
AXWIN Frame Window: svchost.exe - Application Error


11 replies to this topic

#1 Layman Dave

Layman Dave

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Atlanta, Georgia
  • Local time:12:50 PM

Posted 23 January 2010 - 02:54 PM

First may I say thank you, to all of you for what you do. I think this is honorable and speaks volumes of your personal character for you to take your personal time to help individuals like myself.

I received a pop-up stating that I had all types of infections on my laptop. I immediately used my Malwarebytes Anti-Malware (free version) program to run a scan. Nothing detected. Then I ran my AVG (free version) Anti-Virus program and it also detected nothing. Then I ran the Spybot Search & Destroy (free version) and it also detected nothing.

After seeing the pop-up of the ISO2010 repeatedly, I went to Google to search for a removal method and noticed that I was being redirected. I would get the opportunity to see the appropriate links, but once I clicked on those links, I was taken to a similar site sometimes, and other times I was taken to a completely different site. However, I noticed that if I clicked on the link within Google's search engine, usually about the 3rd or 4th time on the same link, I would then be connected to the appropriate site. One site did share with me how to remove the ISO2010 program by going into the files section and just deleting that file and 3-4 other files named ISO2010.

That all worked fine until a day or two later I received this svchost.exe - Application Error. This error will stay on the desktop until I click on the only two options it provides you, but no matter which one you click on, it starts an automatic shut down/restart of my laptop.

I purchased the RegCure Program to clean and fix my registry files, but that did nothing to help as far as I can tell.

I am operating with a Dell Inspiron E1505 laptop. I use a wireless router within my home. My OS is Microsoft Windows XP Professional Version 5.1.2600 Service Pack 3 Build 2600.

Please help me remove that application error issue. And if possible, help me with the Google redirect problem.


DDS (Ver_09-12-01.01) - NTFSx86
Run by David Barton at 13:22:07.92 on Sat 01/23/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.147 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RegCure\RegCure.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Barton\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.gamls.com/
mWindow Title = Windows Internet Explorer provided by Comcast
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: Comcast Toolbar: {4e7bd74f-2b8d-469e-93be-be2df4d9ae29} - c:\progra~1\comcas~1\COMCAS~1.DLL
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~2.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)" -"http://www.cartoonnetwork.com/games/eds/clashoftheidiots/index.html"
mRun: [LXBSCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBStime.dll,_RunDLLEntry@16
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: rexplorer.net
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4D054067-DE3A-48F9-B19B-BCD229B9AE8D} - hxxp://www.samsungdp.com/printerhelp/ActiveX/DrPrinter.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://support.rexplorer.net/iftw_install//iftwclix.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://gamls.crsdata.com/realestate/maps/downloads/mgaxctrlv65.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168714012718
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171077380453
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\davidb~1\applic~1\mozilla\firefox\profiles\8keghgdc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gamls.com
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-17 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-17 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-17 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-1-17 285392]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [2007-11-3 44256]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-1-2 38224]

=============== Created Last 30 ================

2010-01-23 16:57:00 0 d-----w- c:\program files\ieSpell
2010-01-22 14:52:48 0 d-----w- c:\docume~1\davidb~1\applic~1\ParetoLogic
2010-01-22 14:52:36 0 d-----w- c:\program files\ParetoLogic
2010-01-22 13:49:51 0 d-----w- c:\program files\common files\ParetoLogic
2010-01-22 13:49:51 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-01-22 13:49:46 0 d-----w- c:\docume~1\alluse~1\applic~1\XoftSpySE
2010-01-22 13:22:06 0 d-----w- c:\program files\TrendMicro
2010-01-22 12:16:24 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-01-17 21:32:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-17 21:32:29 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-17 21:32:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-17 21:32:16 0 d-----w- c:\windows\system32\drivers\Avg
2010-01-17 21:32:11 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-01-16 19:40:52 0 d--h--w- C:\$AVG
2010-01-16 19:39:20 0 d-----w- c:\program files\AVG
2010-01-16 19:39:11 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-01-10 02:35:24 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-10 02:20:01 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-03 00:02:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 00:02:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-03 00:02:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-02 23:05:33 0 ----a-w- c:\windows\system32\19169.exe
2010-01-02 22:45:33 0 ----a-w- c:\windows\system32\26500.exe
2010-01-02 22:25:32 0 ----a-w- c:\windows\system32\6334.exe
2010-01-02 21:38:55 0 d-----w- c:\docume~1\davidb~1\applic~1\MSA

==================== Find3M ====================

2010-01-22 15:49:09 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-22 15:49:09 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2007-03-04 19:44:04 88 --sh--r- c:\windows\system32\0EC28DE0C8.sys
2007-03-04 19:46:13 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:24:07.54 ===============

Attached Files




#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:50 PM

Posted 27 January 2010 - 02:51 PM

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Elle
Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro
?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Layman Dave

Layman Dave
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Atlanta, Georgia
  • Local time:12:50 PM

Posted 27 January 2010 - 03:27 PM

I believe I have completed these tasks correctly. Please advise if not. I still have the AXWIN pop-up issue.

Thank you.

Attached Files



#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:50 PM

Posted 28 January 2010 - 01:19 PM

Hello.

Please run a GMER rootkit scan for me as well. The previous ARK from RootRepeal shows you have a rootkit driver.

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you wish to continue, please follow the instructions below...


Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop: This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

Edited by extremeboy, 28 January 2010 - 01:20 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Layman Dave

Layman Dave
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Atlanta, Georgia
  • Local time:12:50 PM

Posted 28 January 2010 - 04:43 PM

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 16:33:23
Windows 5.1.2600 Service Pack 3
Running: m643dxmd.exe; Driver: C:\DOCUME~1\DAVIDB~1\LOCALS~1\Temp\fwtoapow.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86EAE841

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruitoibarnn.sys (*** hidden *** ) [SYSTEM] hjgruixyxubrqh <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
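The GMER report above is what the helper reads to call out the two major infections. As an added example (not code from the thread, from BleepingComputer or from GMER), this Python script sorts lines of such a log into findings a responder can act on: hidden services and suspicious driver modifications are high severity, a driver dispatch redirected to an address GMER cannot attribute is medium, and vendor-attributed IAT hooks are informational, reflecting the false-positive caveat in the instructions. The sample log is constructed from lines of the posted report; the names `triage_gmer`, `needs_escalation` and `Finding`, the severity scheme and the line patterns are my assumptions about GMER 1.0.15 output.

```python
"""Triage a GMER rootkit-scan log into findings a responder can act on.

Added example: not code from the thread, from BleepingComputer or from GMER.
The sample log is constructed from lines of the posted report; the severity
scheme and the line patterns are assumptions about GMER 1.0.15 output.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the posted GMER 1.0.15 report (raw string,
# so the Windows backslashes are kept literally).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-28 16:33:23

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[1548] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\YbSkin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86EAE841

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\hjgruitoibarnn.sys (*** hidden *** ) [SYSTEM] hjgruixyxubrqh <-- ROOTKIT !!!

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Section banners: "---- Services - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# A service GMER can see only by walking kernel structures, not via the API.
HIDDEN_SERVICE_RE = re.compile(
    r"^Service (?P<image>\S+) \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
# On-disk driver whose content differs from what GMER expects.
SUSPICIOUS_FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")
# "Device -> \Driver\x \Device\y ADDR": dispatch pointer redirected to an
# address GMER could not map to any loaded module.
HOOKED_DEVICE_RE = re.compile(
    r"^Device -> (?P<driver>\\Driver\\\S+) (?P<device>\S+) (?P<addr>[0-9A-F]+)$")
# User-mode import table hook; the trailing "(description/vendor)" is the
# module GMER attributed the hook to, if any.
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[\d+\] @ (?P<target>\S+) \[(?P<api>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-F]+)\] (?P<module>.+?) \((?P<desc>[^)]*)\)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    section: str   # GMER section the line came from
    detail: str    # human-readable summary for the responder


def triage_gmer(log_text: str) -> List[Finding]:
    """Walk a GMER log line by line and classify the entries that matter."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if (m := HIDDEN_SERVICE_RE.match(line)):
            findings.append(Finding("high", section,
                f"hidden service {m.group('name')} loads {m.group('image')} "
                f"({m.group('start')} start)"))
        elif (m := SUSPICIOUS_FILE_RE.match(line)):
            findings.append(Finding("high", section,
                f"on-disk modification of {m.group('path')}"))
        elif (m := HOOKED_DEVICE_RE.match(line)):
            findings.append(Finding("medium", section,
                f"{m.group('driver')} dispatch for {m.group('device')} "
                f"redirected to unattributed address {m.group('addr')}"))
        elif (m := IAT_RE.match(line)):
            # Hooks GMER attributes to a named vendor module (AV shims, UI
            # skinning libraries) are the usual false positives: keep them
            # visible but do not escalate on them alone.
            sev = "info" if m.group("desc").strip() else "medium"
            findings.append(Finding(sev, section,
                f"IAT hook on {m.group('api')} in {m.group('proc')} by "
                f"{m.group('module')} ({m.group('desc') or 'no vendor info'})"))
        # AttachedDevice, Device (filesystem) and header lines are ignored.
    return findings


def needs_escalation(findings: List[Finding]) -> bool:
    """True when at least one high-severity entry is present."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
    print("escalate:", needs_escalation(triage_gmer(SAMPLE_LOG)))
```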


#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:50 PM

Posted 28 January 2010 - 07:23 PM

Hello.

That's 2 major infections there.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#7 Layman Dave

Layman Dave
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Location:Atlanta, Georgia
  • Local time:12:50 PM

Posted 28 January 2010 - 09:32 PM

ComboFix 10-01-28.04 - David Barton 01/28/2010 21:06:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.583 [GMT -5:00]
Running from: c:\documents and settings\David Barton\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Acr67F4.tmp
C:\Acr67F5.tmp
C:\Acr67F6.tmp
C:\Acr67F7.tmp
C:\Acr67F8.tmp
C:\Acr67F9.tmp
C:\Acr67FA.tmp
C:\Acr67FB.tmp
C:\Acr67FC.tmp
C:\Acr67FD.tmp
C:\Acr67FE.tmp
C:\Acr67FF.tmp
C:\Acr6800.tmp
C:\Acr6801.tmp
C:\Acr6802.tmp
C:\Acr6803.tmp
C:\Acr6804.tmp
C:\Acr6805.tmp
C:\Acr6806.tmp
C:\Acr6807.tmp
C:\Acr6808.tmp
C:\Acr6809.tmp
C:\Acr680A.tmp
C:\Acr680B.tmp
C:\Acr680C.tmp
C:\Acr680D.tmp
C:\Acr680E.tmp
C:\Acr680F.tmp
C:\Acr6810.tmp
C:\Acr6811.tmp
C:\Acr6812.tmp
C:\Acr6813.tmp
C:\Acr6814.tmp
C:\Acr6815.tmp
C:\Acr6816.tmp
C:\Acr6817.tmp
C:\Acr6818.tmp
C:\Acr6819.tmp
C:\Acr681A.tmp
C:\Acr681B.tmp
C:\Acr681C.tmp
C:\Acr681D.tmp
C:\Acr681E.tmp
C:\Acr681F.tmp
C:\Acr6820.tmp
C:\Acr6821.tmp
C:\Acr6822.tmp
C:\Acr6823.tmp
C:\Acr6824.tmp
C:\Acr6825.tmp
C:\Acr6826.tmp
C:\Acr6827.tmp
C:\Acr6828.tmp
C:\Acr6829.tmp
C:\Acr682A.tmp
C:\Acr682B.tmp
C:\Acr682C.tmp
C:\Acr682D.tmp
C:\Acr682E.tmp
C:\Acr682F.tmp
C:\Acr6830.tmp
C:\Acr6831.tmp
C:\Acr6832.tmp
C:\Acr6833.tmp
C:\Acr6834.tmp
C:\Acr6835.tmp
C:\Acr6836.tmp
C:\Acr6837.tmp
C:\Acr6838.tmp
C:\Acr6839.tmp
C:\Acr683A.tmp
C:\Acr683B.tmp
C:\Acr683C.tmp
C:\Acr683D.tmp
C:\Acr683E.tmp
C:\Acr683F.tmp
C:\Acr6840.tmp
C:\Acr6841.tmp
C:\Acr6842.tmp
C:\Acr6843.tmp
C:\Acr6844.tmp
C:\Acr6845.tmp
C:\Acr6846.tmp
C:\Acr6847.tmp
C:\Acr6848.tmp
C:\Acr6849.tmp
C:\Acr684A.tmp
C:\Acr684B.tmp
C:\Acr684C.tmp
c:\documents and settings\David Barton\Application Data\MSA\download.list
c:\windows\kb913800.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\hjgruitoibarnn.sys
c:\windows\system32\hjgruifldtqvns.dat
c:\windows\system32\hjgruijrckjoba.dat
c:\windows\unins000.dat
c:\windows\unins000.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hjgruixyxubrqh
-------\Service_hjgruixyxubrqh


((((((((((((((((((((((((( Files Created from 2009-12-28 to 2010-01-29 )))))))))))))))))))))))))))))))
.

2010-01-23 16:57 . 2010-01-23 16:57 -------- d-----w- c:\program files\ieSpell
2010-01-22 14:52 . 2010-01-22 14:52 -------- d-----w- c:\documents and settings\David Barton\Application Data\ParetoLogic
2010-01-22 14:52 . 2010-01-22 14:52 -------- d-----w- c:\program files\ParetoLogic
2010-01-22 13:49 . 2010-01-22 14:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-01-22 13:49 . 2010-01-22 13:49 -------- d-----w- c:\program files\Common Files\ParetoLogic
2010-01-22 13:49 . 2010-01-22 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2010-01-22 13:22 . 2010-01-22 13:22 -------- d-----w- c:\program files\TrendMicro
2010-01-22 12:16 . 2010-01-22 12:20 -------- d-----w- c:\program files\RegCure
2010-01-22 12:16 . 2010-01-22 12:16 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-01-17 21:32 . 2010-01-17 21:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-17 21:32 . 2010-01-17 21:32 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-17 21:32 . 2010-01-17 21:32 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-17 21:32 . 2010-01-17 21:32 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-17 21:32 . 2010-01-28 20:01 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-17 21:32 . 2010-01-17 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-01-16 19:40 . 2010-01-18 01:38 -------- d-----w- C:\$AVG
2010-01-16 19:39 . 2010-01-16 19:39 -------- d-----w- c:\program files\AVG
2010-01-16 19:39 . 2010-01-27 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-10 02:35 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2010-01-10 02:32 . 2010-01-10 02:32 -------- d-----w- c:\program files\Windows Defender
2010-01-10 02:20 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-01-03 00:02 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-03 00:02 . 2010-01-10 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-03 00:02 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-02 21:38 . 2010-01-29 02:12 -------- d-----w- c:\documents and settings\David Barton\Application Data\MSA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 17:46 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-22 14:55 . 2007-01-05 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-22 13:22 . 2010-01-22 13:22 388096 ----a-r- c:\documents and settings\David Barton\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-18 01:35 . 2008-05-26 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-17 21:32 . 2010-01-27 14:18 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-01-16 19:40 . 2010-01-27 14:18 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-01-16 19:09 . 2007-01-16 21:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-16 19:09 . 2007-01-16 21:03 -------- d-----w- c:\program files\Symantec
2010-01-16 19:09 . 2007-01-16 21:03 -------- d-----w- c:\program files\Symantec Client Security
2010-01-16 19:09 . 2007-01-16 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-15 23:21 . 2007-01-18 15:32 -------- d-----w- c:\program files\Lx_cats
2010-01-10 02:22 . 2007-01-05 17:59 -------- d-----w- c:\program files\Google
2010-01-10 02:11 . 2007-01-05 17:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-10 01:40 . 2010-01-10 01:40 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-03 00:33 . 2008-05-26 20:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-21 19:14 . 2005-08-16 10:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-01 12:58 . 2007-10-30 19:18 -------- d-----w- c:\program files\CCleaner
2009-11-25 18:01 . 2010-01-17 21:34 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-21 15:51 . 2005-08-16 10:18 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-02-01 05:24 . 2007-07-17 16:08 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-02-01 05:24 . 2007-07-17 16:08 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-01 05:24 . 2007-07-17 16:08 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-02-01 05:24 . 2007-07-17 16:08 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-02-01 05:24 . 2007-07-17 16:08 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-04 19:44 . 2007-01-17 16:49 88 --sh--r- c:\windows\system32\0EC28DE0C8.sys
2007-03-04 19:46 . 2007-01-17 16:49 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBSCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 65536]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-18 507904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-01-05 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-17 2033432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-17 21:32 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2006-11-23 06:35 1392640 ----a-w- c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2007-04-19 18:21 198184 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 20:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELBERT_S2P]
2006-08-18 05:22 241664 ----a-w- c:\program files\SAMSUNG\Samsung SCX-5x30 Series\SPanel\PSU\Scan2pc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1173718778\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-14 05:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-14 05:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-14 05:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2005-06-10 09:21 217088 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 22:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 22:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-01-05 17:57 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
2006-08-18 10:15 507904 ----a-w- c:\windows\Samsung\PanelMgr\SSMMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-03-25 05:30 282624 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-09 00:48 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"WANMiniportService"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"SymSecurePort"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"sprtsvc_ddoctorv2"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"SNDSrvc"=2 (0x2)
"SavRoam"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)
"MDM"=2 (0x2)
"LxrJD31s"=2 (0x2)
"lxbs_device"=3 (0x3)
"LiveUpdate"=3 (0x3)
"ISSVC"=2 (0x2)
"GoToAssist"=3 (0x3)
"GoogleDesktopManager"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1173718778\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/17/2010 4:32 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/17/2010 4:32 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/17/2010 4:31 PM 285392]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [11/3/2007 11:57 AM 44256]
.
Contents of the 'Scheduled Tasks' folder

2010-01-22 c:\windows\Tasks\ParetoLogic Privacy Controls_{C88ABD92-0765-11DF-A3DB-00038A000015}.job
- c:\program files\ParetoLogic\Privacy Controls\Pareto_PC.exe [2009-12-02 00:46]

2010-01-28 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]

2010-01-22 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]

2010-01-28 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-29 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]

2010-01-22 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-12-11 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gamls.com/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: rexplorer.net
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\David Barton\Application Data\Mozilla\Firefox\Profiles\8keghgdc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.gamls.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-pccguide - (no file)
AddRemove-Spybot - Search & Destroy_is1 - c:\windows\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-28 21:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBSCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3076)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\locator.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2010-01-28 21:25:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-29 02:25
ComboFix2.txt 2008-05-08 13:26
ComboFix3.txt 2008-05-08 13:21

Pre-Run: 33,570,013,184 bytes free
Post-Run: 33,424,035,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 8DA6942CAD356FD654432F9F09354D60
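The log above is worth reading as a detection problem, not only as a cleanup record: a driver and two data files in system32 share one random-looking prefix (hjgrui), the same prefix names a Legacy_/Service_ pair under Drivers/Services, three executables in system32 have purely numeric names, a core driver (atapi.sys) was found patched in place, and the Windows Firewall is off in the standard profile. The Python script below, added here as an example and not code from ComboFix or from anyone in this thread, pulls those findings out of the log text automatically. SAMPLE_LOG is an excerpt of the log posted above; the section parsing and the heuristic thresholds (six-character prefix, three or more files per family) are my assumptions, not rules ComboFix applies.

```python
"""Triage heuristics for a ComboFix log.

Added example: this is not ComboFix's own code and was not posted in the
thread. SAMPLE_LOG is an excerpt of the log above, cut down to the lines the
heuristics look at; the rules are assumptions about what 'looks wrong', not
rules ComboFix applies.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Acr674E.tmp
c:\windows\kb913800.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\6334.exe
c:\windows\system32\drivers\hjgruitoibarnn.sys
c:\windows\system32\hjgruifldtqvns.dat
c:\windows\system32\hjgruijrckjoba.dat
c:\windows\unins000.dat
c:\windows\unins000.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hjgruixyxubrqh
-------\Service_hjgruixyxubrqh

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Heuristic thresholds (assumptions): a "family" is a random prefix of this
# length shared by at least this many files under system32.
PREFIX_LEN = 6
MIN_FAMILY = 3

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
NUMERIC_EXE_RE = re.compile(r"\\system32\\\d+\.exe$", re.I)
SYS32_NAME_RE = re.compile(r"\\system32\\(?:drivers\\)?([a-z0-9]+\.(?:sys|dat|dll))$", re.I)
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$", re.I)
SERVICE_RE = re.compile(r"^-+\\((?:Legacy|Service)_\w+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


def split_sections(text):
    """Map each ComboFix section title to its non-empty lines ('.' spacers dropped)."""
    sections = defaultdict(list)
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and line != ".":
            sections[current].append(line)
    return sections


def random_prefix_families(paths):
    """Group system32 files by the first PREFIX_LEN letters of their basename.

    A dropper that derives every filename from one random seed leaves several
    files (driver, data files) sharing a meaningless prefix; a prefix carried
    by MIN_FAMILY or more files is reported as one family (prefix -> names).
    """
    groups = defaultdict(set)
    for p in paths:
        m = SYS32_NAME_RE.search(p)
        if m:
            name = m.group(1).lower()
            groups[name[:PREFIX_LEN]].add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= MIN_FAMILY}


def triage(log_text):
    """Return the findings a responder would pull out of a ComboFix log."""
    sec = split_sections(log_text)
    deleted = sec.get("Other Deletions", [])
    families = random_prefix_families(deleted)
    services = [SERVICE_RE.match(l).group(1)
                for l in sec.get("Drivers/Services", []) if SERVICE_RE.match(l)]
    return {
        # executables named only with digits dropped straight into system32
        "numeric_exes": [p for p in deleted if NUMERIC_EXE_RE.search(p)],
        # files sharing one random prefix under system32
        "families": families,
        # legitimate system files ComboFix found patched in place
        "patched_system_files": [INFECTED_RE.match(l).group(1)
                                 for l in deleted if INFECTED_RE.match(l)],
        # Legacy_/Service_ entries whose name belongs to one of those families
        "rootkit_services": [s for s in services
                             if s.split("_", 1)[1][:PREFIX_LEN].lower() in families],
        # Windows Firewall switched off in the standard profile
        "firewall_disabled": any(FIREWALL_OFF_RE.match(l)
                                 for l in sec.get("Reg Loading Points", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a full ComboFix.txt by replacing SAMPLE_LOG with the file contents; the section titles and the "Infected copy of ..." sentence are taken verbatim from the log format shown above, so the same parser applies to the complete log. The prefix-family rule is deliberately blind to what the prefix means: it only needs several otherwise unrelated system32 files to share a string that no Windows component uses, which is exactly the pattern the hjgrui* files and the matching Legacy_/Service_ pair show here.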


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:50 PM

Posted 28 January 2010 - 09:52 PM

Hello.

Looks a lot better.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy

#9 Layman Dave

Layman Dave
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Location:Atlanta, Georgia
  • Local time:12:50 PM

Posted 28 January 2010 - 10:55 PM

I was running the Kaspersky scan and it seemed to have affected my screen. The screen went black and the fonts were highlighted in weird neon colors. I was able to "x" out and restart the laptop. All seems normal and I have no longer received the pop-up that initially started this whole thread.

I will monitor and post within the next 24 hours if anything odd occurs.

Thank you so much. You have helped me and my family and we are all appreciative. Again, Thank you!!

#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:50 PM

Posted 29 January 2010 - 01:34 PM

You're welcome. :)

Glad I could help out. Let me know how it goes, and if you have any updates, feel free to let me know.

~EB

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:50 PM

Posted 01 February 2010 - 12:33 PM

How's everything coming along?

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:50 PM

Posted 03 February 2010 - 03:41 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help :)
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy



