google links redirected


  • This topic is locked
41 replies to this topic

#1 RamPower

RamPower

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:45 AM

Posted 23 December 2009 - 01:54 PM

I am running a dual boot with Vista Home and XP Home editions. When in Vista everything seems fine, but in XP my home page loads really slowly and the Google links are redirected to various sites. I have tried several scans that don't seem to detect an infection. This problem seemed to have started when I tried to log in to my eBay account and got redirected to a page that kept asking for personal info like credit card numbers, social sec. number, etc. I finally just put in bogus info and the page went away, but then my Google links started being redirected. Thanks for any help you can give me. This is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:20 PM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVIDIA nTune] "E:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [PopUpKiller] E:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://E:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://E:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://E:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://E:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - E:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins5/inst...rs/Copysafe.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - E:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7380 bytes
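As an added example (mine, not from the thread and not HijackThis code), this Python script parses the R/O entries of the HijackThis log format shown above and flags the kinds of entries a helper checks first. The sample lines are copied from the log above, except for one constructed `(no file)` line; the allow-list of expected ActiveX download hosts is an assumption made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log in the first post, plus one
# constructed O2 line (placeholder GUID, "(no file)") to exercise the orphan rule.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Hosts from which O16 (DPF / ActiveX) downloads are expected on this machine.
# Assumption made for the example; HijackThis itself has no such list.
EXPECTED_DPF_HOSTS = {"go.microsoft.com", "dlm.tools.akamai.com", "www.nvidia.com"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # everything after "O4 - "
    line: str  # the original line, kept for reporting


def parse_hjt(text: str) -> list[Entry]:
    """Return the R*/O* entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["code"], m["body"], raw.strip()))
    return entries


def run_command_exe(cmd: str) -> str:
    """Executable part of an O4 Run command: the quoted path, or else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(text: str) -> list[tuple[str, str]]:
    """Return (rule, line) pairs for the entries a helper would check first.

    These are review prompts, not verdicts: each hit on the sample above is
    benign on the machine in this thread, but each is also a place where
    malware commonly persists, so the file behind it should be identified.
    """
    findings = []
    reported_lsp: set[str] = set()
    for e in parse_hjt(text):
        if "(no file)" in e.body.lower():
            # Registry entry whose target is gone: leftover of an uninstall or a removal.
            findings.append(("orphaned-entry", e.line))
        elif e.code == "O4":
            m = RUN_RE.match(e.body)
            exe = run_command_exe(m["cmd"]) if m else ""
            # A bare file name is resolved via the search path at logon, so a
            # same-named file placed earlier in that path would run instead.
            if exe and "\\" not in exe and ":" not in exe:
                findings.append(("run-key-unqualified-path", e.line))
        elif e.code == "O10" and e.body not in reported_lsp:
            # HijackThis could not attribute the LSP DLL. The repeated lines are
            # one DLL registered for several protocols, so report it once.
            reported_lsp.add(e.body)
            findings.append(("lsp-unknown-dll", e.line))
        elif e.code == "O16":
            host = urlparse(e.body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in EXPECTED_DPF_HOSTS:
                findings.append(("dpf-unexpected-host", e.line))
        elif e.code == "O23" and " - Unknown owner - " in e.body:
            # Service binary with no vendor string: verify the publisher/signature.
            findings.append(("service-unknown-owner", e.line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```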


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:45 AM

Posted 04 January 2010 - 03:37 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only, and by no means should they be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log
Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks, and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 RamPower

RamPower
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:45 AM

Posted 07 January 2010 - 01:55 PM

Thanks for the help. I have since resolved the redirect problem by running combofix but I am not sure if my computer is completely clean. Please let me know what else I may need to do.

DDS.txt:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ronnie at 22:17:38.79 on Wed 01/06/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1844 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ronnie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - e:\program files\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - e:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
mRun: [NVIDIA nTune] "e:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [PopUpKiller] e:\program files\popup killer\PopUpKiller.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: &ieSpell Options - e:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - e:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://e:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://e:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://e:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://e:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - e:\progra~1\spybot~1\SDHelper.dll
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ronnie\applic~1\mozilla\firefox\profiles\v4oqjgwm.default\
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ronnie\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\program files\adobe\acrobat 7.0\acrobat\browser\nppdf32.dll
FF - plugin: e:\program files\itunes\mozilla plugins\npitunes.dll
FF - plugin: e:\program files\netscape6\nppl3260.dll
FF - plugin: e:\program files\netscape6\nprjplug.dll
FF - plugin: e:\program files\netscape6\nprpjplug.dll
FF - plugin: e:\program files\opera\program\plugins\npdsplay.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin2.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin3.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin4.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin5.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin6.dll
FF - plugin: e:\program files\opera\program\plugins\npqtplugin7.dll
FF - plugin: e:\program files\opera\program\plugins\NPSWF32.dll
FF - plugin: e:\program files\opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-10 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-4-28 333192]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-4-28 28424]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-4-28 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-16 285392]
S1 SASDIFSV;SASDIFSV; [x]
S1 SASKUTIL;SASKUTIL; [x]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 samhid910;samhid910;c:\windows\system32\drivers\samhidb.sys [2008-12-4 22391]
S3 SASENUM;SASENUM; [x]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-6-4 192512]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1184912]

=============== Created Last 30 ================

2010-01-02 17:51:51 0 d-----w- C:\Games
2009-12-29 02:48:00 0 d-sh--w- C:\$RECYCLE.BIN
2009-12-28 23:48:43 0 d-sha-r- C:\cmdcons
2009-12-28 23:36:58 77312 ----a-w- c:\windows\MBR.exe
2009-12-28 23:36:58 261632 ----a-w- c:\windows\PEV.exe
2009-12-22 05:39:21 0 d-----w- C:\RECYCLER(2)
2009-12-22 02:34:51 0 d-----w- C:\ie-spyad_zo
2009-12-22 01:16:09 0 d-----w- c:\documents and settings\ronnie\IECompatCache
2009-12-22 01:14:20 0 d-----w- c:\documents and settings\ronnie\PrivacIE
2009-12-22 01:12:22 0 d-----w- c:\documents and settings\ronnie\IETldCache
2009-12-22 01:09:24 0 d-----w- c:\windows\ie8updates
2009-12-22 01:07:16 0 dc----w- c:\windows\ie8
2009-12-21 04:47:06 0 d-----w- c:\docume~1\ronnie\applic~1\Uniblue
2009-12-16 22:18:46 0 d-----w- c:\docume~1\ronnie\applic~1\NCH Software
2009-12-16 22:18:33 0 d-----w- c:\program files\NCH Software
2009-12-16 22:17:42 0 d-----w- c:\program files\NCH Swift Sound
2009-12-10 22:24:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-10 22:08:17 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-10 22:04:57 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-10 22:04:42 0 d-----w- c:\program files\Lavasoft
2009-12-10 08:36:09 0 d-----w- c:\docume~1\ronnie\applic~1\Malwarebytes
2009-12-10 08:36:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 08:36:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-10 08:36:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-08 07:22:19 0 d-----w- c:\docume~1\ronnie\applic~1\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1

==================== Find3M ====================

2009-12-22 07:17:21 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-11-17 03:18:17 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 03:18:13 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-17 03:18:13 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 02:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet(3).dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\wininet.dll
2009-10-29 05:38:22 627712 ----a-w- c:\windows\system32\urlmon(3).dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

============= FINISH: 22:17:56.10 ===============


Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume4
Install Date: 4/22/2008 11:20:59 PM
System Uptime: 1/6/2010 6:47:34 PM (4 hours ago)

Motherboard: XFX | | XFX Nforce 680i LT
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | Socket 775 | 2399/267mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 93 GiB total, 70.957 GiB free.
D: is FIXED (NTFS) - 93 GiB total, 48.895 GiB free.
E: is FIXED (NTFS) - 47 GiB total, 23.318 GiB free.
F: is FIXED (NTFS) - 233 GiB total, 173.902 GiB free.
G: is CDROM ()
H: is CDROM (UDF)
I: is FIXED (NTFS) - 466 GiB total, 461.41 GiB free.
M: is FIXED (NTFS) - 29 GiB total, 18.644 GiB free.
N: is FIXED (NTFS) - 19 GiB total, 10.991 GiB free.
O: is FIXED (NTFS) - 186 GiB total, 130.688 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP633: 1/1/2010 2:46:21 PM - System Checkpoint
RP634: 1/1/2010 2:49:00 PM - Avg8 Update
RP635: 1/2/2010 3:44:12 PM - System Checkpoint
RP636: 1/6/2010 7:05:59 PM - System Checkpoint

==== Installed Programs ======================

PPA Calculator version 2.0.0.200
Ad-Aware
Ad-Aware SE Professional
Adobe Acrobat 7.0 Professional
Adobe Acrobat 7.1.0 Professional
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
AML Free Registry Cleaner 4.20
AoA DVD Copy
Apple Mobile Device Support
Apple Software Update
AudioConverter Studio 5.5
AudioConverter Studio 5.9
AVG Free 9.0
Bonjour
BufferChm
Calculator Powertoy for Windows XP
ClearType Tuning Control Panel Applet
Click'N Design 3D (V5)
CloneDVD 4.3.0.3
CopySafe Plugin
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Panorama1Config
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Data Lifeguard Tools
Dell Picture Studio - Dell Image Expert
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DocProc
DVD Shrink 3.2
eSupportQFolder
Exact Audio Copy 0.99pb4
Express Burn
Express Rip
FullDPAppQFolder
Garmin City Navigator North America NT 2010.10 Update
Garmin Communicator Plugin
Garmin USB Drivers
Google Earth
Google Update Helper
Grand Theft Auto IV
GTA San Andreas
GTASA-Ultimate Editor
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Scanjet 4370
HP Solution Center & Imaging Support Tools 5.3
HP Update
hpg4370
HPProductAssistant
IconEdit Pro V7.04
ieSpell
Image Resizer Powertoy for Windows XP
ImgBurn
InstantShareDevices
IrfanView (remove only)
IsoBuster 2.0
iTunes
Java™ 6 Update 4
Java™ 6 Update 5
LightScribe System Software 1.10.13.1
LimeWire PRO 4.18.8
MAGIX Ringtone Maker 2 silver (US)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft IntelliPoint 5.3
Microsoft IntelliType Pro 5.3
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional with FrontPage
Microsoft Plus! for Windows XP
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
Move Media Player
Mozilla Firefox (3.0.5)
MP3-Info extension V3.3.19
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB925673)
MUSICMATCH® Jukebox
Nero 7 Demo
NfoDiz 6.0 Setup
nLite 1.4.5
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA nTune
Opera 10.10
PanoStandAlone
Philips Wireless PC Controller
PhotoGallery
PictureGear 4.1Lite
PokerStars
PopUp Killer
Prism Video Converter
Quicken 2006
QuickTime
RandMap
RealPlayer
Realtek High Definition Audio Driver
Rockstar Games Social Club
Safari
Scan
ScannerCopy
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
SkinsHP1
SolutionCenter
Sonic_PrimoSDK
Sony Picture Utility
Sony USB Driver
Spybot - Search & Destroy
System Requirements Lab
TidySongs
TidySongs (remove only)
Tweak UI
Uniblue RegistryBooster 2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
VideoPad Video Editor
VistaBootPRO 3.3
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Envelopes
Visual Labels
WavePad Sound Editor
WebFldrs XP
WebReg
Windows Defender
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
WinZip
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

12/30/2009 3:46:24 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000008, parameter4 00000000.
12/30/2009 3:46:21 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 8054b71c, parameter3 ac339ae8, parameter4 00000000.
12/30/2009 3:46:18 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000004, parameter2 00000002, parameter3 00000001, parameter4 ba5ed339.
12/30/2009 3:44:58 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 805b0f08, parameter3 aa60faf4, parameter4 00000000.
12/30/2009 3:43:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
1/2/2010 5:39:59 PM, error: Service Control Manager [7034] - The COM+ System Application service terminated unexpectedly. It has done this 4 time(s).
1/2/2010 5:39:54 PM, error: Service Control Manager [7034] - The COM+ System Application service terminated unexpectedly. It has done this 3 time(s).
1/2/2010 5:39:53 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
1/2/2010 5:39:53 PM, error: Service Control Manager [7031] - The COM+ System Application service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
1/1/2010 8:51:58 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {7A7FB085-6068-4898-8CCA-480A9187277C}
1/1/2010 5:15:22 PM, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
1/1/2010 5:15:17 PM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
1/1/2010 5:15:17 PM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
1/1/2010 5:15:10 PM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
1/1/2010 4:44:30 PM, error: nvgts [5] - A parity error was detected on \Device\Scsi\nvgts1.
1/1/2010 2:44:32 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'expopups.ini' on the volume 'HarddiskVolume6'. It has stopped monitoring the volume.

==== End Of File ===========================


gmer.log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-07 12:40:57
Windows 5.1.2600 Service Pack 3
Running: 7rohzzvv.exe; Driver: C:\DOCUME~1\Ronnie\LOCALS~1\Temp\kwldqpod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32273FFD-D8A2-7429-18DF-121A6AAD004D}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32273FFD-D8A2-7429-18DF-121A6AAD004D}@jagcifmbbmmjmndkeamn 0x6A 0x61 0x6A 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32273FFD-D8A2-7429-18DF-121A6AAD004D}@iaecpldckaagljabmg 0x6A 0x61 0x6A 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}@iackojnhedijnbfdjg 0x6A 0x61 0x62 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}@haelgpgeedgbeeff 0x6A 0x61 0x62 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}@hagjanedjkkeibeh 0x6B 0x61 0x62 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}@hagjanedojbmfomc 0x70 0x62 0x62 0x6A ...

---- EOF - GMER 1.0.15 ----

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:45 AM

Posted 07 January 2010 - 02:24 PM

Hello RamPower,

Can you please post me the log you will find at c:\combofix.txt?

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 RamPower

RamPower
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:45 AM

Posted 07 January 2010 - 02:56 PM

Here is the ComboFix log.

ComboFix 09-12-27.04 - Ronnie 12/28/2009 17:54:02.2.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2091 [GMT -6:00]
Running from: c:\documents and settings\Ronnie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2230241215-1025421865-2288497057-1000
c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk
c:\documents and settings\Ronnie\Application Data\inst.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-29 )))))))))))))))))))))))))))))))
.

2009-12-23 04:40 . 2009-12-12 20:01 4043032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-23 04:40 . 2009-12-12 20:01 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-23 04:40 . 2009-12-20 00:10 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-23 04:34 . 2009-12-23 04:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-22 05:39 . 2009-12-22 06:37 -------- d-----w- C:\RECYCLER(2)
2009-12-22 02:34 . 2009-12-22 02:34 -------- d-----w- C:\ie-spyad_zo
2009-12-22 01:33 . 2009-12-22 01:33 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-22 01:24 . 2009-12-22 04:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-12-22 01:16 . 2009-12-22 01:16 -------- d-----w- c:\documents and settings\Ronnie\IECompatCache
2009-12-22 01:14 . 2009-12-22 01:14 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-22 01:14 . 2009-12-22 01:14 -------- d-----w- c:\documents and settings\Ronnie\PrivacIE
2009-12-22 01:12 . 2009-12-22 01:12 -------- d-----w- c:\documents and settings\Ronnie\IETldCache
2009-12-22 01:09 . 2009-12-22 01:09 -------- d-----w- c:\windows\ie8updates
2009-12-22 01:07 . 2009-12-22 06:39 -------- dc----w- c:\windows\ie8
2009-12-21 04:47 . 2009-12-22 07:01 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Uniblue
2009-12-21 02:47 . 2009-12-21 02:47 -------- d-----w- c:\documents and settings\RamPower00\Application Data\Malwarebytes
2009-12-20 00:11 . 2009-12-12 20:01 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-16 22:42 . 2009-12-16 23:06 -------- d-----w- c:\documents and settings\Ronnie\Application Data\ImgBurn
2009-12-16 22:23 . 2009-12-16 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\documents and settings\Ronnie\Application Data\NCH Software
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\program files\NCH Software
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-16 22:17 . 2009-12-16 22:18 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-11 22:10 . 2009-12-11 22:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-10 22:24 . 2009-12-10 22:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-10 22:08 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-10 22:08 . 2009-12-10 22:08 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-10 22:08 . 2009-12-10 22:08 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-10 22:08 . 2009-12-10 22:08 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-10 22:08 . 2009-12-10 22:08 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-10 22:08 . 2009-12-10 22:08 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-10 22:07 . 2009-12-10 22:08 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-10 22:07 . 2009-12-10 22:07 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-10 22:07 . 2009-12-10 22:07 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-10 22:07 . 2009-12-10 22:07 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-10 22:07 . 2009-12-10 22:07 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-10 22:07 . 2009-12-10 22:07 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-10 22:07 . 2009-12-10 22:07 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-10 22:07 . 2009-12-10 22:07 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-10 22:06 . 2009-12-10 22:06 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-10 22:06 . 2009-12-10 22:06 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-10 22:06 . 2009-12-10 22:06 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-10 22:06 . 2009-12-10 22:06 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-10 22:06 . 2009-12-10 22:06 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-10 22:04 . 2009-12-16 18:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-10 22:04 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-10 22:04 . 2009-12-16 18:26 -------- d-----w- c:\program files\Lavasoft
2009-12-10 08:36 . 2009-12-10 08:36 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-10 08:36 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 08:36 . 2009-12-10 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-10 08:36 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\documents and settings\Ronnie\Application Data\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1
2009-12-08 07:22 . 2009-12-08 07:21 38208 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-08 07:22 . 2009-12-08 07:21 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-08 03:03 . 2009-12-08 07:00 -------- d-----w- C:\My Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 22:28 . 2008-05-03 23:28 110328 ----a-w- c:\documents and settings\RamPower00\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 21:22 . 2008-04-26 02:02 110328 ----a-w- c:\documents and settings\Ronnie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 07:17 . 2008-04-26 04:50 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-12-22 06:39 . 2008-05-23 18:29 -------- d-----w- c:\program files\Google
2009-12-22 06:37 . 2009-04-21 16:21 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Move Networks
2009-12-22 03:46 . 2008-05-03 21:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-20 18:53 . 2008-05-02 22:45 -------- d-----w- c:\documents and settings\Ronnie\Application Data\SUPERAntiSpyware.com
2009-12-16 21:41 . 2009-04-30 04:37 9618 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-12-16 18:26 . 2008-04-23 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 18:26 . 2008-05-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 20:01 . 2009-11-23 23:00 3967256 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-30 03:42 . 2008-04-28 00:23 -------- d-----w- c:\documents and settings\Ronnie\Application Data\LimeWire
2009-11-17 03:18 . 2008-04-28 06:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 03:18 . 2008-04-28 06:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-17 03:18 . 2008-04-28 06:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-17 03:18 . 2008-04-28 06:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-17 03:18 . 2009-11-17 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-17 03:18 . 2008-04-28 06:01 -------- d-----w- c:\program files\AVG
2009-11-03 02:42 . 2009-10-04 16:55 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 01:31 . 2009-11-03 01:31 -------- d-----w- c:\documents and settings\RamPower00\Application Data\AdobeUM
2009-11-02 14:27 . 2008-05-05 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-29 05:38 . 2004-08-04 05:56 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38 . 2004-08-04 05:56 667136 ----a-w- c:\windows\system32\wininet(3).dll
2009-10-29 05:38 . 2004-08-04 05:56 627712 ----a-w- c:\windows\system32\urlmon(3).dll
2009-10-21 05:38 . 2004-08-04 05:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 05:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:56 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"PopUpKiller"="e:\program files\PopUp Killer\PopUpKiller.EXE" [2001-06-27 92160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 16875008]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-17 03:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^Deewoo.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^DW_Start.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Adapter 5.1.3214
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCKitchenRegistryCleaner
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\system tool

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- e:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 21:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 21:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 21:25 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- e:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-06-26 23:04 53248 ----a-w- e:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-03 10:46 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 23:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 ------w- e:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-07 15:53 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"LightScribeService"=3 (0x3)
"MDM"=2 (0x2)
"WZCSVC"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"RasMan"=3 (0x3)
"CSHelper"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=3 (0x3)
"idsvc"=3 (0x3)
"gupdate"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\PPACalculator\\FB\\bin\\PokerServer-fb.exe"=
"e:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmjb.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"=
"e:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9431:TCP"= 9431:TCP:Services
"7552:TCP"= 7552:TCP:Services
"9677:TCP"= 9677:TCP:Services
"3866:TCP"= 3866:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/10/2009 4:08 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2008 12:01 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2008 12:01 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/16/2009 9:18 PM 285392]
S1 SASDIFSV;SASDIFSV; [x]
S1 SASKUTIL;SASKUTIL; [x]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 samhid910;samhid910;c:\windows\system32\drivers\samhidb.sys [12/4/2008 1:43 PM 22391]
S3 SASENUM;SASENUM; [x]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [6/4/2008 8:30 PM 192512]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/20/2009 11:25 AM 133104]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - e:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - e:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://e:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://e:\program files\ieSpell\wikipedia.HTM
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
FF - ProfilePath - c:\documents and settings\Ronnie\Application Data\Mozilla\Firefox\Profiles\v4oqjgwm.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Ronnie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Netscape6\nprpjplug.dll
FF - plugin: e:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: e:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: e:\program files\Opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89516130]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> 0x89516130
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Linksys NC100 Fast Ethernet Adapter -> SendCompleteHandler -> 0x8960f450
PacketIndicateHandler -> NDIS.sys @ 0xba5e0a21
SendHandler -> NDIS.sys @ 0xba5d5949
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x01D383773
malicious code @ sector 0x01D383776 !
PE file found in sector at 0x01D38378C !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32273FFD-D8A2-7429-18DF-121A6AAD004D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jagcifmbbmmjmndkeamn"=hex:6a,61,6a,68,61,66,6a,6f,6e,67,6f,64,6b,6a,65,62,62,
61,65,65,00,f2
"iaecpldckaagljabmg"=hex:6a,61,6a,68,61,66,6a,6f,6e,67,6f,64,6b,6a,65,62,62,61,
65,65,00,02

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iackojnhedijnbfdjg"=hex:6a,61,62,70,69,68,68,68,62,6f,68,69,61,6f,70,6a,6c,65,
6e,61,00,f1
"haelgpgeedgbeeff"=hex:6a,61,62,70,69,68,68,68,62,6f,68,69,61,6f,70,6a,6c,65,
6e,61,00,00
"hagjanedjkkeibeh"=hex:6b,61,62,6b,67,6f,6f,6e,70,6b,68,6d,6d,66,70,64,63,63,
61,6e,65,6f,00,00
"hagjanedojbmfomc"=hex:70,62,62,6a,64,65,6e,61,62,61,6e,63,63,70,61,6c,6b,67,
6a,62,69,70,6e,6c,6c,68,66,70,63,66,61,6f,6a,6e,6e,64,6b,63,66,63,6f,67,65,\

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:3d,68,5f,17,0e,80,17,5d,82,c8,f1,2c,f1,79,61,17,79,0d,f5,c9,32,
02,c0,fa,50,14,d1,a1,9e,b4,12,8b,69,ca,73,13,66,95,09,b8,f7,ed,ac,56,08,b7,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(848)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-28 18:04:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-29 00:04
ComboFix2.txt 2009-12-22 05:34
ComboFix3.txt 2008-05-05 17:43

Pre-Run: 70,792,830,976 bytes free
Post-Run: 71,023,034,368 bytes free

- - End Of File - - 7699023F91E44AD5CDA0F357160666D0

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:45 AM

Posted 07 January 2010 - 03:02 PM

You ran Combofix twice; please also post the log at c:\qoobox\combofix2.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 RamPower

RamPower
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:45 AM

Posted 07 January 2010 - 03:04 PM

combofix2

ComboFix 09-12-21.02 - Ronnie 12/21/2009 23:10:11.3.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2050 [GMT -6:00]
Running from: f:\downloads\Security\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 02:34 . 2009-12-22 02:34 -------- d-----w- C:\ie-spyad_zo
2009-12-22 01:33 . 2009-12-22 01:33 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-22 01:24 . 2009-12-22 04:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-12-22 01:18 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2009-12-22 01:16 . 2009-12-22 01:16 -------- d-sh--w- c:\documents and settings\Ronnie\IECompatCache
2009-12-22 01:14 . 2009-12-22 01:14 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-22 01:14 . 2009-12-22 01:14 -------- d-sh--w- c:\documents and settings\Ronnie\PrivacIE
2009-12-22 01:12 . 2009-12-22 01:12 -------- d-sh--w- c:\documents and settings\Ronnie\IETldCache
2009-12-22 01:09 . 2009-12-22 01:09 -------- d-----w- c:\windows\ie8updates
2009-12-22 01:07 . 2009-12-22 01:07 -------- dc-h--w- c:\windows\ie8
2009-12-22 01:01 . 2009-10-29 07:45 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-22 01:01 . 2009-10-29 07:45 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-22 01:01 . 2009-10-29 07:45 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-22 01:01 . 2009-10-29 07:45 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-22 01:01 . 2009-10-29 07:45 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-12-22 01:01 . 2009-10-29 07:45 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-12-22 01:01 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-22 00:48 . 2009-12-22 00:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-21 04:47 . 2009-12-21 04:47 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Uniblue
2009-12-21 02:47 . 2009-12-21 02:47 -------- d-----w- c:\documents and settings\RamPower00\Application Data\Malwarebytes
2009-12-16 22:42 . 2009-12-16 23:06 -------- d-----w- c:\documents and settings\Ronnie\Application Data\ImgBurn
2009-12-16 22:23 . 2009-12-16 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\documents and settings\Ronnie\Application Data\NCH Software
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\program files\NCH Software
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-16 22:17 . 2009-12-16 22:18 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-11 22:10 . 2009-12-11 22:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-10 22:24 . 2009-12-10 22:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-10 22:08 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-10 22:04 . 2009-12-16 18:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-10 22:04 . 2009-12-16 18:26 -------- d-----w- c:\program files\Lavasoft
2009-12-10 08:36 . 2009-12-10 08:36 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-10 08:36 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 08:36 . 2009-12-10 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-10 08:36 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\documents and settings\Ronnie\Application Data\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-08 03:03 . 2009-12-08 07:00 -------- d-----w- C:\My Music

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 03:46 . 2008-05-03 21:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 00:51 . 2008-05-23 18:29 -------- d-----w- c:\program files\Google
2009-12-21 17:01 . 2008-04-26 02:02 110328 ----a-w- c:\documents and settings\Ronnie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 16:20 . 2008-05-03 23:28 110328 ----a-w- c:\documents and settings\RamPower00\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-20 18:53 . 2008-05-02 22:45 -------- d-----w- c:\documents and settings\Ronnie\Application Data\SUPERAntiSpyware.com
2009-12-17 17:15 . 2009-04-21 16:21 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Move Networks
2009-12-16 21:41 . 2009-04-30 04:37 9618 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-12-16 18:26 . 2008-04-23 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 18:26 . 2008-05-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-12 20:01 . 2009-12-20 00:11 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-11 19:59 . 2008-04-26 04:50 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-12-10 22:08 . 2009-12-10 22:08 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-10 22:08 . 2009-12-10 22:08 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-10 22:08 . 2009-12-10 22:08 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-10 22:08 . 2009-12-10 22:08 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-10 22:08 . 2009-12-10 22:08 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-10 22:08 . 2009-12-10 22:07 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-10 22:07 . 2009-12-10 22:07 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-10 22:07 . 2009-12-10 22:07 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-10 22:07 . 2009-12-10 22:07 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-10 22:07 . 2009-12-10 22:07 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-10 22:07 . 2009-12-10 22:07 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-10 22:07 . 2009-12-10 22:07 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-10 22:07 . 2009-12-10 22:07 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-10 22:06 . 2009-12-10 22:06 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-10 22:06 . 2009-12-10 22:06 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-10 22:06 . 2009-12-10 22:06 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-10 22:06 . 2009-12-10 22:06 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-10 22:06 . 2009-12-10 22:06 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-08 07:21 . 2009-12-08 07:22 38208 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-08 07:21 . 2009-12-08 07:22 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-30 03:42 . 2008-04-28 00:23 -------- d-----w- c:\documents and settings\Ronnie\Application Data\LimeWire
2009-11-23 23:00 . 2009-11-23 23:00 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-23 23:00 . 2009-11-23 23:00 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-11-23 23:00 . 2009-11-23 23:00 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-21 15:51 . 2004-08-04 05:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 03:18 . 2008-04-28 06:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 03:18 . 2008-04-28 06:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-17 03:18 . 2008-04-28 06:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-17 03:18 . 2008-04-28 06:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-17 03:18 . 2009-11-17 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-17 03:18 . 2008-04-28 06:01 -------- d-----w- c:\program files\AVG
2009-11-03 02:42 . 2009-10-04 16:55 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 01:31 . 2009-11-03 01:31 -------- d-----w- c:\documents and settings\RamPower00\Application Data\AdobeUM
2009-11-02 14:27 . 2008-05-05 06:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-29 07:45 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 05:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 05:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-03 08:15 . 2009-12-10 22:04 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"PopUpKiller"="e:\program files\PopUp Killer\PopUpKiller.EXE" [2001-06-27 92160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 16875008]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-12 2033432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-17 03:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^Deewoo.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^DW_Start.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Host Process

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Adapter 5.1.3214
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCKitchenRegistryCleaner
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\system tool

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- e:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 21:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 21:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 21:25 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- e:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-06-26 23:04 53248 ----a-w- e:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-03 10:46 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 23:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 ------w- e:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-07 15:53 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"LightScribeService"=3 (0x3)
"MDM"=2 (0x2)
"WZCSVC"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"RasMan"=3 (0x3)
"CSHelper"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=3 (0x3)
"idsvc"=3 (0x3)
"gupdate"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\PPACalculator\\FB\\bin\\PokerServer-fb.exe"=
"e:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmjb.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"=
"e:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9431:TCP"= 9431:TCP:Services
"7788:TCP"= 7788:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/10/2009 4:08 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2008 12:01 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2008 12:01 AM 360584]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Ronnie\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Ronnie\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Ronnie\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Ronnie\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]
S3 samhid910;samhid910;c:\windows\system32\drivers\samhidb.sys [12/4/2008 1:43 PM 22391]
S3 SASENUM;SASENUM; [x]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/16/2009 9:18 PM 285392]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [6/4/2008 8:30 PM 192512]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/20/2009 11:25 AM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - e:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - e:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://e:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://e:\program files\ieSpell\wikipedia.HTM
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
FF - ProfilePath - c:\documents and settings\Ronnie\Application Data\Mozilla\Firefox\Profiles\v4oqjgwm.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Ronnie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Netscape6\nprpjplug.dll
FF - plugin: e:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: e:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: e:\program files\Opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-21 23:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8943E6F0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> 0x8943e6f0
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Linksys NC100 Fast Ethernet Adapter -> SendCompleteHandler -> 0x895cf450
PacketIndicateHandler -> NDIS.sys @ 0xba5e0a21
SendHandler -> NDIS.sys @ 0xba5d5949
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x01D383773
malicious code @ sector 0x01D383776 !
PE file found in sector at 0x01D38378C !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32273FFD-D8A2-7429-18DF-121A6AAD004D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jagcifmbbmmjmndkeamn"=hex:6a,61,6a,68,61,66,6a,6f,6e,67,6f,64,6b,6a,65,62,62,
61,65,65,00,f2
"iaecpldckaagljabmg"=hex:6a,61,6a,68,61,66,6a,6f,6e,67,6f,64,6b,6a,65,62,62,61,
65,65,00,02

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iackojnhedijnbfdjg"=hex:6a,61,62,70,69,68,68,68,62,6f,68,69,61,6f,70,6a,6c,65,
6e,61,00,f1
"haelgpgeedgbeeff"=hex:6a,61,62,70,69,68,68,68,62,6f,68,69,61,6f,70,6a,6c,65,
6e,61,00,00
"hagjanedjkkeibeh"=hex:6b,61,62,6b,67,6f,6f,6e,70,6b,68,6d,6d,66,70,64,63,63,
61,6e,65,6f,00,00
"hagjanedojbmfomc"=hex:70,62,62,6a,64,65,6e,61,62,61,6e,63,63,70,61,6c,6b,67,
6a,62,69,70,6e,6c,6c,68,66,70,63,66,61,6f,6a,6e,6e,64,6b,63,66,63,6f,67,65,\

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:3d,68,5f,17,0e,80,17,5d,82,c8,f1,2c,f1,79,61,17,79,0d,f5,c9,32,
02,c0,fa,50,14,d1,a1,9e,b4,12,8b,69,ca,73,13,66,95,09,b8,f7,ed,ac,56,08,b7,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(840)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(3296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
.
**************************************************************************
.
Completion time: 2009-12-21 23:34:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 05:34
ComboFix2.txt 2008-05-05 17:43

Pre-Run: 71,771,717,632 bytes free
Post-Run: 72,189,444,096 bytes free

- - End Of File - - C9402DCEB3F9706489927FD5619950A4

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,107 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:10:45 AM

Posted 07 January 2010 - 03:08 PM

Hello RamPower,

Please delete any old copy of combofix you might still have!

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer or ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 RamPower

RamPower
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:01:45 AM

Posted 07 January 2010 - 03:51 PM

Everything ran fine

ComboFix 10-01-04.01 - Ronnie 01/07/2010 14:38:29.3.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.2096 [GMT -6:00]
Running from: c:\documents and settings\Ronnie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2230241215-1025421865-2288497057-1000

.
((((((((((((((((((((((((( Files Created from 2009-12-07 to 2010-01-07 )))))))))))))))))))))))))))))))
.

2010-01-02 17:51 . 2010-01-02 17:53 -------- d-----w- C:\Games
2010-01-01 20:49 . 2009-12-12 20:01 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-12-23 04:40 . 2009-12-23 04:40 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-12-23 04:40 . 2009-12-12 20:01 3776280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2009-12-23 04:40 . 2009-12-20 00:10 294656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglngx.dll
2009-12-23 04:34 . 2009-12-23 04:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-12-22 05:39 . 2009-12-22 06:37 -------- d-----w- C:\RECYCLER(2)
2009-12-22 02:34 . 2009-12-22 02:34 -------- d-----w- C:\ie-spyad_zo
2009-12-22 01:33 . 2009-12-22 01:33 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-12-22 01:24 . 2009-12-22 04:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-12-22 01:16 . 2009-12-22 01:16 -------- d-----w- c:\documents and settings\Ronnie\IECompatCache
2009-12-22 01:14 . 2009-12-22 01:14 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-12-22 01:14 . 2009-12-22 01:14 -------- d-----w- c:\documents and settings\Ronnie\PrivacIE
2009-12-22 01:12 . 2009-12-22 01:12 -------- d-----w- c:\documents and settings\Ronnie\IETldCache
2009-12-22 01:09 . 2009-12-22 01:09 -------- d-----w- c:\windows\ie8updates
2009-12-22 01:07 . 2009-12-22 06:39 -------- dc----w- c:\windows\ie8
2009-12-21 04:47 . 2009-12-22 07:01 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Uniblue
2009-12-21 02:47 . 2009-12-21 02:47 -------- d-----w- c:\documents and settings\RamPower00\Application Data\Malwarebytes
2009-12-20 00:11 . 2009-12-12 20:01 2352920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgresf.dll
2009-12-16 22:42 . 2009-12-16 23:06 -------- d-----w- c:\documents and settings\Ronnie\Application Data\ImgBurn
2009-12-16 22:23 . 2009-12-16 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\documents and settings\Ronnie\Application Data\NCH Software
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\program files\NCH Software
2009-12-16 22:18 . 2009-12-16 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-16 22:17 . 2009-12-16 22:18 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-11 22:10 . 2009-12-11 22:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-10 22:24 . 2009-12-10 22:08 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-12-10 22:08 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-10 22:08 . 2009-12-10 22:08 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-12-10 22:08 . 2009-12-10 22:08 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-12-10 22:08 . 2009-12-10 22:08 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-12-10 22:08 . 2009-12-10 22:08 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-12-10 22:08 . 2009-12-10 22:08 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-12-10 22:07 . 2009-12-10 22:08 370744 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-12-10 22:07 . 2009-12-10 22:07 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-12-10 22:07 . 2009-12-10 22:07 194104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2009-12-10 22:07 . 2009-12-10 22:07 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-12-10 22:07 . 2009-12-10 22:07 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-12-10 22:07 . 2009-12-10 22:07 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-12-10 22:07 . 2009-12-10 22:07 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-12-10 22:07 . 2009-12-10 22:07 641632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-12-10 22:06 . 2009-12-10 22:06 816272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-12-10 22:06 . 2009-12-10 22:06 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-12-10 22:06 . 2009-12-10 22:06 1638640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-12-10 22:06 . 2009-12-10 22:06 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-12-10 22:06 . 2009-12-10 22:06 1184912 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-12-10 22:04 . 2009-12-16 18:26 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-12-10 22:04 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-12-10 22:04 . 2009-12-16 18:26 -------- d-----w- c:\program files\Lavasoft
2009-12-10 08:36 . 2009-12-10 08:36 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-10 08:36 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-10 08:36 . 2009-12-10 08:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-10 08:36 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-25 22:28 . 2008-05-03 23:28 110328 ----a-w- c:\documents and settings\RamPower00\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 04:39 . 2009-11-23 23:00 3966744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-12-22 21:22 . 2008-04-26 02:02 110328 ----a-w- c:\documents and settings\Ronnie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-22 07:17 . 2008-04-26 04:50 28256 ----a-w- c:\windows\system32\drivers\MxlW2k.sys
2009-12-22 06:39 . 2008-05-23 18:29 -------- d-----w- c:\program files\Google
2009-12-22 06:37 . 2009-04-21 16:21 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Move Networks
2009-12-22 03:46 . 2008-05-03 21:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-20 18:53 . 2008-05-02 22:45 -------- d-----w- c:\documents and settings\Ronnie\Application Data\SUPERAntiSpyware.com
2009-12-16 21:41 . 2009-04-30 04:37 9618 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-12-16 18:26 . 2008-04-23 04:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 18:26 . 2008-05-03 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\documents and settings\Ronnie\Application Data\tidysongs15.27F6A35B76E5883BF9E6FEE514586561E60595CA.1
2009-12-08 07:22 . 2009-12-08 07:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-08 07:21 . 2009-12-08 07:22 38208 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-12-08 07:21 . 2009-12-08 07:22 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-30 03:42 . 2008-04-28 00:23 -------- d-----w- c:\documents and settings\Ronnie\Application Data\LimeWire
2009-11-17 03:18 . 2008-04-28 06:01 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-17 03:18 . 2008-04-28 06:01 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-17 03:18 . 2008-04-28 06:01 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-17 03:18 . 2008-04-28 06:01 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-17 03:18 . 2009-11-17 03:18 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-17 03:18 . 2008-04-28 06:01 -------- d-----w- c:\program files\AVG
2009-11-03 02:42 . 2009-10-04 16:55 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 05:38 . 2004-08-04 05:56 667136 ----a-w- c:\windows\system32\wininet(3).dll
2009-10-29 05:38 . 2004-08-04 05:56 667136 ------w- c:\windows\system32\wininet.dll
2009-10-29 05:38 . 2004-08-04 05:56 627712 ----a-w- c:\windows\system32\urlmon(3).dll
2009-10-21 05:38 . 2004-08-04 05:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 05:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 04:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-04 05:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 05:56 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-12-29_00.01.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-07 20:44 . 2010-01-07 20:44 16384 c:\windows\TEMP\Perflib_Perfdata_d88.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="e:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-01-22 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"PopUpKiller"="e:\program files\PopUp Killer\PopUpKiller.EXE" [2001-06-27 92160]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-27 16875008]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-01 2033432]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-07 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-17 03:18 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^Deewoo.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^DW_Start.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 07:08 483328 ----a-w- e:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 21:20 57344 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2008-06-19 21:42 2808832 ----a-w- c:\windows\alcwzrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 21:25 94208 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 21:24 54840 ----a-w- e:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 19:20 290088 ----a-w- e:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-06-26 23:04 53248 ----a-w- e:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-03 10:46 1630208 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 16:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2008-06-18 23:01 77824 ----a-w- c:\windows\SoundMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 ------w- e:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-02-22 09:25 144784 ----a-w- c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-07 15:53 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)
"LightScribeService"=3 (0x3)
"MDM"=2 (0x2)
"WZCSVC"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"RasMan"=3 (0x3)
"CSHelper"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=3 (0x3)
"idsvc"=3 (0x3)
"gupdate"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"e:\\Program Files\\PPACalculator\\FB\\bin\\PokerServer-fb.exe"=
"e:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"e:\\Program Files\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"e:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"e:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmjb.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"e:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_server.exe"=
"e:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"9431:TCP"= 9431:TCP:Services
"7552:TCP"= 7552:TCP:Services
"9677:TCP"= 9677:TCP:Services
"3866:TCP"= 3866:TCP:Services

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/10/2009 4:08 PM 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/28/2008 12:01 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/28/2008 12:01 AM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/16/2009 9:18 PM 285392]
S1 SASDIFSV;SASDIFSV; [x]
S1 SASKUTIL;SASKUTIL; [x]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 samhid910;samhid910;c:\windows\system32\drivers\samhidb.sys [12/4/2008 1:43 PM 22391]
S3 SASENUM;SASENUM; [x]
S4 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [6/4/2008 8:30 PM 192512]
S4 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1184912]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2009-12-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 22:06]

2009-12-16 c:\windows\Tasks\videopadSevenDaysInit.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2009-12-16 22:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - e:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - e:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF
IE: Convert link target to existing PDF
IE: Convert selected links to Adobe PDF
IE: Convert selected links to existing PDF
IE: Convert selection to Adobe PDF
IE: Convert selection to existing PDF
IE: Convert to Adobe PDF
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~1\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://e:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://e:\program files\ieSpell\wikipedia.HTM
LSP: %SYSTEMROOT%\system32\nvLsp.dll
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
FF - ProfilePath - c:\documents and settings\Ronnie\Application Data\Mozilla\Firefox\Profiles\v4oqjgwm.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Ronnie\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: e:\program files\Adobe\Acrobat 7.0\Acrobat\browser\nppdf32.dll
FF - plugin: e:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: e:\program files\Netscape6\nppl3260.dll
FF - plugin: e:\program files\Netscape6\nprjplug.dll
FF - plugin: e:\program files\Netscape6\nprpjplug.dll
FF - plugin: e:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: e:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: e:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: e:\program files\Opera\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-07 14:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A97F2B0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> 0x8a97f2b0
\Driver\atapi -> atapi.sys @ 0xba737852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Linksys NC100 Fast Ethernet Adapter -> SendCompleteHandler -> 0x89513450
PacketIndicateHandler -> NDIS.sys @ 0xba5e0a21
SendHandler -> NDIS.sys @ 0xba5d5949
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x01D383773
malicious code @ sector 0x01D383776 !
PE file found in sector at 0x01D38378C !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{32273FFD-D8A2-7429-18DF-121A6AAD004D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jagcifmbbmmjmndkeamn"=hex:6a,61,6a,68,61,66,6a,6f,6e,67,6f,64,6b,6a,65,62,62,
61,65,65,00,f2
"iaecpldckaagljabmg"=hex:6a,61,6a,68,61,66,6a,6f,6e,67,6f,64,6b,6a,65,62,62,61,
65,65,00,02

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72DDD9F0-A9E2-5238-B154-74DF93091C27}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iackojnhedijnbfdjg"=hex:6a,61,62,70,69,68,68,68,62,6f,68,69,61,6f,70,6a,6c,65,
6e,61,00,f1
"haelgpgeedgbeeff"=hex:6a,61,62,70,69,68,68,68,62,6f,68,69,61,6f,70,6a,6c,65,
6e,61,00,00
"hagjanedjkkeibeh"=hex:6b,61,62,6b,67,6f,6f,6e,70,6b,68,6d,6d,66,70,64,63,63,
61,6e,65,6f,00,00
"hagjanedojbmfomc"=hex:70,62,62,6a,64,65,6e,61,62,61,6e,63,63,70,61,6c,6b,67,
6a,62,69,70,6e,6c,6c,68,66,70,63,66,61,6f,6a,6e,6e,64,6b,63,66,63,6f,67,65,\

[HKEY_USERS\S-1-5-21-1390067357-329068152-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:3d,68,5f,17,0e,80,17,5d,82,c8,f1,2c,f1,79,61,17,79,0d,f5,c9,32,
02,c0,fa,50,14,d1,a1,9e,b4,12,8b,69,ca,73,13,66,95,09,b8,f7,ed,ac,56,08,b7,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\nvLsp.dll

- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-07 14:47:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-07 20:47
ComboFix2.txt 2009-12-29 00:04
ComboFix3.txt 2009-12-22 05:34
ComboFix4.txt 2008-05-05 17:43

Pre-Run: 76,171,796,480 bytes free
Post-Run: 76,148,117,504 bytes free

- - End Of File - - E2FE0FE4A2A297AD327A9082B75C9141

#10 Elise

Posted 07 January 2010 - 03:53 PM

To double-check, you did disable all CD mounting software first with Defogger?

regards, Elise


#11 RamPower (Topic Starter)

Posted 07 January 2010 - 03:57 PM

Yes, and it said they were disabled and not to re-enable until told to do so.

#12 RamPower (Topic Starter)

Posted 07 January 2010 - 04:19 PM

Hey Elise I really appreciate your help. I am going to be away from the computer until late tonight or tomorrow morning. If there is anything else I need to do I will check back then.
Again thanks so much for the help.

#13 Elise

Posted 08 January 2010 - 03:13 AM

Hello RamPower,

Please download SystemLook from one of the links below and save it to your Desktop.
  • Download Mirror #1
  • Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    atapi.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

In your next reply, please include the following:
  • SystemLook.txt

regards, Elise


#14 RamPower (Topic Starter)

Posted 08 January 2010 - 12:17 PM

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:12 on 08/01/2010 by Ronnie (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:40 10/05/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [00:04 29/12/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys --a--- 95360 bytes [04:28 23/04/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
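As an added example (not part of the thread, and not SystemLook's own code), a small Python parser for the filefind output above that applies the check the helper is doing by eye: compare the MD5 of the in-service atapi.sys in system32\drivers with the pristine copies under ServicePackFiles\i386 and system32\dllcache. The directory roles, verdict names and the constructed tampered log are our assumptions; the six result lines are the ones posted.

```python
import re

# Constructed sample in SystemLook ":filefind" output format. The six result
# lines (paths, attributes, sizes, timestamps, MD5s) are copied from the
# SystemLook.txt posted above; the header and footer lines are ours.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:12 on 08/01/2010 by Ronnie (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [01:40 10/05/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\erdnt\cache\atapi.sys --a--- 96512 bytes [00:04 29/12/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [18:40 13/04/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [03:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys --a--- 95360 bytes [04:28 23/04/2008] [03:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-
"""

# One result line: path, six attribute flags, size, [modified] [created], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

# Where XP keeps pristine copies of a driver (assumed roles). Copies under
# $NtServicePackUninstall$ or ReinstallBackups predate the current service
# pack and legitimately differ, so they are not used as references.
ACTIVE_DIR = "\\system32\\drivers\\"
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\")

def parse_filefind(text):
    """Parse the filefind section into one dict per file copy found."""
    entries, current_name = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current_name = m.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({"name": current_name, "path": m.group("path"),
                            "attrs": m.group("attrs"), "size": int(m.group("size")),
                            "md5": m.group("md5").upper()})
    return entries

def assess_driver(entries, name="atapi.sys"):
    """Compare the in-service driver with the OS reference copies by MD5.
    Verdicts: MATCHES_REFERENCE, DIFFERS_FROM_REFERENCE, REFERENCES_DISAGREE
    (the reference copies disagree, so none can be trusted), NO_ACTIVE_COPY,
    NO_REFERENCE."""
    name = name.lower()
    active = [e for e in entries if e["name"] == name
              and e["path"].lower().endswith(ACTIVE_DIR + name)]
    refs = [e for e in entries if e["name"] == name
            and any(d in e["path"].lower() for d in REFERENCE_DIRS)]
    ref_hashes = sorted({e["md5"] for e in refs})
    result = {"active_md5": active[0]["md5"] if active else None,
              "reference_md5s": ref_hashes}
    if not active:
        result["verdict"] = "NO_ACTIVE_COPY"
    elif not ref_hashes:
        result["verdict"] = "NO_REFERENCE"
    elif len(ref_hashes) > 1:
        result["verdict"] = "REFERENCES_DISAGREE"
    elif result["active_md5"] == ref_hashes[0]:
        result["verdict"] = "MATCHES_REFERENCE"
    else:
        result["verdict"] = "DIFFERS_FROM_REFERENCE"
    # Caveat: these hashes come from a user-mode read of the file. A kernel
    # rootkit that filters reads of the driver it patched can hand back clean
    # bytes, so a match does not prove the driver is clean; a check from outside
    # the running OS, or an MBR/sector scan as requested next, is still needed.
    return result

def with_active_hash(log, fake_md5, name="atapi.sys"):
    """Constructed variant of a log with the in-service driver hash swapped,
    used only to demonstrate the DIFFERS_FROM_REFERENCE verdict."""
    out = []
    for line in log.splitlines():
        if (ACTIVE_DIR + name) in line.lower():
            line = line[:-32] + fake_md5
        out.append(line)
    return "\n".join(out)

# Constructed tampered log: the in-service copy carries a placeholder hash.
TAMPERED_LOG = with_active_hash(SAMPLE_LOG, "0" * 32)

if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("tampered log", TAMPERED_LOG)):
        r = assess_driver(parse_filefind(log))
        print(f"{label}: {r['verdict']} active={r['active_md5']} refs={r['reference_md5s']}")
```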

#15 Elise

Posted 08 January 2010 - 12:43 PM

Please download mbr.exe and save it to your desktop.

Run the file by double-clicking on it (if you get a security warning, click Run).

A logfile (mbr.log) will be created on your desktop. Post its contents in your next reply.

regards, Elise