Solved Ebay login malware

Discussion in 'Malware and Virus Removal Archive' started by jform, 2010/03/20.

  1. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    [Resolved] Ebay login malware

    Brand new user of the forum and a complete beginner.

    Issue 1: The eBay login malware requesting personal information

    I followed instructions posted by broni (February) and I'm having issues running the GMER.net exe

    Currently on my computer: Spybot - S&D, AVG Anti-Virus free edition, and Malwarebytes Anti-Malware. These are recent additions after I received the Blue Screen of Death and enough **** to supply most of North America.

    Issue 2: The computer is now extremely s l o w...painfully slow.

    What do I do??? :confused:
     
  2. 2010/03/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,890
    Likes Received:
    387
    Welcome to WindowsBBS :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     

  4. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    I got the gmer.exe to run. Here is the log:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-03-20 09:45:00
    Windows 5.1.2600 Service Pack 3
    Running: 2txy2ofb[1].exe; Driver: C:\DOCUME~1\John\LOCALS~1\Temp\pgtoapod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----

    Here is the DDS

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by John at 9:49:20.00 on Sat 03/20/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.270 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\0BKN6DP4\2txy2ofb[1].exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\John\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    mDefault_Page_URL = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: IEPlugin Class: {11222041-111b-46e3-bd29-efb2449479b1} - c:\progra~1\arcsoft\mediac~1\intern~1\ARCURL~1.DLL
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe "
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150600.exe -Update -1150600 - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" - "http://pbskids.org/arthur/games/artstudio/paint.html "
    mRun: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe "
    mRun: [tuoactho] c:\documents and settings\john\local settings\application data\jmkolb\ituwsftav.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear vibe device manager\GoGear_Vibe_DeviceManager.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&6&04.00.09.13&premium&unknown&http://automobiles.honda.com/models...ediaDimensions=454x240::454x107&noreloadredir
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://quickplace02.geextranet.com/qp2.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
    DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
    DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
    DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} - hxxps://www.select2perform.com/cabs/QOLCheck.ocx
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155340497015
    DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
    DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://gianteagle.lifepics.com/net/Uploader/LPUploader45.cab
    DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} - hxxps://disney.go.com/downloads/gamemanager/DIGGameManager.cab
    DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    Filter: text/html - {b62f322a-fe12-4d49-b1c1-e2f8924e2786} -
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-9 216200]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-9 29512]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-9 242696]
    R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2007-8-15 110304]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-13 308064]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-3-2 583640]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-12-26 18560]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-11-30 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-11-30 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-11-30 23680]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-03-16 20:15:58 70520 ----a-w- c:\docume~1\john\applic~1\GDIPFONTCACHEV1.DAT
    2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
    2005-12-05 23:28:30 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab
    2005-12-05 23:28:04 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab
    2005-12-05 23:28:02 86925 ------w- c:\program files\Oct2005_xinput_x64.cab
    2005-12-05 23:28:02 46247 ------w- c:\program files\Oct2005_xinput_x86.cab
    2005-12-05 23:28:02 41888 ------w- c:\program files\dxdllreg_x86.cab
    2005-12-05 23:28:00 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab
    2005-12-05 23:27:58 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab

    ============= FINISH: 9:50:29.90 ===============
     
    Last edited: 2010/03/20
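A small triage script, added here as an example and not part of this thread, of DDS or of HijackThis, that reads the "Pseudo HJT Report" lines DDS prints and returns the entries an analyst would review first: autoruns launched from user-writable profile directories (such as the mRun entry under Local Settings\Application Data in the log above), orphaned "No File" registrations, and hosts-file overrides. The sample lines are copied from this log; the heuristics and the USER_WRITABLE_DIRS list are my own assumptions, not rules from either tool.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of DDS, HijackThis or the original posts. It applies a
few defender-side heuristics to the autorun-style lines DDS prints and returns
the ones worth looking at first, highest priority first.
"""
import re
from dataclasses import dataclass

# Profile locations any user process can write to (assumed list). Properly
# installed software starts from Program Files or the Windows directory, so an
# autorun pointing here deserves a closer look.
USER_WRITABLE_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\temporary internet files\\",
    "\\application data\\",
)

# Line shapes used by DDS: uRun/mRun/uRunOnce, CLSID registrations, hosts entries.
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"^(?P<kind>BHO|TB|EB|IE|DPF):\s*(?P<rest>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")


@dataclass
class Finding:
    priority: int  # 1 = look at this first
    line: str
    reason: str


def _command_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].strip().lower()
    low = cmd.lower()
    end = low.find(".exe")  # unquoted paths may contain spaces; cut at the extension
    return low[: end + 4] if end >= 0 else low


def triage(lines):
    """Scan DDS 'Pseudo HJT Report' lines and return findings sorted by priority."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = _command_path(m.group("cmd"))
            hit = next((d for d in USER_WRITABLE_DIRS if d in path), None)
            if hit:
                label = hit.strip("\\")
                findings.append(Finding(1, line, f"autorun from user-writable directory '{label}'"))
            continue
        m = CLSID_RE.match(line)
        if m and m.group("rest").rstrip().endswith("No File"):
            findings.append(Finding(3, line, "orphaned registration (No File); harmless, clean up"))
            continue
        m = HOSTS_RE.match(line)
        if m:
            reason = (f"hosts file maps {m.group('host')} to {m.group('ip')}; "
                      "check whether the user or a security tool added it")
            findings.append(Finding(2, line, reason))
    return sorted(findings, key=lambda f: f.priority)


# Constructed sample: a subset of the lines from the DDS log in this thread.
SAMPLE_DDS_LINES = [
    "uRun: [swg] c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe",
    'uRun: [MsnMsgr] "c:\\program files\\msn messenger\\MsnMsgr.Exe" /background',
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "mRun: [tuoactho] c:\\documents and settings\\john\\local settings\\application data\\jmkolb\\ituwsftav.exe",
    "mRun: [AVG9_TRAY] c:\\progra~1\\avg\\avg9\\avgtray.exe",
    "BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    "BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg9\\avgssie.dll",
    "TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LINES):
        print(f"[P{f.priority}] {f.reason}\n      {f.line}")
```

On the sample above the script reports one priority-1 finding (the mRun entry under Local Settings\Application Data), one hosts entry and two orphaned registrations; the Program Files and system32 autoruns produce no finding.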
  5. 2010/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Second part of DDS log is missing...
     
  6. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    That's all that's on the log. Are you talking about the Attach?
     
  7. 2010/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes....
     
  8. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    I'm not sure how to attach the zip....???
     
  9. 2010/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Paste the content into your next reply.
     
  10. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/19/2005 12:22:22 PM
    System Uptime: 3/20/2010 8:44:01 AM (1 hours ago)

    Motherboard: Intel Corporation | | D845PT
    Processor: Intel(R) Pentium(R) 4 CPU 1.60GHz | J1E1 | 1594/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 38.454 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Linksys Wireless-G PCI Adapter
    Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_00551737&REV_00\4&1351887D&0&60F0
    Manufacturer: Linksys, A Division of Cisco Systems, Inc.
    Name: Linksys Wireless-G PCI Adapter
    PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_00551737&REV_00\4&1351887D&0&60F0
    Service: RT61

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft PS/2 Port Mouse (IntelliPoint)
    Device ID: ACPI\PNP0F03\4&268D196D&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Port Mouse (IntelliPoint)
    PNP Device ID: ACPI\PNP0F03\4&268D196D&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP1545: 12/21/2009 12:33:24 AM - System Checkpoint
    RP1546: 12/22/2009 12:47:59 AM - System Checkpoint
    RP1547: 12/23/2009 1:18:12 AM - System Checkpoint
    RP1548: 12/24/2009 2:31:15 AM - System Checkpoint
    RP1549: 12/25/2009 3:08:20 AM - System Checkpoint
    RP1550: 12/26/2009 3:42:43 AM - System Checkpoint
    RP1551: 12/27/2009 3:47:06 AM - System Checkpoint
    RP1552: 12/28/2009 4:47:05 AM - System Checkpoint
    RP1553: 12/29/2009 5:47:04 AM - System Checkpoint
    RP1554: 12/30/2009 6:46:51 AM - System Checkpoint
    RP1555: 12/31/2009 7:46:56 AM - System Checkpoint
    RP1556: 1/1/2010 8:46:51 AM - System Checkpoint
    RP1557: 1/2/2010 9:47:56 AM - System Checkpoint
    RP1558: 1/3/2010 10:13:21 AM - System Checkpoint
    RP1559: 1/4/2010 10:21:50 AM - System Checkpoint
    RP1560: 1/5/2010 11:57:50 AM - System Checkpoint
    RP1561: 1/6/2010 12:09:44 PM - System Checkpoint
    RP1562: 1/7/2010 12:20:06 PM - System Checkpoint
    RP1563: 1/8/2010 12:37:07 PM - System Checkpoint
    RP1564: 1/9/2010 1:19:01 PM - System Checkpoint
    RP1565: 1/10/2010 2:31:34 PM - System Checkpoint
    RP1566: 1/11/2010 2:41:14 PM - System Checkpoint
    RP1567: 1/12/2010 4:10:48 PM - System Checkpoint
    RP1568: 1/13/2010 3:00:21 AM - Software Distribution Service 3.0
    RP1569: 1/14/2010 3:25:57 AM - System Checkpoint
    RP1570: 1/15/2010 3:38:28 AM - System Checkpoint
    RP1571: 1/16/2010 3:51:00 AM - System Checkpoint
    RP1572: 1/17/2010 3:56:25 AM - System Checkpoint
    RP1573: 1/18/2010 4:56:24 AM - System Checkpoint
    RP1574: 1/19/2010 5:11:00 AM - System Checkpoint
    RP1575: 1/19/2010 9:15:28 PM - Software Distribution Service 3.0
    RP1576: 1/20/2010 10:12:45 PM - System Checkpoint
    RP1577: 1/21/2010 11:12:45 PM - System Checkpoint
    RP1578: 1/23/2010 12:12:45 AM - System Checkpoint
    RP1579: 1/23/2010 3:00:19 AM - Software Distribution Service 3.0
    RP1580: 1/24/2010 3:23:11 AM - System Checkpoint
    RP1581: 1/25/2010 4:23:10 AM - System Checkpoint
    RP1582: 1/26/2010 5:23:16 AM - System Checkpoint
    RP1583: 1/27/2010 6:09:04 AM - System Checkpoint
    RP1584: 1/28/2010 7:46:47 AM - System Checkpoint
    RP1585: 1/29/2010 11:31:25 AM - System Checkpoint
    RP1586: 1/30/2010 11:51:47 AM - System Checkpoint
    RP1587: 1/31/2010 3:08:40 PM - System Checkpoint
    RP1588: 2/1/2010 5:53:14 PM - System Checkpoint
    RP1589: 2/2/2010 3:00:20 AM - Software Distribution Service 3.0
    RP1590: 2/3/2010 3:00:21 AM - Software Distribution Service 3.0
    RP1591: 2/4/2010 3:16:09 AM - System Checkpoint
    RP1592: 2/5/2010 4:16:06 AM - System Checkpoint
    RP1593: 2/6/2010 5:16:06 AM - System Checkpoint
    RP1594: 2/7/2010 6:16:09 AM - System Checkpoint
    RP1595: 2/8/2010 6:48:00 AM - System Checkpoint
    RP1596: 2/9/2010 9:35:47 AM - System Checkpoint
    RP1597: 2/10/2010 6:56:28 AM - Software Distribution Service 3.0
    RP1598: 2/11/2010 12:17:36 PM - System Checkpoint
    RP1599: 2/12/2010 2:08:11 PM - System Checkpoint
    RP1600: 2/13/2010 4:16:26 PM - System Checkpoint
    RP1601: 2/14/2010 5:11:30 PM - System Checkpoint
    RP1602: 2/16/2010 1:28:23 AM - System Checkpoint
    RP1603: 2/17/2010 1:44:23 AM - System Checkpoint
    RP1604: 2/18/2010 2:44:23 AM - System Checkpoint
    RP1605: 2/19/2010 3:44:23 AM - System Checkpoint
    RP1606: 2/20/2010 4:14:16 AM - System Checkpoint
    RP1607: 2/21/2010 4:55:49 AM - System Checkpoint
    RP1608: 2/22/2010 5:04:07 AM - System Checkpoint
    RP1609: 2/23/2010 5:55:49 AM - System Checkpoint
    RP1610: 2/24/2010 3:00:21 AM - Software Distribution Service 3.0
    RP1611: 2/25/2010 3:55:39 AM - System Checkpoint
    RP1612: 2/26/2010 4:55:37 AM - System Checkpoint
    RP1613: 2/27/2010 5:55:37 AM - System Checkpoint
    RP1614: 2/28/2010 7:55:19 AM - System Checkpoint
    RP1615: 3/8/2010 7:07:46 PM - System Checkpoint
    RP1616: 3/8/2010 11:28:04 PM - Installed AVG Free 9.0
    RP1617: 3/9/2010 5:54:32 PM - Avg8 Update
    RP1618: 3/10/2010 9:43:21 PM - System Checkpoint
    RP1619: 3/11/2010 3:00:30 AM - Software Distribution Service 3.0
    RP1620: 3/12/2010 3:12:40 AM - System Checkpoint
    RP1621: 3/13/2010 3:57:06 AM - System Checkpoint
    RP1622: 3/13/2010 8:30:27 AM - Avg8 Update
    RP1623: 3/13/2010 8:36:07 AM - Avg Update
    RP1624: 3/13/2010 2:35:40 PM - Removed TurboTax ItsDeductible 2006
    RP1625: 3/14/2010 4:04:50 PM - System Checkpoint
    RP1626: 3/15/2010 4:36:35 PM - System Checkpoint
    RP1627: 3/16/2010 5:13:13 PM - System Checkpoint
    RP1628: 3/17/2010 8:29:07 AM - Avg Update
    RP1629: 3/18/2010 9:04:22 AM - System Checkpoint
    RP1630: 3/19/2010 10:55:42 AM - System Checkpoint

    ==== Installed Programs ======================

    3ivx MPEG-4 5.0.3 (remove only)
    5500
    5500_Help
    5500Tour
    5500Trb
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.9
    Adobe Shockwave Player 11.5
    Adobe SVG Viewer 3.0
    AiO_Scan
    AIOMinimal
    AiOSoftware
    AnswerWorks 4.0 Runtime - English
    Armada Tanks
    AVG Free 9.0
    Backup Dell-Installed Programs
    BUM
    CCleaner
    Construction Zone
    Copy
    CreativeProjects
    Debugging Tools for Windows (x86)
    Diagnostic Tool for the Microsoft VM
    Director
    DocProc
    Dora Saves the Crystal Kingdom!
    Facebook Plug-In
    Fax
    FlipShare
    Garmin City Navigator North America NT 2010.40
    Garmin WebUpdater
    GdiplusUpgrade
    getPlus(R) for Adobe
    GoGear VIBE Device Manager
    Google Earth
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    HP Image Zone 3.5
    HP PSC & OfficeJet 3.5
    hpmdtab
    HPSystemDiagnostics
    InstantShare
    J2SE Runtime Environment 5.0 Update 3
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
    KODAK EASYSHARE Gallery Easy Upload, v2.0
    KODAK EASYSHARE Gallery Upload ActiveX Control
    KODAK Picture CD Volume 3 Issue 2
    LeapFrog Connect
    LeapFrog Tag Plugin
    LG USB Modem driver
    Linksys EasyLink Advisor 1.5 (1010)
    Linksys Wireless-G PCI Adapter
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    Media Converter for Philips
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 6.2
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office XP Small Business
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Word 2002
    Microsoft Works 2002 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    MSN Music Assistant
    MSXML 6 Service Pack 2 (KB954459)
    muvee Plugin 1.0
    Overland
    PhotoGallery
    PrintScreen
    QFolder
    QuickProjects
    QuickTime
    Readme
    RealPlayer
    Registry Mechanic 9.0
    Scan
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB975561)
    SkinsHP1
    SkinsHP2
    Sony USB Driver
    Spybot - Search & Destroy
    TrayApp
    Unity Web Player
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
    WebFldrs XP
    WebReg
    Windows Driver Package - LeapFrog (FlyUsb) USB (11/05/2008 1.1.1.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live ID Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    Works Suite OS Pack
    Works Synchronization

    ==== Event Viewer Messages From Past Week ========

    3/13/2010 8:24:54 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000016, parameter2 00000002, parameter3 00000000, parameter4 804dbda3.
    3/13/2010 2:36:03 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
     
  11. 2010/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  12. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    Also....I just ran Malwarebytes, full scan. It detected 3 trojans that I removed.
     
  13. 2010/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    In that case, please post Malwarebytes log as well.
     
  14. 2010/03/20
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:05:12 PM, on 3/20/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEPlugin Class - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\PROGRA~1\ArcSoft\MEDIAC~1\INTERN~1\ARCURL~1.DLL
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
    O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150600.exe -Update -1150600 - "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" - "http://pbskids.org/arthur/games/artstudio/paint.html"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Philips GoGear VIBE Device Manager.lnk = ?
    O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...ediaDimensions=454x240::454x107&noreloadredir
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace02.geextranet.com/qp2.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155340497015
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} (Image Uploader Control) - http://gianteagle.lifepics.com/net/Uploader/LPUploader45.cab
    O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/downloads/gamemanager/DIGGameManager.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
    O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
    O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

    --
    End of file - 11796 bytes
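As an added example (not part of this thread, and not Trend Micro's HijackThis), here is a small Python triage script that applies the first-pass checks an analyst runs over a log like the one above: browser helper entries registered with (no file), Run values launching from a non-system drive or a per-user data directory or carrying a bare random-looking name, startup shortcuts whose target resolves to ?, and services with Unknown owner or (file missing). The sample lines are copied from the log above except the [tuoactho] Run value, which is constructed: the name is the value Malwarebytes reported as Trojan.FakeAlert.Gen, and its path is assumed.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not part of this thread and not Trend Micro's HijackThis.
The heuristics are my own; they mark entries worth a second look, not a verdict.
"""
import re

# Constructed sample input, shaped like the HijackThis log posted in this thread.
# All lines are copied from that log except the [tuoactho] Run value, which is
# constructed: the value name is the one Malwarebytes reported as
# Trojan.FakeAlert.Gen, the path is an assumption made for illustration.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Run: [tuoactho] C:\Documents and Settings\John\Local Settings\Application Data\tuoactho.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> section code plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Registry autostart bodies: hive, Run/RunOnce key, value name, command line.
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Writable per-user locations that legitimate installers rarely use for autostarts.
PROFILE_DIRS = ("\\local settings\\", "\\application data\\", "\\temp\\")


def exe_path(cmd):
    """Return the program path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def check_run_value(body):
    """Heuristics for a registry Run/RunOnce value; returns a list of reasons."""
    m = RUN_RE.match(body)
    if not m:
        return []
    reasons = []
    name, path = m["name"], exe_path(m["cmd"])
    lower = path.lower()
    if re.match(r"[d-z]:\\", lower):
        reasons.append("Run value launches from a non-system drive")
    if any(d in lower for d in PROFILE_DIRS):
        reasons.append("Run value launches from a user profile data directory")
    if re.fullmatch(r"[a-z]{7,}", name):  # weak signal: bare lowercase, no words
        reasons.append("Run value name is a bare lowercase string (often random)")
    return reasons


def check_entry(section, body):
    """Dispatch one parsed entry to the check for its HijackThis section."""
    if section in ("O2", "O3", "R3") and body.endswith("(no file)"):
        return ["orphaned browser helper/toolbar: CLSID registered but no DLL on disk"]
    if section == "O4":
        if body.startswith("Global Startup:") and body.endswith("= ?"):
            return ["startup shortcut whose target could not be resolved"]
        return check_run_value(body)
    if section == "O23":
        reasons = []
        if "Unknown owner" in body:
            reasons.append("service binary carries no recognised company name")
        if body.endswith("(file missing)"):
            reasons.append("service points at a binary that is not on disk")
        return reasons
    return []


def triage(log_text):
    """Return (section, reason, line) for every entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list and blank lines are skipped
        for reason in check_entry(m["section"], m["body"]):
            findings.append((m["section"], reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the full log rather than the sample, the script only narrows the list; each flagged entry still has to be judged against what is actually installed on the machine.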
     
  15. 2010/03/20
    jform Inactive Thread Starter
    ComboFix 10-03-19.08 - John 03/20/2010 15:32:54.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.399 [GMT -4:00]
    Running from: c:\documents and settings\John\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Shared
    c:\windows\xobglu16.dll

    .
    original MBR restored successfully !
    .
    ((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
    .

    2010-03-13 13:36 . 2010-03-13 13:36 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-03-13 13:36 . 2010-03-13 13:36 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-03-13 13:36 . 2010-03-13 13:36 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-03-13 13:35 . 2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-03-13 13:30 . 2010-03-09 04:28 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-03-13 13:30 . 2010-03-09 04:28 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-03-11 02:22 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-09 22:54 . 2010-03-09 04:28 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-03-09 22:54 . 2010-03-09 04:28 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-03-09 22:44 . 2010-03-10 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-09 22:44 . 2010-03-10 01:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-09 22:34 . 2010-03-09 22:34 -------- d-----w- c:\program files\CCleaner
    2010-03-09 22:32 . 2010-03-09 22:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-09 04:29 . 2010-03-09 22:51 -------- d-----w- C:\$AVG
    2010-03-09 04:28 . 2010-03-13 13:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-09 04:28 . 2010-03-13 13:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 04:28 . 2010-03-13 13:35 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-09 04:28 . 2010-03-20 13:10 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-03-09 04:28 . 2010-03-09 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\program files\AVG
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-03-02 20:57 . 2010-03-02 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-02 17:31 . 2010-03-02 17:31 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-02 17:15 . 2010-03-02 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-03-02 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-02 17:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-03-01 02:06 . 2010-03-01 02:06 -------- d-----w- c:\documents and settings\HelpAssistant\LocalLow
    2010-03-01 01:42 . 2010-03-01 01:42 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
    2010-03-01 01:42 . 2010-03-01 01:42 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
    2010-03-01 01:42 . 2008-12-13 17:37 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-02-28 13:27 . 2010-03-09 22:52 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\jmkolb
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\program files\Garmin
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
    2010-02-24 17:10 . 2010-02-24 17:50 -------- d-----w- c:\documents and settings\John\Application Data\Download Manager
    2010-02-24 15:15 . 2010-02-24 18:13 -------- d-----w- c:\documents and settings\John\Application Data\GARMIN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-13 19:37 . 2005-10-27 18:49 -------- d-----w- c:\program files\Yahoo!
    2010-03-13 19:32 . 2009-11-13 12:52 -------- d-----w- c:\program files\Microsoft
    2010-03-13 19:29 . 2007-09-16 22:07 -------- d-----w- c:\program files\LEGO Company
    2010-03-03 00:38 . 2009-03-12 16:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-02 17:50 . 2008-10-30 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-27 12:02 . 2009-03-12 21:08 -------- d-----w- c:\documents and settings\John\Application Data\PlayFirst
    2010-02-22 19:35 . 2006-10-08 19:52 -------- d-----w- c:\documents and settings\John\Application Data\U3
    2010-02-06 13:52 . 2010-02-06 13:52 50354 ----a-w- c:\documents and settings\John\Application Data\Facebook\uninstall.exe
    2010-02-06 13:52 . 2010-02-06 13:52 -------- d-----w- c:\documents and settings\John\Application Data\Facebook
    2010-02-05 21:36 . 2010-02-05 21:36 -------- d-----w- c:\program files\Nick Jr. Arcade
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John\Application Data\Facebook\npfbplugin_1_0_1.dll
    2010-01-20 05:08 . 2008-08-24 11:57 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-26 16:12 . 2009-12-26 16:12 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2009-12-26 16:12 . 2009-12-26 16:12 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
    2009-12-21 19:14 . 2004-01-08 20:23 916480 ----a-w- c:\windows\system32\wininet.dll
    2009-12-21 13:48 . 2009-12-21 13:48 118272 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\53\6061d535-489cb3ac-n\WinVideo.dll
    2009-12-21 13:48 . 2009-12-21 13:48 90624 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-31c1ddb7-n\JINECELP.dll
    2009-12-21 13:48 . 2009-12-21 13:48 68096 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-31c1ddb7-n\JIWAudio.dll
    2009-12-21 13:48 . 2009-12-21 13:48 64000 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-31c1ddb7-n\JIWMixer.dll
    2009-12-21 13:48 . 2009-12-21 13:48 61440 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\15\306e94cf-562c8928-n\WinPlatform.dll
    2005-12-05 23:28 . 2005-12-05 23:28 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab
    2005-12-05 23:28 . 2005-12-05 23:28 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 86925 ------w- c:\program files\Oct2005_xinput_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 46247 ------w- c:\program files\Oct2005_xinput_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 41888 ------w- c:\program files\dxdllreg_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab
    2005-12-05 23:27 . 2005-12-05 23:27 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2001-09-04 19:31 . 2001-09-04 19:31 655360 c:\program files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

    2001-08-17 04:41 . 2001-08-17 04:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

    2006-01-01 14:40 . 2006-01-01 14:40 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

    2007-07-17 00:43 . 2007-07-17 00:43 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    2005-02-17 03:11 . 2005-02-17 03:11 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

    2005-01-12 18:54 . 2005-01-12 18:54 241664 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

    2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe

    2007-10-16 00:31 . 2007-09-25 05:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

    2007-10-20 12:55 . 2006-04-03 00:07 389120 c:\program files\Linksys EasyLink Advisor\bak\LinksysAgent.exe

    2001-10-06 00:34 . 2001-10-06 00:34 24576 c:\program files\Microsoft Works\bak\wkfud.exe

    2001-08-23 21:52 . 2001-08-23 21:52 331830 c:\program files\Microsoft Works\bak\WksSb.exe

    2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\program files\QuickTime\bak\qttask.exe

    2005-10-19 22:24 . 2004-01-05 07:27 176128 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"= "c:\program files\MSN Messenger\MsnMsgr.Exe" [N/A]
    "swg"= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
    "EasyLinkAdvisor"= "c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [N/A]
    "DW6"= "c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [N/A]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"= "c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QBCD Autorun"= "D:\autorun.exe" [N/A]
    "ArcSoft Connection Service"= "c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
    "Monitor"= "c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
    Philips GoGear VIBE Device Manager.lnk - c:\program files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe [2009-9-10 1611152]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    c:\program files\iTunes\iTunesHelper.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mshta.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "3964:TCP"= 3964:TCP:Services
    "2003:TCP"= 2003:TCP:Services

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/9/2010 12:28 AM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/9/2010 12:28 AM 242696]
    R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [8/15/2007 10:41 AM 110304]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:34 AM 308064]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3/2/2010 4:57 PM 583640]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/26/2009 12:14 PM 18560]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/30/2008 5:25 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/30/2008 5:25 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/30/2008 5:25 PM 23680]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    AddRemove-Construction Zone - c:\program files\Mattel Media\Matchbox\Caterpillar Construction Zone\Construction Zone\Data\UninstallCat.isu
    AddRemove-UnityWebPlayer - c:\documents and settings\John\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-20 15:50
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x872D7B20]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf75b3f28
    \Driver\ACPI -> 0x872d7b20
    \Driver\atapi -> atapi.sys @ 0xf74de852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
    ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
    ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
    NDIS: Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4) #2 -> SendCompleteHandler -> 0x86d6f690
    PacketIndicateHandler -> NDIS.sys @ 0xf73e4a21
    SendHandler -> NDIS.sys @ 0xf73d9949
    Warning: possible MBR rootkit infection !
    copy of MBR has been found in sector 0x0950A600
    malicious code @ sector 0x0950A603 !
    PE file found in sector at 0x0950A619 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

    **************************************************************************
    .
    Completion time: 2010-03-20 15:55:32
    ComboFix-quarantined-files.txt 2010-03-20 19:55

    Pre-Run: 41,374,679,040 bytes free
    Post-Run: 42,229,350,400 bytes free

    - - End Of File - - E5C73968606F4B99A0DB83554BFF24C1
     
  16. 2010/03/20
    jform Inactive Thread Starter
    Malwarebytes' Anti-Malware 1.44
    Database version: 3888
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/20/2010 2:44:56 PM
    mbam-log-2010-03-20 (14-44-56).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 289161
    Time elapsed: 1 hour(s), 36 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuoactho (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  17. 2010/03/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please always follow all instructions.
    Combofix log reports:
    Make sure that, when you run Combofix again, the Recovery Console gets installed.

    ==================================================================

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your Desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
    Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard so that nothing is done to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive; please copy and paste the contents of that file here.
     
  18. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    Running Combofix as I type (I'm on my laptop now). Recovery console installed successfully. Will download TDSSKiller and post shortly.
     
  19. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    09:19:31:281 4028 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
    09:19:31:281 4028 ================================================================================
    09:19:31:281 4028 SystemInfo:

    09:19:31:281 4028 OS Version: 5.1.2600 ServicePack: 3.0
    09:19:31:281 4028 Product type: Workstation
    09:19:31:281 4028 ComputerName: JOHN-ZQWF1GS96T
    09:19:31:281 4028 UserName: John
    09:19:31:281 4028 Windows directory: C:\WINDOWS
    09:19:31:281 4028 Processor architecture: Intel x86
    09:19:31:281 4028 Number of processors: 1
    09:19:31:281 4028 Page size: 0x1000
    09:19:31:281 4028 Boot type: Normal boot
    09:19:31:281 4028 ================================================================================
    09:19:31:281 4028 UnloadDriverW: NtUnloadDriver error 2
    09:19:31:296 4028 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    09:19:31:375 4028 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    09:19:31:640 4028 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    09:19:31:640 4028 wfopen_ex: Trying to KLMD file open
    09:19:31:640 4028 wfopen_ex: File opened ok (Flags 2)
    09:19:31:640 4028 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    09:19:31:656 4028 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    09:19:31:656 4028 wfopen_ex: Trying to KLMD file open
    09:19:31:656 4028 wfopen_ex: File opened ok (Flags 2)
    09:19:31:656 4028 Initialize success
    09:19:31:656 4028
    09:19:31:656 4028 Scanning Services ...
    09:19:32:109 4028 GetAdvancedServicesInfo: Raw services enum returned 365 services
    09:19:32:125 4028
    09:19:32:125 4028 Scanning Kernel memory ...
    09:19:32:125 4028 Devices to scan: 2
    09:19:32:125 4028
    09:19:32:125 4028 Driver Name: Disk
    09:19:32:125 4028 IRP_MJ_CREATE : F75B5BB0
    09:19:32:125 4028 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    09:19:32:125 4028 IRP_MJ_CLOSE : F75B5BB0
    09:19:32:125 4028 IRP_MJ_READ : F75AFD1F
    09:19:32:125 4028 IRP_MJ_WRITE : F75AFD1F
    09:19:32:125 4028 IRP_MJ_QUERY_INFORMATION : 804FA88E
    09:19:32:125 4028 IRP_MJ_SET_INFORMATION : 804FA88E
    09:19:32:125 4028 IRP_MJ_QUERY_EA : 804FA88E
    09:19:32:125 4028 IRP_MJ_SET_EA : 804FA88E
    09:19:32:125 4028 IRP_MJ_FLUSH_BUFFERS : F75B02E2
    09:19:32:125 4028 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    09:19:32:125 4028 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    09:19:32:125 4028 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    09:19:32:125 4028 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    09:19:32:125 4028 IRP_MJ_DEVICE_CONTROL : F75B03BB
    09:19:32:125 4028 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75B3F28
    09:19:32:125 4028 IRP_MJ_SHUTDOWN : F75B02E2
    09:19:32:125 4028 IRP_MJ_LOCK_CONTROL : 804FA88E
    09:19:32:125 4028 IRP_MJ_CLEANUP : 804FA88E
    09:19:32:125 4028 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    09:19:32:125 4028 IRP_MJ_QUERY_SECURITY : 804FA88E
    09:19:32:125 4028 IRP_MJ_SET_SECURITY : 804FA88E
    09:19:32:125 4028 IRP_MJ_POWER : F75B1C82
    09:19:32:125 4028 IRP_MJ_SYSTEM_CONTROL : F75B699E
    09:19:32:125 4028 IRP_MJ_DEVICE_CHANGE : 804FA88E
    09:19:32:125 4028 IRP_MJ_QUERY_QUOTA : 804FA88E
    09:19:32:125 4028 IRP_MJ_SET_QUOTA : 804FA88E
    09:19:32:140 4028 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    09:19:32:140 4028
    09:19:32:140 4028 Driver Name: atapi
    09:19:32:140 4028 IRP_MJ_CREATE : F74E26F2
    09:19:32:140 4028 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    09:19:32:140 4028 IRP_MJ_CLOSE : F74E26F2
    09:19:32:140 4028 IRP_MJ_READ : 804FA88E
    09:19:32:140 4028 IRP_MJ_WRITE : 804FA88E
    09:19:32:140 4028 IRP_MJ_QUERY_INFORMATION : 804FA88E
    09:19:32:140 4028 IRP_MJ_SET_INFORMATION : 804FA88E
    09:19:32:140 4028 IRP_MJ_QUERY_EA : 804FA88E
    09:19:32:140 4028 IRP_MJ_SET_EA : 804FA88E
    09:19:32:140 4028 IRP_MJ_FLUSH_BUFFERS : 804FA88E
    09:19:32:140 4028 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    09:19:32:140 4028 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    09:19:32:140 4028 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    09:19:32:140 4028 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    09:19:32:140 4028 IRP_MJ_DEVICE_CONTROL : F74E2712
    09:19:32:140 4028 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74DE852
    09:19:32:140 4028 IRP_MJ_SHUTDOWN : 804FA88E
    09:19:32:140 4028 IRP_MJ_LOCK_CONTROL : 804FA88E
    09:19:32:140 4028 IRP_MJ_CLEANUP : 804FA88E
    09:19:32:140 4028 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    09:19:32:140 4028 IRP_MJ_QUERY_SECURITY : 804FA88E
    09:19:32:140 4028 IRP_MJ_SET_SECURITY : 804FA88E
    09:19:32:140 4028 IRP_MJ_POWER : F74E273C
    09:19:32:140 4028 IRP_MJ_SYSTEM_CONTROL : F74E9336
    09:19:32:140 4028 IRP_MJ_DEVICE_CHANGE : 804FA88E
    09:19:32:140 4028 IRP_MJ_QUERY_QUOTA : 804FA88E
    09:19:32:140 4028 IRP_MJ_SET_QUOTA : 804FA88E
    09:19:32:171 4028 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    09:19:32:171 4028
    09:19:32:171 4028 Completed
    09:19:32:171 4028
    09:19:32:171 4028 Results:
    09:19:32:171 4028 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    09:19:32:171 4028 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    09:19:32:171 4028 File objects infected / cured / cured on reboot: 0 / 0 / 0
    09:19:32:171 4028
    09:19:32:171 4028 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    09:19:32:171 4028 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    09:19:32:171 4028 KLMD(ARK) unloaded successfully
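TDSSKiller's kernel-memory pass above dumps every IRP major-function handler of the Disk and atapi driver objects and then gives each driver a verdict. What it is checking is whether any dispatch entry has been redirected: on a clean driver each handler resolves either into the driver's own image (the F74Exxxx and F75Bxxxx addresses) or to the kernel's default handler that fills in every major the driver does not implement (804FA88E, the one address both drivers share in the log, which lives in ntoskrnl). The TDL3/TDSS family the tool is named for pointed atapi's dispatch entries at code hidden outside any loaded module. The script below is an added example, not part of the thread and not TDSSKiller's own code: it parses log lines in the format shown above and flags entries that resolve to neither the driver's image nor the kernel. The loaded-module address ranges and the hooked atapi block in the sample log are constructed for the demonstration.

```python
"""Flag hooked IRP dispatch entries in TDSSKiller-style log output.

Added example, not part of the thread or of TDSSKiller.  The module map
and the hooked 'atapi' block in SAMPLE_LOG are constructed (assumption).
"""
import re
from collections import OrderedDict

# Constructed excerpt in the shape of the TDSSKiller log above.  'Disk' is
# clean; 'atapi' has two majors redirected to an address that belongs to no
# loaded module (constructed hook, not real data).
SAMPLE_LOG = """\
09:19:32:125 4028 Driver Name: Disk
09:19:32:125 4028 IRP_MJ_CREATE : F75B5BB0
09:19:32:125 4028 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
09:19:32:125 4028 IRP_MJ_READ : F75AFD1F
09:19:32:125 4028 IRP_MJ_DEVICE_CONTROL : F75B03BB
09:19:32:140 4028 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
09:19:32:140 4028
09:19:32:140 4028 Driver Name: atapi
09:19:32:140 4028 IRP_MJ_CREATE : F74E26F2
09:19:32:140 4028 IRP_MJ_READ : 804FA88E
09:19:32:140 4028 IRP_MJ_DEVICE_CONTROL : 8A3F1C40
09:19:32:140 4028 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3F1C40
09:19:32:140 4028 IRP_MJ_POWER : F74E273C
"""

# Assumed loaded-module map: image -> (base, end).  On a live system this
# comes from NtQuerySystemInformation(SystemModuleInformation) or a kernel
# debugger's module list; the ranges here are made up for the demo.
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x806CD000),
    "disk.sys":     (0xF75AE000, 0xF75B8000),
    "atapi.sys":    (0xF74DC000, 0xF74F2000),
}
# Driver object name -> the image that owns its dispatch table (assumed).
DRIVER_IMAGE = {"Disk": "disk.sys", "atapi": "atapi.sys"}

_DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
_IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver: {IRP_MJ_x: handler_address}} from TDSSKiller lines."""
    tables = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = _DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = OrderedDict()
            continue
        m = _IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def module_for(address, modules):
    """Name of the module whose [base, end) range holds address, else None."""
    for name, (base, end) in modules.items():
        if base <= address < end:
            return name
    return None


def find_hooked_entries(tables, modules, driver_image):
    """Entries that resolve neither to the driver's own image nor to the
    kernel.  The kernel is allowed because ntoskrnl supplies the default
    handler (IopInvalidDeviceRequest) for every major a driver leaves
    unimplemented; that is the 804FA88E shared by both drivers above."""
    findings = []
    for driver, entries in tables.items():
        own = driver_image.get(driver)
        for major, addr in entries.items():
            owner = module_for(addr, modules)
            if owner is None or (owner != own and owner != "ntoskrnl.exe"):
                findings.append((driver, major, addr, owner))
    return findings


if __name__ == "__main__":
    tables = parse_dispatch_tables(SAMPLE_LOG)
    for driver, major, addr, owner in find_hooked_entries(tables, MODULES, DRIVER_IMAGE):
        print(f"{driver}: {major} -> {addr:08X} resolves to {owner or 'no loaded module'}")
```

Run it against a real TDSSKiller.txt by replacing SAMPLE_LOG with the file's contents and MODULES with the machine's actual module list; a handler pointing into unnamed kernel memory is the signature TDL3 left on atapi, while a handler pointing into a different, named driver is usually a legitimate filter and needs a second look rather than a removal.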
     
  20. 2010/03/21
    jform

    jform Inactive Thread Starter

    Joined:
    2010/03/20
    Messages:
    41
    Likes Received:
    0
    ComboFix 10-03-20.04 - John 03/21/2010 8:56.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.565 [GMT -4:00]
    Running from: c:\documents and settings\John\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))
    .

    2010-03-20 20:04 . 2010-03-20 20:04 -------- d-----w- c:\program files\Trend Micro
    2010-03-13 13:36 . 2010-03-13 13:36 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
    2010-03-13 13:36 . 2010-03-13 13:36 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
    2010-03-13 13:36 . 2010-03-13 13:36 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys
    2010-03-13 13:35 . 2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
    2010-03-13 13:30 . 2010-03-09 04:28 1007896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
    2010-03-13 13:30 . 2010-03-09 04:28 800536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
    2010-03-13 13:30 . 2010-03-09 04:28 613656 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
    2010-03-11 02:22 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-09 22:54 . 2010-03-09 04:28 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
    2010-03-09 22:54 . 2010-03-09 04:28 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
    2010-03-09 22:44 . 2010-03-10 03:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-03-09 22:44 . 2010-03-10 01:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-03-09 22:34 . 2010-03-09 22:34 -------- d-----w- c:\program files\CCleaner
    2010-03-09 22:32 . 2010-03-09 22:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-03-09 04:29 . 2010-03-09 22:51 -------- d-----w- C:\$AVG
    2010-03-09 04:28 . 2010-03-13 13:35 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-03-09 04:28 . 2010-03-13 13:32 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-03-09 04:28 . 2010-03-13 13:35 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-03-09 04:28 . 2010-03-20 22:55 -------- d-----w- c:\windows\system32\drivers\Avg
    2010-03-09 04:28 . 2010-03-09 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\program files\AVG
    2010-03-09 04:28 . 2010-03-09 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-03-02 20:57 . 2010-03-02 20:57 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-03-02 17:31 . 2010-03-02 17:31 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-02 17:15 . 2010-03-02 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-03-02 17:15 . 2010-03-02 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-02 17:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\Shared
    2010-03-01 02:55 . 2010-03-01 02:55 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
    2010-03-01 02:06 . 2010-03-01 02:06 -------- d-----w- c:\documents and settings\HelpAssistant\LocalLow
    2010-03-01 01:42 . 2010-03-01 01:42 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
    2010-03-01 01:42 . 2010-03-01 01:42 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
    2010-03-01 01:42 . 2008-12-13 17:37 61224 ----a-w- c:\documents and settings\HelpAssistant\GoToAssistDownloadHelper.exe
    2010-02-28 13:27 . 2010-03-09 22:52 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\jmkolb
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\program files\Garmin
    2010-02-24 18:14 . 2010-02-24 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\GARMIN
    2010-02-24 17:10 . 2010-02-24 17:50 -------- d-----w- c:\documents and settings\John\Application Data\Download Manager
    2010-02-24 15:15 . 2010-02-24 18:13 -------- d-----w- c:\documents and settings\John\Application Data\GARMIN

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-13 19:37 . 2005-10-27 18:49 -------- d-----w- c:\program files\Yahoo!
    2010-03-13 19:32 . 2009-11-13 12:52 -------- d-----w- c:\program files\Microsoft
    2010-03-13 19:29 . 2007-09-16 22:07 -------- d-----w- c:\program files\LEGO Company
    2010-03-03 00:38 . 2009-03-12 16:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2010-03-02 20:33 . 2005-10-19 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2010-03-02 17:50 . 2008-10-30 13:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-02-27 12:02 . 2009-03-12 21:08 -------- d-----w- c:\documents and settings\John\Application Data\PlayFirst
    2010-02-22 19:35 . 2006-10-08 19:52 -------- d-----w- c:\documents and settings\John\Application Data\U3
    2010-02-06 13:52 . 2010-02-06 13:52 50354 ----a-w- c:\documents and settings\John\Application Data\Facebook\uninstall.exe
    2010-02-06 13:52 . 2010-02-06 13:52 -------- d-----w- c:\documents and settings\John\Application Data\Facebook
    2010-02-05 21:36 . 2010-02-05 21:36 -------- d-----w- c:\program files\Nick Jr. Arcade
    2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John\Application Data\Facebook\axfbootloader.dll
    2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John\Application Data\Facebook\npfbplugin_1_0_1.dll
    2009-12-31 16:50 . 2001-08-18 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2009-12-26 16:12 . 2009-12-26 16:12 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
    2009-12-26 16:12 . 2009-12-26 16:12 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe
    2009-12-21 19:14 . 2004-01-08 20:23 916480 ------w- c:\windows\system32\wininet.dll
    2009-12-21 13:48 . 2009-12-21 13:48 118272 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\53\6061d535-489cb3ac-n\WinVideo.dll
    2009-12-21 13:48 . 2009-12-21 13:48 90624 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-31c1ddb7-n\JINECELP.dll
    2009-12-21 13:48 . 2009-12-21 13:48 68096 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-31c1ddb7-n\JIWAudio.dll
    2009-12-21 13:48 . 2009-12-21 13:48 64000 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-31c1ddb7-n\JIWMixer.dll
    2009-12-21 13:48 . 2009-12-21 13:48 61440 ----a-w- c:\documents and settings\John\Application Data\Sun\Java\Deployment\cache\6.0\15\306e94cf-562c8928-n\WinPlatform.dll
    2005-12-05 23:28 . 2005-12-05 23:28 3673932 ------w- c:\program files\Dec2005_MDX1_x86_Archive.cab
    2005-12-05 23:28 . 2005-12-05 23:28 1358864 ------w- c:\program files\Dec2005_d3dx9_28_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 86925 ------w- c:\program files\Oct2005_xinput_x64.cab
    2005-12-05 23:28 . 2005-12-05 23:28 46247 ------w- c:\program files\Oct2005_xinput_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 41888 ------w- c:\program files\dxdllreg_x86.cab
    2005-12-05 23:28 . 2005-12-05 23:28 916806 ------w- c:\program files\Dec2005_MDX1_x86.cab
    2005-12-05 23:27 . 2005-12-05 23:27 1080344 ------w- c:\program files\Dec2005_d3dx9_28_x86.cab
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2001-09-04 19:31 . 2001-09-04 19:31 655360 c:\program files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

    2001-08-17 04:41 . 2001-08-17 04:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

    2006-01-01 14:40 . 2006-01-01 14:40 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

    2007-07-17 00:43 . 2007-07-17 00:43 68856 c:\program files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

    2005-02-17 03:11 . 2005-02-17 03:11 49152 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

    2005-01-12 18:54 . 2005-01-12 18:54 241664 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

    2007-03-14 23:05 . 2007-03-14 23:05 257088 c:\program files\iTunes\bak\iTunesHelper.exe

    2007-10-16 00:31 . 2007-09-25 05:11 132496 c:\program files\Java\jre1.6.0_03\bin\bak\jusched.exe

    2007-10-20 12:55 . 2006-04-03 00:07 389120 c:\program files\Linksys EasyLink Advisor\bak\LinksysAgent.exe

    2001-10-06 00:34 . 2001-10-06 00:34 24576 c:\program files\Microsoft Works\bak\wkfud.exe

    2001-08-23 21:52 . 2001-08-23 21:52 331830 c:\program files\Microsoft Works\bak\WksSb.exe

    2007-02-16 14:54 . 2007-02-16 14:54 282624 c:\program files\QuickTime\bak\qttask.exe

    2005-10-19 22:24 . 2004-01-05 07:27 176128 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb09.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [N/A]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
    "EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [N/A]
    "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [N/A]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150600.exe" [2009-06-05 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QBCD Autorun"="D:\autorun.exe" [N/A]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
    "Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
    Philips GoGear VIBE Device Manager.lnk - c:\program files\Philips\GoGear VIBE Device Manager\GoGear_Vibe_DeviceManager.exe [2009-9-10 1611152]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-03-13 13:35 12464 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    c:\program files\iTunes\iTunesHelper.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    c:\program files\Common Files\Real\Update_OB\realsched.exe [N/A]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\mshta.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "2479:TCP"= 2479:TCP:Services
    "3246:TCP"= 3246:TCP:Services
    "3389:TCP"= 3389:TCP:Remote Desktop
    "3964:TCP"= 3964:TCP:Services
    "2003:TCP"= 2003:TCP:Services

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/9/2010 12:28 AM 216200]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/9/2010 12:28 AM 242696]
    R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [8/15/2007 10:41 AM 110304]
    R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 9:34 AM 308064]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [3/2/2010 4:57 PM 583640]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/26/2009 12:14 PM 18560]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/30/2008 5:25 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/30/2008 5:25 PM 8320]
    S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [11/30/2008 5:25 PM 23680]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-09-20 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
    - c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-08-31 19:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mWindow Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: turbotax.com
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.1.0/GarminAxControl.CAB
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-21 09:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2576)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-03-21 09:11:53
    ComboFix-quarantined-files.txt 2010-03-21 13:11
    ComboFix2.txt 2010-03-20 19:55

    Pre-Run: 42,301,210,624 bytes free
    Post-Run: 42,259,296,256 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
    - - End Of File - - 288BE93133A366EED31B09B224E4F569
     
  21. 2010/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects an MBR infection, please allow it to run mbr -f and shut down your computer. To do so, type Y and press Enter.
    • After the restart, wait 5 minutes, then go to Start > Run, copy and paste the following command into the Run box, then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any MBR infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory-delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f, nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain with an infected MBR (the latter not recommended).
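The GMER lines at the end of the first ComboFix log ("copy of MBR has been found in sector 0x0950A600", "malicious code @ sector 0x0950A603", "PE file found in sector at 0x0950A619") and the mbr -f step in the post above describe the two halves of one problem. A bootkit of the Mebroot/TDL kind swaps the boot code in sector 0 for its own, stashes the original MBR plus its driver image in unpartitioned space (here far out on the disk), and the repair writes clean boot code back into sector 0 while keeping the live partition table, which is why the Dell caveat exists: anything an OEM had put into the boot code goes with it. The second ComboFix log also lists a HelpAssistant profile populated on 2010-03-01, the account whose name the HelpAsst_mebroot_fix tool carries. The script below is an added example, not part of the thread and not GMER's mbr.exe: it parses an MBR, scans a disk image for a stashed MBR copy and for PE headers outside any partition, and builds the sector an mbr -f style repair would write. The image, its partition layout, the sector numbers and the "known good" boot code bytes are all constructed for the demonstration; on a real machine the image would be read from \\.\PhysicalDrive0 and the reference code would come from a trusted MBR.

```python
"""MBR check and repair on an in-memory disk image.

Added example, not part of the thread and not GMER's mbr.exe.  The image,
partition layout, sector numbers and 'known good' code bytes below are all
constructed for the demonstration.
"""
import struct

SECTOR = 512
CODE_LEN = 446    # bootstrap code: bytes 0..445
TABLE_OFF = 446   # four 16-byte partition entries: bytes 446..509
SIG_OFF = 510     # boot signature 0x55 0xAA: bytes 510..511


def parse_mbr(sector):
    """Return (code, raw_table, used_entries, signature_ok) for one sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    code = bytes(sector[:CODE_LEN])
    table = bytes(sector[TABLE_OFF:SIG_OFF])
    entries = []
    for i in range(4):
        status, p_type, lba_start, n_sectors = struct.unpack_from(
            "<B3xB3xII", table, i * 16)     # the 3x fields skip CHS values
        if p_type:
            entries.append({"status": status, "type": p_type,
                            "lba_start": lba_start, "sectors": n_sectors})
    return code, table, entries, bytes(sector[SIG_OFF:]) == b"\x55\xAA"


def in_partition(lba, entries):
    return any(e["lba_start"] <= lba < e["lba_start"] + e["sectors"] for e in entries)


def scan_image(image, reference_code=None):
    """Mirror the GMER warning: compare the live boot code with a trusted
    copy, then search unpartitioned space for a second copy of the MBR (same
    partition table, different code) and for sectors that start with a PE/MZ
    header, where a bootkit keeps its driver body."""
    code, table, entries, sig_ok = parse_mbr(image[:SECTOR])
    report = {"signature_ok": sig_ok,
              "code_matches_reference": reference_code is None or code == bytes(reference_code[:CODE_LEN]),
              "mbr_copies": [], "pe_sectors": []}
    for lba in range(1, len(image) // SECTOR):
        if in_partition(lba, entries):
            continue                       # file-system data, not slack
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[SIG_OFF:] == b"\x55\xAA" and sec[TABLE_OFF:SIG_OFF] == table and sec[:CODE_LEN] != code:
            report["mbr_copies"].append(lba)
        if sec[:2] == b"MZ":
            report["pe_sectors"].append(lba)
    return report


def repair_mbr(live_mbr, known_good_code):
    """Build the sector an 'mbr -f'-style fix writes: trusted boot code plus
    the *live* partition table and signature.  Anything an OEM placed in the
    boot code (the Dell restore hook in the caveat above) is lost here."""
    _, table, _, _ = parse_mbr(live_mbr)
    return bytes(known_good_code[:CODE_LEN]).ljust(CODE_LEN, b"\x00") + table + b"\x55\xAA"


def build_demo_image(total_sectors=0x800):
    """Constructed infected image: foreign code in sector 0, the original MBR
    stashed in slack past the only partition, and a PE header a few sectors
    further on.  No real malware bytes; both code blobs are placeholders."""
    good_code = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Invalid partition table").ljust(CODE_LEN, b"\x00")
    bad_code = (b"\xEB\xFE" + b"BOOTKIT").ljust(CODE_LEN, b"\x90")
    table = bytearray(64)
    struct.pack_into("<B3xB3xII", table, 0, 0x80, 0x07, 63, 0x400)  # one active NTFS partition
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = bad_code + bytes(table) + b"\x55\xAA"
    stash = 0x600                                    # beyond LBA 63 + 0x400
    image[stash * SECTOR:(stash + 1) * SECTOR] = good_code + bytes(table) + b"\x55\xAA"
    pe = stash + 0x19
    image[pe * SECTOR:pe * SECTOR + 2] = b"MZ"
    return bytes(image), good_code


if __name__ == "__main__":
    image, good_code = build_demo_image()
    report = scan_image(image, reference_code=good_code)
    print(report)
    if not report["code_matches_reference"] or report["mbr_copies"]:
        fixed = repair_mbr(image[:SECTOR], good_code)
        print("repaired sector 0 keeps partition table:",
              parse_mbr(fixed)[1] == parse_mbr(image[:SECTOR])[1])
```

The scan deliberately ignores sectors inside a partition, since MZ headers and boot signatures are normal there; the stashed copy and the driver body are found in the slack a bootkit prefers. The repair keeps the partition table the disk is actually using rather than the one in the stashed copy, so a partition the user created after the infection survives, and the reference code must come from a source you trust, not from the copy the rootkit left behind.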
     
