0x3)
"NgVpnMgr"=2 (0x2)
"LVSrvLauncher"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"dnlsvc"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"helpsvc"=2 (0x2)
"gusvc"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kazaa Lite K++\\Kazaa.kpp"=
"c:\\Program Files\\Logitech\\VideoCall\\VideoCall.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Magic Workstation\\MWSPlay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

R3 NgFilter;Aventail VPN Filter;c:\windows\system32\DRIVERS\ngfilter.sys [2007-02-05 15360]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\DRIVERS\nglog.sys [2007-02-05 17920]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-09-16 297752]
R4 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2007-02-05 194115]
R4 pfcpr12;pfcpr12;c:\windows\system32\drivers\senudfs.sys [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-09-16 335240]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-09-16 108552]
S3 NgVpn;Aventail VPN Adapter;c:\windows\system32\DRIVERS\ngvpn.sys [2007-02-05 70144]

.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = actsvr.comcastonline.com:8100
uInternet Settings,ProxyOverride = cdn
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Chele\Application Data\Mozilla\Firefox\Profiles\4j4xctbt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XUL Cache: {6FF210BF-BB6C-471B-985C-CBEFF535B0BD} - c:\documents and settings\Chele\Local Settings\Application Data\{6FF210BF-BB6C-471B-985C-CBEFF535B0BD}
FF - HiddenExtension: XUL Cache: {ECAE5EFC-8CB8-49DD-B264-F2D7986621CA} - c:\documents and settings\LocalService\Local Settings\Application Data\{ECAE5EFC-8CB8-49DD-B264-F2D7986621CA}
FF - HiddenExtension: XUL Cache: {BB1FBF8E-0AFE-40DB-8CFB-25DA47798316} - c:\documents and settings\Owner\Local Settings\Application Data\{BB1FBF8E-0AFE-40DB-8CFB-25DA47798316}
FF - HiddenExtension: XUL Cache: {302EE7AF-A8FC-433B-B923-0B1553B35668} - c:\documents and settings\Chris\Local Settings\Application Data\{302EE7AF-A8FC-433B-B923-0B1553B35668}
FF - HiddenExtension: XUL Cache: {BE7346B4-1163-494A-A5D4-0A856F947C4D} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BE7346B4-1163-494A-A5D4-0A856F947C4D}\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 16:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
NoActiveDesktopChanges = 3F 00 00 00
NoActiveDesktop = 63
NoSaveSettings = 63
ClassicShell = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-30 16:56
ComboFix-quarantined-files.txt 2009-09-30 20:56
ComboFix2.txt 2009-09-29 23:33
ComboFix3.txt 2009-09-29 19:51
ComboFix4.txt 2009-09-29 03:04
ComboFix5.txt 2009-09-30 20:29

Pre-Run: 34,686,459,904 bytes free
Post-Run: 34,653,917,184 bytes free

273 --- E O F --- 2009-09-16 12:46

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 September 2009 - 04:31 PM

Hi,

Thanks for letting me know. :( I think you posted the log from last night. The date is from last night. Could you look for the one from today? :(

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?