
Feisty infection


  • This topic is locked
57 replies to this topic

#1 bilham

bilham

  • Members
  • 46 posts
  • Location:rye ny

Posted 09 November 2009 - 03:42 PM

I'm not sure how I got it, but it's bad. I'm running Vista on a Dell XPS 210.
It started with this phantom music. I found b.exe in Task Mgr and deleted it. That fixed that.
Then I ran Reg Repair, which quit halfway thru and then could not be reopened (MIA).
Similarly HijackThis quit and disappeared, MIA. After replacing HJT several times, I did get it to run once, and I saved the log.
ComboFix won't run
AVG won't run
MalwareBytes won't run, MIA
Rootkit buster won't run, MIA
Spybot won't run, MIA
AdAware runs but finds nothing.
Trend PC-cillin stops, crashes.
DDS did run.
ESET online virus search ran and found about 6 things, but it didn't cure my problem.

Twice today Firefox has been crashing as I try to post to this topic. Weird.

I have several free anti-spy apps, redundant, I know. None of them show any problem, or else they don't work at all.

And, get this: In C:\Documents and Settings\bilham\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\... goes on infinitely. What the heck is that?

Also, there is a Yahoo\Common directory in Programs that is suspicious, last modified 11/02.

Let me know if you need anything else.

DDS log:

DDS (Ver_09-10-26.01) - NTFSx86
Run by bilham at 14:52:58.69 on Mon 11/09/2009
Internet Explorer: 7.0.6000.16764 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.1367 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: PC-cillin Internet Security - Spyware Protection *disabled* (Outdated) {003DD9A8-02A6-43CF-81BA-5D403CAD001E}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security 14\PcCtlCom.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security 14\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security 14\tmproxy.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\stsystra.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\LogonUI.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\dllhost.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\explorer.exe
C:\Program Files\Glary Utilities\Integrator.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\bilham\Downloads\dds - Copy.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://www.myschoolmeals.com/pages/login.aspx
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6070202
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [BitTorrent DNA] "c:\program files\bittorrent_dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
StartupFolder: c:\users\bilham\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {229591D9-79F4-426E-BF85-FA55471F23A1} = 192.168.1.1,192.168.1.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\bittorrent_dna\plugins\npbtdna.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{0ffcc8d1-8198-4b2f-9a96-2b4d4a65ecc9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: XUL Cache: {21C4648E-2EF5-4C49-8617-E498D80E9416} - c:\users\bilham\appdata\local\{21C4648E-2EF5-4C49-8617-E498D80E9416}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-7 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-7 108552]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-5-16 256000]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [2007-5-15 112624]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-5-16 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-5-16 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-5-16 52309]

=============== Created Last 30 ================

2009-11-06 14:27:16 673280 ----a-w- c:\windows\isRS-000.tmp
2009-11-05 19:08:16 0 d-----w- c:\program files\ESET
2009-11-02 15:39:03 320000 ----a-w- c:\windows\system32\cmd.execf
2009-11-02 15:38:15 0 d-----w- C:\ComboFixx
2009-11-02 15:38:14 320000 ----a-w- c:\windows\system32\CF4402.exe
2009-11-02 15:37:36 320000 ----a-w- c:\windows\system32\CF4274.exe
2009-11-02 14:43:30 0 d-----w- c:\program files\rRegistry Repair
2009-10-29 13:32:50 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-29 13:02:32 0 d-----w- c:\program files\Glary Utilities
2009-10-23 23:41:53 320000 ----a-w- c:\windows\system32\CF30198.exe
2009-10-19 03:26:03 498 ----a-w- C:\Program Files.lnk
2009-10-18 03:20:50 0 d-----w- c:\program files\common files\DivX Shared
2009-10-17 13:19:16 0 ----a-w- c:\windows\win32k.sys

==================== Find3M ====================

2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-10 18:53:37 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-10 18:53:37 86016 ----a-w- c:\windows\inf\infpub.dat
2009-10-10 18:53:37 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-10 16:30:00 529 ----a-w- c:\program files\hycam license.txt
2009-09-17 03:01:49 115248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-19 09:18:36 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-08-15 10:06:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-01-24 15:24:18 174 --sha-w- c:\program files\desktop.ini
2008-11-29 21:44:24 0 ----a-w- c:\program files\re
2008-06-15 07:14:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 14:57:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:55:23.47 ===============



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 November 2009 - 06:48 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • Location:rye ny

Posted 15 November 2009 - 01:03 PM

Since my last post I have done the following:
Downloaded a fresh version of Malwarebytes and ran it successfully. It found a handful of problems, mostly cookies.
Downloaded a fresh version of HijackThis and ran it successfully.
AV programs seem to be working better now, after Malwarebytes ran, but there are still a few issues. All the MIA programs resist deleting, no permission. Also, when I download a program in Firefox, many times it’s not saved anywhere. FF has been crashing a lot.



DDS (Ver_09-10-26.01) - NTFSx86
Run by bilham at 12:44:15.51 on Sun 11/15/2009
Internet Explorer: 7.0.6000.16764 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.1217 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: PC-cillin Internet Security - Spyware Protection *disabled* (Outdated) {003DD9A8-02A6-43CF-81BA-5D403CAD001E}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\stsystra.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\Spy-bot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\sdclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wscript.exe
C:\Windows\system32\taskeng.exe
C:\Users\bilham\Desktop\Anti Spye\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://www.myschoolmeals.com/pages/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spy-bot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [BitTorrent DNA] "c:\program files\bittorrent_dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spy-bot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [pccguide.exe] "c:\program files\trend micro\internet security 14\pccguide.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\users\bilham\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spy-bot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {229591D9-79F4-426E-BF85-FA55471F23A1} = 192.168.1.1,192.168.1.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\bittorrent_dna\plugins\npbtdna.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{0ffcc8d1-8198-4b2f-9a96-2b4d4a65ecc9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: XUL Cache: {21C4648E-2EF5-4C49-8617-E498D80E9416} - c:\users\bilham\appdata\local\{21C4648E-2EF5-4C49-8617-E498D80E9416}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-11 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-7 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-7 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-7 297752]
R2 DbgSvc;Debug Diagnostic Service;c:\program files\debugdiag\DbgSvc.exe [2007-1-16 316256]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-2-2 36368]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-5-16 256000]
S2 gupdate1c9a5b5fe05daf0;Google Update Service (gupdate1c9a5b5fe05daf0);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]
S2 Tmntsrv;Trend Micro Real-time Service;c:\program files\trend micro\internet security 14\Tmntsrv.exe [2006-9-25 345696]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security 14\TmPfw.exe [2006-9-25 923216]
S2 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security 14\tmproxy.exe [2006-9-25 566872]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [2007-5-15 112624]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-2-2 29744]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-5-16 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-5-16 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-5-16 52309]

=============== Created Last 30 ================

2009-11-15 15:58:32 0 d-----w- c:\program files\SyncBack
2009-11-14 21:11:56 0 d-----w- c:\program files\BitTornado
2009-11-14 17:32:17 0 d-----w- c:\program files\Spy-bot - Search & Destroy
2009-11-14 15:17:34 0 d-----w- C:\ComboFixx
2009-11-13 16:21:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 16:21:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 16:21:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-11-11 06:55:35 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-11 06:54:58 0 d-----w- c:\program files\Panda Security
2009-11-05 19:08:16 0 d-----w- c:\program files\ESET
2009-11-02 14:43:30 0 d-----w- c:\program files\rRegistry Repair
2009-10-29 13:02:32 0 d-----w- c:\program files\Glary Utilities
2009-10-19 03:26:03 498 ----a-w- C:\Program Files.lnk
2009-10-18 03:20:50 0 d-----w- c:\program files\common files\DivX Shared

==================== Find3M ====================

2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-10 18:53:37 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-10 18:53:37 86016 ----a-w- c:\windows\inf\infpub.dat
2009-10-10 18:53:37 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-10 16:30:00 529 ----a-w- c:\program files\hycam license.txt
2009-09-17 03:01:49 115248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-19 09:18:36 107864 ----a-w- c:\windows\system32\tsccvid.dll
2009-01-24 15:24:18 174 --sha-w- c:\program files\desktop.ini
2008-11-29 21:44:24 0 ----a-w- c:\program files\re
2008-06-15 07:14:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 14:57:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 12:44:32.11 ===============




#4 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Location:rye ny
  • Local time:10:14 AM

Posted 15 November 2009 - 05:42 PM

Just deleted Trend PC-cillin and updated to AVG 9
Also installed FF 3.5.5
Both installations required repeated downloads which would disappear from the downloads directory. Odd.
FWIW

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,638 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:14 PM

Posted 17 November 2009 - 09:35 AM

Hello bilham,

And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.


P2P WARNING
-------------------
Going over your logs I noticed that you have utorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall utorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.



I notice the presence of Registry Repair Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on regcleaners

Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.


http://miekiemoes.blogspot.com/2008/02/reg...weaking_13.html
http://forums.whatthetech.com/Regcleaner_t42862.html


You mentioned you tried to run Combofix.

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Please read and follow all these instructions very carefully.
  • Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe to run it.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
In your next reply, please include the following:
  • Goored log

Edited by elise025, 17 November 2009 - 09:35 AM.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#6 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Location:rye ny
  • Local time:10:14 AM

Posted 17 November 2009 - 05:25 PM

Thanks, Elise.
I'm hoping MalwareBytes did some good, but I'm hoping that you can check things over.
I ran an AVG scan last night and all it found were some cookies to delete.
I ran rootkitBuster last week, if that log is of any use. It indicates there is something called mcupdate that runs frequently, even though I don't have McAfee. Weird?



GooredFix by jpshortstuff (17.11.09.1)
Log created at 17:03 on 17/11/2009 (bilham)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{21C4648E-2EF5-4C49-8617-E498D80E9416} -> Success!
Deleting C:\Users\bilham\AppData\Local\{21C4648E-2EF5-4C49-8617-E498D80E9416} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:09 11/03/2007]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [05:00 08/02/2009]
{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [06:01 13/07/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"paypalfirefoxplugin@orbiscom"="C:\Program Files\PayPal\PayPal Plug-In" []
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [21:33 15/11/2009]

-=E.O.F=-

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,638 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:04:14 PM

Posted 18 November 2009 - 02:58 AM

How are your Firefox issues now?

You mentioned something about Malwarebytes Antimalware. Did you install it?

If so, please start it, update it and run a full scan.

Also, please post me a new DDS log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 



#8 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Location:rye ny
  • Local time:10:14 AM

Posted 18 November 2009 - 05:31 PM

hi elise
here ya go

Malwarebytes' Anti-Malware 1.41
Database version: 3193
Windows 6.0.6000

11/18/2009 2:31:12 PM
mbam-log-2009-11-18 (14-31-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 381087
Time elapsed: 1 hour(s), 42 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------



DDS (Ver_09-10-26.01) - NTFSx86
Run by bilham at 14:32:15.43 on Wed 11/18/2009
Internet Explorer: 7.0.6000.16764 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.1261 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\stsystra.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\Spy-bot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DebugDiag\DbgSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
C:\Windows\explorer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\WerCon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\bilham\Desktop\Anti Spye\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://www.myschoolmeals.com/pages/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spy-bot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [BitTorrent DNA] "c:\program files\bittorrent_dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spy-bot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
StartupFolder: c:\users\bilham\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spy-bot - search & destroy\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {229591D9-79F4-426E-BF85-FA55471F23A1} = 192.168.1.1,192.168.1.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayAccessComponent.dll
FF - component: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{62760fd6-b943-48c9-ab09-f99c6fe96088}\platform\winnt\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\bittorrent_dna\plugins\npbtdna.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\bilham\appdata\roaming\mozilla\firefox\profiles\pvmo5mhh.default\extensions\{0ffcc8d1-8198-4b2f-9a96-2b4d4a65ecc9}\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-11 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-7 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-7 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-15 285392]
R2 DbgSvc;Debug Diagnostic Service;c:\program files\debugdiag\DbgSvc.exe [2007-1-16 316256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-13 38224]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-5-16 256000]
S2 gupdate1c9a5b5fe05daf0;Google Update Service (gupdate1c9a5b5fe05daf0);c:\program files\google\update\GoogleUpdate.exe [2009-3-15 133104]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security 14\tmpfw.exe --> c:\program files\trend micro\internet security 14\TmPfw.exe [?]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\drivers\dvc325.sys [2007-5-15 112624]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-2-2 29744]
S3 mam4410c;mam4410c;c:\windows\system32\drivers\mam4410c.sys [2008-5-16 24784]
S3 mam4410m;mam4410m;c:\windows\system32\drivers\mam4410m.sys [2008-5-16 25044]
S3 mam4410u;mam4410u;c:\windows\system32\drivers\mam4410u.sys [2008-5-16 52309]

=============== Created Last 30 ================

2009-11-17 23:33:15 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-17 23:27:20 0 d-----r- c:\program files\Skype
2009-11-17 23:27:16 0 d-----w- c:\programdata\Skype
2009-11-16 21:41:53 0 d-----w- C:\symcache
2009-11-15 23:04:30 0 d-----w- c:\users\bilham\appdata\roaming\wsInspector
2009-11-15 22:59:26 0 d-----w- c:\program files\Startup Inspector for Windows
2009-11-15 22:44:38 0 d-----w- c:\users\bilham\appdata\roaming\IObit
2009-11-15 22:44:37 0 d-----w- c:\program files\Advanced SystemCare 3
2009-11-15 22:05:50 0 d-----w- c:\program files\SyncBackk
2009-11-15 21:35:05 0 d--h--w- C:\$AVG
2009-11-15 21:33:23 0 d-----w- c:\programdata\avg9
2009-11-15 19:56:00 0 d-----w- C:\ComboFixx
2009-11-15 15:58:32 0 d-----w- c:\program files\SyncBack
2009-11-14 17:32:17 0 d-----w- c:\program files\Spy-bot - Search & Destroy
2009-11-13 16:21:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 16:21:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 16:21:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-11-11 06:55:35 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-11 06:54:58 0 d-----w- c:\program files\Panda Security
2009-11-05 19:08:16 0 d-----w- c:\program files\ESET
2009-11-02 14:43:30 0 d-----w- c:\program files\rRegistry Repair
2009-10-29 13:02:32 0 d-----w- c:\program files\Glary Utilities

==================== Find3M ====================

2009-11-15 21:33:33 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-15 21:33:33 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-15 21:33:28 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-15 20:22:04 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-15 20:22:04 86016 ----a-w- c:\windows\inf\infpub.dat
2009-11-15 20:22:04 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-10 16:30:00 529 ----a-w- c:\program files\hycam license.txt
2009-09-17 03:01:49 115248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-24 15:24:18 174 --sha-w- c:\program files\desktop.ini
2008-11-29 21:44:24 0 ----a-w- c:\program files\re
2008-06-15 07:14:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2006-11-22 14:57:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 14:32:55.87 ===============

#9 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Location:rye ny
  • Local time:10:14 AM

Posted 18 November 2009 - 09:22 PM

and this



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 5/16/2008 3:33:44 PM
System Uptime: 11/17/2009 11:04:33 PM (15 hours ago)

Motherboard: Dell Inc. | | 0WG860
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz | Microprocessor | 1862/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 288 GiB total, 19.199 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 3.23 GiB free.
E: is CDROM ()
G: is Removable
H: is Removable
I: is FIXED (NTFS) - 149 GiB total, 125.502 GiB free.
J: is Removable
K: is Removable
M: is Removable
N: is CDROM (UDF)
R: is FIXED (FAT32) - 149 GiB total, 59.361 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: DUAL MODE CAMERA SL310
Device ID: ROOT\IMAGE\0000
Manufacturer: MY CAMERA
Name: DUAL MODE CAMERA SL310
PNP Device ID: ROOT\IMAGE\0000
Service: MR97310_USB_DUAL_CAMERA

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
3ivx D4 4.5.1 Decoder (remove only)
Acoustica Effects Pack
Acoustica Mixcraft 4.5
Ad-Aware
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.2
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Advanced SystemCare 3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
Avery Wizard 3.1
AVG Free 9.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.3
Banctec Service Agreement
BitTorrent 5.0.9
Bonjour
Camera Driver
Camtasia Studio 6
CCleaner (remove only)
CDDRV_Installer
CommandBurner 3.3
Compatibility Pack for the 2007 Office system
Debug Diagnostics Tool 1.1 (x86)
DebugMode Wax 2.0
DesignPro 5.0 Limited Edition
Digital Line Detect
DNA
Documentation & Support Launcher
Duplicate Cleaner 1.2
ESET Online Scanner v3
ExtraPutty 0.22
FileASSASSIN
Flickr Uploadr 2.5.0.14
foobar2000 v0.9.5
Freecorder Toolbar 3.0 Application
Freecorder Toolbar 3.02 Application
Games, Music, & Photos Launcher
Gimp 2.6.2 Debug
Glary Utilities 2.16.0.758
Glarysoft Registry Repair 2.7
Google Desktop
Google SketchUp
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HijackThis 2.0.2
HP OfficeJet K Series
HyperCam 2
Icons from File 3.32
ImageMate 8 in 1 Read/Writer (SDDR-88)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
Java™ 6 Update 14
Java™ SE Runtime Environment 6
KhalInstallWrapper
Kodak DVC325 Digital Video Camera Software Installation
LG PhoneManager
LG VX5300 USB - Handset Manager V9.5
Logitech Audio Echo Cancellation Component
Logitech ImageStudio
Logitech QuickCam
Logitech SetPoint
Logitech Video Enumerator
Logitech® Camera Driver
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Microsoft Office Small Business Edition 2003
Microsoft Outlook Personal Folders Backup
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Modem Diagnostic Tool
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Multimedia Samples
MVision
NetWaiting
Panda ActiveScan 2.0
PayPal Plug-In
Pdf995
PeaZip 2.5.1
Picasa 3
Pivot Stickfigure Animator
Player
Quick StartUp 2.3
QuickTime
Real Alternative 1.9.0
Revo Uninstaller 1.83
Roblox
Security Update for CAPICOM (KB931906)
SigmaTel Audio
Skype web features
Skype™ 4.1
Sonic Activation Module
Spybot - Search & Destroy
Stop Motion Animator 1.1.XP
SyncBack
Trader's Little Helper 2.4.1
Uninstall 1.0.0.1
Uninstall Startup Inspector
User's Guides
VC80CRTRedist - 8.0.50727.762
ViewonLog
Vista Shortcut Manager
Voice Recorder v1.0
Winamp
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant

==== Event Viewer Messages From Past Week ========

11/17/2009 11:05:04 PM, Error: EventLog [6008] - The previous system shutdown at 11:03:42 PM on 11/17/2009 was unexpected.
11/14/2009 10:18:03 AM, Error: Service Control Manager [7034] - The Process Monitor service terminated unexpectedly. It has done this 1 time(s).
11/13/2009 4:34:32 AM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
11/13/2009 2:26:05 PM, Error: Service Control Manager [7003] - The Trend Micro Personal Firewall service depends the following service: tmcfw. This service might not be installed.
11/13/2009 2:14:57 PM, Error: volsnap [25] - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
11/13/2009 2:10:45 PM, Error: volmgr [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/12/2009 7:40:40 PM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
11/11/2009 11:42:54 AM, Error: Microsoft-Windows-SpoolerWin32SPL [3] - The print spooler failed to reopen an existing printer connection because it could not read the configuration information from the registry key S-1-5-21-2323285983-2546708959-2513610121-1001\Printers\Connections\S-1-5-21-2323285983-2546708959-2513610121-1001\Printers\Connections. This can occur if the key name or values are malformed or missing.

==== End Of File ===========================

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,638 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:14 PM

Posted 19 November 2009 - 02:54 AM

Hello bilham,

Now let's see if we can run ComboFix. Please make sure Spybot's TeaTimer is turned off.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • A description of the remaining problems.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

animinionsmalltext.gif


#11 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Location:rye ny
  • Local time:10:14 AM

Posted 19 November 2009 - 02:28 PM

EEK!

I followed directions above and turned off Ad-Aware and AVG. I downloaded ComboFix from your site. I ran ComboFix, and it saw Ad-Aware as active although it was not. I ran ComboFix anyway. No MS Recovery Console prompt appeared.

It ran for a good amount of time, then rebooted the computer and finished running, presenting a log file.

BUT, when I tried to open Firefox, I get this message: "Illegal operation attempted on a registry key that has been marked for deletion."

NOW, any and every program I try to open gives this message. I need advice immediately!
I'm afraid to reboot, as it might finalize the deletions.
ALSO, as I scrambled for help, I see "No restore points have been created on your computer's system disk."

Now what? Please respond soonest.

I copied the log file, and am using my kid's Mac to log in.


ComboFix 09-11-18.09 - bilham 11/19/2009 12:27.5.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.1344 [GMT -5:00]
Running from: c:\users\bilham\Downloads\ComboFix2.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC-cillin Internet Security - Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2323285983-2546708959-2513610121-500

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-19 17:11 . 2009-11-19 17:24 -------- d-----w- C:\32788R22FWJFW
2009-11-19 17:09 . 2009-11-19 17:09 36864 d-----w- C:\ComboFixx
2009-11-17 23:33 . 2009-11-17 23:33 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-17 23:33 . 2009-11-19 13:07 -------- d-----w- c:\users\bilham\AppData\Roaming\skypePM
2009-11-17 23:27 . 2009-11-19 13:58 -------- d-----w- c:\users\bilham\AppData\Roaming\Skype
2009-11-17 23:27 . 2009-11-17 23:27 -------- d-----w- c:\program files\Common Files\Skype
2009-11-17 23:27 . 2009-11-17 23:27 -------- d-----r- c:\program files\Skype
2009-11-17 23:27 . 2009-11-17 23:27 -------- d-----w- c:\programdata\Skype
2009-11-16 21:41 . 2009-11-16 21:42 -------- d-----w- C:\symcache
2009-11-16 05:34 . 2009-11-19 17:16 47124 ----a-w- c:\users\bilham\AppData\Local\prvlcl.dat
2009-11-15 23:04 . 2009-11-18 04:56 -------- d-----w- c:\users\bilham\AppData\Roaming\wsInspector
2009-11-15 22:59 . 2009-11-15 23:01 4096 d-----w- c:\program files\Startup Inspector for Windows
2009-11-15 22:44 . 2009-11-15 22:54 -------- d-----w- c:\users\bilham\AppData\Roaming\IObit
2009-11-15 22:44 . 2009-11-19 13:59 20480 d-----w- c:\program files\Advanced SystemCare 3
2009-11-15 22:05 . 2009-11-15 23:46 12288 d-----w- c:\program files\SyncBackk
2009-11-15 21:35 . 2009-11-15 21:35 -------- d-----w- C:\$AVG
2009-11-15 21:33 . 2009-11-18 04:06 4096 d-----w- c:\programdata\avg9
2009-11-15 15:58 . 2009-11-15 22:04 -------- d-----w- c:\program files\SyncBack
2009-11-14 17:32 . 2009-11-14 17:39 8192 d-----w- c:\program files\Spy-bot - Search & Destroy
2009-11-13 16:21 . 2009-11-13 16:21 4045527 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-13 16:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-13 16:21 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-13 16:21 . 2009-11-15 15:37 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware2
2009-11-11 06:55 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-11 06:54 . 2009-11-11 06:54 -------- d-----w- c:\program files\Panda Security
2009-11-05 19:08 . 2009-11-05 19:08 -------- d-----w- c:\program files\ESET
2009-11-02 14:43 . 2009-11-15 15:52 4096 d-----w- c:\program files\rRegistry Repair
2009-10-31 05:08 . 2009-10-26 14:21 50176 ----a-w- c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
2009-10-31 05:08 . 2009-10-26 14:21 94208 ----a-w- c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
2009-10-30 10:29 . 2009-10-30 10:29 -------- d-----w- c:\users\Woo Hoo!\AppData\Local\Apple
2009-10-29 13:02 . 2009-11-09 16:25 16384 d-----w- c:\program files\Glary Utilities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 18:00 . 2007-06-04 01:58 4096 d-----w- c:\users\bilham\AppData\Roaming\DNA
2009-11-19 17:53 . 2008-05-24 22:25 479232 d-----w- c:\users\bilham\AppData\Roaming\uTorrent
2009-11-19 17:50 . 2007-06-04 01:58 4096 d-----w- c:\program files\BitTorrent_DNA
2009-11-19 13:12 . 2008-12-11 16:52 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-19 13:09 . 2008-12-11 16:52 8192 d-----r- c:\program files\Spybot - Search & Destroy
2009-11-19 02:43 . 2008-11-04 16:34 -------- d-----w- c:\program files\DebugMode
2009-11-19 01:06 . 2008-05-30 23:02 4096 d-----w- c:\programdata\Google Updater
2009-11-16 21:41 . 2007-10-09 23:55 4096 d-----w- c:\program files\DebugDiag
2009-11-15 22:28 . 2007-02-02 15:18 4096 d-----w- c:\program files\Trend Micro
2009-11-15 21:35 . 2008-12-15 15:43 4096 d-----w- c:\programdata\avg8
2009-11-15 21:35 . 2009-04-07 21:34 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-15 21:33 . 2009-04-07 21:34 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-15 21:33 . 2009-04-07 21:34 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-15 21:33 . 2009-04-07 21:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-15 21:33 . 2008-12-15 15:43 -------- d-----w- c:\program files\AVG
2009-11-13 19:10 . 2008-12-11 18:59 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-13 00:34 . 2007-04-12 13:37 4096 d-----w- c:\program files\Common Files\Adobe
2009-11-12 23:53 . 2007-02-02 15:22 4096 d-----w- c:\program files\Google
2009-11-04 15:38 . 2009-10-04 23:02 8192 d-----w- c:\program files\HyCam2
2009-11-03 01:42 . 2009-10-03 05:15 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-01 19:12 . 2008-01-20 16:12 4096 d-----w- c:\users\bilham\AppData\Roaming\foobar2000
2009-11-01 07:45 . 2009-05-25 23:58 4096 d-----w- c:\users\Woo Hoo!\AppData\Roaming\BitTorrent
2009-10-26 13:43 . 2009-09-09 19:48 4096 d-----w- c:\users\bilham\AppData\Roaming\Move Networks
2009-10-18 20:45 . 2008-12-15 17:51 1356 ----a-w- c:\users\bilham\AppData\Local\d3d9caps.dat
2009-10-18 03:20 . 2009-10-18 03:20 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-17 15:57 . 2009-05-25 02:57 -------- d-----w- c:\users\Woo Hoo!\AppData\Roaming\Apple Computer
2009-10-13 22:25 . 2009-02-26 17:52 4096 d-----w- c:\program files\CommandBurner
2009-10-10 18:04 . 2009-10-10 18:04 -------- d-----w- c:\program files\Camtasia Studio
2009-10-10 17:58 . 2009-10-10 17:58 -------- d-----w- c:\programdata\TechSmith
2009-10-10 17:57 . 2009-10-10 17:57 -------- d-----w- c:\program files\Common Files\TechSmith Shared
2009-10-10 17:57 . 2009-10-10 17:57 -------- d-----w- c:\program files\TechSmith
2009-10-10 16:30 . 2009-10-10 16:30 529 ----a-w- c:\program files\hycam license.txt
2009-10-06 13:58 . 2007-08-04 18:35 -------- d-----w- c:\program files\iPod(15)
2009-10-06 00:47 . 2009-10-06 00:47 -------- d-----w- c:\program files\Microsoft ATS
2009-09-29 14:53 . 2009-01-31 01:04 -------- d-----w- c:\users\bilham\AppData\Roaming\MonkeyJam
2009-09-23 21:47 . 2007-03-14 12:28 4096 d-----w- c:\users\bilham\AppData\Roaming\Apple Computer
2009-09-23 19:13 . 2009-09-23 19:10 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-23 19:13 . 2007-11-15 13:07 4096 d-----w- c:\program files\iTunes
2009-09-23 19:10 . 2009-09-23 19:10 -------- d-----w- c:\program files\iPod
2009-09-23 19:10 . 2007-07-07 19:12 -------- d-----w- c:\program files\Common Files\Apple
2009-09-23 19:08 . 2009-09-23 19:08 4096 d-----w- c:\program files\QuickTime
2009-09-23 18:59 . 2009-09-23 18:59 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-19 23:52 . 2009-05-26 01:33 115248 ----a-w- c:\users\Woo Hoo!\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-17 03:01 . 2007-07-27 18:49 115248 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-08-31 22:16 . 2009-09-23 17:02 52224 ----a-w- c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
2009-08-31 22:16 . 2009-09-23 17:02 114688 ----a-w- c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\npmozax.dll
2009-08-31 14:23 . 2009-09-23 17:02 52224 ----a-w- c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\FFExternalAlert.dll
2009-08-31 14:23 . 2009-09-23 17:02 114688 ----a-w- c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{a33fa729-d155-4b23-842b-2c665ecabdb6}\components\npmozax.dll
2008-11-29 21:44 . 2008-11-29 21:44 0 ----a-w- c:\program files\re
2008-08-07 06:24 . 2008-08-07 06:24 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2006-11-22 14:57 . 2006-11-22 14:57 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-10-22 289072]
"BitTorrent DNA"="c:\program files\BitTorrent_DNA\btdna.exe" [2009-10-06 323392]
"SpybotSD TeaTimer"="c:\program files\Spy-bot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-15 2020120]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-12-19 76304]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-20 282624]

c:\users\bilham\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-22 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/11/2009 1:55 AM 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [4/7/2009 4:34 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [4/7/2009 4:34 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/15/2009 4:33 PM 285392]
R2 DbgSvc;Debug Diagnostic Service;c:\program files\DebugDiag\DbgSvc.exe [1/16/2007 9:10 AM 316256]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\System32\drivers\WUSB54GCx86.sys [5/16/2008 5:37 PM 256000]
S2 gupdate1c9a5b5fe05daf0;Google Update Service (gupdate1c9a5b5fe05daf0);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2009 4:35 PM 133104]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security 14\TmPfw.exe --> c:\program files\Trend Micro\Internet Security 14\TmPfw.exe [?]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\System32\drivers\dvc325.sys [5/15/2007 7:35 PM 112624]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/2/2007 10:22 AM 29744]
S3 mam4410c;mam4410c;c:\windows\System32\drivers\mam4410c.sys [5/16/2008 5:37 PM 24784]
S3 mam4410m;mam4410m;c:\windows\System32\drivers\mam4410m.sys [5/16/2008 5:37 PM 25044]
S3 mam4410u;mam4410u;c:\windows\System32\drivers\mam4410u.sys [5/16/2008 5:37 PM 52309]

--- Other Services/Drivers In Memory ---

*Deregistered* - tmtdi
.
Contents of the 'Scheduled Tasks' folder

2009-11-19 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-10-29 00:27]

2009-11-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-15 05:42]

2009-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-15 21:35]

2009-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-15 21:35]

2009-11-15 c:\windows\Tasks\SyncBack BilHam.job
- c:\program files\SyncBackk\SyncBack.exe [2009-11-15 17:00]

2009-11-19 c:\windows\Tasks\User_Feed_Synchronization-{ACE31DEC-FC3C-4319-A748-0CFBA8F72609}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = https://www.myschoolmeals.com/pages/login.aspx
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: {229591D9-79F4-426E-BF85-FA55471F23A1} = 192.168.1.1,192.168.1.3
FF - ProfilePath - c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayAccessComponent.dll
FF - component: c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}\platform\WINNT\components\ebayShortcutMaker.dll
FF - plugin: c:\program files\BitTorrent_DNA\plugins\npbtdna.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\users\bilham\AppData\Roaming\Mozilla\Firefox\Profiles\pvmo5mhh.default\extensions\{0FFCC8D1-8198-4b2f-9A96-2B4D4A65ECC9}\plugins\npGoogleGadgetPluginFirefoxWin.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-3ivx D4 4.5.1 Decoder - c:\program files\3ivx\3ivx D4 4.5.1
AddRemove-Uninstall_is1 - c:\program files\Common Files\DVDVideoSoft\unins000.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(940)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\msdtc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\DebugDiag\DbgHost.exe
c:\windows\system32\sdclt.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-11-19 13:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 18:07
ComboFix2.txt 2009-11-15 20:09
ComboFix3.txt 2009-11-14 15:26
ComboFix4.txt 2009-05-07 03:48
ComboFix5.txt 2009-11-19 17:25

Pre-Run: 20,455,723,008 bytes free
Post-Run: 20,934,987,776 bytes free

- - End Of File - - A41AF39E55F349F546CA5549AE1B4A28

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,638 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:14 PM

Posted 19 November 2009 - 02:53 PM

Don't panic here :(

* Created a new restore point

There's your new restore point.

I see you ran Combofix already 5 times on your own. That's not a good idea :(
I need to see the oldest log. Please post me the log you will find at c:\qoobox\combofix5.txt

That's also the reason why you didn't get prompted to install any Recovery Console (anyway Vista has its own Recovery environment).

For now, try rebooting the computer and let me know what happens.

regards, Elise




#13 bilham

bilham
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Location:rye ny
  • Local time:10:14 AM

Posted 19 November 2009 - 04:49 PM

Cool I am less panicked
Will reboot shortly



ComboFix 08-12-12.05 - bilham 2008-12-13 13:25:08.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3061.1759 [GMT -5:00]
Running from: c:\users\bilham\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\windows\jestertb.dll
c:\windows\system32\x64
c:\windows\uhekukas.dll
M:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-13 09:34 . 2008-12-13 09:35 7,009,656 --a------ C:\cx103.avi
2008-12-13 00:43 . 2008-12-13 00:45 <DIR> d-------- c:\users\All Users\Lavasoft
2008-12-13 00:43 . 2008-12-13 00:45 <DIR> d-------- c:\programdata\Lavasoft
2008-12-13 00:43 . 2008-12-13 00:43 <DIR> d-------- c:\program files\Lavasoft
2008-12-13 00:39 . 2008-12-13 00:39 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-12 20:34 . 2008-12-12 20:35 611,880 --a------ C:\CAPTURE.AVI
2008-12-12 19:35 . 2008-12-12 19:35 <DIR> d-------- c:\users\bilham\AppData\Roaming\Uniblue
2008-12-12 19:35 . 2008-12-12 19:35 <DIR> d-------- c:\users\All Users\Uniblue
2008-12-12 19:35 . 2008-12-12 19:35 <DIR> d-------- c:\programdata\Uniblue
2008-12-12 19:34 . 2008-10-26 02:01 20,232 --a------ c:\windows\System32\AntiSpyNative64.exe
2008-12-12 19:34 . 2008-10-26 02:01 16,648 --a------ c:\windows\System32\AntiSpyNative32.exe
2008-12-12 19:25 . 2008-12-12 19:34 <DIR> d-------- c:\program files\Uniblue
2008-12-11 13:59 . 2008-12-11 13:59 <DIR> d-------- c:\users\bilham\AppData\Roaming\Malwarebytes
2008-12-11 13:59 . 2008-12-11 13:59 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-11 13:59 . 2008-12-11 13:59 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-11 13:59 . 2008-12-11 13:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 13:59 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-11 13:59 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-11 11:52 . 2008-12-11 14:13 <DIR> d-------- c:\users\All Users\Spybot - Search & Destroy
2008-12-11 11:52 . 2008-12-11 14:13 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-12-11 11:52 . 2008-12-11 14:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-10 13:35 . 2008-12-10 13:35 132,096 --a------ c:\windows\Osatiyunolif.dat
2008-11-30 11:40 . 2008-12-10 12:07 <DIR> d-------- c:\program files\HyperCam2
2008-11-21 00:24 . 2008-11-21 00:25 <DIR> d-------- c:\users\All Users\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 00:24 . 2008-11-21 00:25 <DIR> d-------- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 00:24 . 2008-11-21 00:24 <DIR> d-------- c:\program files\iPod
2008-11-21 00:23 . 2008-11-21 00:23 <DIR> d-------- c:\program files\QuickTime
2008-11-20 17:48 . 2008-11-20 19:21 <DIR> d-------- c:\users\bilham\AppData\Roaming\gtk-2.0
2008-11-20 17:48 . 2008-11-20 17:48 <DIR> d-------- c:\users\bilham\.thumbnails
2008-11-20 17:28 . 2008-12-03 09:40 <DIR> d-------- c:\users\bilham\.gimp-2.6
2008-11-20 17:28 . 2008-11-20 17:28 <DIR> d-------- c:\users\bilham\.gegl-0.0
2008-11-20 17:26 . 2008-11-20 17:26 <DIR> d-------- c:\program files\Gimp-2.0
2008-11-20 12:58 . 2008-06-04 18:42 364,544 --a------ c:\windows\System32\PropertyGrid.ocx
2008-11-20 12:58 . 2008-10-24 17:05 270,336 --a------ c:\windows\System32\TubeFinder.exe
2008-11-20 12:58 . 2008-06-04 18:42 208,500 --a------ c:\windows\System32\ReyXpBasics.tlb
2008-11-20 12:58 . 2008-06-04 18:42 84,512 --a------ c:\windows\System32\PICCLP32.OCX
2008-11-20 12:58 . 2008-06-04 18:42 24,576 --a------ c:\windows\System32\ControlSubX.ocx
2008-11-20 12:58 . 2008-06-04 18:42 9,728 --a------ c:\windows\System32\PCCLPFR.DLL
2008-11-18 21:09 . 2008-11-18 21:09 <DIR> d-------- c:\program files\Frameworkx
2008-11-16 07:41 . 2008-12-12 19:24 <DIR> d-------- c:\users\bilham\Tal w 08

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-13 18:26 --------- d-----w c:\users\bilham\AppData\Roaming\uTorrent
2008-12-13 18:22 --------- d-----w c:\users\bilham\AppData\Roaming\DNA
2008-12-13 17:32 --------- d-----w c:\program files\BitTorrent_DNA
2008-12-12 19:15 --------- d-----w c:\programdata\Google Updater
2008-12-10 17:11 --------- d-----w c:\program files\Common Files\LogiShrd
2008-12-10 17:07 --------- d-----w c:\users\bilham\AppData\Roaming\foobar2000
2008-12-10 17:07 --------- d-----w c:\programdata\pdf995
2008-12-10 17:07 --------- d-----w c:\program files\Revo Uninstaller
2008-11-29 21:44 0 ----a-w c:\program files\re
2008-11-21 16:02 --------- d-----w c:\program files\Trend Micro
2008-11-21 05:25 --------- d-----w c:\program files\iTunes
2008-11-21 05:24 --------- d-----w c:\program files\Common Files\Apple
2008-11-17 01:47 --------- d-----w c:\users\bilham\AppData\Roaming\DivX
2008-11-11 21:16 --------- d-----w c:\program files\DivX
2008-11-11 21:15 --------- d-----w c:\program files\Common Files\PX Storage Engine
2008-11-04 16:59 --------- d-----w c:\program files\ViewonCode
2008-11-04 16:34 --------- d-----w c:\program files\Sonic Foundry
2008-11-04 16:34 --------- d-----w c:\program files\Pure Motion
2008-11-04 16:34 --------- d-----w c:\program files\DebugMode
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx0c.dll
2008-10-28 22:36 823,296 ----a-w c:\windows\System32\divx_xx07.dll
2008-10-28 22:35 815,104 ----a-w c:\windows\System32\divx_xx0a.dll
2008-10-28 22:35 802,816 ----a-w c:\windows\System32\divx_xx11.dll
2008-10-28 22:35 684,032 ----a-w c:\windows\System32\DivX.dll
2008-10-24 13:32 --------- d-----w c:\program files\Windows Mail
2008-10-20 14:23 --------- d--h--w c:\programdata\CanonBJ
2008-10-19 14:23 --------- d-----w c:\program files\Game_Maker7
2008-10-18 00:14 --------- d-----w c:\program files\CCleaner
2008-10-18 00:09 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-18 00:09 --------- d-----w c:\program files\ExtraPutty 0.22
2008-10-16 15:06 --------- d-----w c:\program files\Avery Wizard 3.1
2008-10-02 03:49 826,368 ----a-w c:\windows\System32\wininet.dll
2008-10-02 03:49 56,320 ----a-w c:\windows\System32\iesetup.dll
2008-10-02 03:49 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-10-02 03:48 26,624 ----a-w c:\windows\System32\ieUnatt.exe
2008-09-25 08:03 81,920 ----a-w c:\windows\System32\dpl100.dll
2008-09-25 08:03 593,920 ----a-w c:\windows\System32\dpuGUI11.dll
2008-09-25 08:03 57,344 ----a-w c:\windows\System32\dpv11.dll
2008-09-25 08:03 53,248 ----a-w c:\windows\System32\dpuGUI10.dll
2008-09-25 08:03 524,288 ----a-w c:\windows\System32\DivXsm.exe
2008-09-25 08:03 344,064 ----a-w c:\windows\System32\dpus11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\System32\dpu11.dll
2008-09-25 08:03 294,912 ----a-w c:\windows\System32\dpu10.dll
2008-09-25 08:03 196,608 ----a-w c:\windows\System32\dtu100.dll
2008-09-25 08:03 161,096 ----a-w c:\windows\System32\DivXCodecVersionChecker.exe
2008-09-19 21:57 3,596,288 ----a-w c:\windows\System32\qt-dx331.dll
2008-09-19 21:57 129,784 ------w c:\windows\System32\PxAFS.DLL
2008-09-19 21:55 200,704 ----a-w c:\windows\System32\ssldivx.dll
2008-09-19 21:55 1,044,480 ----a-w c:\windows\System32\libdivx.dll
2008-09-19 21:54 12,288 ----a-w c:\windows\System32\DivXWMPExtType.dll
2008-09-19 17:36 2,560 ----a-w c:\windows\_MSRSTRT.EXE
2008-09-18 04:35 3,505,208 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 04:35 3,470,904 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 02:03 2,027,520 ----a-w c:\windows\System32\win32k.sys
2008-07-13 07:16 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-08 270128]
"DNA"="c:\program files\BitTorrent_DNA\dna.exe" [2007-06-03 216064]
"BitTorrent DNA"="c:\program files\BitTorrent_DNA\btdna.exe" [2008-11-11 342336]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Uniblue SpyEraser"="c:\program files\Uniblue\SpyEraser\SpyEraser.exe" [2008-10-26 1431816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-07 29744]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 151552]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2006-10-03 221184]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Kjuhihod"="c:\windows\Osatiyunolif.dat" [2008-12-10 132096]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]

c:\users\bilham\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.cegsm"= MobileV.dll
"vidc.dmb1"= m3jpeg32.dll
"vidc.MJPG"= m3jpeg32.dll
"VIDC.VQC1"= vqdecode.dll
"VIDC.VQC2"= vqdecode.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"AppleSyncNotifier"=c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DefaultInboundAction"= 1 (0x1)
"DefaultOutboundAction"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{093DAACA-B8D5-4426-A2CF-FB5976F02439}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{E831AB87-136B-4C76-B7A2-A6F026F3B683}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{027FDA28-7240-4985-8853-B30F5AB99CD6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{53A0B3FF-2DBB-4E6D-B270-74E35258960A}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{0A904433-3AA1-4200-A9D3-BFA60E291B4E}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F73B4476-9E0B-4A14-97BE-46F5788860A5}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D160C625-309A-47DA-9383-E22D7867ECA6}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{0E61F372-2027-4391-846C-E0F4E3CAE5D9}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:DNA
"{E9BE65A8-950B-42A6-93BD-24621E2440D7}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:DNA
"TCP Query User{85322648-03DB-4B8E-9756-B0D16E8E128D}c:\\program files\\home series\\home ftp server\\homeftpserver.exe"= UDP:c:\program files\home series\home ftp server\homeftpserver.exe:HomeFtpServer
"UDP Query User{616E3B65-9E30-41AB-848E-52E00132FAAA}c:\\program files\\home series\\home ftp server\\homeftpserver.exe"= TCP:c:\program files\home series\home ftp server\homeftpserver.exe:HomeFtpServer
"TCP Query User{EE569149-E1D9-4738-9277-51DA6CFCA400}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{3EF02C23-5712-4052-B2B8-0EF0CD3C142D}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"TCP Query User{8D2E8D64-59A4-46BA-8C8E-E9C47BEF442D}c:\\users\\bilham\\desktop\\installs\\ftp1\\ftpserver.exe"= UDP:c:\users\bilham\desktop\installs\ftp1\ftpserver.exe:ftpserver.exe
"UDP Query User{6D7C8027-BFD2-4359-BF02-9EA83CEE3817}c:\\users\\bilham\\desktop\\installs\\ftp1\\ftpserver.exe"= TCP:c:\users\bilham\desktop\installs\ftp1\ftpserver.exe:ftpserver.exe
"{01448010-F8C9-4B5D-BF5D-64545B818935}"= UDP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{EF1D1F3C-D6CB-4F19-AE9F-0AC3BBD3B0E0}"= TCP:c:\program files\SmartFTP Client\SmartFTP.exe:SmartFTP Client
"{6A80F2B5-21EB-4847-9089-20516A4EBE01}"= UDP:c:\program files\BitTorrent_DNA\dna.exe:DNA
"{C4910C97-A396-4FF6-941A-C3CC65BD4C6A}"= TCP:c:\program files\BitTorrent_DNA\dna.exe:DNA
"TCP Query User{5C043017-74FD-407D-8F9D-9A0E7A9667FB}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
"UDP Query User{CE6EA18E-B703-4E05-860F-544E1FE9F7E5}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus
"{79EDC4C2-2C6F-4054-8E61-A13081526240}"= UDP:6881:bittorrent
"TCP Query User{C3BE4B43-86F0-44CA-82E6-C77EA54D87BF}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{A8206B06-29BB-4712-B1A6-A12A2F631D23}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"{A49539C5-7FEF-4E0B-B429-703A66BC8DBF}"= UDP:6889:bittt
"TCP Query User{0B7A759A-C2CE-4CA8-BF37-C9E0ABB18588}c:\\program files\\bittornado\\btdownloadgui.exe"= UDP:c:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"UDP Query User{E90CCBEC-6F1C-4448-B025-83C62BEE9DB8}c:\\program files\\bittornado\\btdownloadgui.exe"= TCP:c:\program files\bittornado\btdownloadgui.exe:btdownloadgui
"{D2CAFEAF-9719-4D03-896F-1E4D37EAAFF9}"= UDP:10000:bittor
"{8A1A8A68-49AB-4A34-8975-6D43D56032C1}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{C30BB4DD-47A5-4440-B7BB-E57FB0AC4146}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{1D5EE329-B349-4EA8-844E-61C1B1B06385}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{1E408D44-AABE-44D8-9E10-24BF18ACBFEE}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{32EF49D3-589D-4F25-8FE3-22DB8C4A18F7}c:\\program files\\azureus\\azureus.exe"= UDP:c:\program files\azureus\azureus.exe:Azureus
"UDP Query User{CEE3EB13-28C7-4510-A41B-D03FE737227B}c:\\program files\\azureus\\azureus.exe"= TCP:c:\program files\azureus\azureus.exe:Azureus
"TCP Query User{3C8E6063-15D1-43B5-8631-D501FC440250}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"UDP Query User{1E5EB8BD-B688-4420-B4D0-C0995E7D8BE3}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:bittorrent
"{3641361D-A917-4FA5-B6FF-B05C28273207}"= UDP:c:\program files\BitTorrent_DNA\btdna.exe:DNA
"{4C19D0DC-1D36-4AA3-A2A2-865ED6A0A1F0}"= TCP:c:\program files\BitTorrent_DNA\btdna.exe:DNA
"{782EF36E-48E8-4AB3-ADDA-CD22ACC3531C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{7BB13879-C0F4-41D0-8143-A4638FE7C731}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{427B8FC1-ABA7-4D9A-AFD4-DEEF08B6B9EF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3E35BAC7-2F58-4C53-AB21-4D3A7E4F0C2C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{53420DE8-B10A-41D9-A71D-3786F1D30630}"= UDP:c:\program files\BitTorrent_DNA\btdna.exe:DNA
"{676DBFE9-C1E7-46BC-915B-DBC0CF9F1BF9}"= TCP:c:\program files\BitTorrent_DNA\btdna.exe:DNA
"TCP Query User{F183EBD9-C5A2-41B8-A25A-2A19FE84AEED}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{A093AA76-34E3-4AB8-BC25-E04B7E4731E7}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{6B6057DE-F90C-4B84-869D-7A65F4557092}c:\\program files\\viewoncode\\viewonlog\\bin\\viewonlog.exe"= UDP:c:\program files\viewoncode\viewonlog\bin\viewonlog.exe:ViewonLog
"UDP Query User{0BED171F-6377-43F7-AA89-B30034E606C7}c:\\program files\\viewoncode\\viewonlog\\bin\\viewonlog.exe"= TCP:c:\program files\viewoncode\viewonlog\bin\viewonlog.exe:ViewonLog
"{39E79600-618E-4AEC-A301-1FF3550C98F0}"= UDP:c:\program files\BitTorrent_DNA\btdna.exe:DNA (TCP-In)
"{25A90BA2-C65F-4C0F-ACB4-4E4F70CC9618}"= TCP:c:\program files\BitTorrent_DNA\btdna.exe:DNA (UDP-In)
"{067C71D3-C483-499F-8999-6681FFBF59E0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8C796783-1A25-4077-A5F7-4A4B8EBA5603}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DefaultInboundAction"= 1 (0x1)
"DefaultOutboundAction"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R2 DbgSvc;Debug Diagnostic Service;"c:\program files\DebugDiag\DbgSvc.exe" [2007-01-16 316256]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-12-11 809296]
R2 Tmntsrv;Trend Micro Real-time Service;c:\program files\Trend Micro\Internet Security 14\Tmntsrv.exe [2006-09-25 345696]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-02-02 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security 14\tmproxy.exe [2006-09-25 566872]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\DRIVERS\WUSB54GCx86.sys [2008-05-16 256000]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security 14\TmPfw.exe [2006-09-25 923216]
S3 DCamUSBLTN;Kodak DVC325 Digital Video Camera;c:\windows\system32\DRIVERS\dvc325.sys [2007-05-15 112624]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-02-02 29744]
S3 mam4410c;mam4410c;c:\windows\system32\Drivers\mam4410c.sys [2008-05-16 24784]
S3 mam4410m;mam4410m;c:\windows\system32\Drivers\mam4410m.sys [2008-05-16 25044]
S3 mam4410u;mam4410u;c:\windows\system32\Drivers\mam4410u.sys [2008-05-16 52309]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\shell\AutoRun\command - l:\system\viewer\FlipVideoforPC.exe
\shell\Flip Video for PC\command - l:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a551f6e8-9165-11dc-980c-0019d119d43c}]
\shell\AutoRun\command - m:\wd_windows_tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7ccedf8-7130-11dd-8ce0-0019d119d43c}]
\shell\AutoRun\command - o:\system\viewer\FlipVideoforPC.exe
\shell\Flip Video for PC\command - o:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\Uniblue SpyEraser Nag.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-10-26 02:01]

2008-12-13 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2008-10-26 02:01]

2008-12-13 c:\windows\Tasks\User_Feed_Synchronization-{30F3021C-AF3B-46B1-92E3-82F713D2EA64}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 04:45]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 13:29:03
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-12-13 13:35:26
ComboFix-quarantined-files.txt 2008-12-13 18:35:24

Pre-Run: 10,065,854,464 bytes free
Post-Run: 10,036,805,632 bytes free

269 --- E O F --- 2008-10-23 13:49:30

#14 bilham

Posted 19 November 2009 - 04:58 PM

Rebooted and all is well, as far as I can tell.

#15 bilham

Posted 19 November 2009 - 05:05 PM

Spybot S&D is asking me about a registry change for MSConfig. Should I care?



