
Infected, Big Time... Green Desktop with "Your System is Infected" Message


9 replies to this topic

#1 baggydub


  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 25 December 2009 - 04:12 AM

So at first I had the "Internet Security 2010" bug, but I think I fixed that with rkill. But now I got the green desktop with the "system is infected" message. I have heard of people who have this problem trying to restart only to find their system totally screwed, so I'm scared to turn off/restart. I have run DDS and Root Repeal. I know it's Christmas, but please help!!!


DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 3:25:14.42 on Fri 12/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.44 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {4d25f926-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
mWinlogon: Shell=Explorer.exe logon.exe
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\deSrcAs.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\michael\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [<NO NAME>]
uRun: [ATI Remote Control] c:\program files\ati multimedia\remctrl\ATIRW.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
mRun: [powazidip] Rundll32.exe "c:\windows\system32\dohofusa.dll",a
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\michael\startm~1\programs\startup\thinkr~1.lnk - c:\program files\moss bay software\think right now 1.7\ThinkRightNow.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: voluguhe.dll c:\windows\system32\dohofusa.dll
SSODL: nupakifip - {4e897a91-46ca-4314-a6ab-df4f95dd22fc} - c:\windows\system32\dohofusa.dll
STS: kupuhivus: {4e897a91-46ca-4314-a6ab-df4f95dd22fc} - c:\windows\system32\dohofusa.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli lupeyoyu.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-10 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-10 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-10 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-10 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-21 12672]

=============== Created Last 30 ================

2009-12-25 08:03:12 0 d-----w- c:\program files\Sun
2009-12-25 07:08:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 07:08:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-25 07:08:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 07:08:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 07:06:40 0 ----a-w- c:\windows\system32\6334.exe
2009-12-25 06:46:39 0 ----a-w- c:\windows\system32\18467.exe
2009-12-25 06:26:46 0 d-----w- c:\program files\InternetSecurity2010
2009-12-25 06:26:38 0 ----a-w- c:\windows\system32\41.exe
2009-12-25 06:26:21 16896 ----a-w- c:\windows\system32\winhelper86.dll
2009-12-25 06:26:04 2854 ----a-w- c:\windows\system32\critical_warning.html
2009-12-25 06:25:56 22016 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-25 06:25:56 22016 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-23 05:47:57 90112 ----a-w- c:\windows\system32\ccrpTmr6.dll
2009-12-23 05:47:57 0 d-----w- c:\program files\Cool Timer
2009-12-22 19:23:52 0 d-----w- c:\program files\Uniblue
2009-12-20 20:06:33 0 d-----w- C:\CCHAMP
2009-12-08 21:58:01 0 d-----w- c:\docume~1\alluse~1\applic~1\X10 Settings
2009-12-08 21:56:52 0 d-----w- c:\docume~1\alluse~1\applic~1\ATI MMC
2009-12-08 21:51:16 9091 ----a-w- c:\windows\system32\drivers\atirwrf.sys
2009-12-08 21:51:15 257872 ----a-w- c:\windows\system32\drivers\atirwvd.sys
2009-12-08 21:50:42 0 d-----w- c:\program files\common files\ATI
2009-12-08 21:50:41 0 d-----w- c:\program files\ATI Multimedia
2009-12-08 21:49:22 0 d-----w- C:\ATI
2009-12-07 15:18:29 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-07 04:44:25 0 d-----w- c:\program files\Xilisoft
2009-12-06 21:12:29 0 d-----w- c:\windows\system32\scripting
2009-12-06 21:12:28 0 d-----w- c:\windows\l2schemas
2009-12-06 21:12:26 0 d-----w- c:\windows\system32\en
2009-12-06 21:12:26 0 d-----w- c:\windows\system32\bits
2009-12-06 20:59:02 0 d-----w- c:\windows\network diagnostic
2009-12-05 20:49:57 0 d-----w- c:\windows\system32\LogFiles
2009-12-05 16:42:58 0 d-----w- c:\windows\ServicePackFiles
2009-12-05 02:09:05 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-05 02:05:07 128512 ------w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-05 01:57:00 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-05 01:50:20 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-02 23:27:01 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 23:27:01 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-02 23:27:01 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-12-13 22:48:08 60420 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 06:29:44 93696 --sha-w- c:\windows\system32\dohofusa.dll
2009-09-25 06:29:44 39424 --sha-w- c:\windows\system32\hatutiza.dll
2009-09-25 06:24:06 53248 --sha-w- c:\windows\system32\lupeyoyu.dll
2009-09-25 06:24:06 53248 --sha-w- c:\windows\system32\nukihiko.dll
2009-09-25 06:24:06 53248 --sha-w- c:\windows\system32\voluguhe.dll

============= FINISH: 3:27:05.89 ===============


#2 fenzodahl512


  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 26 December 2009 - 01:13 AM

Visit the website below to understand how to use ComboFix >> download and run the program >> post the log here :(

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 baggydub

  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 26 December 2009 - 11:54 PM

Thanks!!! Ran Combofix, and here's my log:

ComboFix 09-12-26.02 - Michael 12/26/2009 23:30:40.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.343 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
c:\windows\kb913800.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\bszip.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\critical_warning.html
c:\windows\system32\dajagitu.dll
c:\windows\system32\dohofusa.dll
c:\windows\system32\sesipiwa.dll
c:\windows\system32\winhelper86.dll
c:\windows\system32\winlogon86.exe
c:\windows\system32\winupdate86.exe
c:\windows\system32\wojunoki.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-25 08:03 . 2009-12-25 08:03 -------- d-----w- c:\program files\Sun
2009-12-25 07:08 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 07:08 . 2009-12-25 07:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-25 07:08 . 2009-12-25 07:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 07:08 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 06:44 . 2009-12-25 06:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-23 05:47 . 2009-12-23 05:47 -------- d-----w- c:\program files\Cool Timer
2009-12-22 19:23 . 2009-12-22 19:23 -------- d-----w- c:\program files\Uniblue
2009-12-20 20:06 . 2009-12-20 20:10 -------- d-----w- C:\CCHAMP
2009-12-12 15:59 . 2009-12-12 15:56 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-10 04:10 . 2009-12-10 04:10 -------- d-----w- c:\documents and settings\Michael\Application Data\Yahoo!
2009-12-08 21:58 . 2009-12-08 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\X10 Settings
2009-12-08 21:56 . 2009-12-08 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
2009-12-08 21:51 . 2003-07-24 18:18 9091 ----a-w- c:\windows\system32\drivers\atirwrf.sys
2009-12-08 21:51 . 2003-12-15 19:28 257872 ----a-w- c:\windows\system32\drivers\atirwvd.sys
2009-12-08 21:50 . 2009-12-08 21:50 -------- d-----w- c:\program files\Common Files\ATI
2009-12-08 21:50 . 2009-12-08 21:50 -------- d-----w- c:\program files\ATI Multimedia
2009-12-08 21:49 . 2009-12-08 21:49 -------- d-----w- C:\ATI
2009-12-07 15:18 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-07 04:44 . 2009-12-07 04:44 -------- d-----w- c:\program files\Xilisoft
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\scripting
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\l2schemas
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\en
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\bits
2009-12-05 20:49 . 2009-12-05 20:49 -------- d-----w- c:\windows\system32\LogFiles
2009-12-05 18:01 . 2009-12-05 18:01 152576 ----a-w- c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-05 16:42 . 2009-12-06 21:04 -------- d-----w- c:\windows\ServicePackFiles
2009-12-05 02:09 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-05 01:57 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-05 01:50 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-02 23:27 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 23:27 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-27 22:48 . 2009-12-05 17:48 79488 ----a-w- c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 04:23 . 2009-05-15 00:33 75848 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 07:50 . 2005-11-22 17:38 -------- d-----w- c:\program files\Java
2009-12-25 06:50 . 2009-08-24 01:33 -------- d-----w- c:\documents and settings\Michael\Application Data\vlc
2009-12-24 22:50 . 2009-05-10 20:59 -------- d-----w- c:\documents and settings\Michael\Application Data\uTorrent
2009-12-22 19:34 . 2005-11-22 17:48 -------- d-----w- c:\program files\MUSICMATCH
2009-12-13 22:48 . 2009-10-02 22:13 60420 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-09 15:10 . 2009-05-10 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-06 21:18 . 2005-08-16 10:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-06 18:13 . 2009-05-10 22:30 -------- d-----w- c:\program files\Microsoft Works
2009-12-06 17:31 . 2005-11-22 17:54 -------- d-----w- c:\program files\McAfee.com
2009-12-06 17:24 . 2005-11-22 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-10-29 05:38 . 2005-08-16 10:18 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-05-23 04:56 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-25 06:29 . 2009-09-25 06:29 39424 --sha-w- c:\windows\system32\hatutiza.dll
2009-09-27 04:17 . 2009-09-27 04:17 39424 --sha-w- c:\windows\system32\jozaname.dll
2009-09-27 04:17 . 2009-09-27 04:17 52224 --sha-w- c:\windows\system32\lumodako.dll
2009-09-27 04:17 . 2009-09-27 04:17 51712 --sha-w- c:\windows\system32\teketefe.dll
2009-09-27 04:18 . 2009-09-27 04:18 51712 --sha-w- c:\windows\system32\yebehoka.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a27cbf96-01c1-45cc-8e0d-84ef8a1ed250}]
2009-09-27 04:18 51712 --sha-w- c:\windows\system32\yebehoka.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-06 1622016]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-22 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ThinkRightNow.lnk - c:\program files\Moss Bay Software\Think Right Now 1.7\ThinkRightNow.exe [2001-7-17 217192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-22 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13543:TCP"= 13543:TCP:port

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/20/2009 8:21 PM 721904]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/10/2009 10:38 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/10/2009 10:38 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 10:37 AM 297752]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/21/2009 2:45 PM 12672]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
HKLM-Run-powazidip - c:\windows\system32\dohofusa.dll
HKLM-Run-fakititusu - dajagitu.dll
SharedTaskScheduler-{4e897a91-46ca-4314-a6ab-df4f95dd22fc} - c:\windows\system32\dohofusa.dll
SSODL-nupakifip-{4e897a91-46ca-4314-a6ab-df4f95dd22fc} - c:\windows\system32\dohofusa.dll
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spbl.sys hal.dll >>UNKNOWN [0x82B91938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84fef28
\Driver\ACPI -> ACPI.sys @ 0xf8278cb8
\Driver\atapi -> atapi.sys @ 0xf81efb40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022
NDIS: Intel® PRO/Wireless 2915ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf80e3bb0
PacketIndicateHandler -> NDIS.sys @ 0xf80d2a0d
SendHandler -> NDIS.sys @ 0xf80e6b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\msiexec.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-26 23:47:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 04:47

Pre-Run: 5,383,585,792 bytes free
Post-Run: 5,293,027,328 bytes free

- - End Of File - - EDC99BA6C6F06326657AAD60C39DF735

I'm installing the recovery console now. What after that?

#4 fenzodahl512


  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 27 December 2009 - 12:09 AM

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers.
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable, which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.




1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\hatutiza.dll
c:\windows\system32\jozaname.dll
c:\windows\system32\lumodako.dll
c:\windows\system32\teketefe.dll
c:\windows\system32\yebehoka.dll
c:\windows\system32\yebehoka.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a27cbf96-01c1-45cc-8e0d-84ef8a1ed250}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"13543:TCP"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



Please download TDSSKiller.zip and unzip it to your Desktop

Run the TDSSKiller and wait until it finishes (should be just a few seconds or below a minute).. Then find the log at your %systemdrive% (drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 baggydub

baggydub
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 27 December 2009 - 01:47 AM

New Combofix log:

ComboFix 09-12-26.02 - Michael 12/27/2009 1:26.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.286 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\hatutiza.dll"
"c:\windows\system32\jozaname.dll"
"c:\windows\system32\lumodako.dll"
"c:\windows\system32\teketefe.dll"
"c:\windows\system32\yebehoka.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\windows\system32\hatutiza.dll
c:\windows\system32\hihosove.dll
c:\windows\system32\jozaname.dll
c:\windows\system32\lumodako.dll
c:\windows\system32\sebajuyo.dll
c:\windows\system32\teketefe.dll
c:\windows\system32\yebehoka.dll
c:\windows\Tasks\bxtamebw.job

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-27 06:19 . 2009-12-27 06:19 61952 --sh--w- c:\windows\system32\tumazuba.dll
2009-12-25 08:03 . 2009-12-25 08:03 -------- d-----w- c:\program files\Sun
2009-12-25 07:08 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 07:08 . 2009-12-25 07:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-25 07:08 . 2009-12-25 07:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 07:08 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 06:44 . 2009-12-25 06:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-23 05:47 . 2009-12-23 05:47 -------- d-----w- c:\program files\Cool Timer
2009-12-22 19:23 . 2009-12-22 19:23 -------- d-----w- c:\program files\Uniblue
2009-12-20 20:06 . 2009-12-20 20:10 -------- d-----w- C:\CCHAMP
2009-12-10 04:10 . 2009-12-10 04:10 -------- d-----w- c:\documents and settings\Michael\Application Data\Yahoo!
2009-12-08 21:58 . 2009-12-08 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\X10 Settings
2009-12-08 21:56 . 2009-12-08 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
2009-12-08 21:51 . 2003-07-24 18:18 9091 ----a-w- c:\windows\system32\drivers\atirwrf.sys
2009-12-08 21:51 . 2003-12-15 19:28 257872 ----a-w- c:\windows\system32\drivers\atirwvd.sys
2009-12-08 21:50 . 2009-12-08 21:50 -------- d-----w- c:\program files\Common Files\ATI
2009-12-08 21:50 . 2009-12-08 21:50 -------- d-----w- c:\program files\ATI Multimedia
2009-12-08 21:49 . 2009-12-08 21:49 -------- d-----w- C:\ATI
2009-12-07 15:18 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-07 04:44 . 2009-12-07 04:44 -------- d-----w- c:\program files\Xilisoft
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\scripting
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\l2schemas
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\en
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\bits
2009-12-05 20:49 . 2009-12-05 20:49 -------- d-----w- c:\windows\system32\LogFiles
2009-12-05 16:42 . 2009-12-06 21:04 -------- d-----w- c:\windows\ServicePackFiles
2009-12-05 02:09 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-05 01:57 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-05 01:50 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-02 23:27 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 23:27 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 04:23 . 2009-05-15 00:33 75848 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 07:50 . 2005-11-22 17:38 -------- d-----w- c:\program files\Java
2009-12-25 06:50 . 2009-08-24 01:33 -------- d-----w- c:\documents and settings\Michael\Application Data\vlc
2009-12-24 22:50 . 2009-05-10 20:59 -------- d-----w- c:\documents and settings\Michael\Application Data\uTorrent
2009-12-22 19:34 . 2005-11-22 17:48 -------- d-----w- c:\program files\MUSICMATCH
2009-12-13 22:48 . 2009-10-02 22:13 60420 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-12 15:56 . 2009-12-12 15:59 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-09 15:10 . 2009-05-10 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-06 21:18 . 2005-08-16 10:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-06 18:13 . 2009-05-10 22:30 -------- d-----w- c:\program files\Microsoft Works
2009-12-06 17:31 . 2005-11-22 17:54 -------- d-----w- c:\program files\McAfee.com
2009-12-06 17:24 . 2005-11-22 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-12-05 18:01 . 2009-12-05 18:01 152576 ----a-w- c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-05 17:48 . 2009-11-27 22:48 79488 ----a-w- c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-29 05:38 . 2005-08-16 10:18 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-05-23 04:56 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-06 1622016]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-22 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"powazidip"="c:\windows\system32\sebajuyo.dll" [BU]
"fakititusu"="dajagitu.dll" [BU]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ThinkRightNow.lnk - c:\program files\Moss Bay Software\Think Right Now 1.7\ThinkRightNow.exe [2001-7-17 217192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-22 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/10/2009 10:38 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/10/2009 10:38 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 10:37 AM 297752]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/21/2009 2:45 PM 12672]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/20/2009 8:21 PM 721904]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{bee0080b-e012-49e1-8989-243e8792ed81} - c:\windows\system32\sebajuyo.dll
SSODL-guwohikag-{bee0080b-e012-49e1-8989-243e8792ed81} - c:\windows\system32\sebajuyo.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 01:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(3228)
c:\program files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-12-27 01:42:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 06:42
ComboFix2.txt 2009-12-27 05:18
ComboFix3.txt 2009-12-27 04:47

Pre-Run: 5,214,015,488 bytes free
Post-Run: 5,183,807,488 bytes free

- - End Of File - - 0D17E8F460E70EED003137E762F65B7C

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:02 AM, on 12/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [powazidip] Rundll32.exe "c:\windows\system32\sebajuyo.dll",a
O4 - HKLM\..\Run: [fakititusu] Rundll32.exe "dajagitu.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Startup: ThinkRightNow.lnk = C:\Program Files\Moss Bay Software\Think Right Now 1.7\ThinkRightNow.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9374 bytes

And last but not least, the TDSSKiller log:

01:44:47:312 0132 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
01:44:47:312 0132 ================================================================================
01:44:47:312 0132 SystemInfo:

01:44:47:312 0132 OS Version: 5.1.2600 ServicePack: 3.0
01:44:47:312 0132 Product type: Workstation
01:44:47:312 0132 ComputerName: LAPTOP
01:44:47:312 0132 UserName: Michael
01:44:47:312 0132 Windows directory: C:\WINDOWS
01:44:47:312 0132 Processor architecture: Intel x86
01:44:47:312 0132 Number of processors: 1
01:44:47:312 0132 Page size: 0x1000
01:44:47:312 0132 Boot type: Normal boot
01:44:47:312 0132 ================================================================================
01:44:47:312 0132 ForceUnloadDriver: NtUnloadDriver error 2
01:44:47:390 0132 ForceUnloadDriver: NtUnloadDriver error 2
01:44:47:390 0132 ForceUnloadDriver: NtUnloadDriver error 2
01:44:47:390 0132 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
01:44:47:390 0132 main: Driver KLMD successfully dropped
01:44:47:437 0132 main: Driver KLMD successfully loaded
01:44:47:437 0132
Scanning Registry ...
01:44:47:453 0132 ScanServices: Searching service UACd.sys
01:44:47:453 0132 ScanServices: Open/Create key error 2
01:44:47:453 0132 ScanServices: Searching service TDSSserv.sys
01:44:47:453 0132 ScanServices: Open/Create key error 2
01:44:47:453 0132 ScanServices: Searching service gaopdxserv.sys
01:44:47:453 0132 ScanServices: Open/Create key error 2
01:44:47:453 0132 ScanServices: Searching service gxvxcserv.sys
01:44:47:453 0132 ScanServices: Open/Create key error 2
01:44:47:453 0132 ScanServices: Searching service MSIVXserv.sys
01:44:47:468 0132 ScanServices: Open/Create key error 2
01:44:47:468 0132 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
01:44:47:484 0132 UnhookRegistry: Kernel local addr: A40000
01:44:47:484 0132 UnhookRegistry: KeServiceDescriptorTable addr: ABC020
01:44:48:281 0132 UnhookRegistry: KiServiceTable addr: A6AB9C
01:44:48:281 0132 UnhookRegistry: NtEnumerateKey service number (local): 47
01:44:48:281 0132 UnhookRegistry: NtEnumerateKey local addr: B83B72
01:44:48:296 0132 KLMD_OpenDevice: Trying to open KLMD device
01:44:48:296 0132 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
01:44:48:296 0132 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
01:44:48:296 0132 KLMD_ReadMem: Trying to ReadMemory 0x804FE335[0x4]
01:44:48:296 0132 UnhookRegistry: NtEnumerateKey service number (kernel): 47
01:44:48:296 0132 KLMD_ReadMem: Trying to ReadMemory 0x80501CB8[0x4]
01:44:48:296 0132 UnhookRegistry: NtEnumerateKey real addr: 8061AB72
01:44:48:296 0132 UnhookRegistry: NtEnumerateKey calc addr: 8061AB72
01:44:48:296 0132 UnhookRegistry: No SDT hooks found on NtEnumerateKey
01:44:48:296 0132 KLMD_ReadMem: Trying to ReadMemory 0x8061AB72[0xA]
01:44:48:296 0132 UnhookRegistry: No splicing found on NtEnumerateKey
01:44:48:312 0132
Scanning Kernel memory ...
01:44:48:312 0132 KLMD_OpenDevice: Trying to open KLMD device
01:44:48:312 0132 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
01:44:48:312 0132 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
01:44:48:312 0132 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82B092E0
01:44:48:312 0132 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
01:44:48:312 0132 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 82B92C68
01:44:48:312 0132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B92C68
01:44:48:312 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B92C68[0x38]
01:44:48:312 0132 DetectCureTDL3: DRIVER_OBJECT addr: 82B092E0
01:44:48:312 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B092E0[0xA8]
01:44:48:312 0132 KLMD_ReadMem: Trying to ReadMemory 0xE18644E8[0x208]
01:44:48:312 0132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:44:48:312 0132 DetectCureTDL3: IrpHandler (0) addr: F8500BB0
01:44:48:312 0132 DetectCureTDL3: IrpHandler (1) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (2) addr: F8500BB0
01:44:48:312 0132 DetectCureTDL3: IrpHandler (3) addr: F84FAD1F
01:44:48:312 0132 DetectCureTDL3: IrpHandler (4) addr: F84FAD1F
01:44:48:312 0132 DetectCureTDL3: IrpHandler (5) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (6) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (7) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (8) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (9) addr: F84FB2E2
01:44:48:312 0132 DetectCureTDL3: IrpHandler (10) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (11) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (12) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (13) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (14) addr: F84FB3BB
01:44:48:312 0132 DetectCureTDL3: IrpHandler (15) addr: F84FEF28
01:44:48:312 0132 DetectCureTDL3: IrpHandler (16) addr: F84FB2E2
01:44:48:312 0132 DetectCureTDL3: IrpHandler (17) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (18) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (19) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (20) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (21) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (22) addr: F84FCC82
01:44:48:312 0132 DetectCureTDL3: IrpHandler (23) addr: F850199E
01:44:48:312 0132 DetectCureTDL3: IrpHandler (24) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (25) addr: 804F355A
01:44:48:312 0132 DetectCureTDL3: IrpHandler (26) addr: 804F355A
01:44:48:312 0132 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
01:44:48:312 0132 KLMD_ReadMem: DeviceIoControl error 1
01:44:48:312 0132 TDL3_StartIoHookDetect: Unable to get StartIo handler code
01:44:48:312 0132 TDL3_FileDetect: Processing driver: Disk
01:44:48:312 0132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
01:44:48:312 0132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
01:44:48:312 0132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
01:44:48:375 0132 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 82B45C68
01:44:48:375 0132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B45C68
01:44:48:375 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B45C68[0x38]
01:44:48:375 0132 DetectCureTDL3: DRIVER_OBJECT addr: 82B092E0
01:44:48:375 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B092E0[0xA8]
01:44:48:375 0132 KLMD_ReadMem: Trying to ReadMemory 0xE18644E8[0x208]
01:44:48:375 0132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:44:48:375 0132 DetectCureTDL3: IrpHandler (0) addr: F8500BB0
01:44:48:375 0132 DetectCureTDL3: IrpHandler (1) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (2) addr: F8500BB0
01:44:48:375 0132 DetectCureTDL3: IrpHandler (3) addr: F84FAD1F
01:44:48:375 0132 DetectCureTDL3: IrpHandler (4) addr: F84FAD1F
01:44:48:375 0132 DetectCureTDL3: IrpHandler (5) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (6) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (7) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (8) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (9) addr: F84FB2E2
01:44:48:375 0132 DetectCureTDL3: IrpHandler (10) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (11) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (12) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (13) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (14) addr: F84FB3BB
01:44:48:375 0132 DetectCureTDL3: IrpHandler (15) addr: F84FEF28
01:44:48:375 0132 DetectCureTDL3: IrpHandler (16) addr: F84FB2E2
01:44:48:375 0132 DetectCureTDL3: IrpHandler (17) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (18) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (19) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (20) addr: 804F355A
01:44:48:375 0132 DetectCureTDL3: IrpHandler (21) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (22) addr: F84FCC82
01:44:48:390 0132 DetectCureTDL3: IrpHandler (23) addr: F850199E
01:44:48:390 0132 DetectCureTDL3: IrpHandler (24) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (25) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (26) addr: 804F355A
01:44:48:390 0132 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
01:44:48:390 0132 KLMD_ReadMem: DeviceIoControl error 1
01:44:48:390 0132 TDL3_StartIoHookDetect: Unable to get StartIo handler code
01:44:48:390 0132 TDL3_FileDetect: Processing driver: Disk
01:44:48:390 0132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
01:44:48:390 0132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
01:44:48:390 0132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
01:44:48:390 0132 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 82B749F0
01:44:48:390 0132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B749F0
01:44:48:390 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B749F0[0x38]
01:44:48:390 0132 DetectCureTDL3: DRIVER_OBJECT addr: 82B092E0
01:44:48:390 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B092E0[0xA8]
01:44:48:390 0132 KLMD_ReadMem: Trying to ReadMemory 0xE18644E8[0x208]
01:44:48:390 0132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
01:44:48:390 0132 DetectCureTDL3: IrpHandler (0) addr: F8500BB0
01:44:48:390 0132 DetectCureTDL3: IrpHandler (1) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (2) addr: F8500BB0
01:44:48:390 0132 DetectCureTDL3: IrpHandler (3) addr: F84FAD1F
01:44:48:390 0132 DetectCureTDL3: IrpHandler (4) addr: F84FAD1F
01:44:48:390 0132 DetectCureTDL3: IrpHandler (5) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (6) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (7) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (8) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (9) addr: F84FB2E2
01:44:48:390 0132 DetectCureTDL3: IrpHandler (10) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (11) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (12) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (13) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (14) addr: F84FB3BB
01:44:48:390 0132 DetectCureTDL3: IrpHandler (15) addr: F84FEF28
01:44:48:390 0132 DetectCureTDL3: IrpHandler (16) addr: F84FB2E2
01:44:48:390 0132 DetectCureTDL3: IrpHandler (17) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (18) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (19) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (20) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (21) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (22) addr: F84FCC82
01:44:48:390 0132 DetectCureTDL3: IrpHandler (23) addr: F850199E
01:44:48:390 0132 DetectCureTDL3: IrpHandler (24) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (25) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (26) addr: 804F355A
01:44:48:390 0132 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
01:44:48:390 0132 KLMD_ReadMem: DeviceIoControl error 1
01:44:48:390 0132 TDL3_StartIoHookDetect: Unable to get StartIo handler code
01:44:48:390 0132 TDL3_FileDetect: Processing driver: Disk
01:44:48:390 0132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
01:44:48:390 0132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
01:44:48:390 0132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
01:44:48:406 0132 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 82B95AB8
01:44:48:406 0132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B95AB8
01:44:48:406 0132 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 82B05D98
01:44:48:406 0132 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B05D98
01:44:48:406 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B05D98[0x38]
01:44:48:406 0132 DetectCureTDL3: DRIVER_OBJECT addr: 82B5A788
01:44:48:406 0132 KLMD_ReadMem: Trying to ReadMemory 0x82B5A788[0xA8]
01:44:48:406 0132 KLMD_ReadMem: Trying to ReadMemory 0xE100DF50[0x208]
01:44:48:406 0132 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
01:44:48:406 0132 DetectCureTDL3: IrpHandler (0) addr: F83096F2
01:44:48:406 0132 DetectCureTDL3: IrpHandler (1) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (2) addr: F83096F2
01:44:48:406 0132 DetectCureTDL3: IrpHandler (3) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (4) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (5) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (6) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (7) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (8) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (9) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (10) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (11) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (12) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (13) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (14) addr: F8309712
01:44:48:406 0132 DetectCureTDL3: IrpHandler (15) addr: F8305852
01:44:48:406 0132 DetectCureTDL3: IrpHandler (16) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (17) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (18) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (19) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (20) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (21) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (22) addr: F830973C
01:44:48:406 0132 DetectCureTDL3: IrpHandler (23) addr: F8310336
01:44:48:406 0132 DetectCureTDL3: IrpHandler (24) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (25) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (26) addr: 804F355A
01:44:48:406 0132 KLMD_ReadMem: Trying to ReadMemory 0xF8306864[0x400]
01:44:48:406 0132 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0
01:44:48:406 0132 TDL3_FileDetect: Processing driver: atapi
01:44:48:406 0132 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk
01:44:48:406 0132 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
01:44:48:406 0132 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
01:44:48:437 0132
Completed

Results:
01:44:48:437 0132 Infected objects in memory: 0
01:44:48:437 0132 Cured objects in memory: 0
01:44:48:437 0132 Infected objects on disk: 0
01:44:48:437 0132 Objects on disk cured on reboot: 0
01:44:48:437 0132 Objects on disk deleted on reboot: 0
01:44:48:437 0132 Registry nodes deleted on reboot: 0
01:44:48:437 0132
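
A reader's note, added here and not part of the thread: the DetectCureTDL3 block above is TDSSKiller walking the boot disk's device stack and dumping each driver object's IRP dispatch table. Two things carry the signal. Every major a driver does not implement points at one shared kernel stub (804F355A here, identical for Disk and atapi), and the remaining pointers sit a few KiB apart inside the owning driver image (F83xxxxx for atapi, F84F/F850xxxx for Disk). A dispatch pointer that is neither is where a TDL3-style hook would show. The disk.sys "ReadMemory 0x0 ... DeviceIoControl error 1" lines are the StartIo check on a driver that has no StartIo routine, not a failure. The Python below is my example, not TDSSKiller's code; the 1 MiB window and the pool address injected into the sample are assumptions of mine.

```python
"""Triage of TDSSKiller 'DetectCureTDL3' output: flag IRP dispatch entries
that point away from the owning driver.

Added example for this thread, not TDSSKiller's own logic; the threshold
and the sample's injected address are assumptions.
"""
import re
from collections import Counter, defaultdict
from statistics import median_low

DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\(\S+),")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")

# Assumption: no storage-class driver image spans more than 1 MiB, so a
# handler further than that from the driver's other handlers is foreign.
MAX_SPAN = 0x100000

# The slots a storage rootkit cares about (IRP_MJ_* numbering from ntddk.h).
IRP_MJ = {0: "CREATE", 2: "CLOSE", 3: "READ", 4: "WRITE",
          14: "DEVICE_CONTROL", 15: "INTERNAL_DEVICE_CONTROL",
          16: "SHUTDOWN", 22: "POWER", 23: "SYSTEM_CONTROL"}


def parse(log_text):
    """Return {driver_name: {slot: handler_address}}.

    The same driver is listed once per device stack (Disk appears three
    times in the thread's log); the tables are identical, so later copies
    simply overwrite earlier ones.
    """
    tables = defaultdict(dict)
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = int(m.group(2), 16)
    return dict(tables)


def kernel_default(tables):
    """The stub shared by every driver for majors it does not implement."""
    counts = Counter(addr for table in tables.values() for addr in table.values())
    return counts.most_common(1)[0][0]


def find_hooks(tables, max_span=MAX_SPAN):
    """Return [(driver, slot, address)] for dispatch entries that are neither
    the kernel stub nor within max_span of the driver's own handler cluster."""
    stub = kernel_default(tables)
    findings = []
    for driver, table in tables.items():
        own = [addr for addr in table.values() if addr != stub]
        if not own:
            continue
        centre = median_low(own)  # robust as long as most slots are clean
        for slot, addr in sorted(table.items()):
            if addr != stub and abs(addr - centre) > max_span:
                findings.append((driver, slot, addr))
    return findings


# Constructed sample: a trimmed copy of the Disk and atapi tables from the
# thread's log, with atapi slots 14 and 15 overwritten by a made-up pool
# address (81F2A000) to stand in for a TDL3-style hook.  The real log in
# the thread has no such entry.
SAMPLE_LOG = """\
01:44:48:390 0132 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
01:44:48:390 0132 DetectCureTDL3: IrpHandler (0) addr: F8500BB0
01:44:48:390 0132 DetectCureTDL3: IrpHandler (1) addr: 804F355A
01:44:48:390 0132 DetectCureTDL3: IrpHandler (2) addr: F8500BB0
01:44:48:390 0132 DetectCureTDL3: IrpHandler (3) addr: F84FAD1F
01:44:48:390 0132 DetectCureTDL3: IrpHandler (14) addr: F84FB3BB
01:44:48:390 0132 DetectCureTDL3: IrpHandler (15) addr: F84FEF28
01:44:48:390 0132 DetectCureTDL3: IrpHandler (26) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
01:44:48:406 0132 DetectCureTDL3: IrpHandler (0) addr: F83096F2
01:44:48:406 0132 DetectCureTDL3: IrpHandler (1) addr: 804F355A
01:44:48:406 0132 DetectCureTDL3: IrpHandler (2) addr: F83096F2
01:44:48:406 0132 DetectCureTDL3: IrpHandler (14) addr: 81F2A000
01:44:48:406 0132 DetectCureTDL3: IrpHandler (15) addr: 81F2A000
01:44:48:406 0132 DetectCureTDL3: IrpHandler (22) addr: F830973C
01:44:48:406 0132 DetectCureTDL3: IrpHandler (23) addr: F8310336
01:44:48:406 0132 DetectCureTDL3: IrpHandler (26) addr: 804F355A
"""


if __name__ == "__main__":
    tables = parse(SAMPLE_LOG)
    print(f"kernel stub: {kernel_default(tables):08X}")
    for driver, slot, addr in find_hooks(tables):
        name = IRP_MJ.get(slot, f"IRP_MJ_{slot}")
        print(f"{driver}: slot {slot} ({name}) -> {addr:08X} is outside the driver")
```

Point it at the saved TDSSKiller log instead of SAMPLE_LOG; a clean table returns an empty list, as the thread's real log would. It covers only the dispatch table, not the 0x400 bytes of StartIo that TDSSKiller reads just before TDL3_StartIoHookDetect, nor the on-disk file check it does under TDL3_FileDetect.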

#6 fenzodahl512
  • Members
  • 6,738 posts
  • Local time:05:12 AM

Posted 27 December 2009 - 01:55 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\tumazuba.dll
c:\windows\system32\sebajuyo.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"powazidip"=-
"fakititusu"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe/KittyFix.exe as depicted in the animation below. This will start ComboFix/KittyFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 baggydub (Topic Starter)
  • Members
  • 5 posts
  • Local time:04:12 PM

Posted 27 December 2009 - 02:43 AM

Latest Combofix log:

ComboFix 09-12-26.02 - Michael 12/27/2009 2:24.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.200 [GMT -5:00]
Running from: c:\documents and settings\Michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Michael\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\sebajuyo.dll"
"c:\windows\system32\tumazuba.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tumazuba.dll

.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-25 08:03 . 2009-12-25 08:03 -------- d-----w- c:\program files\Sun
2009-12-25 07:08 . 2009-12-03 21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-25 07:08 . 2009-12-25 07:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-25 07:08 . 2009-12-25 07:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-25 07:08 . 2009-12-03 21:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-25 06:44 . 2009-12-25 06:44 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-23 05:47 . 2009-12-23 05:47 -------- d-----w- c:\program files\Cool Timer
2009-12-22 19:23 . 2009-12-22 19:23 -------- d-----w- c:\program files\Uniblue
2009-12-20 20:06 . 2009-12-20 20:10 -------- d-----w- C:\CCHAMP
2009-12-10 04:10 . 2009-12-10 04:10 -------- d-----w- c:\documents and settings\Michael\Application Data\Yahoo!
2009-12-08 21:58 . 2009-12-08 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\X10 Settings
2009-12-08 21:56 . 2009-12-08 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI MMC
2009-12-08 21:51 . 2003-07-24 18:18 9091 ----a-w- c:\windows\system32\drivers\atirwrf.sys
2009-12-08 21:51 . 2003-12-15 19:28 257872 ----a-w- c:\windows\system32\drivers\atirwvd.sys
2009-12-08 21:50 . 2009-12-08 21:50 -------- d-----w- c:\program files\Common Files\ATI
2009-12-08 21:50 . 2009-12-08 21:50 -------- d-----w- c:\program files\ATI Multimedia
2009-12-08 21:49 . 2009-12-08 21:49 -------- d-----w- C:\ATI
2009-12-07 15:18 . 2009-08-13 15:16 512000 ------w- c:\windows\system32\dllcache\jscript.dll
2009-12-07 04:44 . 2009-12-07 04:44 -------- d-----w- c:\program files\Xilisoft
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\scripting
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\l2schemas
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\en
2009-12-06 21:12 . 2009-12-06 21:12 -------- d-----w- c:\windows\system32\bits
2009-12-05 20:49 . 2009-12-05 20:49 -------- d-----w- c:\windows\system32\LogFiles
2009-12-05 16:42 . 2009-12-06 21:04 -------- d-----w- c:\windows\ServicePackFiles
2009-12-05 02:09 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-12-05 01:57 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-12-05 01:50 . 2009-06-10 14:19 2066432 ------w- c:\windows\system32\dllcache\mstscax.dll
2009-12-02 23:27 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 23:27 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 04:23 . 2009-05-15 00:33 75848 ----a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 07:50 . 2005-11-22 17:38 -------- d-----w- c:\program files\Java
2009-12-25 06:50 . 2009-08-24 01:33 -------- d-----w- c:\documents and settings\Michael\Application Data\vlc
2009-12-24 22:50 . 2009-05-10 20:59 -------- d-----w- c:\documents and settings\Michael\Application Data\uTorrent
2009-12-22 19:34 . 2005-11-22 17:48 -------- d-----w- c:\program files\MUSICMATCH
2009-12-13 22:48 . 2009-10-02 22:13 60420 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-12 15:56 . 2009-12-12 15:59 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-09 15:10 . 2009-05-10 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-06 21:18 . 2005-08-16 10:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-12-06 18:13 . 2009-05-10 22:30 -------- d-----w- c:\program files\Microsoft Works
2009-12-06 17:31 . 2005-11-22 17:54 -------- d-----w- c:\program files\McAfee.com
2009-12-06 17:24 . 2005-11-22 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2009-12-05 18:01 . 2009-12-05 18:01 152576 ----a-w- c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-05 17:48 . 2009-11-27 22:48 79488 ----a-w- c:\documents and settings\Michael\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-10-29 05:38 . 2005-08-16 10:18 667136 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-08-16 10:18 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-08-16 10:18 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-08-16 10:18 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-08-16 10:18 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-08-16 10:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-05-23 04:56 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-10 133104]
"ATI Remote Control"="c:\program files\ATI Multimedia\RemCtrl\ATIRW.exe" [2006-04-06 1622016]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-11-22 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\documents and settings\Michael\Start Menu\Programs\Startup\
ThinkRightNow.lnk - c:\program files\Moss Bay Software\Think Right Now 1.7\ThinkRightNow.exe [2001-7-17 217192]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2004-12-22 45056]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-11-22 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/10/2009 10:38 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/10/2009 10:38 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/10/2009 10:37 AM 297752]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [6/21/2009 2:45 PM 12672]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/20/2009 8:21 PM 721904]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 02:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\msiexec.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\documents and settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\windows\system32\rundll32.exe
c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-12-27 02:38:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-27 07:38
ComboFix2.txt 2009-12-27 06:42
ComboFix3.txt 2009-12-27 05:18
ComboFix4.txt 2009-12-27 04:47

Pre-Run: 5,203,341,312 bytes free
Post-Run: 5,170,266,112 bytes free

- - End Of File - - 77F864C745901AB0F94F1609F43B4184

Latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:42:08 AM, on 12/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michael\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Michael\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - Startup: ThinkRightNow.lnk = C:\Program Files\Moss Bay Software\Think Right Now 1.7\ThinkRightNow.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9456 bytes
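
As an added example (not from the thread and not part of HijackThis, ESET or OTC): a small Python triage script that parses HijackThis-style O18/O20/O23 lines like the ones in the log above and flags the entries a helper would look at first. The TRUSTED_PREFIXES list and the final "ExampleSvc" line are constructed assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input in HijackThis format. The first five lines are copied
# from the log above; the last O23 line is made up for this example to show a
# service whose binary lives in a user-writable directory.
SAMPLE_LOG = """\
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\\Program Files\\AVG\\AVG8\\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe
O23 - Service: ExampleSvc - Unknown owner - C:\\Documents and Settings\\user\\Local Settings\\Temp\\example.exe
"""

# Assumption for this example: directories where installed services and
# Winlogon notify DLLs normally live on an XP box.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")

# "O23 - Service: <name> - <owner> - <path>", "O20 - Winlogon Notify: <name> - <dll>", ...
LINE_RE = re.compile(r"^(O\d+) - (\w[\w ]*?): (.*)$")


def parse_line(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split one HijackThis line into (section, kind, fields) or None if not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    return section, kind, rest.split(" - ")


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for entries worth reviewing first."""
    findings = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, _kind, fields = parsed
        name, path = fields[0], fields[-1]
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon: a classic persistence point.
            findings.append((section, name, "Winlogon Notify persistence point"))
        elif section == "O23":
            owner = fields[1] if len(fields) == 3 else "Unknown owner"
            if owner == "Unknown owner":
                findings.append((section, name, "service with no vendor information"))
            if not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append((section, name, "service binary outside standard install dirs"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} {name}: {reason}")
```

Entries such as DSBrokerService are flagged only because the vendor field is empty; that is a prompt to check the file, not a verdict.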

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 27 December 2009 - 02:49 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :(

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 baggydub

baggydub
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:12 PM

Posted 27 December 2009 - 05:59 PM

Everything seems to be working just fine now!!! I ran Eset, it found 7 infections but said that it cleaned them all successfully. However, it did not put a log file in the directory you suggested. Does that matter?

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 28 December 2009 - 06:43 AM

It says it cleaned them all right? Don't worry about that :(


Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :(



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive




