
AVE.EXE


This topic is locked
21 replies to this topic

#1 jojo32

jojo32

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 25 March 2010 - 02:09 AM

So this program was running fake antivirus programs. I couldn't even get into Windows anymore. It wouldn't start all the way up. I finally got into safe mode with networking without it restarting. I had to hit Escape when it boots up in safe mode on one file, because when it loads that file, no Windows. Anyways, once in, the fake antivirus kept coming up. Finally got the source file deleted. Doesn't run anymore. EXEs would then not work. I was able to re-add it as a file extension; now that works. System isn't healed yet. I can only get into Windows through safe mode. I'm sure there are still issues.

This is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:08 PM, on 2010-03-24
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {a7ca873e-9ccd-41a7-b6e2-1d86a26fa9d8} - jepiliwu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [putowozapo] Rundll32.exe "simageme.dll",s
O4 - HKLM\..\Run: [Htevay] rundll32.exe "C:\WINDOWS\evuciviciduhak.dll",Startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Monica\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [COM+ Manager] "C:\Documents and Settings\Monica\.COMMgr\complmgr.exe"
O4 - HKUS\S-1-5-19\..\Run: [putowozapo] Rundll32.exe "simageme.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [putowozapo] Rundll32.exe "simageme.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: fghsmn.dll,yihuhote.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)
O23 - Service: WinFtp Server Service (WinFTP Server Service) - Unknown owner - C:\Program Files\WinFtp Server\WFTPSRV.exe (file missing)

--
End of file - 9319 bytes

I attached DDS.txt, but Attach.txt says don't attach it unless asked to. GMER had some weird problems when I tried to use it. Is this enough info to get some help?

Attached Files

  • Attached File  DDS.txt   16.82KB   9 downloads

Edited by jojo32, 25 March 2010 - 02:11 AM.
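The HijackThis log above carries several persistence patterns that can be picked out mechanically rather than by eye: Run values that call rundll32 on a DLL given by bare name or dropped in the Windows root, the same value planted under the LOCAL SERVICE and NETWORK SERVICE profiles, a non-empty AppInit_DLLs (O20), a nameless BHO whose DLL is gone, a service with a `\\?\globalroot` image path and no publisher, and a core system image name (lsass.exe) running outside system32. The script below is an added example, written for this page; it is not part of the thread, of BleepingComputer's advice, or of Trend Micro's HijackThis. The rules are my own heuristics, and the sample log is constructed from lines in the logs posted in this thread (including the AppData lsass.exe reported by RKill later in the thread) plus a few benign lines so the filter has something to leave alone.

```python
"""Triage a HijackThis log for the persistence patterns visible in the thread.

Added example; not from the thread, BleepingComputer or Trend Micro's
HijackThis.  The rules below are my own heuristics, and SAMPLE_LOG is
constructed from lines in the logs posted in this thread plus benign lines.
"""
import ntpath
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (reason, offending log line)

# Core system image names that only legitimately run from %SystemRoot%\system32.
SYSTEM_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
               "services.exe", "svchost.exe"}
# LOCAL SERVICE / NETWORK SERVICE: user software has no business autostarting here.
SERVICE_ACCOUNT_SIDS = ("S-1-5-19", "S-1-5-20")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")  # 'Running processes' lines are bare paths
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)


def _system_image_out_of_place(path: str) -> bool:
    """lsass.exe (etc.) anywhere but ...\\system32 is a decoy, not the real one."""
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    return ntpath.basename(path).lower() in SYSTEM_ONLY and parent != "system32"


def _first_token(cmd: str) -> str:
    """Executable part of an autorun value: the quoted path, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage(log_text: str) -> List[Finding]:
    """Return (reason, line) pairs for every line that trips one of the rules."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROC_RE.match(line):
            if _system_image_out_of_place(line):
                findings.append(("system image name running outside system32", line))
        elif (m := O2_RE.match(line)):
            if "(no name)" in m["name"] and "(file missing)" in m["path"]:
                findings.append(("nameless BHO whose DLL is gone (orphaned loader)", line))
        elif (m := O4_RE.match(line)):
            if any(sid in m["hive"] for sid in SERVICE_ACCOUNT_SIDS):
                findings.append(("Run key in a service-account profile", line))
            d = RUNDLL_RE.search(m["cmd"])
            if d:
                dll = d["dll"]
                if "\\" not in dll:  # resolved via the DLL search order, not a fixed path
                    findings.append(("rundll32 loads a DLL by bare name (search-order resolution)", line))
                elif ntpath.dirname(dll).lower().rstrip("\\") == r"c:\windows":
                    findings.append(("rundll32 loads a DLL dropped in the Windows root", line))
            elif "\\" not in _first_token(m["cmd"]):
                findings.append(("autorun executable given without a full path", line))
        elif (m := O20_RE.match(line)):
            n = len([d for d in m["dlls"].split(",") if d.strip()])
            findings.append((f"AppInit_DLLs set: {n} DLL(s) injected into every user32.dll process", line))
        elif (m := O23_RE.match(line)):
            path = m["path"]
            if "\\\\?\\globalroot" in path.lower() or (
                    "unknown owner" in m["owner"].lower() and "(file missing)" in path):
                findings.append(("service with globalroot/missing image and no publisher", line))
    return findings


# Constructed sample: lines taken from the logs in this thread plus benign ones.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\Documents and Settings\Monica\Application Data\SystemProc\lsass.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {a7ca873e-9ccd-41a7-b6e2-1d86a26fa9d8} - jepiliwu.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [putowozapo] Rundll32.exe "simageme.dll",s
O4 - HKLM\..\Run: [Htevay] rundll32.exe "C:\WINDOWS\evuciviciduhak.dll",Startup
O4 - HKUS\S-1-5-19\..\Run: [putowozapo] Rundll32.exe "simageme.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: fghsmn.dll,yihuhote.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

On the sample this flags nine entries and leaves the AVG service, the Adobe BHO and the HP updater alone. The rules are deliberately narrow: a bare `ALCXMNTR.EXE` is only "no full path", not "malicious", and the script makes no attempt to judge the random DLL names themselves; it is a first pass to decide which lines deserve a closer look before any removal tool is run.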



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:06 PM

Posted 25 March 2010 - 06:54 AM

Hello Victim,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

3.
See if you can get into normal mode now.


Things to include in your next reply:
Rkill log
Combofix.txt
Can you get into Normal mode now?
How is your machine running?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 jojo32

jojo32
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 25 March 2010 - 01:03 PM

OK, so here is how that went:

RKill Log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Monica on 2010-03-25 at 10:07:34.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Monica\Application Data\SystemProc\lsass.exe
C:\Documents and Settings\Monica\Desktop\rkill.pif


Rkill completed on 2010-03-25 at 10:07:45.

Combofix Log:

ComboFix 10-03-24.03 - Monica 2010-03-25 10:24:46.4.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.652 [GMT -7:00]
Running from: c:\documents and settings\Monica\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\confin.sys
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\Monica\Application Data\.#
c:\documents and settings\Monica\Application Data\SystemProc
c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe
c:\documents and settings\Monica\Local Settings\Application Data\{F1906153-80DC-4C25-861C-1EB38E741760}
c:\documents and settings\Monica\Local Settings\Application Data\{F1906153-80DC-4C25-861C-1EB38E741760}\chrome.manifest
c:\documents and settings\Monica\Local Settings\Application Data\{F1906153-80DC-4C25-861C-1EB38E741760}\chrome\content\_cfg.js
c:\documents and settings\Monica\Local Settings\Application Data\{F1906153-80DC-4C25-861C-1EB38E741760}\chrome\content\overlay.xul
c:\documents and settings\Monica\Local Settings\Application Data\{F1906153-80DC-4C25-861C-1EB38E741760}\install.rdf
c:\documents and settings\Monica\Local Settings\Temporary Internet Files\5GfQJ6l5.jpg
c:\documents and settings\Monica\Local Settings\Temporary Internet Files\cLxd12XAt.jpg
c:\documents and settings\Monica\Local Settings\Temporary Internet Files\jBtjddOa5.jpg
c:\documents and settings\Monica\Local Settings\Temporary Internet Files\jr16hLu2.jpg
c:\documents and settings\Monica\My Documents\WgaTray.exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\windows\evuciviciduhak.dll
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\dumphive.exe
c:\windows\system32\gowoleti.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\jepiliwu.dll
c:\windows\system32\net.net
c:\windows\system32\ntnet.drv
c:\windows\system32\o4Patch.exe
c:\windows\system32\Packet.dll
c:\windows\system32\Process.exe
c:\windows\system32\pthreadVC.dll
c:\windows\system32\rundll32 .exe
c:\windows\system32\simageme.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\vayuhowa.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\WS2Fix.exe
c:\windows\system32\yihuhote.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\trhasi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_WINDOWS_MSI
-------\Service_NPF
-------\Service_Windows MSI


((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 07:02 . 2010-03-25 07:02 1026 ----a-w- C:\autoexec.exe
2010-03-25 06:57 . 2010-03-25 06:57 42496 --sh--w- c:\windows\system32\jisaleyu.dll
2010-03-25 06:31 . 2010-03-25 06:31 -------- d-----w- C:\EmergencyUtils
2010-03-25 06:11 . 2010-03-25 06:11 20678 ----a-w- c:\windows\Gjumupijaferoc.dat
2010-03-25 06:08 . 2010-03-25 06:08 203776 --sha-w- c:\documents and settings\Monica\Local Settings\Application Data\128822158.dll
2010-03-25 05:48 . 2010-03-25 05:48 -------- d-----w- c:\windows\LastGood
2010-03-25 05:47 . 2010-03-25 05:47 27648 ----a-w- c:\windows\system32\alcxmntr.exe
2010-03-25 05:47 . 2010-03-25 05:47 -------- d-sh--w- c:\documents and settings\Monica\.COMMgr
2010-03-25 05:46 . 2010-03-25 05:46 167936 ----a-w- c:\windows\Bjovaa.exe
2010-03-25 05:45 . 2010-03-25 05:45 -------- d-----w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309
2010-03-13 17:38 . 2010-03-13 17:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 05:20 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 19:33 . 2010-03-06 19:33 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 18:03 . 2010-03-14 00:03 -------- d-----w- C:\$AVG
2010-02-25 18:02 . 2010-02-27 05:26 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 05:47 . 2010-02-08 04:18 -------- d-----w- c:\program files\iTunes
2010-03-25 05:47 . 2009-10-05 01:05 -------- d-----w- c:\program files\QuickTime
2010-03-25 05:47 . 2008-12-17 18:36 27648 ----a-w- c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe
2010-03-25 05:47 . 2009-05-15 23:51 -------- d-----w- c:\documents and settings\Monica\Application Data\mjusbsp
2010-03-25 05:47 . 2009-02-09 06:31 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-25 05:45 . 2010-03-25 05:45 961024 ----a-w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
2010-03-24 20:40 . 2008-11-11 23:39 -------- d-----w- c:\documents and settings\Monica\Application Data\.BitTornado
2010-03-13 17:38 . 2010-03-13 17:38 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-13 17:38 . 2010-03-13 17:38 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-13 17:38 . 2010-03-13 17:38 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-13 17:38 . 2008-11-04 08:24 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 17:38 . 2008-11-04 08:24 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 17:37 . 2008-11-04 08:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:32 . 2009-02-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 19:30 . 2010-03-06 19:30 503808 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcp71.dll
2010-03-06 19:30 . 2010-03-06 19:30 499712 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\jmc.dll
2010-03-06 19:30 . 2010-03-06 19:30 348160 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcr71.dll
2010-03-06 19:30 . 2010-03-06 19:30 61440 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-sse.dll
2010-03-06 19:30 . 2010-03-06 19:30 12800 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-d3d.dll
2010-03-06 19:30 . 2009-01-02 06:06 -------- d-----w- c:\program files\Java
2010-02-27 05:29 . 2010-02-27 05:29 1261336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-27 05:28 . 2010-02-27 05:29 3777816 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-25 18:02 . 2010-02-27 20:39 3499288 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avguires.dll
2010-02-25 18:02 . 2010-02-27 20:39 2422552 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avguiadv.dll
2010-02-25 18:02 . 2010-02-27 20:39 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-02-25 18:02 . 2010-02-27 20:39 1207064 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgabout.dll
2010-02-25 18:02 . 2010-02-27 20:39 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-02-25 18:02 . 2010-03-13 17:35 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-02-25 18:02 . 2010-03-13 17:35 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-02-25 18:02 . 2010-03-13 17:35 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-02-25 18:02 . 2010-03-13 17:35 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-02-25 18:02 . 2008-11-04 08:24 -------- d-----w- c:\program files\AVG
2010-02-08 04:18 . 2010-02-08 04:18 -------- d-----w- c:\program files\iPod
2010-02-08 04:18 . 2008-11-04 19:13 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 04:11 . 2010-02-08 04:11 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 22:44 . 2009-01-12 10:28 -------- d-----w- c:\program files\DivX
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\program files\XBMC
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\documents and settings\Monica\Application Data\XBMC
2010-02-06 04:47 . 2010-02-06 04:39 48449677 ----a-w- C:\xbmc.exe
2010-02-06 04:36 . 2010-02-06 04:36 328984 ----a-w- C:\xvidsetup.exe
2010-02-06 04:14 . 2008-11-04 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 04:12 . 2010-02-06 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
2010-02-06 04:07 . 2010-02-06 04:07 -------- d-----w- c:\program files\Xenocode
2010-02-06 04:00 . 2009-01-14 11:04 -------- d-----w- c:\documents and settings\Monica\Application Data\DivX
2010-02-06 03:58 . 2010-01-31 02:30 -------- d-----w- c:\documents and settings\Monica\Application Data\vlc
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-31 18:37 . 2008-11-24 06:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 02:20 . 2010-01-31 02:20 18030130 ----a-w- C:\vlc-1.0.3-win32.exe
2010-01-23 00:58 . 2010-01-23 00:57 6572615 ----a-w- C:\Firefox Setup 3.6.exe
2010-01-15 00:50 . 2010-01-15 00:50 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-15 00:50 . 2010-01-15 00:50 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-15 00:50 . 2010-01-15 00:50 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-15 00:50 . 2010-01-15 00:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-15 00:49 . 2010-01-15 00:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-15 00:49 . 2010-01-15 00:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-15 00:49 . 2010-01-15 00:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-15 00:49 . 2010-01-15 00:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-15 00:49 . 2010-01-15 00:49 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-15 00:49 . 2010-01-15 00:49 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-15 00:49 . 2010-01-15 00:49 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-15 00:49 . 2010-01-15 00:49 525792 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\DIFxAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-15 00:49 . 2010-01-15 00:49 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-15 00:48 . 2010-01-15 00:48 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-15 00:48 . 2010-01-15 00:48 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-15 00:48 . 2010-01-15 00:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-15 00:48 . 2010-01-15 00:48 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-15 00:48 . 2010-01-15 00:48 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 00:48 . 2010-01-15 00:48 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-15 00:47 . 2010-01-15 00:47 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-15 00:47 . 2010-01-15 00:47 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-12-31 16:50 . 2006-08-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:37 . 2009-12-30 02:36 4938616 ----a-w- C:\Silverlight.exe
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\kadofebi.dll
.
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-25 27648]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2010-03-25 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-25 27648]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-25 27648]
"COM+ Manager"="c:\documents and settings\Monica\.COMMgr\complmgr.exe" [2010-03-25 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-25 27648]
"AlcxMonitor"="ALCXMNTR.EXE" [2010-03-25 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-25 27648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-25 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-03-25 27648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-25 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-25 27648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-25 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]
"putowozapo"="simageme.dll" [N/A]
"Htevay"="c:\windows\evuciviciduhak.dll" [N/A]
"peyofoset"="c:\windows\system32\simejufa.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 17:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
c:\program files\FlashGet\FlashGet.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Monica\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-08-20 9:40 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-03-16 22536]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-04 1:24 AM 242696]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 7:49 AM 1029456]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-02-08 717296]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-04 1:24 AM 216200]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
S2 WinFTP Server Service;WinFtp Server Service;c:\program files\WinFtp Server\WFTPSRV.exe service --> c:\program files\WinFtp Server\WFTPSRV.exe service [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003Core.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 05:47]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003UA.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 05:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D292708D-E14F-4A6D-B087-DA491FF7F689} = 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{4597b29b-987e-02f0-ccdf-20e8080820fd} - c:\windows\evuciviciduhak.dll
BHO-{a7ca873e-9ccd-41a7-b6e2-1d86a26fa9d8} - jepiliwu.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
SharedTaskScheduler-{3f428b1c-d89f-49e2-9472-895b3b7c5aa7} - c:\windows\system32\simejufa.dll
SSODL-pekobesep-{3f428b1c-d89f-49e2-9472-895b3b7c5aa7} - c:\windows\system32\simejufa.dll
AddRemove-123 Free Solitaire_is1 - c:\program files\123 Free Solitaire\unins000.exe
AddRemove-Bejeweled Twist 1.0 - c:\program files\PopCap Games\Bejeweled Twist\PopUninstall.exe
AddRemove-Chuzzle Deluxe_is1 - c:\program files\PopCap Games\Chuzzle Deluxe\unins000.exe
AddRemove-FolderLock6 - c:\program files\Folder Lock\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe??????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
COM+ Manager = "c:\documents and settings\Monica\.COMMgr\complmgr.exe"?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x866F0CA1]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78a3f28
\Driver\ACPI -> ACPI.sys @ 0xf76cecb8
\Driver\atapi -> atapi.sys @ 0xf7660852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(532)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(268)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-03-25 10:53:33 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 17:53
ComboFix2.txt 2008-12-14 00:40
ComboFix3.txt 2008-12-14 00:08
ComboFix4.txt 2008-12-12 01:54

Pre-Run: 1,864,388,608 bytes free
Post-Run: 2,079,391,744 bytes free

- - End Of File - - 234E9D01B554D317A7BE14E0588AE7C8


ComboFix needed to restart first because it said it found rootkits. It couldn't restart by itself into normal mode, so I got it back into safe mode. It then deleted a bunch of files and folders. It restarted again; I had to aid it into safe mode as well. When it tries to boot in normal mode, once it gets to the Windows logo with a status bar it quickly flashes to a blue screen and restarts. When booting in safe mode with networking it says hit escape to cancel the load of SPTD.SYS, and then I hit Esc. That's the only way I can get in. Everything seems very sluggish. Typing response is slow.

#4 jojo32
  • Topic Starter
  • Members
  • 13 posts

Posted 25 March 2010 - 01:07 PM

Update: typing was only sluggish in that post because it was so long; it had so much info. Typing is fine anywhere else.

Another symptom I am having is a search page redirect. I search for a simple thing such as myspace, click the first link, and it goes somewhere else. It seems to be the major search engines (Google, Yahoo). I tried a smaller, more unknown one, Dogpile, and it works.

I can get to most normal sites, but for a simple thing like Gmail, IE says "There is a problem with this website's security certificate." and Firefox says "You have asked Firefox to connect securely to www.google.com, but we can't confirm that your connection is secure." The technical details also say "www.google.com uses an invalid security certificate.

The certificate is not trusted because it is self-signed.
The certificate is only valid for localhost.localdomain
The certificate expired on 2009-12-16 3:38 PM.

(Error code: sec_error_expired_issuer_certificate)"

Edited by jojo32, 25 March 2010 - 01:54 PM.


#5 fireman4it
  Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 25 March 2010 - 03:37 PM

Hello jojo32,

Thanks for the logs. You were severely infected. There are a lot of leftovers we will try to deal with this round.

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

2.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case BitTornado). These programmes allow you to share files between users, as the name(s) suggest. In today's world cyber crime has come to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

3.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Files:
c:\windows\Bjovaa.exe
c:\windows\system32\jisaleyu.dll
c:\windows\Gjumupijaferoc.dat
c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
c:\windows\system32\kadofebi.dll
c:\documents and settings\Monica\.COMMgr\complmgr.exe
c:\windows\evuciviciduhak.dll
c:\windows\system32\simejufa.dll
c:\windows\system32\simageme.dll
c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe

Renv:
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask .exe

Registry:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COM+ Manager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"putowozapo"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Htevay"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"peyofoset"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
Combofix.txt
Can you boot into normal mode now?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


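As an added triage example (not ComboFix's code and not part of the helper's or poster's posts), the script below parses the Run-key, Security Center and firewall-policy lines copied from the log excerpts above and flags the same kinds of indicator the CFScript targets: [N/A] autostart entries, bare filenames, a system-binary name (lsass.exe) outside c:\windows, the dot-directory .COMMgr, the "name .exe" renamed originals, overridden AV/firewall notifications, and the single [date size] stamp shared by every autostart target. The sample log is constructed from those excerpts; the category names, the 3-entry threshold and the helper names are assumptions of mine, not ComboFix terminology.

```python
"""Triage a ComboFix-style log excerpt for the indicators discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log excerpts posted above.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-25 27648]
"COM+ Manager"="c:\documents and settings\Monica\.COMMgr\complmgr.exe" [2010-03-25 27648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2010-03-25 27648]
"putowozapo"="simageme.dll" [N/A]
"Htevay"="c:\windows\evuciviciduhak.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe" [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\QuickTime\qttask .exe
"""

VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
RUN_VALUE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
DWORD = re.compile(r'^dword:(?P<hex>[0-9a-fA-F]{8})$')
INT_PAREN = re.compile(r'^(?P<n>\d+)\s*\(0x[0-9a-fA-F]+\)$')
SPACED_EXT = re.compile(r' \.(?:exe|dll|sys)$', re.IGNORECASE)
# Binaries that belong under c:\windows; a copy elsewhere is impersonating them.
SYSTEM_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "smss.exe"}
# Value name -> setting that means protection is off or its warnings are silenced.
WEAK_STATE = {"antivirusoverride": 1, "firewalloverride": 1,
              "enablefirewall": 0, "disablenotifications": 1}


@dataclass(frozen=True)
class Finding:
    kind: str    # category label (my own naming, not ComboFix's)
    name: str    # registry value name, file path, or shared [date size] stamp
    detail: str


def _as_int(value: str):
    """Decode 'dword:00000001' or '0 (0x0)' style values; None for anything else."""
    m = DWORD.match(value)
    if m:
        return int(m.group("hex"), 16)
    m = INT_PAREN.match(value)
    return int(m.group("n")) if m else None


def _run_findings(name: str, path: str, meta: str) -> list:
    # Checks on one autostart entry of the form "name"="path" [date size] or [N/A].
    out = []
    if meta.upper() == "N/A":
        out.append(Finding("run-unverified", name, f"{path}: no date/size reported"))
    if "\\" not in path:
        out.append(Finding("run-bare-name", name, f"{path}: resolved via search path"))
    parts = path.lower().split("\\")
    if parts[-1] in SYSTEM_NAMES and not path.lower().startswith("c:\\windows\\"):
        out.append(Finding("run-system-name-outside-windows", name, path))
    if any(p.startswith(".") for p in parts[:-1]):
        out.append(Finding("run-dot-directory", name, path))
    return out


def triage(log_text: str) -> list:
    findings, by_stamp, key = [], {}, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current registry key header
            continue
        m = VALUE_LINE.match(line)
        if m is None:
            # Bare path lines: flag the "name .exe" rename pattern.
            if SPACED_EXT.search(line):
                findings.append(Finding("renamed-original", line, "space before extension"))
            continue
        name, value = m.group("name"), m.group("value")
        bad = WEAK_STATE.get(name.lower())
        if bad is not None and _as_int(value) == bad:
            findings.append(Finding("protection-disabled", name, f"{key}: {name}={bad}"))
        if key.lower().endswith("\\run"):
            r = RUN_VALUE.match(value)
            if r:
                path, meta = r.group("path"), r.group("meta").strip()
                findings.extend(_run_findings(name, path, meta))
                if meta.upper() != "N/A":
                    by_stamp.setdefault(meta, set()).add(path.lower())
    # Several unrelated autostart targets sharing one [date size] stamp suggests the
    # originals were replaced by copies of a single file, as the log above shows.
    for stamp, paths in by_stamp.items():
        if len(paths) >= 3:
            findings.append(Finding("uniform-stamp", stamp, f"{len(paths)} targets report [{stamp}]"))
    return findings


def summarize(findings: list) -> dict:
    """Map each finding kind to the sorted list of names it hit."""
    out = {}
    for f in findings:
        out.setdefault(f.kind, []).append(f.name)
    return {k: sorted(v) for k, v in out.items()}
```

Running `summarize(triage(SAMPLE_LOG))` groups the hits by category, which is the review list a helper would compare against before writing a removal script.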
#6 jojo32
  • Topic Starter
  • Members
  • 13 posts

Posted 25 March 2010 - 04:42 PM

It was able to boot in normal mode by itself this time, accompanied by a few errors that certain files couldn't run. I recognized them as files related to this virus/malware. I can't get AVG to not run, nor is it uninstalling properly. Here is the ComboFix log:

ComboFix 10-03-24.03 - Monica 2010-03-25 14:22:35.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.471 [GMT -7:00]
Running from: c:\documents and settings\Monica\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Monica\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Monica\rundll32 .exe
c:\documents and settings\Monica\rundll32.exe
c:\program files\Adobe\acrotray .exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\app_dll.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 21:21 . 2010-03-25 21:21 27648 ----a-w- c:\documents and settings\Monica\alcxmntr.exe
2010-03-25 17:55 . 2010-03-25 17:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 17:55 . 2010-03-25 19:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 07:02 . 2010-03-25 07:02 1026 ----a-w- C:\autoexec.exe
2010-03-25 06:57 . 2010-03-25 06:57 42496 --sh--w- c:\windows\system32\jisaleyu.dll
2010-03-25 06:31 . 2010-03-25 06:31 -------- d-----w- C:\EmergencyUtils
2010-03-25 06:11 . 2010-03-25 06:11 20678 ----a-w- c:\windows\Gjumupijaferoc.dat
2010-03-25 06:08 . 2010-03-25 06:08 203776 --sha-w- c:\documents and settings\Monica\Local Settings\Application Data\128822158.dll
2010-03-25 05:47 . 2010-03-25 05:47 27648 ----a-w- c:\windows\system32\alcxmntr.exe
2010-03-25 05:47 . 2010-03-25 21:20 -------- d-sh--w- c:\documents and settings\Monica\.COMMgr
2010-03-25 05:46 . 2010-03-25 05:46 167936 ----a-w- c:\windows\Bjovaa.exe
2010-03-25 05:45 . 2010-03-25 05:45 -------- d-----w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309
2010-03-13 17:38 . 2010-03-13 17:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-03-11 05:20 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 19:33 . 2010-03-06 19:33 -------- d-----w- c:\program files\Common Files\Java
2010-02-25 18:03 . 2010-03-14 00:03 -------- d-----w- C:\$AVG
2010-02-25 18:02 . 2010-03-25 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 21:33 . 2010-03-25 21:33 27648 ----a-w- c:\documents and settings\Monica\rundll32.exe
2010-03-25 21:33 . 2010-03-25 21:33 27648 ----a-w- c:\documents and settings\Monica\rundll32 .exe
2010-03-25 21:33 . 2010-02-08 04:18 -------- d-----w- c:\program files\iTunes
2010-03-25 21:33 . 2009-10-05 01:05 -------- d-----w- c:\program files\QuickTime
2010-03-25 21:33 . 2009-05-15 23:51 -------- d-----w- c:\documents and settings\Monica\Application Data\mjusbsp
2010-03-25 21:33 . 2008-12-17 18:36 27648 ----a-w- c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe
2010-03-25 21:33 . 2009-02-09 06:31 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-25 21:21 . 2010-03-25 21:21 27648 ----a-w- c:\documents and settings\Monica\alcxmntr .exe
2010-03-25 20:23 . 2008-12-11 03:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 20:22 . 2009-01-12 01:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-25 05:45 . 2010-03-25 05:45 961024 ----a-w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
2010-03-24 20:40 . 2008-11-11 23:39 -------- d-----w- c:\documents and settings\Monica\Application Data\.BitTornado
2010-03-13 17:38 . 2010-03-13 17:38 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-03-13 17:38 . 2010-03-13 17:38 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-03-13 17:38 . 2010-03-13 17:38 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
2010-03-13 17:38 . 2008-11-04 08:24 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-03-13 17:38 . 2008-11-04 08:24 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-03-13 17:37 . 2008-11-04 08:24 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-03-11 09:32 . 2009-02-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 19:30 . 2010-03-06 19:30 503808 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcp71.dll
2010-03-06 19:30 . 2010-03-06 19:30 499712 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\jmc.dll
2010-03-06 19:30 . 2010-03-06 19:30 348160 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcr71.dll
2010-03-06 19:30 . 2010-03-06 19:30 61440 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-sse.dll
2010-03-06 19:30 . 2010-03-06 19:30 12800 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-d3d.dll
2010-03-06 19:30 . 2009-01-02 06:06 -------- d-----w- c:\program files\Java
2010-02-27 05:29 . 2010-02-27 05:29 1261336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-27 05:28 . 2010-02-27 05:29 3777816 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-25 18:02 . 2010-02-27 20:39 3499288 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avguires.dll
2010-02-25 18:02 . 2010-02-27 20:39 2422552 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avguiadv.dll
2010-02-25 18:02 . 2010-02-27 20:39 4043544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2010-02-25 18:02 . 2010-02-27 20:39 1207064 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgabout.dll
2010-02-25 18:02 . 2010-02-27 20:39 2033432 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2010-02-25 18:02 . 2010-03-13 17:35 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-02-25 18:02 . 2010-03-13 17:35 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-02-25 18:02 . 2010-03-13 17:35 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-02-25 18:02 . 2010-03-13 17:35 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-02-25 18:02 . 2008-11-04 08:24 -------- d-----w- c:\program files\AVG
2010-02-08 04:18 . 2010-02-08 04:18 -------- d-----w- c:\program files\iPod
2010-02-08 04:18 . 2008-11-04 19:13 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 04:11 . 2010-02-08 04:11 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 22:44 . 2009-01-12 10:28 -------- d-----w- c:\program files\DivX
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\program files\XBMC
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\documents and settings\Monica\Application Data\XBMC
2010-02-06 04:47 . 2010-02-06 04:39 48449677 ----a-w- C:\xbmc.exe
2010-02-06 04:36 . 2010-02-06 04:36 328984 ----a-w- C:\xvidsetup.exe
2010-02-06 04:14 . 2008-11-04 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 04:12 . 2010-02-06 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
2010-02-06 04:07 . 2010-02-06 04:07 -------- d-----w- c:\program files\Xenocode
2010-02-06 04:00 . 2009-01-14 11:04 -------- d-----w- c:\documents and settings\Monica\Application Data\DivX
2010-02-06 03:58 . 2010-01-31 02:30 -------- d-----w- c:\documents and settings\Monica\Application Data\vlc
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-31 18:37 . 2008-11-24 06:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 02:20 . 2010-01-31 02:20 18030130 ----a-w- C:\vlc-1.0.3-win32.exe
2010-01-23 00:58 . 2010-01-23 00:57 6572615 ----a-w- C:\Firefox Setup 3.6.exe
2010-01-15 00:50 . 2010-01-15 00:50 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-15 00:50 . 2010-01-15 00:50 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-15 00:50 . 2010-01-15 00:50 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-15 00:50 . 2010-01-15 00:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-15 00:49 . 2010-01-15 00:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-15 00:49 . 2010-01-15 00:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-15 00:49 . 2010-01-15 00:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-15 00:49 . 2010-01-15 00:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-15 00:49 . 2010-01-15 00:49 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-15 00:49 . 2010-01-15 00:49 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-15 00:49 . 2010-01-15 00:49 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-15 00:49 . 2010-01-15 00:49 525792 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\DIFxAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-15 00:49 . 2010-01-15 00:49 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-15 00:48 . 2010-01-15 00:48 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-15 00:48 . 2010-01-15 00:48 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-15 00:48 . 2010-01-15 00:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-15 00:48 . 2010-01-15 00:48 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-15 00:48 . 2010-01-15 00:48 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 00:48 . 2010-01-15 00:48 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-15 00:47 . 2010-01-15 00:47 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-15 00:47 . 2010-01-15 00:47 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-07 23:07 . 2008-12-11 03:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2008-12-11 03:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2006-08-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:37 . 2009-12-30 02:36 4938616 ----a-w- C:\Silverlight.exe
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\kadofebi.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-25 27648]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2010-03-25 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-25 27648]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-25 27648]
"COM+ Manager"="c:\documents and settings\Monica\.COMMgr\complmgr.exe" [2010-03-25 527360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-25 27648]
"AlcxMonitor"="ALCXMNTR.EXE" [2010-03-25 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-25 27648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-25 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-03-25 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-25 27648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-25 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]
"putowozapo"="simageme.dll" [N/A]
"Htevay"="c:\windows\evuciviciduhak.dll" [N/A]
"peyofoset"="c:\windows\system32\simejufa.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-03-13 17:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
c:\program files\FlashGet\FlashGet.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Monica\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-08-20 9:40 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-03-16 22536]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-04 1:24 AM 216200]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-04 1:24 AM 242696]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 7:49 AM 1029456]
S2 WinFTP Server Service;WinFtp Server Service;c:\program files\WinFtp Server\WFTPSRV.exe service --> c:\program files\WinFtp Server\WFTPSRV.exe service [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-02-08 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-25 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 21:33]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003Core.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 21:33]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003UA.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 21:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D292708D-E14F-4A6D-B087-DA491FF7F689} = 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 14:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe??????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
COM+ Manager = "c:\documents and settings\Monica\.COMMgr\complmgr.exe"?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3780)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ALCXMNTR.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-25 14:39:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 21:38
ComboFix2.txt 2010-03-25 17:53
ComboFix3.txt 2008-12-14 00:40
ComboFix4.txt 2008-12-14 00:08
ComboFix5.txt 2010-03-25 21:14

Pre-Run: 940,814,336 bytes free
Post-Run: 950,235,136 bytes free

- - End Of File - - BEF7BB351B7A6C09E9A08F13061CCF70


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:06 PM

Posted 25 March 2010 - 05:21 PM

Hello,

QUOTE
I cant get AVG to not run- nor is it uninstalling properly

If you want to uninstall AVG, I will give you a link to use an uninstaller. I will also include a couple of links to free antivirus programs, one of which I use. Please don't reinstall an antivirus until after Combofix runs. However, you may uninstall AVG first if you wish.

Well, things are looking better, but it seems Combofix didn't work properly. I also see you have used Combofix before in 2008. We need to uninstall and reinstall Combofix and run a new script.

1.
Uninstall AVG 32 bit


You should be able to remove AVG Anti-Virus via Start > Control Panel > Add or Remove Programs.
If you need instructions on how to do so, please consult: How To Remove An Installed Program From Your Computer

The following instructions can be used to uninstall the program if the uninstall via Add/remove does not work:
  • Download the latest installation file of AVG from their website.
  • After downloading, run the file and choose the Uninstall Product option in the Select Setup Type dialogue.
  • Finish the uninstallation process and restart your computer.

If this fails as well, you can try to use AVGremover:
  • Download avgremover.exe and save it to your Desktop
  • Run the file avgremover.exe
  • Confirm that you want to uninstall.
  • Wait until the program confirms the removal.
  • Restart your computer.
AVG should now be removed from your PC.


Original instructions here:
http://www.avg.com/faq.num-1119#faq_1119

2.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Two good antivirus programs free for non-commercial home use are Avast! and Antivir
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

3.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start, then Run...
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Note the space between the "x" and the "/" <--- It needs to be there.
    Windows Vista users: Press the Windows Key + R to bring up the Run... command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

4. Please try and run Combofix in Normal Mode.
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Open notepad and copy/paste the text in the codebox below into it:

    CODE
    Killall:

    File:
    c:\windows\Bjovaa.exe
    c:\windows\system32\jisaleyu.dll
    c:\windows\Gjumupijaferoc.dat
    c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
    c:\windows\system32\kadofebi.dll
    c:\documents and settings\Monica\.COMMgr\complmgr.exe
    c:\windows\evuciviciduhak.dll
    c:\windows\system32\simejufa.dll
    c:\windows\system32\simageme.dll
    c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe

    Renv:
    c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
    c:\program files\AVG\AVG9\avgtray .exe
    c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\DAEMON Tools Lite\daemon .exe
    c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
    c:\program files\HP\HP Software Update\hpwuschd2 .exe
    c:\program files\iTunes\ituneshelper .exe
    c:\program files\Microsoft Office\Office12\groovemonitor .exe
    c:\program files\QuickTime\qttask .exe

    Registry:
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "COM+ Manager"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcxMonitor"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "putowozapo"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Htevay"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "peyofoset"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "RTHDBPL"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "FirewallOverride"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-


    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Things to include in your next reply:
Combofix.txt
How is your machine running now

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


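Added example (my own code, not part of this thread and not a ComboFix feature): the script below parses the Run-key section of a ComboFix log like the one posted above and flags the patterns that the helper's CFScript deals with: entries whose target the scanner could not find, image paths with a space before the extension (the " .exe" names listed under Renv:), bare file names resolved through the search path, core system process names outside system32, autoruns under a user profile, groups of unrelated autoruns that share one date and size, and the Security Center / firewall values that the Registry: section resets. The sample lines are copied from the log above; the heuristic names, the cluster threshold of three and the WEAK_POLICY table are my assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "Reg Loading Points" section of the
# ComboFix log posted above, plus its Security Center and firewall-policy lines.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-25 27648]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2010-03-25 27648]
"COM+ Manager"="c:\documents and settings\Monica\.COMMgr\complmgr.exe" [2010-03-25 527360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-25 27648]
"AlcxMonitor"="ALCXMNTR.EXE" [2010-03-25 27648]
"putowozapo"="simageme.dll" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe" [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s+\[(?P<info>[^\]]*)\]$')
POLICY_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:dword:)?(?P<val>[0-9a-fA-F]+)')
STAMP_RE = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)$')
IMAGE_RE = re.compile(r'(?i)^(.*?\.(?:exe|dll|com|scr)\b)(?:\s.*)?$')

# Core XP processes that live under \windows\system32; a Run entry using one of
# these names from anywhere else deserves a look (assumed list).
SYSTEM32_ONLY = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "svchost.exe"}
# (value name, data) pairs that switch protection off; the CFScript's
# Registry: section removes exactly these values (assumed table).
WEAK_POLICY = {("antivirusoverride", 1), ("firewalloverride", 1),
               ("enablefirewall", 0), ("disablenotifications", 1)}


def parse_log(text):
    """Split the log into autorun entries and numeric policy values."""
    entries, policies, key = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group("key")
        elif (m := RUN_RE.match(line)) and key:
            img = IMAGE_RE.match(m.group("cmd"))      # strip arguments
            stamp = STAMP_RE.match(m.group("info"))   # None for [X] / [N/A]
            entries.append({
                "key": key, "name": m.group("name"),
                "path": img.group(1) if img else m.group("cmd"),
                "date": stamp.group("date") if stamp else None,
                "size": int(stamp.group("size")) if stamp else None,
            })
        elif (m := POLICY_RE.match(line)) and key:
            policies.append((key, m.group("name"), int(m.group("val"), 16)))
    return entries, policies


def find_suspicious(entries):
    """Heuristics over autorun entries; returns a sorted list of (name, reason)."""
    findings, by_stamp = [], defaultdict(list)
    for e in entries:
        low = e["path"].lower()
        base = low.rsplit("\\", 1)[-1]
        if e["size"] is None:
            findings.append((e["name"], "no date/size recorded: target not found at that path"))
        if re.search(r'\s\.(exe|dll|com|scr)$', low):
            findings.append((e["name"], "space before the file extension"))
        if "\\" not in low:
            findings.append((e["name"], "bare file name, resolved via the search path at logon"))
        if base in SYSTEM32_ONLY and not low.startswith("c:\\windows\\system32\\"):
            findings.append((e["name"], "core system process name outside system32"))
        if low.startswith("c:\\documents and settings\\"):
            findings.append((e["name"], "runs from a user-writable profile directory"))
        if e["size"] is not None:
            by_stamp[(e["date"], e["size"])].append(e)
    # Unrelated programs sharing one date and size suggests a single binary was
    # written over all of them (compare the Renv: list in the CFScript above).
    for (date, size), group in by_stamp.items():
        if len({g["path"].lower() for g in group}) >= 3:
            for g in group:
                findings.append((g["name"], f"shares date {date} and size {size} with {len(group) - 1} other autoruns"))
    return sorted(set(findings))


def find_weak_policies(policies):
    """Flag Security Center overrides and firewall settings that disable protection."""
    return sorted((key, name) for key, name, val in policies
                  if (name.lower(), val) in WEAK_POLICY)


if __name__ == "__main__":
    autoruns, policies = parse_log(SAMPLE_LOG)
    for name, reason in find_suspicious(autoruns):
        print(f"[autorun] {name}: {reason}")
    for key, name in find_weak_policies(policies):
        print(f"[policy]  {key}\\{name}")
```

Every heuristic here is a prompt for a human look, not a verdict: the profile-directory rule also fires on legitimate per-user installers, and the size/date cluster rule only means something when the grouped programs come from different vendors, as they do in this log.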
#8 jojo32

jojo32
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 25 March 2010 - 06:12 PM

OK, did that. Computer is running pretty decent. Couple things: a couple of "file couldn't load" messages pop up on Windows start-up, but they also quickly went away. I'm sure they were files related to the virus. I believe in msconfig they are there too in startup. Also there is still search engine redirecting. And Firefox as well is still having that certificate issue, same with just trying to go to gmail.com.

Here's the new ComboFix log:

ComboFix 10-03-25.04 - Monica 2010-03-25 15:57:27.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.650 [GMT -7:00]
Running from: c:\documents and settings\Monica\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Monica\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Monica\alcxmntr .exe
c:\documents and settings\Monica\rundll32 .exe
c:\documents and settings\Monica\rundll32.exe
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe

.
((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
.

2010-03-25 21:21 . 2010-03-25 21:49 27648 ----a-w- c:\documents and settings\Monica\alcxmntr.exe
2010-03-25 17:55 . 2010-03-25 17:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 17:55 . 2010-03-25 19:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 07:02 . 2010-03-25 07:02 1026 ----a-w- C:\autoexec.exe
2010-03-25 06:57 . 2010-03-25 06:57 42496 --sh--w- c:\windows\system32\jisaleyu.dll
2010-03-25 06:31 . 2010-03-25 06:31 -------- d-----w- C:\EmergencyUtils
2010-03-25 06:11 . 2010-03-25 06:11 20678 ----a-w- c:\windows\Gjumupijaferoc.dat
2010-03-25 06:08 . 2010-03-25 06:08 203776 --sha-w- c:\documents and settings\Monica\Local Settings\Application Data\128822158.dll
2010-03-25 05:47 . 2010-03-25 05:47 27648 ----a-w- c:\windows\system32\alcxmntr.exe
2010-03-25 05:47 . 2010-03-25 21:20 -------- d-sh--w- c:\documents and settings\Monica\.COMMgr
2010-03-25 05:46 . 2010-03-25 05:46 167936 ----a-w- c:\windows\Bjovaa.exe
2010-03-25 05:45 . 2010-03-25 05:45 961024 ----a-w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
2010-03-25 05:45 . 2010-03-25 05:45 -------- d-----w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309
2010-03-11 05:20 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 06:14 . 2009-12-16 22:42 43008 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-07 06:14 . 2009-12-16 22:42 340480 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-07 06:14 . 2009-12-16 22:41 346624 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-07 06:14 . 2009-12-16 22:42 872960 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-06 19:33 . 2010-03-06 19:33 -------- d-----w- c:\program files\Common Files\Java
2010-03-06 19:30 . 2010-03-06 19:30 503808 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcp71.dll
2010-03-06 19:30 . 2010-03-06 19:30 499712 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\jmc.dll
2010-03-06 19:30 . 2010-03-06 19:30 348160 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcr71.dll
2010-03-06 19:30 . 2010-03-06 19:30 61440 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-sse.dll
2010-03-06 19:30 . 2010-03-06 19:30 12800 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-25 23:04 . 2010-03-25 23:04 27648 ----a-w- c:\documents and settings\Monica\rundll32.exe
2010-03-25 23:04 . 2010-03-25 23:04 27648 ----a-w- c:\documents and settings\Monica\rundll32 .exe
2010-03-25 23:04 . 2010-02-08 04:18 -------- d-----w- c:\program files\iTunes
2010-03-25 23:04 . 2009-10-05 01:05 -------- d-----w- c:\program files\QuickTime
2010-03-25 23:04 . 2009-05-15 23:51 -------- d-----w- c:\documents and settings\Monica\Application Data\mjusbsp
2010-03-25 23:04 . 2008-12-17 18:36 27648 ----a-w- c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe
2010-03-25 22:57 . 2009-02-09 06:31 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-25 21:49 . 2010-03-25 21:21 27648 ----a-w- c:\documents and settings\Monica\alcxmntr .exe
2010-03-25 20:23 . 2008-12-11 03:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 20:22 . 2009-01-12 01:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 20:40 . 2008-11-11 23:39 -------- d-----w- c:\documents and settings\Monica\Application Data\.BitTornado
2010-03-11 09:32 . 2009-02-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 19:30 . 2009-01-02 06:06 -------- d-----w- c:\program files\Java
2010-02-25 18:02 . 2008-11-04 08:24 -------- d-----w- c:\program files\AVG
2010-02-08 04:18 . 2010-02-08 04:18 -------- d-----w- c:\program files\iPod
2010-02-08 04:18 . 2008-11-04 19:13 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 04:11 . 2010-02-08 04:11 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 22:44 . 2009-01-12 10:28 -------- d-----w- c:\program files\DivX
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\program files\XBMC
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\documents and settings\Monica\Application Data\XBMC
2010-02-06 04:47 . 2010-02-06 04:39 48449677 ----a-w- C:\xbmc.exe
2010-02-06 04:36 . 2010-02-06 04:36 328984 ----a-w- C:\xvidsetup.exe
2010-02-06 04:14 . 2008-11-04 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 04:12 . 2010-02-06 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
2010-02-06 04:07 . 2010-02-06 04:07 -------- d-----w- c:\program files\Xenocode
2010-02-06 04:00 . 2009-01-14 11:04 -------- d-----w- c:\documents and settings\Monica\Application Data\DivX
2010-02-06 03:58 . 2010-01-31 02:30 -------- d-----w- c:\documents and settings\Monica\Application Data\vlc
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-31 18:37 . 2008-11-24 06:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 02:20 . 2010-01-31 02:20 18030130 ----a-w- C:\vlc-1.0.3-win32.exe
2010-01-23 00:58 . 2010-01-23 00:57 6572615 ----a-w- C:\Firefox Setup 3.6.exe
2010-01-15 00:50 . 2010-01-15 00:50 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-15 00:50 . 2010-01-15 00:50 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-15 00:50 . 2010-01-15 00:50 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-15 00:50 . 2010-01-15 00:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-15 00:49 . 2010-01-15 00:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-15 00:49 . 2010-01-15 00:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-15 00:49 . 2010-01-15 00:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-15 00:49 . 2010-01-15 00:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-15 00:49 . 2010-01-15 00:49 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-15 00:49 . 2010-01-15 00:49 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-15 00:49 . 2010-01-15 00:49 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-15 00:49 . 2010-01-15 00:49 525792 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\DIFxAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-15 00:49 . 2010-01-15 00:49 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-15 00:48 . 2010-01-15 00:48 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-15 00:48 . 2010-01-15 00:48 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-15 00:48 . 2010-01-15 00:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-15 00:48 . 2010-01-15 00:48 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-15 00:48 . 2010-01-15 00:48 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 00:48 . 2010-01-15 00:48 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-15 00:47 . 2010-01-15 00:47 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-15 00:47 . 2010-01-15 00:47 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-07 23:07 . 2008-12-11 03:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2008-12-11 03:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2006-08-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:37 . 2009-12-30 02:36 4938616 ----a-w- C:\Silverlight.exe
1601-01-01 00:03 . 1601-01-01 00:03 48640 --sha-w- c:\windows\system32\kadofebi.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-25 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-25 27648]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-25 27648]
"COM+ Manager"="c:\documents and settings\Monica\.COMMgr\complmgr.exe" [2010-03-25 527360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-25 27648]
"AlcxMonitor"="ALCXMNTR.EXE" [2010-03-25 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-25 27648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-25 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-03-25 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-25 27648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-25 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]
"putowozapo"="simageme.dll" [N/A]
"Htevay"="c:\windows\evuciviciduhak.dll" [N/A]
"peyofoset"="c:\windows\system32\simejufa.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"="c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
c:\program files\FlashGet\FlashGet.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Monica\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-08-20 9:40 PM 64160]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-03-16 22536]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 7:49 AM 1029456]
S2 WinFTP Server Service;WinFtp Server Service;c:\program files\WinFtp Server\WFTPSRV.exe service --> c:\program files\WinFtp Server\WFTPSRV.exe service [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-02-08 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-25 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-25 23:04]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003Core.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 23:04]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003UA.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 23:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D292708D-E14F-4A6D-B087-DA491FF7F689} = 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RTHDBPL = c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe??????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
COM+ Manager = "c:\documents and settings\Monica\.COMMgr\complmgr.exe"?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2748)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ALCXMNTR.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-25 16:08:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-25 23:08
ComboFix2.txt 2010-03-25 21:39

Pre-Run: 3,723,169,792 bytes free
Post-Run: 3,707,826,176 bytes free

- - End Of File - - A53E39EC165469BEFE9A13ED7F0DB83D


#9 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 25 March 2010 - 06:48 PM

Hello,


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

AtJob::

File::
c:\windows\Bjovaa.exe
c:\windows\system32\jisaleyu.dll
c:\windows\Gjumupijaferoc.dat
c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
c:\windows\system32\kadofebi.dll
c:\documents and settings\Monica\.COMMgr\complmgr.exe
c:\windows\evuciviciduhak.dll
c:\windows\system32\simejufa.dll
c:\windows\system32\simageme.dll
c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe
c:\documents and settings\Monica\Local Settings\Application Data\128822158.dll
c:\windows\system32\drivers\pxscan.sys
c:\program files\internet explorer\wmpscfgs.exe
c:\program files\WinFtp Server\WFTPSRV.exe service

Folder::
C:\EmergencyUtils
c:\Program Files\BitTornado
c:\program files\Prevx

Renv::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask .exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"COM+ Manager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"putowozapo"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Htevay"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"peyofoset"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"RTHDBPL"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-

Driver::
CSIScanner
pxscan
WinFTP Server Service


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


Things to include in your next reply:
Combofix.txt
Gmer log
How is your machine running? Still getting redirected?



" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!
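For readers following the thread who want to see why the helper's CFScript targets what it does, here is an added triage script. It is not part of fireman4it's instructions and not a ComboFix feature: it is a small Python parser that reads the "Reg Loading Points" and "security center" sections of a ComboFix log and flags the four patterns visible in the log posted above: a cluster of unrelated startup programs that all share one byte size and one modification date, a target with a space before ".exe" (the renamed originals the CFScript lists under Renv::), a bare DLL name in a Run key with no file metadata, and the Security Center override values. The log lines embedded in it are a constructed sample copied from that ComboFix output; the three-entry cluster threshold is an assumed heuristic, not a rule from ComboFix or the helper.

```python
import re
from collections import Counter

# Constructed sample: a few lines modelled on the "Reg Loading Points" and
# "security center" sections of the ComboFix log quoted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-25 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-25 27648]
"COM+ Manager"="c:\documents and settings\Monica\.COMMgr\complmgr.exe" [2010-03-25 527360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-25 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-25 27648]
"putowozapo"="simageme.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# One autorun value as ComboFix prints it: "name"="target" [date size] / [N/A] / [X]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s+\[(?P<meta>[^\]]*)\]\s*$')
SIZE_META = re.compile(r'^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)$')
SPACED_EXE = re.compile(r'\S \.exe\b', re.IGNORECASE)   # "qttask .exe": space before the extension
OVERRIDE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')


def parse_run_entries(log_text):
    """Return one dict per autorun value, tagged with the registry key it sits under."""
    key, entries = None, []
    for line in log_text.splitlines():
        if line.startswith('['):
            key = line.strip('[]')
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        meta = SIZE_META.match(m['meta'])
        entries.append({
            'key': key,
            'name': m['name'],
            'target': m['target'],
            'date': meta['date'] if meta else None,
            'size': int(meta['size']) if meta else None,   # None for [N/A] and [X]
        })
    return entries


def find_indicators(log_text, min_cluster=3):
    """Return (kind, detail) pairs for the patterns that made this log suspicious."""
    entries = parse_run_entries(log_text)
    findings = []

    # 1. Startup programs from unrelated vendors that are all the same byte length
    #    and all modified on the same day: a sign the originals were replaced.
    #    min_cluster=3 is an assumed threshold, not a ComboFix rule.
    clusters = Counter((e['date'], e['size']) for e in entries if e['size'])
    for (date, size), n in clusters.items():
        if n >= min_cluster:
            names = sorted(e['name'] for e in entries if (e['date'], e['size']) == (date, size))
            findings.append(('uniform_size_cluster',
                             f'{n} autorun targets are {size} bytes dated {date}: {", ".join(names)}'))

    for e in entries:
        # 2. A space before ".exe": the renamed original that the real startup
        #    program was swapped out for (the Renv:: list in the CFScript).
        if SPACED_EXE.search(e['target']):
            findings.append(('spaced_exe', f'{e["name"]} -> {e["target"]}'))
        # 3. A bare DLL name with no file metadata under a Run key.
        if e['size'] is None and e['target'].lower().endswith('.dll'):
            findings.append(('dll_in_run_key', f'{e["name"]} -> {e["target"]} under {e["key"]}'))

    # 4. Security Center told to stop warning about AV/firewall state.
    for line in log_text.splitlines():
        if OVERRIDE.match(line):
            findings.append(('security_center_override', line.strip()))
    return findings


def summarize(log_text):
    """Counts per indicator kind, for a quick triage verdict."""
    return Counter(kind for kind, _ in find_indicators(log_text))


if __name__ == '__main__':
    for kind, detail in find_indicators(SAMPLE_LOG):
        print(f'{kind:26} {detail}')
```

On the sample it reports one cluster of four 27648-byte targets dated 2010-03-25, the "qttask .exe" entry, the "putowozapo" DLL and both override values. To run it against a real log, pass the full text of ComboFix.txt to find_indicators in place of SAMPLE_LOG; the parser only reads lines shaped like the registry sections, so the rest of the log is ignored.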


#10 jojo32

  • Topic Starter
  • Members
  • 13 posts

Posted 25 March 2010 - 09:21 PM

OK, here is the latest. Still search page redirects. Still can't get on Gmail (certificate problem).

Combofix log:

ComboFix 10-03-25.04 - Monica 2010-03-25 17:19:12.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.658 [GMT -7:00]
Running from: c:\documents and settings\Monica\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Monica\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"c:\documents and settings\Monica\.COMMgr\complmgr.exe"
"c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe"
"c:\documents and settings\Monica\Application Data\SystemProc\lsass.exe"
"c:\documents and settings\Monica\Local Settings\Application Data\128822158.dll"
"c:\program files\internet explorer\wmpscfgs.exe"
"c:\program files\WinFtp Server\WFTPSRV.exe service"
"c:\windows\Bjovaa.exe"
"c:\windows\evuciviciduhak.dll"
"c:\windows\Gjumupijaferoc.dat"
"c:\windows\system32\drivers\pxscan.sys"
"c:\windows\system32\jisaleyu.dll"
"c:\windows\system32\kadofebi.dll"
"c:\windows\system32\simageme.dll"
"c:\windows\system32\simejufa.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Monica\.COMMgr\complmgr.exe
c:\documents and settings\Monica\alcxmntr .exe
c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309\dbf70700.exe
c:\documents and settings\Monica\Local Settings\Application Data\128822158.dll
c:\documents and settings\Monica\rundll32 .exe
c:\documents and settings\Monica\rundll32.exe
C:\EmergencyUtils
c:\emergencyutils\Copy_of_MSConfig.exe
c:\emergencyutils\Copy_of_Regedit.com
c:\emergencyutils\Copy_of_Taskmgr.exe
c:\program files\BitTornado
c:\program files\BitTornado\_controls_.pyd
c:\program files\BitTornado\_core_.pyd
c:\program files\BitTornado\_gdi_.pyd
c:\program files\BitTornado\_hashlib.pyd
c:\program files\BitTornado\_misc_.pyd
c:\program files\BitTornado\_socket.pyd
c:\program files\BitTornado\_ssl.pyd
c:\program files\BitTornado\_win32sysloader.pyd
c:\program files\BitTornado\_windows_.pyd
c:\program files\BitTornado\ARC4.pyd
c:\program files\BitTornado\btdownloadgui.exe
c:\program files\BitTornado\btdownloadgui.exe.log
c:\program files\BitTornado\bz2.pyd
c:\program files\BitTornado\library.zip
c:\program files\BitTornado\MSVCR71.dll
c:\program files\BitTornado\python25.dll
c:\program files\BitTornado\pythoncom25.dll
c:\program files\BitTornado\pywintypes25.dll
c:\program files\BitTornado\select.pyd
c:\program files\BitTornado\unicodedata.pyd
c:\program files\BitTornado\uninst.exe
c:\program files\BitTornado\w9xpopen.exe
c:\program files\BitTornado\win32api.pyd
c:\program files\BitTornado\win32ui.pyd
c:\program files\BitTornado\wxmsw26h_vc.dll
c:\program files\Internet Explorer\js.mui
c:\program files\internet explorer\wmpscfgs.exe
c:\windows\Bjovaa.exe
c:\windows\Gjumupijaferoc.dat
c:\windows\system32\drivers\pxscan.sys
c:\windows\system32\jisaleyu.dll
c:\windows\system32\kadofebi.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CSISCANNER
-------\Legacy_PXSCAN
-------\Legacy_WINFTP_SERVER_SERVICE
-------\Service_CSIScanner
-------\Service_pxscan
-------\Service_WinFTP Server Service


((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 21:21 . 2010-03-25 23:04 27648 ----a-w- c:\documents and settings\Monica\alcxmntr.exe
2010-03-25 17:55 . 2010-03-25 17:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 17:55 . 2010-03-25 19:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 07:02 . 2010-03-25 07:02 1026 ----a-w- C:\autoexec.exe
2010-03-25 05:47 . 2010-03-25 05:47 27648 ----a-w- c:\windows\system32\alcxmntr.exe
2010-03-25 05:47 . 2010-03-26 00:23 -------- d-sh--w- c:\documents and settings\Monica\.COMMgr
2010-03-25 05:45 . 2010-03-26 00:23 -------- d-----w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309
2010-03-11 05:20 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 06:14 . 2009-12-16 22:42 43008 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-07 06:14 . 2009-12-16 22:42 340480 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-07 06:14 . 2009-12-16 22:41 346624 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-07 06:14 . 2009-12-16 22:42 872960 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-06 19:33 . 2010-03-06 19:33 -------- d-----w- c:\program files\Common Files\Java
2010-03-06 19:30 . 2010-03-06 19:30 503808 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcp71.dll
2010-03-06 19:30 . 2010-03-06 19:30 499712 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\jmc.dll
2010-03-06 19:30 . 2010-03-06 19:30 348160 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcr71.dll
2010-03-06 19:30 . 2010-03-06 19:30 61440 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-sse.dll
2010-03-06 19:30 . 2010-03-06 19:30 12800 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 00:26 . 2008-12-17 18:36 27648 ----a-w- c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe
2010-03-26 00:19 . 2010-02-08 04:18 -------- d-----w- c:\program files\iTunes
2010-03-25 23:04 . 2009-10-05 01:05 -------- d-----w- c:\program files\QuickTime
2010-03-25 23:04 . 2009-05-15 23:51 -------- d-----w- c:\documents and settings\Monica\Application Data\mjusbsp
2010-03-25 22:57 . 2009-02-09 06:31 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-25 20:23 . 2008-12-11 03:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 20:22 . 2009-01-12 01:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 20:40 . 2008-11-11 23:39 -------- d-----w- c:\documents and settings\Monica\Application Data\.BitTornado
2010-03-11 09:32 . 2009-02-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 19:30 . 2009-01-02 06:06 -------- d-----w- c:\program files\Java
2010-02-25 18:02 . 2008-11-04 08:24 -------- d-----w- c:\program files\AVG
2010-02-08 04:18 . 2010-02-08 04:18 -------- d-----w- c:\program files\iPod
2010-02-08 04:18 . 2008-11-04 19:13 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 04:11 . 2010-02-08 04:11 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 22:44 . 2009-01-12 10:28 -------- d-----w- c:\program files\DivX
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\program files\XBMC
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\documents and settings\Monica\Application Data\XBMC
2010-02-06 04:47 . 2010-02-06 04:39 48449677 ----a-w- C:\xbmc.exe
2010-02-06 04:36 . 2010-02-06 04:36 328984 ----a-w- C:\xvidsetup.exe
2010-02-06 04:14 . 2008-11-04 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 04:12 . 2010-02-06 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
2010-02-06 04:07 . 2010-02-06 04:07 -------- d-----w- c:\program files\Xenocode
2010-02-06 04:00 . 2009-01-14 11:04 -------- d-----w- c:\documents and settings\Monica\Application Data\DivX
2010-02-06 03:58 . 2010-01-31 02:30 -------- d-----w- c:\documents and settings\Monica\Application Data\vlc
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-31 18:37 . 2008-11-24 06:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 02:20 . 2010-01-31 02:20 18030130 ----a-w- C:\vlc-1.0.3-win32.exe
2010-01-23 00:58 . 2010-01-23 00:57 6572615 ----a-w- C:\Firefox Setup 3.6.exe
2010-01-15 00:50 . 2010-01-15 00:50 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-15 00:50 . 2010-01-15 00:50 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-15 00:50 . 2010-01-15 00:50 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-15 00:50 . 2010-01-15 00:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-15 00:49 . 2010-01-15 00:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-15 00:49 . 2010-01-15 00:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-15 00:49 . 2010-01-15 00:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-15 00:49 . 2010-01-15 00:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-15 00:49 . 2010-01-15 00:49 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-15 00:49 . 2010-01-15 00:49 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-15 00:49 . 2010-01-15 00:49 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-15 00:49 . 2010-01-15 00:49 525792 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\DIFxAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-15 00:49 . 2010-01-15 00:49 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-15 00:48 . 2010-01-15 00:48 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-15 00:48 . 2010-01-15 00:48 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-15 00:48 . 2010-01-15 00:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-15 00:48 . 2010-01-15 00:48 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-15 00:48 . 2010-01-15 00:48 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 00:48 . 2010-01-15 00:48 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-15 00:47 . 2010-01-15 00:47 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-15 00:47 . 2010-01-15 00:47 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-07 23:07 . 2008-12-11 03:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2008-12-11 03:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2006-08-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:37 . 2009-12-30 02:36 4938616 ----a-w- C:\Silverlight.exe
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-26 27648]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-26 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-26 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-26 27648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-26 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-03-26 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-26 27648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-26 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
c:\program files\FlashGet\FlashGet.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Monica\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-08-20 9:40 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 7:49 AM 1029456]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-02-08 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-26 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-26 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003Core.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 00:26]

2010-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003UA.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 00:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D292708D-E14F-4A6D-B087-DA491FF7F689} = 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-BitTornado - c:\program files\BitTornado\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 17:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,32,4b,64,78,16,be,fb,4c,a4,f6,24,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3160)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\quicktime\qttask .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-25 17:29:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 00:29
ComboFix2.txt 2010-03-25 23:08
ComboFix3.txt 2010-03-25 21:39

Pre-Run: 3,673,116,672 bytes free
Post-Run: 3,578,011,648 bytes free

- - End Of File - - B36A8B3BAAD77649374E8F6266586BC5

GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-25 19:09:20
Windows 5.1.2600 Service Pack 3
Running: nv4qq1bk.exe; Driver: C:\DOCUME~1\Monica\LOCALS~1\Temp\kweyqfob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF789F87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF789FBFE]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCE 0xA7 0x99 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x6F 0x24 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xED 0xA6 0x4C 0x2E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCE 0xA7 0x99 0x72 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x6F 0x24 0xAB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xED 0xA6 0x4C 0x2E ...

---- EOF - GMER 1.0.15 ----

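As an added example (not part of this thread and not ComboFix, GMER or BleepingComputer code), the Python below triages a ComboFix-style log for the three patterns visible in the log above: executables parked under a "name .exe" filename, Run-key autostart entries that all report the same on-disk size, and the At*.job scheduled tasks that all launch one binary. The sample log is a constructed excerpt of the posted log, and the function names are my own.

```python
"""Triage a ComboFix-style log excerpt for three infection patterns.

Added example for this thread; it is not ComboFix, GMER or BleepingComputer
code, and the function names below are assumptions of this example.  It looks for:

1. Executables whose name has a space before ".exe" ("qttask .exe"): the
   original program parked under a renamed name by a file-replacing infector.
2. Autostart (Run key) entries whose on-disk size is identical across
   unrelated programs: a sign that one payload overwrote all of them.
3. At*.job scheduled tasks that all launch the same binary.
"""
import re
from collections import Counter

# Constructed excerpt of the ComboFix log posted above (a few lines of each section).
SAMPLE_LOG = r"""
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask  .exe
c:\windows\system32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-26 27648]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 27648]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
2010-03-26 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]
2010-03-26 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 00:27]
2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
"""

# "<path><one or more spaces>.exe" with nothing after it.
RENAMED_EXE = re.compile(r"^(?P<path>\S.*?\S) +\.exe$", re.IGNORECASE)
# "name"="path [args]" [date size]   or   "name"="path" [X]
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)" \[(?P<meta>[^\]]*)\]$')
# "<date> <...>\Tasks\<base>.job", followed on the next line by "- <target> [<stamp>]"
JOB_HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} .+\\Tasks\\(?P<base>[^\\]+)\.job$", re.IGNORECASE)
JOB_TARGET = re.compile(r"^- (?P<target>.+?) \[[^\]]*\]$")
AT_JOB = re.compile(r"^At\d+$", re.IGNORECASE)


def _lines(text):
    """Split a log into stripped, non-empty lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_renamed_executables(lines):
    """Return the intended names (space removed) of 'name .exe' files, in first-seen order."""
    found = []
    for line in lines:
        m = RENAMED_EXE.match(line)
        if m:
            intended = m.group("path") + ".exe"
            if intended not in found:
                found.append(intended)
    return found


def find_uniform_size_autostarts(lines, min_entries=3):
    """Map each file size reported for >= min_entries Run values to those value names."""
    by_size = {}
    for line in lines:
        m = RUN_VALUE.match(line)
        if not m:
            continue
        meta = m.group("meta").split()
        if len(meta) == 2 and meta[1].isdigit():   # "[date size]", not "[X]"
            by_size.setdefault(int(meta[1]), []).append(m.group("name"))
    return {size: names for size, names in by_size.items() if len(names) >= min_entries}


def find_at_job_targets(lines):
    """Count how many At*.job scheduled tasks point at each target binary."""
    targets = Counter()
    pending_at_job = False
    for line in lines:
        header = JOB_HEADER.match(line)
        if header:
            pending_at_job = bool(AT_JOB.match(header.group("base")))
            continue
        target = JOB_TARGET.match(line)
        if target and pending_at_job:
            targets[target.group("target")] += 1
        pending_at_job = False
    return targets


def triage(text, min_entries=3):
    """Run all three checks over a log and return their findings by name."""
    lines = _lines(text)
    return {
        "renamed_executables": find_renamed_executables(lines),
        "uniform_size_autostarts": find_uniform_size_autostarts(lines, min_entries),
        "at_job_targets": find_at_job_targets(lines),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, "->", value)
```

Run against the full log above, the renamed list reproduces the files the later RenV:: section restores, and the At-job count shows all 24 tasks pointing at the same wmpscfgs.exe.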

#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 25 March 2010 - 10:25 PM

Hello jojo32,

Yes, finally we made a dent in the malware. We have much work left to do.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
Killall::

Rootkit::
c:\program files\internet explorer\wmpscfgs.exe

AtJob::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=-

RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask      .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask  .exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer]


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe


2.
  • Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  • Double-click the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  • If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

3.
Please download Malwarebytes Anti-Malware (v1.43) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
Combofix.txt
TDSS log
MBAM log
Eset log
How is your machine running now?




" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-
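As an added example (not ComboFix's own code and not part of this thread), the detection logic a responder could run over the "Reg Loading Points" and renamed-file lines that ComboFix reports: it clusters startup entries that share one date and byte count, and pairs each with the space-padded copy of the original that ComboFix lists under RenV::. The sample log lines are constructed to mirror the shape of the ones posted in this thread.

```python
"""Flag the 'displaced original + substituted startup binary' pattern that the
ComboFix log in this thread shows: every Run-key executable reports the same
date and size (2010-03-26, 27648 bytes) and each has a space-padded twin
("jusched .exe") that ComboFix lists under RenV::.

Added example, not ComboFix's own code. The log lines below are constructed
to mirror the shape of the ones posted in the thread.
"""
import re
from collections import defaultdict

# Constructed excerpt: four "Reg Loading Points" entries and four padded names.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-26 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-03-26 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 27648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\QuickTime\qttask   .exe
"""

# "name"="path" [YYYY-MM-DD size]  -- the autostart line shape in the log
AUTOSTART_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]\s*$')
# a drive path whose extension is separated from the stem by whitespace
PADDED_RE = re.compile(r'^(?P<stem>[A-Za-z]:\\.*\S)\s+\.(?P<ext>[A-Za-z0-9]+)\s*$')


def parse_log(text):
    """Split a log excerpt into autostart entries and padded-name files."""
    autostart = []   # (name, path, date, size)
    padded = []      # (padded path as written, path the original had)
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTOSTART_RE.match(line)
        if m:
            autostart.append((m['name'], m['path'], m['date'], int(m['size'])))
            continue
        m = PADDED_RE.match(line)
        if m:
            padded.append((line, f"{m['stem']}.{m['ext']}"))
    return autostart, padded


def find_substituted_binaries(autostart, padded, min_cluster=3):
    """Pair same-stamp startup binaries with their displaced originals.

    Binaries from unrelated vendors do not share a modification date and an
    exact byte count, so a cluster of min_cluster or more startup entries
    with one (date, size) stamp is treated as copies of a single dropper.
    Returns (findings, orphans): findings describe each suspect startup
    binary and the padded file that holds its original; orphans are padded
    files whose unpadded path is not in any cluster (e.g. the Run value was
    already removed), which still deserve a look.
    """
    by_stamp = defaultdict(list)
    for _name, path, date, size in autostart:
        by_stamp[(date, size)].append(path)
    originals = {restored.lower(): written for written, restored in padded}
    findings, matched = [], set()
    for stamp, paths in by_stamp.items():
        if len({p.lower() for p in paths}) < min_cluster:
            continue
        for path in paths:
            displaced = originals.get(path.lower())
            if displaced:
                matched.add(displaced)
            findings.append({'startup_binary': path, 'stamp': stamp,
                             'displaced_original': displaced})
    orphans = [written for written, _ in padded if written not in matched]
    return findings, orphans


if __name__ == '__main__':
    entries, renames = parse_log(SAMPLE_LOG)
    hits, loose = find_substituted_binaries(entries, renames)
    for h in hits:
        print(f"{h['startup_binary']}  stamp={h['stamp']}  "
              f"original-> {h['displaced_original']}")
    for p in loose:
        print(f"padded file with no matching startup entry: {p}")
```

Run against a full ComboFix log, the same two regexes pick up the Run-key entries and the RenV:: list as posted; the cluster threshold keeps a single coincidental size match from being reported.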




#12 jojo32

  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 26 March 2010 - 12:59 PM

Here are my latest logs. After ComboFix's restart there was an HP thing that was trying to install and wanted some disk. It's called HPProductAssistant. Still trying to reinstall after latest reboot. So it wants me to insert disk and press ok. Also I can now get to gmail. Seems the certificate issue is fixed. Firefox comes up fine now, and I'm not seeming to be redirected from google. Much improved.

EDIT: Left computer on. There are 2 boxes that popped up that are "message from webpage" that say "attention!! your personal computer needs to install antivirus/antimalware software! Personal Security can perform fast and free scan of your computer." Has ok and cancel boxes. Also I'm hearing ads out of nowhere?

Combo Fix Log:

ComboFix 10-03-25.06 - Monica 2010-03-25 22:20:26.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.667 [GMT -7:00]
Running from: c:\documents and settings\Monica\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Monica\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2010-02-26 to 2010-03-26 )))))))))))))))))))))))))))))))
.

2010-03-25 21:21 . 2010-03-25 23:04 27648 ----a-w- c:\documents and settings\Monica\alcxmntr.exe
2010-03-25 17:55 . 2010-03-25 17:55 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 17:55 . 2010-03-25 19:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 07:02 . 2010-03-25 07:02 1026 ----a-w- C:\autoexec.exe
2010-03-25 05:47 . 2010-03-25 05:47 27648 ----a-w- c:\windows\system32\alcxmntr.exe
2010-03-25 05:47 . 2010-03-26 00:23 -------- d-sh--w- c:\documents and settings\Monica\.COMMgr
2010-03-25 05:45 . 2010-03-26 00:23 -------- d-----w- c:\documents and settings\Monica\Application Data\7FBF99470C06A834E36FD5CD2EF42309
2010-03-11 05:20 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 19:33 . 2010-03-06 19:33 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-26 05:28 . 2010-02-08 04:18 -------- d-----w- c:\program files\iTunes
2010-03-26 05:27 . 2009-05-15 23:51 -------- d-----w- c:\documents and settings\Monica\Application Data\mjusbsp
2010-03-26 05:27 . 2008-12-17 18:36 27648 ----a-w- c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe
2010-03-26 05:20 . 2009-10-05 01:05 -------- d-----w- c:\program files\QuickTime
2010-03-25 22:57 . 2009-02-09 06:31 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-03-25 20:23 . 2008-12-11 03:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-25 20:22 . 2009-01-12 01:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-24 20:40 . 2008-11-11 23:39 -------- d-----w- c:\documents and settings\Monica\Application Data\.BitTornado
2010-03-11 09:32 . 2009-02-22 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-06 19:30 . 2010-03-06 19:30 503808 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcp71.dll
2010-03-06 19:30 . 2010-03-06 19:30 499712 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\jmc.dll
2010-03-06 19:30 . 2010-03-06 19:30 348160 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37408b28-n\msvcr71.dll
2010-03-06 19:30 . 2010-03-06 19:30 61440 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-sse.dll
2010-03-06 19:30 . 2010-03-06 19:30 12800 ----a-w- c:\documents and settings\Monica\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-12eaa52e-n\decora-d3d.dll
2010-03-06 19:30 . 2009-01-02 06:06 -------- d-----w- c:\program files\Java
2010-02-25 18:02 . 2008-11-04 08:24 -------- d-----w- c:\program files\AVG
2010-02-08 04:18 . 2010-02-08 04:18 -------- d-----w- c:\program files\iPod
2010-02-08 04:18 . 2008-11-04 19:13 -------- d-----w- c:\program files\Common Files\Apple
2010-02-08 04:11 . 2010-02-08 04:11 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-06 22:44 . 2009-01-12 10:28 -------- d-----w- c:\program files\DivX
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\program files\XBMC
2010-02-06 04:55 . 2010-02-06 04:50 -------- d-----w- c:\documents and settings\Monica\Application Data\XBMC
2010-02-06 04:47 . 2010-02-06 04:39 48449677 ----a-w- C:\xbmc.exe
2010-02-06 04:36 . 2010-02-06 04:36 328984 ----a-w- C:\xvidsetup.exe
2010-02-06 04:14 . 2008-11-04 18:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 04:12 . 2010-02-06 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Deskshare
2010-02-06 04:07 . 2010-02-06 04:07 -------- d-----w- c:\program files\Xenocode
2010-02-06 04:00 . 2009-01-14 11:04 -------- d-----w- c:\documents and settings\Monica\Application Data\DivX
2010-02-06 03:58 . 2010-01-31 02:30 -------- d-----w- c:\documents and settings\Monica\Application Data\vlc
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-01-31 18:37 . 2008-11-24 06:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-31 02:20 . 2010-01-31 02:20 18030130 ----a-w- C:\vlc-1.0.3-win32.exe
2010-01-23 00:58 . 2010-01-23 00:57 6572615 ----a-w- C:\Firefox Setup 3.6.exe
2010-01-15 00:50 . 2010-01-15 00:50 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-01-15 00:50 . 2010-01-15 00:50 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2010-01-15 00:50 . 2010-01-15 00:50 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-01-15 00:50 . 2010-01-15 00:49 168800 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-01-15 00:49 . 2010-01-15 00:49 349008 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-01-15 00:49 . 2010-01-15 00:49 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\WSCUpdate.dll
2010-01-15 00:49 . 2010-01-15 00:49 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-01-15 00:49 . 2010-01-15 00:49 84320 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-01-15 00:49 . 2010-01-15 00:49 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-01-15 00:49 . 2010-01-15 00:49 246640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-01-15 00:49 . 2010-01-15 00:49 68640 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys
2010-01-15 00:49 . 2010-01-15 00:49 525792 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\DIFxAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 303976 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe
2010-01-15 00:49 . 2010-01-15 00:49 664936 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-01-15 00:49 . 2010-01-15 00:49 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-01-15 00:48 . 2010-01-15 00:48 562552 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-01-15 00:48 . 2010-01-15 00:48 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-01-15 00:48 . 2010-01-15 00:48 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-01-15 00:48 . 2010-01-15 00:48 640760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2010-01-15 00:48 . 2010-01-15 00:48 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-01-15 00:48 . 2010-01-15 00:48 1028432 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-01-15 00:47 . 2010-01-15 00:47 54 ----a-w- c:\windows\system32\rp_stats.dat
2010-01-15 00:47 . 2010-01-15 00:47 39 ----a-w- c:\windows\system32\rp_rules.dat
2010-01-07 23:07 . 2008-12-11 03:08 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 23:07 . 2008-12-11 03:08 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2006-08-14 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 02:37 . 2009-12-30 02:36 4938616 ----a-w- C:\Silverlight.exe
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask        .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-26 27648]
"cdloader"="c:\documents and settings\Monica\Application Data\mjusbsp\cdloader2.exe" [2010-03-26 27648]
"Google Update"="c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-26 27648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-26 27648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-03-26 27648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-26 27648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-03-26 27648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-26 27648]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-26 27648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 27648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
c:\program files\FlashGet\FlashGet.exe [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Monica\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Monica\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-08-20 9:40 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-07-03 7:49 AM 1029456]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2009-02-08 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-03-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2010-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-03-26 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-26 05:28]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003Core.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 02:13]

2010-03-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-920026266-725345543-1003UA.job
- c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-25 02:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D292708D-E14F-4A6D-B087-DA491FF7F689} = 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62
FF - ProfilePath - c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\Monica\Application Data\Mozilla\Firefox\Profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\Monica\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Monica\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 22:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Monica\LOCALS~1\Temp\~DF32.tmp 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-03-25 22:32:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-26 05:32
ComboFix2.txt 2010-03-26 00:29
ComboFix3.txt 2010-03-25 23:08
ComboFix4.txt 2010-03-25 21:39

Pre-Run: 3,536,003,072 bytes free
Post-Run: 3,507,937,280 bytes free

- - End Of File - - 28EE0B5899AD37E7A2F2386EBED2843B

No TDSS Log. It Found Nothing.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3915
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-03-25 10:43:03 PM
mbam-log-2010-03-25 (22-43-03).txt

Scan type: Quick Scan
Objects scanned: 133889
Time elapsed: 5 minute(s), 25 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\Common Files\Java\Java Update\jusched.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hp software update (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\groovemonitor (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ituneshelper (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\google update (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Monica\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d292708d-e14f-4a6d-b087-da491ff7f689}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Java\Java Update\jusched.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\iTunes\iTunesHelper.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Monica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\js.mui (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\xvidsetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\alcxmntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Monica\alcxmntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\autoexec.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

ESETScan:

C:\Qoobox\Quarantine\[4]-Submit_2010-03-25_17.18.53.zip multiple threats deleted - quarantined
C:\System Volume Information\_restore{990CEC95-E728-47D2-9487-2631A00E1501}\RP271\A0043790.dll a variant of Win32/Kryptik.DER trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{990CEC95-E728-47D2-9487-2631A00E1501}\RP271\A0043805.exe Win32/TrojanDownloader.FakeAlert.AQI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{990CEC95-E728-47D2-9487-2631A00E1501}\RP271\A0043808.dll a variant of Win32/Kryptik.DCE trojan cleaned by deleting - quarantined

Edited by jojo32, 26 March 2010 - 05:19 PM.

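Two of the registry findings in the Malwarebytes log above deserve a closer look than the tool's one-line verdict gives them. The firefox.exe safe-mode launch command was rewritten so that ave.exe runs first and only then starts the real browser with the original arguments, and the interface's NameServer value was changed so that a resolver the owner never configured sits alongside the usual ones. The Python below is an added example, not code from this thread or from Malwarebytes: it parses those two log lines (copied verbatim from the post) and applies the two checks a responder would otherwise do by hand, tokenising the "Bad" command line to see whether the expected browser binary is still the first token, and splitting the NameServer list to see which entries are not on a trusted list. The trusted-resolver set is an assumption for the example (4.2.2.1 and the two 209.18.47.x addresses are taken to be the owner's ISP/public resolvers); which resolvers actually belong there is something the machine's owner or ISP has to confirm.

```python
"""Triage two registry findings from the Malwarebytes log above:
a browser launch command wrapped by another executable
(Hijack.StartMenuInternet) and a per-interface NameServer value that
lists resolvers the owner never configured (Trojan.DNSChanger).
Added example; not part of the thread or of Malwarebytes.
"""
import ntpath
import re

# The two "Registry Data Items Infected" lines, quoted verbatim from the log.
MBAM_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Monica\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d292708d-e14f-4a6d-b087-da491ff7f689}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,209.18.47.61 209.18.47.62 -> Quarantined and deleted successfully.',
]

# ASSUMPTION: these are the resolvers the owner actually configured.
# Anything else found in NameServer is reported as rogue.
TRUSTED_DNS = {"4.2.2.1", "209.18.47.61", "209.18.47.62"}

# key (detection) -> detail -> action
MBAM_RE = re.compile(
    r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> (?P<detail>.*) -> (?P<action>[^>]+)$"
)


def parse_mbam_line(line):
    """Split one MBAM result line into key, detection name, detail and action."""
    m = MBAM_RE.match(line.strip())
    return m.groupdict() if m else None


def split_command(cmd):
    """Tokenise a Windows command line, keeping quoted paths with spaces intact."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmd)]


def launcher_hijack(bad_cmd, expected_exe):
    """Return (wrapper_path, passes_real_exe) when the command no longer starts
    with the expected browser binary, or None when it still does.
    passes_real_exe is True for the classic wrapper pattern: the real binary
    is handed to the wrapper as an argument so the user sees nothing odd."""
    tokens = split_command(bad_cmd)
    if not tokens or ntpath.basename(tokens[0]).lower() == expected_exe.lower():
        return None
    passes_real = any(ntpath.basename(t).lower() == expected_exe.lower()
                      for t in tokens[1:])
    return tokens[0], passes_real


def rogue_nameservers(data, trusted):
    """NameServer is a comma- or space-separated list; return entries not in trusted."""
    return [ip for ip in re.split(r"[,\s]+", data.strip()) if ip and ip not in trusted]


def triage(lines, trusted=TRUSTED_DNS):
    """Walk MBAM result lines and return a list of (detection, verdict) tuples."""
    findings = []
    for line in lines:
        rec = parse_mbam_line(line)
        if rec is None:
            continue
        if rec["detection"] == "Hijack.StartMenuInternet":
            m = re.search(r"Bad: \((.*?)\) Good: \((.*?)\)", rec["detail"])
            if not m:
                continue
            # The "Good" value names the binary that should be first: firefox.exe
            expected = ntpath.basename(split_command(m.group(2))[0])
            hit = launcher_hijack(m.group(1), expected)
            if hit:
                wrapper, passes_real = hit
                note = " (real browser passed as argument)" if passes_real else ""
                findings.append((rec["detection"], f"{expected} wrapped by {wrapper}{note}"))
        elif rec["detection"] == "Trojan.DNSChanger":
            m = re.search(r"Data: (.*)", rec["detail"])
            if not m:
                continue
            rogue = rogue_nameservers(m.group(1), trusted)
            if rogue:
                findings.append((rec["detection"], "rogue resolver(s): " + ", ".join(rogue)))
    return findings


if __name__ == "__main__":
    for detection, verdict in triage(MBAM_LINES):
        print(f"{detection}: {verdict}")
```

The same two checks apply to the other StartMenuInternet shell\open\command and shell\safemode\command values (IEXPLORE.EXE and any other registered browser) and to every interface GUID under Tcpip\Parameters\Interfaces, not only the one Malwarebytes happened to flag.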

#13 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 26 March 2010 - 05:46 PM

Hello,

1.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

2.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.

Things to include in your next reply:
Gmer log
DDS.txt
Attach.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 jojo32

  • Topic Starter
  • Members
  • 13 posts

Posted 26 March 2010 - 09:04 PM

I'm thinking we are getting close. In Task Manager there are, like, at all times 4 iexplore.exe's running. Before running GMER, every once in a while I would hear advertisements over my speakers. I'm assuming that's what those are. I'll only know if that's still the case by waiting. Here's the latest:

Just got a random pop-up out of nowhere too.
EDIT: Ads still sounding with no window even showing.

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-26 19:00:18
Windows 5.1.2600 Service Pack 3
Running: x6xude89.exe; Driver: C:\DOCUME~1\Monica\LOCALS~1\Temp\kweyqfob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF789F87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF789FBFE]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AD5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD189 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2548CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E43AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E42E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E434C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E41B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCE 0xA7 0x99 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x6F 0x24 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xED 0xA6 0x4C 0x2E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCE 0xA7 0x99 0x72 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x6F 0x24 0xAB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xED 0xA6 0x4C 0x2E ...

---- EOF - GMER 1.0.15 ----

DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Monica at 19:01:34.65 on 2010-03-26
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.582 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Monica\Desktop\x6xude89.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\adobe\acrotray .exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Monica\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [cdloader] "c:\documents and settings\monica\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\monica\applic~1\mozilla\firefox\profiles\tbkacndq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - component: c:\documents and settings\monica\application data\mozilla\firefox\profiles\tbkacndq.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\documents and settings\monica\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\documents and settings\monica\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\monica\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-8-20 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]

=============== Created Last 30 ================

2010-03-26 05:54:48 0 d-----w- c:\program files\ESET
2010-03-26 00:32:01 0 ----a-w- c:\documents and settings\monica\defogger_reenable
2010-03-25 22:56:19 98816 ----a-w- c:\windows\sed.exe
2010-03-25 22:56:19 77312 ----a-w- c:\windows\MBR.exe
2010-03-25 22:56:19 261632 ----a-w- c:\windows\PEV.exe
2010-03-25 22:56:19 161792 ----a-w- c:\windows\SWREG.exe
2010-03-25 17:55:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-03-25 17:55:47 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-25 05:47:07 0 d-sh--w- c:\documents and settings\monica\.COMMgr
2010-03-25 05:45:40 0 d-----w- c:\docume~1\monica\applic~1\7FBF99470C06A834E36FD5CD2EF42309
2010-03-11 05:20:41 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-02-06 04:47:20 48449677 ----a-w- C:\xbmc.exe
2010-01-31 02:20:55 18030130 ----a-w- C:\vlc-1.0.3-win32.exe
2010-01-23 00:58:03 6572615 ----a-w- C:\Firefox Setup 3.6.exe
2009-12-30 02:37:11 4938616 ----a-w- C:\Silverlight.exe
2009-08-23 17:16:23 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-08-23 20:12:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2009-08-21 04:24:11 49152 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082020090821\index.dat
2009-08-23 01:01:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082220090823\index.dat
2009-08-23 20:12:20 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009082320090824\index.dat
2009-08-23 20:12:20 32768 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 19:01:44.73 ===============

Edited by jojo32, 26 March 2010 - 09:10 PM.

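The "User code sections" block of the GMER log above lists inline hooks: for each IEXPLORE.EXE process, an exported API whose first 5 bytes have been overwritten with a JMP, the address it now jumps to, and the module GMER finds at that address. Every entry in this log lands in IEFRAME.dll, which GMER attributes to Microsoft, so these are Internet Explorer's own hooks in its own process. The hooks worth chasing are the other two shapes: a JMP into an address GMER cannot map to any module (code that was injected rather than loaded from disk) or into a module that lives under a user-writable path such as Temp or Application Data. The Python below is an added example, not part of the thread or of GMER, that parses hook lines of that format and sorts them into those buckets. Three of the sample lines are copied from the log above; the two marked constructed are made up to exercise the suspicious cases and do not describe anything found on this machine, and hypothetical.dll is an invented name. The vendor allow-list is an assumption, and the company string GMER prints comes from the target file's version resource rather than from a signature check, so the code treats it as a hint that a user-writable path overrides.

```python
"""Triage inline hooks (".text ... N Bytes JMP ...") from a GMER log.
Added example; not part of the thread or of GMER.
"""
import ntpath
import re

SAMPLE = [
    # Three lines copied from the GMER log above (all land in IEFRAME.dll).
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2156E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2936] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED964 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED9C0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    # CONSTRUCTED: a JMP into memory GMER cannot attribute to any module.
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 00B1002C",
    # CONSTRUCTED: a hook owner under Temp wearing a Microsoft version string.
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3600] WININET.dll!HttpSendRequestA 771C0011 5 Bytes JMP 10001234 C:\DOCUME~1\Monica\LOCALS~1\Temp\hypothetical.dll (Internet Explorer/Microsoft Corporation)",
    # Not a hook line at all; the parser must skip it.
    r"SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF789F87E]",
]

# .text <process>[pid] <module!api> <addr> <n> Bytes JMP <target> [<module path> [(desc/vendor)]]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<tmodule>\S.*?)(?:\s+\((?P<desc>[^)]*)\))?)?\s*$"
)

# ASSUMPTION: vendors accepted as legitimate hook owners. The string is
# read from the target's version resource, which anyone can copy.
TRUSTED_VENDORS = {"Microsoft Corporation"}

# Path fragments (long and 8.3 forms) where no legitimate hook owner should live.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\application data\\",
                 "\\docume~1\\", "\\locals~1\\")


def parse_hook(line):
    """Return the fields of one inline-hook line, or None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["vendor"] = rec["desc"].rsplit("/", 1)[-1].strip() if rec["desc"] else None
    return rec


def classify(rec, trusted=TRUSTED_VENDORS):
    """'injected' (no module at target), 'user-writable' (module in a temp or
    profile path, whatever its vendor string says), 'unknown-vendor', or 'expected'."""
    if rec["tmodule"] is None:
        return "injected"
    if any(frag in rec["tmodule"].lower() for frag in USER_WRITABLE):
        return "user-writable"
    if rec["vendor"] not in trusted:
        return "unknown-vendor"
    return "expected"


def triage_hooks(lines, trusted=TRUSTED_VENDORS):
    """Group hooked APIs by (process, verdict, target module) so a log with
    dozens of entries collapses to a handful of lines to read."""
    summary = {}
    for line in lines:
        rec = parse_hook(line)
        if rec is None:
            continue
        proc = ntpath.basename(rec["process"])            # e.g. IEXPLORE.EXE[2936]
        target = ntpath.basename(rec["tmodule"]) if rec["tmodule"] else "<no module>"
        summary.setdefault((proc, classify(rec, trusted), target), []).append(rec["api"])
    return summary


if __name__ == "__main__":
    for (proc, verdict, target), apis in sorted(triage_hooks(SAMPLE).items()):
        print(f"{proc:22} {verdict:14} {target:18} {len(apis)} hook(s): {', '.join(apis)}")
```

Run against the full log above, every one of the 23 hook lines ends up in the "expected / IEFRAME.dll" bucket, which is the reason the helper moved on to the Run entries and scheduled tasks rather than to the hooks. The two user-mode IAT entries and the SSDT entries from Lbd.sys use different line formats and are deliberately not parsed here.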

#15 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 26 March 2010 - 11:36 PM

Hello,
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below code box to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    c:\program files\internet explorer\wmpscfgs.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    Registry values to delete:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Adobe_Reader
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32 | aux2
  • In the avenger window, click the Paste Script from Clipboard, button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.

2.
Please update Malwarebytes' Anti-Malware and do a Full Scan.

3.
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

4.
  • Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  • Double-click the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  • If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

Things to include in your next reply:
Avenger log
MBAM log
Gooredfix log
TDSS log
A new DDS log
No need for Attach.txt
How is your machine running now?
