I was unable to remove imesh from the computer. I kept receiving a run.dll error when I went to add/remove programs.
Here is the combofix log. the DDS log is at the bottom
ComboFix 10-08-20.01 - Duzzi 08/21/2010 14:23:38.2.2 - x86 NETWORK
Running from: c:\documents and settings\Duzzi\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Duzzi\Application Data\AntiVirus Plus
c:\documents and settings\Duzzi\Application Data\avp.ico
c:\documents and settings\Duzzi\Application Data\WhereSphere
c:\documents and settings\Duzzi\Application Data\WhereSphere\config.cfg
c:\documents and settings\Duzzi\rundll32.exe
c:\program files\Internet Explorer\js.mui
c:\program files\iTunes\iTunesHelper.exe
c:\program files\quicktime\qttask .exe
c:\windows\run.log
c:\windows\system32\drivers\784150834.sys
c:\windows\system32\drivers\str.sys
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\loseteni.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nuwuwufu.exe
c:\windows\system32\spool\prtprocs\w32x86\00004715.tmp
c:\windows\system32\warning.html
c:\windows\system32\WORK.DAT
c:\windows\system32\qmgr.dll . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AXPSHOOK11
((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.
2010-08-21 18:32 . 2010-08-21 18:32 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 18:32 . 2008-02-11 22:35 -------- d-----w- c:\program files\LogMeIn
2010-08-21 18:28 . 2009-12-23 11:47 -------- d-----w- c:\program files\iTunes
2010-08-21 18:28 . 2006-07-13 03:19 -------- d-----w- c:\program files\QuickTime
2010-08-13 01:37 . 2007-06-12 04:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-08-13 00:21 . 2010-02-01 22:40 -------- d-----w- c:\documents and settings\Duzzi\Application Data\FrostWire
2010-08-13 00:21 . 2007-12-23 22:48 -------- d-----w- c:\documents and settings\Duzzi\Application Data\LimeWire
2010-08-13 00:19 . 2010-02-01 22:39 -------- d-----w- c:\program files\FrostWire
2010-02-18 00:32 . 2010-02-18 00:32 4 ----a-w- c:\program files\214640703.dat
2010-02-15 00:32 . 2010-02-15 00:32 4 ----a-w- c:\program files\2794453.dat
2010-02-15 00:29 . 2010-02-15 00:29 4 ----a-w- c:\program files\2583062.dat
2010-02-14 23:40 . 2010-02-14 23:40 4 ----a-w- c:\program files\13254546.dat
2007-08-09 18:08 . 2008-02-11 22:37 8784 ----a-w- c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2007-08-09 18:10 . 2008-02-11 22:37 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2005-06-02 01:44 . 2005-06-02 01:44 32 --sha-w- c:\windows\{3E1377A0-B888-429C-B002-0B5788A421C6}.dat
2005-06-02 01:43 . 2005-06-02 01:43 32 --sha-w- c:\windows\{8457F680-3CEA-4C91-9BB2-05F465A4E067}.dat
1601-01-01 00:03 . 1601-01-01 00:03 1 --sha-w- c:\windows\system32\bahezefi.dll
2010-02-14 19:52 . 2010-02-14 19:52 5933 --sh--w- c:\windows\system32\helogezo.dll
1601-01-01 00:03 . 1601-01-01 00:03 0 --sha-w- c:\windows\system32\jovijora.dll
1601-01-01 00:03 . 1601-01-01 00:03 1 --sha-w- c:\windows\system32\nevaluso.dll
2010-02-20 00:58 . 2010-02-20 00:58 0 --sh--w- c:\windows\system32\puvibimo.exe
1601-01-01 00:03 . 1601-01-01 00:03 1 --sha-w- c:\windows\system32\rutobuki.dll
2010-02-14 19:52 . 2010-02-14 19:52 5929 --sh--w- c:\windows\system32\sayijera.dll
2010-02-20 00:58 . 2010-02-20 00:58 0 --sh--w- c:\windows\system32\sosarure.dll
2010-02-20 00:58 . 2010-02-20 00:58 0 --sh--w- c:\windows\system32\tejonubo.dll
1601-01-01 00:03 . 1601-01-01 00:03 520 --sha-w- c:\windows\system32\vahewale.exe
1601-01-01 00:03 . 1601-01-01 00:03 512 --sha-w- c:\windows\system32\vejoroki.dll
1601-01-01 00:03 . 1601-01-01 00:03 520 --sha-w- c:\windows\system32\wiyoyova.exe
2005-06-02 01:43 . 2005-06-02 01:43 32 --sha-w- c:\windows\system32\{0C09A233-CC01-445B-BFB7-E48071AA55EE}.dat
2005-06-02 01:44 . 2005-06-02 01:44 32 --sha-w- c:\windows\system32\{FC80F740-4DF9-42AE-A6BC-2A61BAEF101C}.dat
.
CODE
<pre>
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\McAfee.com\Agent\mcupda~1 .exe
c:\program files\McAfee.com\VSO\mcvsshld .exe
c:\program files\MySpace\IM\myspaceim .exe
c:\program files\QuickTime\qttask .exe
c:\program files\QuickTime\qttask .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe
</pre>
------- Sigcheck -------
[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wscntfy.exe
[-] 2002-12-31 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\wscntfy.exe
[-] 2002-12-31 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\system32\wscntfy.exe
[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\xmlprov.dll
[-] 2002-12-31 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\xmlprov.dll
[-] 2002-12-31 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\system32\xmlprov.dll
[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ip6fw.sys
[-] 2002-12-31 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\ERDNT\cache\ip6fw.sys
[-] 2002-12-31 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ip6fw.sys
[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\d3d9.dll
[-] 2002-12-31 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows\system32\d3d9.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-18 1196936]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-18 1196936]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]
"Remote System Protection"="c:\windows\system32\l8p5r.dll" [N/A]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2001-08-23 13312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"Logitech Utility"="Logi_MwX.Exe" [2010-02-18 0]
"Blozolayiz"="c:\windows\iqivahohil.dll" [N/A]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]
"vudawaduzu"="bilafivi.dll" [N/A]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Remote System Protection"="c:\windows\system32\l8p5r.dll" [N/A]
"smss32.exe"="c:\windows\system32\smss32.exe" [N/A]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2001-08-23 13312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2001-08-23 40448]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-13 21:14 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-11-15 23:46 87352 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farstone]
NULL [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2001-08-23 12:00 13312 ----a-w- c:\windows\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2007-01-19 16:54 5674352 ----a-w- c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
c:\program files\MySpace\IM\MySpaceIM.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\qttask.exe [N/A]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RestoreIT!]
2003-01-11 01:46 122880 ----a-w- c:\program files\FarStone\RestoreIT!\RestoreIT!_XP\vbptask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MP3Downloading\\bindata.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\AOL\\1118796912\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1118796912\\EE\\aim6.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\McAfee.com\\VSO\\mcvsrte.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=
"c:\\WINDOWS\\system32\\sstext3d.scr"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2474:TCP"= 2474:TCP:jygxeau
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-12-13 906520]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 135664]
R2 phgqylwmhmrule;phgqylwmhmrule;c:\windows\system32\drivers\wybunpgctzpmx.sys [x]
R2 ptmud;Installer Manager;c:\windows\system32\svchost.exe [2001-08-23 12800]
R2 TabQuery Service;TabQuery Service;c:\documents and settings\All Users.WINDOWS\Application Data\TabQuery\tabquery119.exe [x]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2009-11-28 1205760]
R3 AIM_USBdriver;AIM USB Driver (v.10.01) VID=11CC;c:\windows\system32\Drivers\AIM_USBdrv10_01.sys [2004-10-01 24704]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-01-07 38224]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\DRIVERS\NaiFiltr.sys [2002-03-13 23296]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
S0 VVBackd5;VVBackd5; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-12-13 333192]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-12-13 360584]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-12-13 285392]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2007-08-03 12992]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
.
Contents of the 'Scheduled Tasks' folder
2010-07-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2010-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 03:01]
2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 03:01]
2010-08-21 c:\windows\Tasks\McAfee.com Update Check (DANIELE-230C05A-Duzzi).job
- c:\progra~1\mcafee.com\agent\mcupda~1 .exe [2005-11-02 23:10]
2010-07-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
2009-04-06 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-04-05 23:53]
2010-07-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-11-18 23:40]
2005-06-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-19 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://thetubeholder.com/hardcore/xmovie.php?id=45120
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
Trusted Zone: ama-cycle.org\home
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://70.141.63.105:8080/SonySncMView.cab
FF - ProfilePath - c:\documents and settings\Duzzi\Application Data\Mozilla\Firefox\Profiles\3cb1yyv2.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=14196&l=dis
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Duzzi\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Duzzi\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {C56F5D28-EFD2-4FAC-AA50-86E2704D0FE8} - c:\documents and settings\Duzzi\Local Settings\Application Data\{C56F5D28-EFD2-4FAC-AA50-86E2704D0FE8}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-*{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Toolbar-{23D2C4E6-2D8A-4C24-AA62-84D4F309E70D} - c:\windows\system32\c578.dll
WebBrowser-{23D2C4E6-2D8A-4C24-AA62-84D4F309E70D} - c:\windows\system32\c578.dll
AddRemove-360Share - c:\program files\360Share\bt-uninst.exe
AddRemove-TabQuery - c:\program files\TabQuery\uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-08-21 14:34
Windows 5.1.2600 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ptmud]
"ServiceDll"="c:\windows\system32\hoghv.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4A198D38-1B44-C07B-9EC195CD26A56314}\{73310DCC-C68F-341A-0D6AC2DC6E4B9C08}\{8FC8D867-026E-4653-C922EAC5C8EDCF7A}*]
"WHRUBFTNUT3JMXQXKMKSXOBADA1"=hex:01,00,01,00,00,00,00,00,7d,86,67,30,10,5d,1c,
b8,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'lsass.exe'(728)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\dssenh.dll
- - - - - - - > 'explorer.exe'(1132)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\System32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\System32\WgaTray.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Executive Software\DiskeeperLite\DKService.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\progra~1\mcafee.com\vso\mcvsrte.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\mgabg.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
.
**************************************************************************
.
Completion time: 2010-08-21 14:43:11 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-21 18:43
Pre-Run: 5,654,282,240 bytes free
Post-Run: 5,529,231,360 bytes free
Current=3 Default=3 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - CA7683050E17404EE5ABA6D7090D7847
Here is the DDS log
DDS (Ver_10-03-17.01) - NTFSx86
Run by Duzzi at 14:59:41.86 on Sat 08/21/2010
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_03
============== Running Processes ===============
============== Pseudo HJT Report ===============
uStart Page = hxxp://thetubeholder.com/hardcore/xmovie.php?id=45120
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Remote System Protection] "rundll32.exe" c:\windows\system32\l8p5r.dll, HUI_proc
mRun: [Logitech Utility] "Logi_MwX.Exe"
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\MCUPDA~1.EXE
mRun: [Blozolayiz] "rundll32.exe" "c:\windows\iqivahohil.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
mRun: [vudawaduzu] "Rundll32.exe" "bilafivi.dll",s
dRun: [Remote System Protection] rundll32.exe c:\windows\system32\l8p5r.dll, HUI_proc
dRun: [smss32.exe] c:\windows\system32\smss32.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
Trusted Zone: ama-cycle.org\home
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://heva.solidworks.com/htdocs/pdownload/edrawings/e2008sp01/cab/eModelsStandard.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxps://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168033877007
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {8D7AFAB7-42D6-4671-A53E-CD355673F026} - hxxp://70.141.63.105:8080/SonySncMView.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxps://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\duzzi\applic~1\mozilla\firefox\profiles\3cb1yyv2.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com?o=14196&l=dis
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\documents and settings\duzzi\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\duzzi\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {C56F5D28-EFD2-4FAC-AA50-86E2704D0FE8} - c:\documents and settings\duzzi\local settings\application data\{C56F5D28-EFD2-4FAC-AA50-86E2704D0FE8}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
============== File Associations ===============
.scr=AutoCADScriptFile
=============== Created Last 30 ================
2010-08-13 00:22:50 0 ----a-w- c:\documents and settings\duzzi\defogger_reenable
==================== Find3M ====================
2010-02-18 00:32:05 4 ----a-w- c:\program files\214640703.dat
2010-02-15 00:32:51 4 ----a-w- c:\program files\2794453.dat
2010-02-15 00:29:20 4 ----a-w- c:\program files\2583062.dat
2010-02-14 23:40:23 4 ----a-w- c:\program files\13254546.dat
2005-06-02 01:44:04 32 --sha-w- c:\windows\{3E1377A0-B888-429C-B002-0B5788A421C6}.dat
2005-06-02 01:43:12 32 --sha-w- c:\windows\{8457F680-3CEA-4C91-9BB2-05F465A4E067}.dat
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\bahezefi.dll
2010-02-14 19:52:57 5933 --sh--w- c:\windows\system32\helogezo.dll
1601-01-01 00:03:28 0 --sha-w- c:\windows\system32\jovijora.dll
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\nevaluso.dll
2010-02-20 00:58:36 0 --sh--w- c:\windows\system32\puvibimo.exe
1601-01-01 00:03:28 1 --sha-w- c:\windows\system32\rutobuki.dll
2010-02-14 19:52:56 5929 --sh--w- c:\windows\system32\sayijera.dll
2010-02-20 00:58:36 0 --sh--w- c:\windows\system32\sosarure.dll
2010-02-20 00:58:36 0 --sh--w- c:\windows\system32\tejonubo.dll
1601-01-01 00:03:28 520 --sha-w- c:\windows\system32\vahewale.exe
1601-01-01 00:03:28 512 --sha-w- c:\windows\system32\vejoroki.dll
1601-01-01 00:03:28 520 --sha-w- c:\windows\system32\wiyoyova.exe
2005-06-02 01:43:12 32 --sha-w- c:\windows\system32\{0C09A233-CC01-445B-BFB7-E48071AA55EE}.dat
2005-06-02 01:44:04 32 --sha-w- c:\windows\system32\{FC80F740-4DF9-42AE-A6BC-2A61BAEF101C}.dat
2008-10-29 22:46:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102920081030\index.dat
============= FINISH: 14:59:57.27 ===============