23rd April 2009, post #1
Member (Join Date: Apr 2009, Posts: 9, Computer Experience: Beginner)
[Resolved] First google redirects, now page load error
Hi, I've been having this problem for a while now. I couldn't access microsoft.com and was being redirected to another site. I've done HJT to solve the problem, but now, instead of being redirected to that site, I get another site. Also, if I try to access anti-virus sites, all I get is a page load error. I've looked into the other threads to help me solve this problem, but I'm not sure whether following instructions meant for others would do me any good. I tried running GooredFix and ComboFix though. >.< I hope that won't mess with my system.
Here are my logs from DDS
DDS (Ver_09-03-16.01) - NTFSx86
Run by Jerrine at 19:02:08.64 on Thu 04/23/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
============== Pseudo HJT Report ===============
uStart Page = about:blank
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://my.magicjack.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - d:\bitcomet\tools\BitCometBHO.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEHlprObj Class: {f171a450-7af5-43e1-afed-edc826a1b0f5} - c:\windows\system32\bgotrtu0.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\jerrine\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [HyperIM] c:\program files\hyperim\HyperIM.exe -min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [BigDogPath] c:\windows\VM_STI.EXE A4 Tech USB PC Camera
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\imon.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\jerrine\applic~1\mozilla\firefox\profiles\s1p9xkgj.default\
FF - prefs.js : browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js : browser.search.selectedEngine - Google
FF - prefs.js : browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\jerrine\application data\mozilla\firefox\profiles\s1p9xkgj.default\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\mozilla plugins\npitunes.dll
============= SERVICES / DRIVERS ===============
=============== Created Last 30 ================
2009-04-23 16:41 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-23 16:27 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-23 16:27 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-23 16:27 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-23 16:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-23 16:26 <DIR> --d----- c:\program files\AVG
2009-04-23 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-17 18:11 <DIR> --d----- c:\docume~1\jerrine\applic~1\iWin
2009-04-16 06:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\JollyBear
2009-04-15 17:31 <DIR> --d----- c:\docume~1\jerrine\applic~1\Home Sweet Home
2009-04-12 17:02 <DIR> --d----- c:\windows\system32\Adobe
2009-04-12 16:26 <DIR> --d----- c:\program files\MyPlayCity.com
2009-04-07 12:25 172,307 ---shr-- C:\pmut.bat
2009-04-06 15:07 171,664 ---shr-- C:\gpmjw.cmd
2009-04-05 12:30 <DIR> --d----- c:\program files\Trend Micro
2009-03-31 09:50 172,913 ---shr-- C:\flnm.cmd
2009-03-30 22:40 <DIR> --d----- c:\docume~1\jerrine\applic~1\com.imeem.DesktopUploader.6C3F108F466C0F04F30B58747CAA4DF34281133B.1
2009-03-30 22:40 <DIR> --d----- c:\program files\imeem Uploader
2009-03-30 17:50 32,397 a------- c:\windows\SGTBox.INI
2009-03-29 17:08 140,288 a------- c:\windows\~GLC0001.TMP
2009-03-29 17:08 5,607 a------- c:\windows\~GLH0001.TMP
2009-03-29 16:54 27,448 a------- c:\windows\system32\Odbcjtnw.hlp
2009-03-29 16:53 140,288 a------- c:\windows\~GLC0000.TMP
2009-03-29 16:53 5,607 a------- c:\windows\~GLH0000.TMP
2009-03-27 23:55 <DIR> --d----- c:\program files\FLAC
==================== Find3M ====================
2009-04-05 15:16 3,532 a------- C:\drmHeader.bin
2009-03-10 11:38 141,612 a------- c:\windows\system32\drivers\dump_wmimmc.sys
2009-03-07 10:33 173,756 ---shr-- C:\o3w2.com
2009-03-06 05:54 90,112 a--s-r-- c:\windows\system32\cqtjh.dll
2009-03-01 23:11 157,831 ---shr-- C:\g068vy6.cmd
2009-01-27 19:25 499,712 a------- c:\windows\system32\msvcp71.dll
2009-01-27 19:25 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-19 07:49 774,144 a------- c:\program files\RngInterstitial.dll
2008-10-18 08:25 220 ac-sh--- c:\windows\system32\ss.drv
============= FINISH: 19:02:36.57 ===============
==== Installed Programs ======================
2007 Microsoft Office Suite Service Pack 1 (SP1)
A4 Tech USB PC Camera
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 9
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced Uninstaller PRO 2006 - version 7
Apple Mobile Device Support
Apple Software Update
AVG 8.5
Bonjour
Bricks of Egypt
Burger Shop
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera WIA Driver
Canon CanoCraft CS-P 3.8
Canon EOS 5D WIA Driver
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon ScanGear Toolbox CS 2.2
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.2
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Casino-On-Net
Chessmaster 5500 1.0.2
Chinese Writing Master 4.0
Cole2k Media - Codec Pack (Advanced) 7.1.0
Cooking Dash(TM)
Documents To Go
Entry
Entry (c:\Program Files\Entry\)
F1 Racing
FLAC Installer 1.1.3b (remove only)
Garena
Google Updater
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
hp deskjet 1180c printer
HP Deskjet 3740
HP Software Update
HyperIM 2.14
imeem Uploader
iTunes
Java(TM) 6 Update 11
LightScribe 1.4.136.1
Mad Medley Battle
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Sounds
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.9)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Multiply AutoUploader
NOD32 antivirus system
NVIDIA Drivers
OneCare Advisor (Windows Live Toolbar)
OutlookTools 2
Palm
PDF Settings
Pocket Quicken 2.5 for Palm OS
Popup Blocker (Windows Live Toolbar)
Quicken 2006
QuickTime
RealArcade
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Ringed Drag Strip
Sally's Salon
Sally's Spa
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Skype™ 3.8
Smart Menus (Windows Live Toolbar)
Sony Media Manager for PSP 2.5
SoundMAX
Super WHATword
Switch Sound File Converter
SymmTime
System Requirements Lab
Tabbed Browsing (Windows Live Toolbar)
Trial Bike Ultra Powered by AdVantage
Tropix 2 Quest For The Golden Banana
Tropix(TM) 2 - The Quest For the Golden Banana
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb957258)
Update for Windows XP (KB898461)
Update for Windows XP (KB911164)
Update for Windows XP (KB925720)
Update for Windows XP (KB951072-v2)
Vuze
WebFldrs XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
==== End Of File ===========================
From GooredFix:
GooredFix v1.92 by jpshortstuff
Log created at 19:29 on 23/04/2009 running Option #1 (Jerrine)
Firefox version 3.0.9 (en-US)
=====Suspect Goored Entries=====
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
and from ComboFix:
ComboFix 09-04-23.A0 - Jerrine 04/23/2009 19:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1326 [GMT 8:00]
Running from: c:\documents and settings\Jerrine\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\flnm.cmd
C:\g068vy6.cmd
C:\gpmjw.cmd
C:\pmut.bat
D:\Autorun.inf
D:\flnm.cmd
D:\g068vy6.cmd
D:\gpmjw.cmd
D:\pmut.bat
F:\Autorun.inf
F:\flnm.cmd
F:\g068vy6.cmd
F:\gpmjw.cmd
F:\pmut.bat
G:\Autorun.inf
G:\flnm.cmd
G:\g068vy6.cmd
G:\gpmjw.cmd
G:\pmut.bat
H:\Autorun.inf
H:\flnm.cmd
H:\g068vy6.cmd
H:\gpmjw.cmd
H:\pmut.bat
I:\Autorun.inf
I:\flnm.cmd
I:\g068vy6.cmd
I:\gpmjw.cmd
I:\pmut.bat
.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.
2009-04-23 08:41 . 2009-04-23 09:24 -------- d--h--w C:\$AVG8.VAULT$
2009-04-23 08:27 . 2009-04-23 08:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-23 08:27 . 2009-04-23 08:27 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 08:27 . 2009-04-23 08:27 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-23 08:27 . 2009-04-23 08:27 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-23 08:26 . 2009-04-23 08:26 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-19 06:28 . 2009-04-19 06:30 -------- d-----w c:\documents and settings\Jerrine\Application Data\vlc
2009-04-17 10:11 . 2009-04-17 10:11 -------- d-----w c:\documents and settings\Jerrine\Application Data\iWin
2009-04-15 22:35 . 2009-04-16 00:12 -------- d-----w c:\documents and settings\Jerrine\Local Settings\Application Data\JollyBear
2009-04-15 22:35 . 2009-04-15 22:35 -------- d-----w c:\documents and settings\All Users\Application Data\JollyBear
2009-04-15 09:31 . 2009-04-15 09:31 -------- d-----w c:\documents and settings\Jerrine\Application Data\Home Sweet Home
2009-04-12 09:02 . 2009-04-12 09:07 -------- d-----w c:\windows\system32\Adobe
2009-04-05 04:27 . 2009-04-05 04:37 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-03-30 14:40 . 2009-03-30 14:40 -------- d-----w c:\documents and settings\Jerrine\Application Data\com.imeem.DesktopUploader.6C3F108F466C0F04F30B58747CAA4DF34281133B.1
2009-03-30 09:50 . 2009-03-30 09:50 -------- d-----w c:\documents and settings\Jerrine\Local Settings\Application Data\Help
2009-03-30 09:50 . 2009-03-30 09:50 32397 ----a-w c:\windows\SGTBox.INI
2009-03-29 09:08 . 2009-03-29 09:08 5607 ----a-w c:\windows\~GLH0001.TMP
2009-03-29 09:08 . 2009-03-29 09:08 140288 ----a-w c:\windows\~GLC0001.TMP
2009-03-29 08:54 . 1996-04-02 03:42 27448 ----a-w c:\windows\system32\Odbcjtnw.hlp
2009-03-29 08:53 . 2009-03-29 08:53 5607 ----a-w c:\windows\~GLH0000.TMP
2009-03-29 08:53 . 2009-03-29 08:53 140288 ----a-w c:\windows\~GLC0000.TMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 10:33 . 2008-10-14 06:12 -------- d-----w c:\program files\Entry
2009-04-23 08:34 . 2009-03-07 07:48 -------- d-----w c:\documents and settings\Jerrine\Application Data\mjusbsp
2009-04-23 08:26 . 2009-04-23 08:26 -------- d-----w c:\program files\AVG
2009-04-23 07:46 . 2008-12-02 13:08 -------- d-----w c:\documents and settings\Jerrine\Application Data\Azureus
2009-04-23 05:49 . 2008-10-14 06:50 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-04-21 10:31 . 2009-02-06 16:23 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-19 19:51 . 2008-10-14 11:37 -------- d-----w c:\documents and settings\Jerrine\Application Data\Skype
2009-04-19 17:49 . 2008-10-14 11:38 -------- d-----w c:\documents and settings\Jerrine\Application Data\skypePM
2009-04-15 08:56 . 2008-10-22 09:07 -------- d-----w c:\documents and settings\Jerrine\Application Data\U3
2009-04-14 00:20 . 2008-10-16 03:38 -------- d-----w c:\documents and settings\Jerrine\Application Data\Yahoo!
2009-04-12 11:09 . 2008-11-16 04:30 -------- d-----w c:\documents and settings\Jerrine\Application Data\ZoomBrowser EX
2009-04-12 11:09 . 2008-11-16 04:13 -------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2009-04-12 09:55 . 2008-10-14 03:51 577840 ----a-w c:\documents and settings\Jerrine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-12 08:29 . 2009-04-12 08:26 -------- d-----w c:\program files\MyPlayCity.com
2009-04-10 07:28 . 2008-12-02 13:07 -------- d-----w c:\program files\Vuze
2009-04-07 20:57 . 2008-11-21 23:36 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-07 11:17 . 2008-10-21 11:00 -------- d-----w c:\documents and settings\Jerrine\Application Data\Sony
2009-04-06 09:31 . 2008-10-14 07:21 -------- d-----w c:\program files\Eset
2009-04-05 07:16 . 2009-01-23 06:20 3532 ----a-w C:\drmHeader.bin
2009-04-05 04:30 . 2009-04-05 04:30 -------- d-----w c:\program files\Trend Micro
2009-04-05 04:27 . 2008-10-14 06:50 -------- d-----w c:\program files\Yahoo!
2009-03-30 17:40 . 2008-10-14 06:56 -------- d-----w c:\program files\MSN Messenger
2009-03-30 14:40 . 2009-03-30 14:40 -------- d-----w c:\program files\imeem Uploader
2009-03-29 09:27 . 2009-03-27 15:55 -------- d-----w c:\program files\FLAC
2009-03-17 01:58 . 2008-10-14 04:13 -------- d-----w c:\program files\Hewlett-Packard
2009-03-16 18:58 . 2008-10-15 13:02 153711 ----a-w C:\hpfr3740.log
2009-03-11 23:21 . 2008-10-14 05:08 -------- d-----w c:\program files\Palm
2009-03-10 03:38 . 2009-03-05 01:53 141612 ----a-w c:\windows\system32\drivers\dump_wmimmc.sys
2009-03-08 23:59 . 2009-03-08 05:17 -------- d-----w c:\documents and settings\Jerrine\Application Data\CasinoOnNet
2009-03-08 05:18 . 2009-03-08 05:17 -------- d-----w c:\program files\CasinoOnNet
2009-03-07 02:33 . 2009-03-07 02:34 173756 --sh--r C:\o3w2.com
2009-03-05 21:54 . 2009-03-05 21:54 90112 --s-a-r c:\windows\system32\cqtjh.dll
2009-02-24 00:29 . 2009-01-28 06:13 -------- d-----w c:\program files\Common Files\Ahead
2009-02-22 23:20 . 2008-12-23 07:11 -------- d-----w c:\program files\Google
2009-02-22 23:20 . 2008-12-22 03:35 -------- d-----w c:\program files\NCH Software
2009-02-22 23:19 . 2008-11-03 01:40 -------- d-----w c:\program files\RealArcade
2009-01-27 11:25 . 2003-03-18 12:14 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-01-27 11:25 . 2003-02-20 20:42 348160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-18 23:49 . 2008-10-18 23:50 774144 ----a-w c:\program files\RngInterstitial.dll
2008-10-16 07:40 . 2008-10-16 07:40 911424 -c--a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-10-18 00:25 . 2008-10-18 00:21 220 -csha-w c:\windows\system32\ss.drv
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"cdloader"="c:\documents and settings\Jerrine\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"HyperIM"="c:\program files\HyperIM\HyperIM.exe" [2007-11-18 220672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-02-24 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-23 1932568]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-04-12 181624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-23 08:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Jerrine^Start Menu^Programs^Startup^Multiply AutoUploader.lnk]
path=c:\documents and settings\Jerrine\Start Menu\Programs\Startup\Multiply AutoUploader.lnk
backup=c:\windows\pss\Multiply AutoUploader.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\installers\\Limewire\\StubInstaller.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\RealArcade\\RealArcade.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\iTunes.exe"=
"i:\\Warcraft III\\Warcraft III.exe"=
"i:\\GAMES\\Left.4.Dead.Full-Rip.Skullptura\\Left 4 Dead\\left4dead.exe"=
"i:\\GAMES\\minor games\\Garena\\Garena.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\Jerrine\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55928:TCP"= 55928:TCP:PlayerJava ModemWeb
"52605:TCP"= 52605:TCP:PlayerJava DebugWeb
"37023:UDP"= 37023:UDP:PlayerJava PublishWorks
"27618:UDP"= 27618:UDP:PlayerJava tracingPatch
R2 Tapiprov;Audit Support;c:\windows\system32\svchost.exe [2006-02-28 14336]
R3 GarenaPEngine;GarenaPEngine; [x]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-23 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-23 108552]
S1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-10-14 15424]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-23 298264]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Tapiprov
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - P:\autorun.exe
\Shell\phone\command - P:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0010daee-0744-11de-bc70-000c76ab60bf}]
\Shell\AutoRun\command - J:\o3w2.com
\Shell\open\Command - J:\o3w2.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05f13c08-f245-11dd-bc12-000c76ab60bf}]
\Shell\AutoRun\command - K:\pmut.bat
\Shell\open\Command - K:\pmut.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d451e09-ffb4-11dd-bc4e-000c76ab60bf}]
\Shell\AutoRun\command - K:\pmut.bat
\Shell\open\Command - K:\pmut.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
\Shell\AutoRun\command - K:\ls0f92.bat
\Shell\open\Command - K:\ls0f92.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ffe6fb1-b048-11dd-bb3e-001bfc7af398}]
\Shell\AutoRun\command - K:\br8ym2l.bat
\Shell\open\Command - K:\br8ym2l.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa1d18c7-99c4-11dd-bae8-001bfc7af398}]
\Shell\AutoRun\command - K:\g068vy6.cmd
\Shell\open\Command - K:\g068vy6.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbd678d2-0506-11de-bc66-000c76ab60bf}]
\Shell\AutoRun\command - J:\autorun.exe
\Shell\phone\command - J:\autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbd678d3-0506-11de-bc66-000c76ab60bf}]
\Shell\AutoRun\command - K:\peyfrf2.cmd
\Shell\open\Command - K:\peyfrf2.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8541a43-9eec-11dd-bb10-001bfc7af398}]
\Shell\AutoRun\command - K:\6l6.com
\Shell\open\Command - K:\6l6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5f5666-07c9-11de-bc75-000c76ab60bf}]
\Shell\AutoRun\command - J:\g068vy6.cmd
\Shell\open\Command - J:\g068vy6.cmd
.
Contents of the 'Scheduled Tasks' folder
2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-04-23 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 09:39]
2009-04-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 09:07]
2009-04-23 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-04-12 09:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://my.magicjack.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
LSP: c:\windows\system32\imon.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
FF - ProfilePath - c:\documents and settings\Jerrine\Application Data\Mozilla\Firefox\Profiles\s1p9xkgj.default\
FF - prefs.js : browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js : browser.search.selectedEngine - Google
FF - prefs.js : browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http ://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Jerrine\Application Data\Mozilla\Firefox\Profiles\s1p9xkgj.default\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - plugin: d:\program files\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 19:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tapiprov]
"ServiceDll"="c:\windows\system32\cqtjh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1220945662-2111687655-682003330-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
"FRT"="NX+pWO37p/bxEk3AxwMTskhtPI7ytPYUJyXN8kC+TEt5KzKEUCKpiw=="
"PLCK"="V45ACdmS3G69Mda1NvKiDHiQfUjC8Tu8"
"Percents"="0 0.0393 0.5462 0.664 0.6857 0.721 0.8448 0.8448 "
"Increment"=".008333"
"PHSH"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\imon.dll
.
Completion time: 2009-04-23 19:23
ComboFix-quarantined-files.txt 2009-04-23 11:22
Pre-Run: 18,887,417,856 bytes free
Post-Run: 19,063,050,240 bytes free
WindowsXP-KB310994-SP2 -Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=signature(f7b7f7b7)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
signature(f7b7f7b7)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
285 --- E O F --- 2008-10-31 22:15
5th May 2009
#2
Malware Analyst
Profile:
Join Date: Sep 2008
Posts: 975
Computer Experience: Intermediate
Hi and welcome, sorry for the delay.
Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.
Please download Flash_Disinfector by sUBs and save it to your desktop:
or from >here< and save it to your desktop.
NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
Plug in your USB flash drive.
Double-click Flash_Disinfector.exe to run it.
Follow any prompts that may appear.
Your desktop will vanish for a while, and then reappear. This is normal.
Wait until the program has finished scanning, then please exit the program. If you use more than 1 flash drive, run the tool with each plugged in.
Please leave the flash drive plugged in while completing the following.
NEXT**
Locate the ComboFix icon on your desktop, right click and select delete.
I want you to download a current version.
Download Combofix from any of the links below.
Save it to your desktop.
Link 1
Link 2
Link 3
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Please open Notepad *Do Not Use Wordpad or any text editor other than Notepad, or the script will fail!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.
Code:
RegLockDel::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tapiprov]
File::
c:\windows\~GLH0001.TMP
c:\windows\~GLC0001.TMP
c:\windows\system32\Odbcjtnw.hlp
c:\windows\~GLH0000.TMP
c:\windows\~GLC0000.TMP
J:\g068vy6.cmd
K:\6l6.com
K:\peyfrf2.cmd
J:\autorun.exe
K:\br8ym2l.bat
K:\ls0f92.bat
P:\autorun.exe
J:\o3w2.com
K:\pmut.bat
c:\windows\system32\cqtjh.dll
c:\documents and settings\Jerrine\Application Data\CasinoOnNet
c:\program files\CasinoOnNet
Firefox::
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http ://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5f5666-07c9-11de-bc75-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d8541a43-9eec-11dd-bb10-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbd678d3-0506-11de-bc66-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbd678d2-0506-11de-bc66-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa1d18c7-99c4-11dd-bae8-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ffe6fb1-b048-11dd-bb3e-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d451e09-ffb4-11dd-bc4e-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0010daee-0744-11de-bc70-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05f13c08-f245-11dd-bc12-000c76ab60bf}]
NetSvc::
Tapiprov
DDS::
BHO: 1 (0x1) - No File
BHO: IEHlprObj Class: {f171a450-7af5-43e1-afed-edc826a1b0f5} - c:\windows\system32\bgotrtu0.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
http://img.photobucket.com/albums/v6...FScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
In your next reply post:
ComboFix.txt
new DDS log
Last edited by Juliet; 5th May 2009 at 21:39.
Reason: added info
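The CFScript above names the MountPoints2 keys ComboFix should delete, but a later log can list hijacked keys the script never covered (compare the MountPoints2 blocks in the two ComboFix logs in this thread). The Python below is an added example, not the analyst's script or ComboFix's own tooling: it parses a CFScript into its sections, pulls the MountPoints2 AutoRun/open hijacks out of a ComboFix log, flags handlers that run a batch/command file from a drive root, and reports which hijacked keys the Registry:: section actually deletes. The sample log and script text are constructed from entries quoted in this thread; the section and key formats are assumed from those quotes.

```python
"""Cross-check a ComboFix CFScript against the MountPoints2 hijacks a ComboFix log reports."""
import re

# A CFScript section header looks like "File::" or "Registry::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Under Registry::, "[-HKEY_...]" asks ComboFix to delete that key.
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[^\]]+)\]$")
# ComboFix lists each hijacked drive as a MountPoints2 key followed by
# "\Shell\AutoRun\command - <path>" and/or "\Shell\open\Command - <path>" lines.
MP2_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.+\\mountpoints2\\[^\]]+)\]$", re.I)
MP2_CMD_RE = re.compile(r"^\\Shell\\(AutoRun|open)\\command\s+-\s+(.+)$", re.I)
# Drive-root handlers with these extensions are what the worm in this thread left
# behind (J:\g068vy6.cmd, M:\ku.bat, K:\6l6.com); a U3 launcher .exe is not flagged.
WORM_EXT = (".bat", ".cmd", ".com")
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, keeping entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def parse_mountpoints(log_text):
    """Collect {key_path: [(verb, command), ...]} from a log's MountPoints2 block."""
    hijacks, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = MP2_KEY_RE.match(line)
        if key:
            current = key.group(1)
            hijacks[current] = []
            continue
        cmd = MP2_CMD_RE.match(line)
        if cmd and current is not None:
            hijacks[current].append((cmd.group(1).lower(), cmd.group(2)))
        else:
            current = None  # any other line ends the current key's block
    return hijacks


def suspicious_commands(hijacks):
    """Keys whose AutoRun/open handler runs a batch/command file from a drive root."""
    flagged = {}
    for key, cmds in hijacks.items():
        targets = {c.split()[0] for _, c in cmds}  # drop arguments such as "-a"
        bad = sorted(t for t in targets if DRIVE_ROOT_RE.match(t) and t.lower().endswith(WORM_EXT))
        if bad:
            flagged[key] = bad
    return flagged


def coverage_report(cfscript, hijacks):
    """Hijacked keys the script's Registry:: section deletes, and those it misses."""
    deletions = set()
    for entry in cfscript.get("Registry", []):
        m = REG_DELETE_RE.match(entry)
        if m:
            deletions.add(m.group(1).lower())
    covered, missed = [], []
    for key in hijacks:
        (covered if key.lower() in deletions else missed).append(key)
    return covered, missed


# Constructed sample: MountPoints2 entries quoted from the two ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5f5666-07c9-11de-bc75-000c76ab60bf}]
\Shell\AutoRun\command - J:\g068vy6.cmd
\Shell\open\Command - J:\g068vy6.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - M:\ku.bat
\Shell\open\Command - M:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bafd6b95-a018-11dd-bb14-001bfc7af398}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
.
"""
# Constructed sample: the relevant lines of the CFScript posted above.
SAMPLE_SCRIPT = r"""
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5f5666-07c9-11de-bc75-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
NetSvc::
Tapiprov
"""


def run_check(log_text=SAMPLE_LOG, script_text=SAMPLE_SCRIPT):
    """Return the hijacks flagged in the log and which of them the script deletes."""
    hijacks = parse_mountpoints(log_text)
    covered, missed = coverage_report(parse_cfscript(script_text), hijacks)
    return {"flagged": suspicious_commands(hijacks), "covered": covered, "missed": missed}
```

Run `run_check()` against the real log and script text to see which MountPoints2 keys still need a Registry:: deletion before a second ComboFix pass.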
6th May 2009
#3
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
Thank you for your reply. Here are my logs for combofix and DDS.
ComboFix 09-05-05.04 - Jerrine 05/06/2009 21:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1502 [GMT 8:00]
Running from: c:\documents and settings\Jerrine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jerrine\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated)
* Created a new restore point
FILE ::
c:\documents and settings\Jerrine\Application Data\CasinoOnNet
c:\program files\CasinoOnNet
c:\windows\~GLC0000.TMP
c:\windows\~GLC0001.TMP
c:\windows\~GLH0000.TMP
c:\windows\~GLH0001.TMP
c:\windows\system32\cqtjh.dll
c:\windows\system32\Odbcjtnw.hlp
J:\autorun.exe
J:\g068vy6.cmd
J:\o3w2.com
K:\6l6.com
K:\br8ym2l.bat
K:\ls0f92.bat
K:\peyfrf2.cmd
K:\pmut.bat
P:\autorun.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
C:\ku.bat
c:\windows\~GLC0000.TMP
c:\windows\~GLC0001.TMP
c:\windows\~GLH0000.TMP
c:\windows\~GLH0001.TMP
c:\windows\system32\cqtjh.dll
c:\windows\system32\Odbcjtnw.hlp
C:\x.cmd
D:\Autorun.inf
D:\ku.bat
D:\x.cmd
F:\Autorun.inf
F:\ku.bat
F:\x.cmd
G:\Autorun.inf
G:\ku.bat
G:\x.cmd
H:\Autorun.inf
H:\ku.bat
H:\x.cmd
I:\Autorun.inf
I:\ku.bat
I:\x.cmd
P:\autorun.exe . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_Tapiprov
-------\Service_Tapiprov
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.
2009-04-25 10:26 . 2009-04-25 10:26 -------- d-----w c:\program files\SmartAudioConverter
2009-04-23 11:15 . 2009-04-23 11:23 -------- d-----w C:\Combo-Fix
2009-04-23 08:41 . 2009-05-06 05:18 -------- d--h--w C:\$AVG8.VAULT$
2009-04-23 08:27 . 2009-04-23 08:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-23 08:27 . 2009-04-23 08:27 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 08:27 . 2009-04-23 08:27 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-23 08:27 . 2009-04-23 08:27 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-23 08:26 . 2009-04-23 08:26 -------- d-----w c:\program files\AVG
2009-04-23 08:26 . 2009-05-05 17:58 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-19 06:28 . 2009-04-19 06:30 -------- d-----w c:\documents and settings\Jerrine\Application Data\vlc
2009-04-17 10:11 . 2009-04-17 10:11 -------- d-----w c:\documents and settings\Jerrine\Application Data\iWin
2009-04-15 22:35 . 2009-04-15 22:35 -------- d-----w c:\documents and settings\All Users\Application Data\JollyBear
2009-04-15 22:35 . 2009-04-16 00:12 -------- d-----w c:\documents and settings\Jerrine\Local Settings\Application Data\JollyBear
2009-04-15 09:31 . 2009-04-15 09:31 -------- d-----w c:\documents and settings\Jerrine\Application Data\Home Sweet Home
2009-04-12 09:02 . 2009-04-12 09:07 -------- d-----w c:\windows\system32\Adobe
2009-04-12 08:26 . 2009-04-12 08:29 -------- d-----w c:\program files\MyPlayCity.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 12:22 . 2008-10-14 07:21 -------- d-----w c:\program files\Eset
2009-04-23 10:33 . 2008-10-14 06:12 -------- d-----w c:\program files\Entry
2009-04-12 09:55 . 2008-10-14 03:51 577840 ----a-w c:\documents and settings\Jerrine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 07:28 . 2008-12-02 13:07 -------- d-----w c:\program files\Vuze
2009-04-07 20:57 . 2008-11-21 23:36 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-05 07:16 . 2009-01-23 06:20 3532 ----a-w C:\drmHeader.bin
2009-04-05 04:30 . 2009-04-05 04:30 -------- d-----w c:\program files\Trend Micro
2009-04-05 04:27 . 2008-10-14 06:50 -------- d-----w c:\program files\Yahoo!
2009-03-30 17:40 . 2008-10-14 06:56 -------- d-----w c:\program files\MSN Messenger
2009-03-30 14:40 . 2009-03-30 14:40 -------- d-----w c:\program files\imeem Uploader
2009-03-29 09:27 . 2009-03-27 15:55 -------- d-----w c:\program files\FLAC
2009-03-17 01:58 . 2008-10-14 04:13 -------- d-----w c:\program files\Hewlett-Packard
2009-03-11 23:21 . 2008-10-14 05:08 -------- d-----w c:\program files\Palm
2009-03-10 03:38 . 2009-03-05 01:53 141612 ----a-w c:\windows\system32\drivers\dump_wmimmc.sys
2009-03-08 05:18 . 2009-03-08 05:17 -------- d-----w c:\program files\CasinoOnNet
2009-03-07 02:33 . 2009-03-07 02:34 173756 --sh--r C:\o3w2.com
2008-10-18 23:49 . 2008-10-18 23:50 774144 ----a-w c:\program files\RngInterstitial.dll
2008-10-18 00:25 . 2008-10-18 00:21 220 -csha-w c:\windows\system32\ss.drv
.
((((((((((((((((((((((((((((( SnapShot@2009-04-23_11.21.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 13:26 . 2009-05-06 13:26 16384 c:\windows\Temp\Perflib_Perfdata_4dc.dat
+ 2006-02-28 12:00 . 2009-04-27 08:17 68360 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2009-04-23 08:38 68360 c:\windows\system32\perfc009.dat
+ 2009-03-29 15:07 . 2009-04-26 14:36 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-03-29 15:07 . 2009-03-29 15:07 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2006-02-28 12:00 . 2009-04-27 08:17 435590 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-04-23 08:38 435590 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"cdloader"="c:\documents and settings\Jerrine\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"HyperIM"="c:\program files\HyperIM\HyperIM.exe" [2007-11-18 220672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-02-24 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-23 1932568]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NSSInstallation"="c:\windows\system32\Adobe\Shockwave 11\nssstub.exe" [2009-04-12 181624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-23 08:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Jerrine^Start Menu^Programs^Startup^Multiply AutoUploader.lnk]
path=c:\documents and settings\Jerrine\Start Menu\Programs\Startup\Multiply AutoUploader.lnk
backup=c:\windows\pss\Multiply AutoUploader.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\installers\\Limewire\\StubInstaller.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\RealArcade\\RealArcade.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\iTunes.exe"=
"i:\\Warcraft III\\Warcraft III.exe"=
"i:\\GAMES\\Left.4.Dead.Full-Rip.Skullptura\\Left 4 Dead\\left4dead.exe"=
"i:\\GAMES\\minor games\\Garena\\Garena.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\installers\\ITunes\\vlc-0.9.9-win32\\vlc-0.9.9\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Jerrine\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"37023:UDP"= 37023:UDP:PlayerJava PublishWorks
"10216:TCP "= 10216:TCP :PlayerJava MakerReference
"55928:TCP "= 55928:TCP :PlayerJava ModemWeb
"6869:UDP"= 6869:UDP:PlayerJava twainWeb
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2009 4:27 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2009 4:27 PM 108552]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [10/14/2008 3:21 PM 15424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/23/2009 4:26 PM 298264]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp --> c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp [?]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - M:\ku.bat
\Shell\open\Command - M:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404643-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - K:\ku.bat
\Shell\open\Command - K:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
\Shell\AutoRun\command - K:\6l6.com
\Shell\open\Command - K:\6l6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bafd6b95-a018-11dd-bb14-001bfc7af398}]
\Shell\AutoRun\command - K:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bafd6b96-a018-11dd-bb14-001bfc7af398}]
\Shell\AutoRun\command - L:\fpnw.com
\Shell\open\Command - L:\fpnw.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e1168d-9b2d-11dd-baf4-001bfc7af398}]
\Shell\AutoRun\command - O:\ku.bat
\Shell\open\Command - O:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2b69e97-a2f9-11dd-bb23-001bfc7af398}]
\Shell\AutoRun\command - J:\vn.cmd
\Shell\open\Command - J:\vn.cmd
.
Contents of the 'Scheduled Tasks' folder
2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-05-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 09:39]
2009-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 09:07]
2009-05-06 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2009-04-12 09:02]
.
.
------- Supplementary Scan -------
.
uStart Page = about :blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://my.magicjack.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
FF - ProfilePath - c:\documents and settings\Jerrine\Application Data\Mozilla\Firefox\Profiles\s1p9xkgj.default\
FF - prefs.js : browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js : browser.search.selectedEngine - Google
FF - prefs.js : browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http ://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - plugin: d:\program files\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 21:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1220945662-2111687655-682003330-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
"FRT"="NX+pWO37p/bxEk3AxwMTskhtPI7ytPYUJyXN8kC+TEt5KzKEUCKpiw=="
"PLCK"="V45ACdmS3G69Mda1NvKiDHiQfUjC8Tu8"
"Percents"="0 0.0393 0.5462 0.664 0.6857 0.721 0.8448 0.8448 "
"Increment"=".008333"
"PHSH"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\shdoclc.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Eset\nod32krn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-06 21:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 13:33
ComboFix2.txt 2009-04-23 11:23
Pre-Run: 18,053,861,376 bytes free
Post-Run: 18,441,650,176 bytes free
278 --- E O F --- 2008-10-31 22:15
DDS (Ver_09-03-16.01) - NTFSx86
Run by Jerrine at 21:38:20.68 on Wed 05/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1449 [GMT 8:00]
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jerrine\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = about :blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://my.magicjack.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - d:\bitcomet\tools\BitCometBHO.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\jerrine\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [HyperIM] c:\program files\hyperim\HyperIM.exe -min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [BigDogPath] c:\windows\VM_STI.EXE A4 Tech USB PC Camera
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [NSSInstallation] c:\windows\system32\adobe\shockwave 11\nssstub.exe /RunOnce
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jerrine\startm~1\programs\startup\MULTIP~1.LNK -
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\jerrine\applic~1\mozilla\firefox\profiles\s1p9xkgj.default\
FF - prefs.js : browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js : browser.search.selectedEngine - Google
FF - prefs.js : browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http ://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - plugin: d:\program files\mozilla plugins\npitunes.dll
============= SERVICES / DRIVERS ===============
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-23 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-23 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-23 108552]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [2008-10-14 15424]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-23 298264]
R2 NOD32krn;NOD32 Kernel Service;c:\program files\eset\nod32krn.exe [2008-10-14 552064]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\jerrine\locals~1\temp\wqm2cea.tmp --> c:\docume~1\jerrine\locals~1\temp\WQM2CEA.tmp [?]
=============== Created Last 30 ================
2009-04-25 18:26 <DIR> --d----- c:\program files\SmartAudioConverter
2009-04-23 19:19 <DIR> a-dshr-- C:\cmdcons
2009-04-23 19:15 161,792 a------- c:\windows\SWREG.exe
2009-04-23 19:15 98,816 a------- c:\windows\sed.exe
2009-04-23 19:15 <DIR> --d----- C:\Combo-Fix
2009-04-23 16:41 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-23 16:27 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-23 16:27 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-23 16:27 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-23 16:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-23 16:26 <DIR> --d----- c:\program files\AVG
2009-04-23 16:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-17 18:11 <DIR> --d----- c:\docume~1\jerrine\applic~1\iWin
2009-04-16 06:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\JollyBear
2009-04-15 17:31 <DIR> --d----- c:\docume~1\jerrine\applic~1\Home Sweet Home
2009-04-12 17:02 <DIR> --d----- c:\windows\system32\Adobe
2009-04-12 16:26 <DIR> --d----- c:\program files\MyPlayCity.com
==================== Find3M ====================
2009-04-05 15:16 3,532 a------- C:\drmHeader.bin
2009-03-10 11:38 141,612 a------- c:\windows\system32\drivers\dump_wmimmc.sys
2009-03-07 10:33 173,756 ---shr-- C:\o3w2.com
2008-10-19 07:49 774,144 a------- c:\program files\RngInterstitial.dll
2008-10-18 08:25 220 ac-sh--- c:\windows\system32\ss.drv
============= FINISH: 21:38:28.10 ===============
6th May 2009
#4
Malware Analyst
Profile:
Join Date: Sep 2008
Posts: 975
Computer Experience: Intermediate
Welcome back
The logs show me it's possible you have two antivirus programs on the computer.
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Outdated)
We need to get this down to one.
Having two on the machine can cause conflicts with the tools we need to use.
Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close all open windows later in the fix.
Please leave your flash/usb drive plugged in while completing the following.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the CODE box below:
Save this as "CFScript.txt" including the quotes, change the "Save as type" to "All Files", and place it on your desktop.
Code:
File::
C:\o3w2.com
M:\ku.bat
K:\ku.bat
K:\6l6.com
L:\fpnw.com
O:\ku.bat
J:\vn.cmd
Folder::
c:\program files\CasinoOnNet
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2b69e97-a2f9-11dd-bb23-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404643-371f-11de-bcf4-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bafd6b96-a018-11dd-bb14-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e1168d-9b2d-11dd-baf4-001bfc7af398}]
DDS::
IE: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZK
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
http://img.photobucket.com/albums/v6...FScriptB-4.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.
========================
NEXT
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400
Other available links
Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer .
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobucket.com/albums/j...g/KAS/KAS9.gif
(Note, for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
ComboFix.txt
Kaspersky log
New HJT log taken after the above scans have run
You may need several replies to post the requested logs, otherwise they might get cut off.
Also please tell me how the computer is now.
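The CFScript above removes six MountPoints2 keys and the .bat/.cmd/.com files they point at on drives J:, K:, L:, M: and O:. MountPoints2 is Explorer's per-user cache of what it read from each volume's autorun.inf, keyed by volume GUID, which is why the analyst asks for the USB drive to stay plugged in: the key and the payload on the stick go together. As an added example (my own code, not part of this thread and not ComboFix's or the analyst's), here is a Python parser that reads a ComboFix-style "Reg Loading Points" dump, pulls out every MountPoints2 key whose Shell\AutoRun\command or Shell\open\Command launches a script or executable from a drive other than C:, and emits the File:: and Registry:: sections of a CFScript for them. The sample log is constructed to match ComboFix's format using the GUIDs and commands posted in this thread; the function names are mine; it covers only the MountPoints2 part, so entries like C:\o3w2.com and the Folder:: line still have to be chosen by hand from the rest of the logs. Note that the forum's line wrapping has inserted a stray space into "mountp oints2" in the log as pasted on this page; the parser expects the unbroken key name as ComboFix writes it.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "Reg Loading Points" section of a ComboFix
# log; the GUIDs and commands are the ones that appear in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-23 1932568]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - M:\ku.bat
\Shell\open\Command - M:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404643-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - K:\ku.bat
\Shell\open\Command - K:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
\Shell\AutoRun\command - K:\6l6.com
\Shell\open\Command - K:\6l6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e1168d-9b2d-11dd-baf4-001bfc7af398}]
\Shell\AutoRun\command - O:\ku.bat
\Shell\open\Command - O:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2b69e97-a2f9-11dd-bb23-001bfc7af398}]
\Shell\AutoRun\command - J:\vn.cmd
\Shell\open\Command - J:\vn.cmd
"""

# A MountPoints2 key: Explorer's per-user cache of each volume's autorun.inf,
# keyed by the volume GUID.
MP2_KEY = re.compile(
    r"^\[(HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]{36}\})\]$",
    re.IGNORECASE,
)
# "\Shell\<verb>\command - <target>" as ComboFix prints it
SHELL_CMD = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)$", re.IGNORECASE)
# File types an autorun handler on removable media should never launch
SCRIPT_EXT = (".bat", ".cmd", ".com", ".exe", ".pif", ".scr", ".vbs")


def parse_mountpoints2(log: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 key to {verb: command} from a ComboFix dump."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        key = MP2_KEY.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, {})
            continue
        if line.startswith("["):      # some other registry key follows
            current = None
            continue
        cmd = SHELL_CMD.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1).lower()] = cmd.group(2).strip('"')
    return entries


def flag_autoruns(entries: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep verbs that launch a script or executable from a drive other than
    C:, the USB-worm pattern (ku.bat, 6l6.com, vn.cmd) seen in this thread."""
    hits: List[Dict[str, str]] = []
    for key, verbs in entries.items():
        for verb, target in verbs.items():
            on_removable = not target.upper().startswith("C:\\")
            if on_removable and target.lower().endswith(SCRIPT_EXT):
                hits.append({"key": key, "verb": verb, "target": target})
    return hits


def build_cfscript(hits: List[Dict[str, str]]) -> str:
    """Emit the File:: and Registry:: sections of a CFScript for the hits."""
    files = sorted({h["target"] for h in hits}, key=str.lower)
    keys = sorted({h["key"] for h in hits}, key=str.lower)
    lines = ["File::", *files, "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = flag_autoruns(parse_mountpoints2(SAMPLE_LOG))
    for h in found:
        print(f"{h['key'].split(chr(92))[-1]}  {h['verb']:8}  {h['target']}")
    print()
    print(build_cfscript(found), end="")
```

Deleting the MountPoints2 key only clears Explorer's cached copy; the autorun.inf and payload on each stick are what re-create it the next time the drive is inserted, which is why the File:: section and the plugged-in drive matter as much as the Registry:: section.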
6th May 2009
#5
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
I've just tried checking the sites right now, I can now access them (Microsoft, Kaspersky, etc.). Thank you very much! Will I still have to do your latest instructions?
6th May 2009
#6
Malware Analyst
Profile:
Join Date: Sep 2008
Posts: 975
Computer Experience: Intermediate
Quote:
Originally Posted by
sakurajiru
I've just tried checking the sites right now, I can now access them (Microsoft, kasperksy, etc) . Thank you very much!
Will I still have to do your latest instructions?
I'm glad things appear to be near normal; we need to continue with that last set of instructions to completely remove what needs to go.
7th May 2009
#7
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
Here are my logs
ComboFix 09-05-05.04 - Jerrine 05/07/2009 1:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1560 [GMT 8:00]
Running from: c:\documents and settings\Jerrine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jerrine\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
FILE ::
C:\o3w2.com
J:\vn.cmd
K:\6l6.com
K:\ku.bat
L:\fpnw.com
M:\ku.bat
O:\ku.bat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\o3w2.com
c:\program files\CasinoOnNet
c:\program files\CasinoOnNet\bin\bass.dll
c:\program files\CasinoOnNet\bin\BrandConf.cxm
c:\program files\CasinoOnNet\bin\casino.exe
c:\program files\CasinoOnNet\bin\casinoApp.exe
c:\program files\CasinoOnNet\bin\ExtractZip.dll
c:\program files\CasinoOnNet\bin\GdiPlus.dll
c:\program files\CasinoOnNet\INSTALL.LOG
c:\program files\CasinoOnNet\ListProc.exe
c:\program files\CasinoOnNet\ProcessList.txt
c:\program files\CasinoOnNet\pv.exe
c:\program files\CasinoOnNet\Unwise.exe
c:\program files\CasinoOnNet\Unwise.ini
L:\fpnw.com
.
((((((((((((((((((((((((( Files Created from 2009-04-06 to 2009-05-06 )))))))))))))))))))))))))))))))
.
2009-05-06 15:12 . 2009-05-06 15:12 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-06 15:12 . 2009-05-06 15:12 -------- d-----w c:\program files\Norton Security Scan
2009-04-25 10:26 . 2009-04-25 10:26 -------- d-----w c:\program files\SmartAudioConverter
2009-04-23 11:15 . 2009-04-23 11:23 -------- d-----w C:\Combo-Fix
2009-04-23 08:41 . 2009-05-06 05:18 -------- d--h--w C:\$AVG8.VAULT$
2009-04-23 08:27 . 2009-04-23 08:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-23 08:27 . 2009-04-23 08:27 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 08:27 . 2009-04-23 08:27 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-23 08:27 . 2009-04-23 08:27 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-23 08:26 . 2009-04-23 08:26 -------- d-----w c:\program files\AVG
2009-04-23 08:26 . 2009-05-05 17:58 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-19 06:28 . 2009-04-19 06:30 -------- d-----w c:\documents and settings\Jerrine\Application Data\vlc
2009-04-17 10:11 . 2009-04-17 10:11 -------- d-----w c:\documents and settings\Jerrine\Application Data\iWin
2009-04-15 22:35 . 2009-04-15 22:35 -------- d-----w c:\documents and settings\All Users\Application Data\JollyBear
2009-04-15 22:35 . 2009-04-16 00:12 -------- d-----w c:\documents and settings\Jerrine\Local Settings\Application Data\JollyBear
2009-04-15 09:31 . 2009-04-15 09:31 -------- d-----w c:\documents and settings\Jerrine\Application Data\Home Sweet Home
2009-04-12 09:02 . 2009-04-12 09:07 -------- d-----w c:\windows\system32\Adobe
2009-04-12 08:26 . 2009-04-12 08:29 -------- d-----w c:\program files\MyPlayCity.com
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-06 17:06 . 2008-10-14 07:21 -------- d-----w c:\program files\Eset
2009-04-23 10:33 . 2008-10-14 06:12 -------- d-----w c:\program files\Entry
2009-04-12 09:55 . 2008-10-14 03:51 577840 ----a-w c:\documents and settings\Jerrine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 07:28 . 2008-12-02 13:07 -------- d-----w c:\program files\Vuze
2009-04-07 20:57 . 2008-11-21 23:36 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-05 07:16 . 2009-01-23 06:20 3532 ----a-w C:\drmHeader.bin
2009-04-05 04:30 . 2009-04-05 04:30 -------- d-----w c:\program files\Trend Micro
2009-04-05 04:27 . 2008-10-14 06:50 -------- d-----w c:\program files\Yahoo!
2009-03-30 17:40 . 2008-10-14 06:56 -------- d-----w c:\program files\MSN Messenger
2009-03-30 14:40 . 2009-03-30 14:40 -------- d-----w c:\program files\imeem Uploader
2009-03-29 09:27 . 2009-03-27 15:55 -------- d-----w c:\program files\FLAC
2009-03-17 01:58 . 2008-10-14 04:13 -------- d-----w c:\program files\Hewlett-Packard
2009-03-11 23:21 . 2008-10-14 05:08 -------- d-----w c:\program files\Palm
2009-03-10 03:38 . 2009-03-05 01:53 141612 ----a-w c:\windows\system32\drivers\dump_wmimmc.sys
2008-10-18 23:49 . 2008-10-18 23:50 774144 ----a-w c:\program files\RngInterstitial.dll
2008-10-18 00:25 . 2008-10-18 00:21 220 -csha-w c:\windows\system32\ss.drv
.
((((((((((((((((((((((((((((( SnapShot@2009-04-23_11.21.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-06 15:05 . 2009-05-06 15:05 16384 c:\windows\Temp\Perflib_Perfdata_2f8.dat
- 2006-02-28 12:00 . 2009-04-23 08:38 68360 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2009-04-27 08:17 68360 c:\windows\system32\perfc009.dat
- 2009-03-29 15:07 . 2009-03-29 15:07 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-03-29 15:07 . 2009-04-26 14:36 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-05-06 15:12 . 2009-05-06 15:12 29184 c:\windows\Installer\{6FF543AB-99B3-4120-902C-70A38314ABD8}\Icon3FADAA191.exe
+ 2006-02-28 12:00 . 2009-04-27 08:17 435590 c:\windows\system32\perfh009.dat
- 2006-02-28 12:00 . 2009-04-23 08:38 435590 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"cdloader"="c:\documents and settings\Jerrine\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"HyperIM"="c:\program files\HyperIM\HyperIM.exe" [2007-11-18 220672]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"BigDogPath"="c:\windows\VM_STI.EXE" [2004-02-24 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-23 1932568]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-02-28 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-23 08:27 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKLM\~\startupfolder\C:^Documents and Settings^Jerrine^Start Menu^Programs^Startup^Multiply AutoUploader.lnk]
path=c:\documents and settings\Jerrine\Start Menu\Programs\Startup\Multiply AutoUploader.lnk
backup=c:\windows\pss\Multiply AutoUploader.lnkStartup
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"d:\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\installers\\Limewire\\StubInstaller.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP 2.5\\MediaManager.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\RealArcade\\RealArcade.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Program Files\\iTunes.exe"=
"i:\\Warcraft III\\Warcraft III.exe"=
"i:\\GAMES\\Left.4.Dead.Full-Rip.Skullptura\\Left 4 Dead\\left4dead.exe"=
"i:\\GAMES\\minor games\\Garena\\Garena.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"d:\\installers\\ITunes\\vlc-0.9.9-win32\\vlc-0.9.9\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Jerrine\\Application Data\\mjusbsp\\magicJack.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"37023:UDP"= 37023:UDP:PlayerJava PublishWorks
"10216:TCP"= 10216:TCP:PlayerJava MakerReference
"55928:TCP"= 55928:TCP:PlayerJava ModemWeb
"6869:UDP"= 6869:UDP:PlayerJava twainWeb
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/23/2009 4:27 PM 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/23/2009 4:27 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/23/2009 4:26 PM 298264]
R4 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys --> c:\windows\system32\drivers\nod32drv.sys [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp --> c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - AMON
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - M:\ku.bat
\Shell\open\Command - M:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404643-371f-11de-bcf4-000c76ab60bf}]
\Shell\AutoRun\command - K:\ku.bat
\Shell\open\Command - K:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
\Shell\AutoRun\command - K:\6l6.com
\Shell\open\Command - K:\6l6.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e1168d-9b2d-11dd-baf4-001bfc7af398}]
\Shell\AutoRun\command - O:\ku.bat
\Shell\open\Command - O:\ku.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2b69e97-a2f9-11dd-bb23-001bfc7af398}]
\Shell\AutoRun\command - J:\vn.cmd
\Shell\open\Command - J:\vn.cmd
.
Contents of the 'Scheduled Tasks' folder
2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
2009-05-06 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-27 09:39]
2009-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-06 09:07]
2009-05-06 c:\windows\Tasks\Norton Security Scan for Jerrine.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-12 21:53]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://my.magicjack.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &D&ownload &with BitComet - d:\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
FF - ProfilePath - c:\documents and settings\Jerrine\Application Data\Mozilla\Firefox\Profiles\s1p9xkgj.default\
FF - prefs.js : browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js : browser.search.selectedEngine - Google
FF - prefs.js : browser.startup.homepage - chrome://fastdial/content/fastdial.html
FF - prefs.js : keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZK&fl=0&ptb=zoHy9EBFIgl_3GyHSWSnbw&st=kwd&o=kwd&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&searchfor=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - plugin: d:\program files\Mozilla Plugins\npitunes.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 01:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\Jerrine\LOCALS~1\Temp\WQM2CEA.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1220945662-2111687655-682003330-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
"FRT"="NX+pWO37p/bxEk3AxwMTskhtPI7ytPYUJyXN8kC+TEt5KzKEUCKpiw=="
"PLCK"="V45ACdmS3G69Mda1NvKiDHiQfUjC8Tu8"
"Percents"="0 0.0393 0.5462 0.664 0.6857 0.721 0.8448 0.8448 "
"Increment"=".008333"
"PHSH"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\imon.dll
.
Completion time: 2009-05-06 1:13
ComboFix-quarantined-files.txt 2009-05-06 17:12
ComboFix2.txt 2009-05-06 13:34
ComboFix3.txt 2009-04-23 11:23
Pre-Run: 18,497,855,488 bytes free
Post-Run: 18,486,788,096 bytes free
229 --- E O F --- 2008-10-31 22:15
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:31 AM, on 5/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\HyperIM\HyperIM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.magicjack.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Jerrine\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Multiply AutoUploader.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 8679 bytes
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 06, 2009 19:06:02
Records in database: 2138404
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
P:\
Scan statistics:
Files scanned: 253247
Threat name: 43
Infected objects: 218
Suspicious objects: 0
Duration of the scan: 04:27:21
File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\C\g068vy6.cmd.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\C\gpmjw.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\Qoobox\Quarantine\C\ku.bat.vir Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\C\o3w2.com.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\C\pmut.bat.vir Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_cqtjh_.dll.zip Infected: Trojan-Downloader.Win32.Kido.a 1
C:\Qoobox\Quarantine\C\x.cmd.vir Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\Qoobox\Quarantine\D\av1.zip Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\D\av1.zip Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\Qoobox\Quarantine\D\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\D\g068vy6.cmd.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\D\gpmjw.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\Qoobox\Quarantine\D\pmut.bat.vir Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\Qoobox\Quarantine\F\av1.zip Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\F\av1.zip Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\Qoobox\Quarantine\F\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\F\g068vy6.cmd.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\F\gpmjw.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\Qoobox\Quarantine\F\pmut.bat.vir Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\Qoobox\Quarantine\G\av1.zip Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\G\av1.zip Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\Qoobox\Quarantine\G\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\G\g068vy6.cmd.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\G\gpmjw.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\Qoobox\Quarantine\G\pmut.bat.vir Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\Qoobox\Quarantine\H\av1.zip Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\H\av1.zip Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\Qoobox\Quarantine\H\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\H\g068vy6.cmd.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\H\gpmjw.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\Qoobox\Quarantine\H\pmut.bat.vir Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\Qoobox\Quarantine\I\av1.zip Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\I\av1.zip Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\Qoobox\Quarantine\I\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\I\g068vy6.cmd.vir Infected: Packed.Win32.****.g 1
C:\Qoobox\Quarantine\I\gpmjw.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\Qoobox\Quarantine\I\pmut.bat.vir Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0000003.cmd Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0000094.cmd Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0000152.cmd Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0000214.cmd Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0000270.exe Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0001214.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP1\A0001289.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027230.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.et 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027232.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ew 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027244.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027248.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027255.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027258.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ff 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027399.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.eu 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027400.dll Infected: Trojan-GameThief.Win32.Magania.axxh 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027410.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0028393.dll Infected: Trojan-GameThief.Win32.Magania.axxh 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0028402.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0028431.dll Infected: Trojan-GameThief.Win32.Magania.axxh 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0028440.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP14\A0028547.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP15\A0028708.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP15\A0029431.dll Infected: Trojan-GameThief.Win32.Magania.axxh 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP15\A0029446.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP15\A0029476.exe Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP15\A0030461.dll Infected: Trojan-GameThief.Win32.Magania.ayom 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0030622.dll Infected: Trojan-GameThief.Win32.Magania.ayom 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0031678.dll Infected: Trojan-GameThief.Win32.Magania.ayom 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0031696.dll Infected: Trojan-GameThief.Win32.Magania.ayom 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0031727.dll Infected: Trojan-GameThief.Win32.Magania.ayom 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0031737.cmd Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0032730.cmd Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0032753.cmd Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0034752.cmd Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0034765.exe Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP16\A0034860.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP17\A0034979.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP18\A0035006.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP18\A0035509.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP18\A0035532.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP18\A0036506.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP18\A0036529.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP19\A0036551.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP19\A0036607.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP19\A0036616.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0001763.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0001787.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0001883.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0001920.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0002959.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0003081.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0003171.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0004157.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0005174.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0005229.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP2\A0005337.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0036641.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0037607.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0037608.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0038607.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0038608.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0039607.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0039609.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0039697.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0039720.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0039767.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0039777.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0040767.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0040794.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0041767.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0041769.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0041801.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0041803.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0042801.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0043801.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP20\A0043828.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0043865.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0044801.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0044861.exe Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0044862.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0045804.dll Infected: Trojan.Win32.BHO.qvk 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0045805.dll Infected: Trojan-GameThief.Win32.Magania.ayon 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0045835.dll Infected: Trojan.Win32.BHO.qvk 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP21\A0045836.dll Infected: Trojan-GameThief.Win32.OnLineGames.blvg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0046835.dll Infected: Trojan.Win32.BHO.qvk 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0046836.dll Infected: Trojan-GameThief.Win32.OnLineGames.blvg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0047881.dll Infected: Trojan.Win32.BHO.qvk 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0047882.dll Infected: Trojan-GameThief.Win32.OnLineGames.blvg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0047922.dll Infected: Trojan-GameThief.Win32.OnLineGames.blvg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0048880.dll Infected: Trojan-GameThief.Win32.Magania.ayyp 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0048881.dll Infected: Trojan-GameThief.Win32.OnLineGames.blvg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0048970.dll Infected: Trojan-GameThief.Win32.Magania.ayyp 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0050981.bat Infected: Trojan-GameThief.Win32.Magania.azid 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0050994.exe Infected: Trojan-GameThief.Win32.Magania.azid 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0051970.dll Infected: Trojan-GameThief.Win32.Magania.azfg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0052970.dll Infected: Trojan-GameThief.Win32.Magania.azfg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0052971.dll Infected: Trojan-GameThief.Win32.Magania.azzm 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0053238.dll Infected: Trojan-GameThief.Win32.Magania.azfg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP22\A0053239.dll Infected: Trojan-GameThief.Win32.Magania.azzm 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP23\A0054238.dll Infected: Trojan-GameThief.Win32.Magania.azfg 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP23\A0054239.dll Infected: Trojan-GameThief.Win32.Magania.azzm 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP23\A0054281.dll Infected: Trojan-GameThief.Win32.Magania.azzm 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP25\A0054418.dll Infected: Trojan-GameThief.Win32.Magania.azhf 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP25\A0054419.dll Infected: Trojan-GameThief.Win32.Magania.azzm 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP25\A0054435.dll Infected: Trojan-GameThief.Win32.Magania.azhf 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP25\A0055419.dll Infected: Trojan-GameThief.Win32.Magania.azhf 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP27\A0071837.cmd Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP27\A0071838.cmd Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP27\A0071839.cmd Infected: Trojan-GameThief.Win32.Magania.ayms 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP27\A0071840.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0078057.dll Infected: Trojan-GameThief.Win32.Magania.azqh 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0078177.dll Infected: Trojan-GameThief.Win32.Magania.azsj 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0079197.dll Infected: Trojan-GameThief.Win32.Magania.azsj 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0080268.dll Infected: Trojan-GameThief.Win32.Magania.azsj 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0080368.cmd Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0085366.cmd Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0085378.exe Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0086394.dll Infected: Trojan-GameThief.Win32.Magania.bafv 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0086395.cmd Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0086407.dll Infected: Trojan-GameThief.Win32.Magania.bafx 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP28\A0087373.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP29\A0087503.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP29\A0088374.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP29\A0089381.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP3\A0005380.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP3\A0006317.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP3\A0007316.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP3\A0007389.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP30\A0089415.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP30\A0089562.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP30\A0090601.exe Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP31\A0090941.bat Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP31\A0090942.cmd Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP31\A0091230.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP4\A0007441.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP4\A0008389.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP4\A0008466.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP4\A0008540.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP4\A0008544.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP4\A0008553.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP5\A0008605.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP6\A0008672.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP6\A0008698.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP7\A0008713.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0008781.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0008829.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0008877.com Infected: Packed.Win32.****.g 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0009026.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0009030.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0009038.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP8\A0009052.exe Infected: Packed.Win32.****.g 1
D:\installers\ESET\infected\40YZHZAA.NQF Infected: Virus.Win32.Tenga.a 1
D:\installers\ESET\infected\5X4MXBBA.NQF Infected: Virus.Win32.Tenga.a 1
D:\installers\ESET\infected\FIFOIWDA.NQF Infected: Virus.Win32.Tenga.a 1
D:\installers\ESET\infected\LFNAC4CA.NQF Infected: Trojan-Downloader.Win32.Delf.jbz 1
D:\installers\ESET\infected\LOZXSNBA.NQF Infected: Trojan-Downloader.Win32.Zlob.ozz 1
D:\installers\ESET\infected\NKC3YAAA.NQF Infected: Virus.Win32.Tenga.a 1
D:\installers\ESET\infected\OWC1LTBA.NQF Infected: Virus.Win32.Tenga.a 1
D:\installers\ESET\infected\R0SH1ODA.NQF Infected: Trojan-Downloader.Win32.Zlob.ozz 1
D:\installers\ESET\infected\YVHBFBBA.NQF Infected: Trojan-Downloader.Win32.Delf.jbz 1
D:\installers\misc\SmileyCentralPFSetup2.3.50.40.ZNfox000.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ez 1
D:\installers\Neopets\mirc62.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 1
D:\o3w2.com Infected: Packed.Win32.****.g 1
F:\o3w2.com Infected: Packed.Win32.****.g 1
G:\o3w2.com Infected: Packed.Win32.****.g 1
H:\o3w2.com Infected: Packed.Win32.****.g 1
I:\eGames\Galaxy_of_MahJongg_JC\TSUninstaller.exe Infected: not-a-virus:AdWare.Win32.TimeSink 1
I:\My Games\Big City Adventure Sydney Australia\BigCityAdventureSyd.exe.bak Infected: Trojan-Downloader.Win32.Agent.bbwb 1
I:\My Games\Finders Keepers\Finders Keepers.exe Infected: Trojan.Win32.Genome.eqx 1
I:\My Games\Nanny Mania\NannyMania.exe Infected: Trojan-Downloader.Win32.Agent.adpm 1
I:\My Games\Poker Superstars II\PokerSuperstars2.exe Infected: Trojan-Downloader.Win32.Agent.adpm 1
I:\o3w2.com Infected: Packed.Win32.****.g 1
L:\peyfrf2.cmd Infected: Trojan-GameThief.Win32.Magania.auxk 1
L:\EXPLORER.EXE Infected: Virus.Win32.VB.bu 1
L:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Infected: Net-Worm.Win32.Kido.ih 1
L:\o3w2.com Infected: Packed.Win32.****.g 1
L:\br8ym2l.bat Infected: Trojan-GameThief.Win32.Magania.axaa 1
L:\pmut.bat Infected: Trojan-GameThief.Win32.Magania.ayor 1
L:\ls0f92.bat Infected: Trojan-Dropper.Win32.Agent.amso 1
L:\Qoobox\Quarantine\L\fpnw.com.vir Infected: Trojan-GameThief.Win32.Magania.barq 1
The selected area was scanned.
7th May 2009
#8
Malware Analyst
Profile:
Join Date: Sep 2008
Posts: 975
Computer Experience: Intermediate
Thank you for returning the information.
As you can see your computer was quite infected.
We'll take out the malicious files now and in final cleanup the remainder will go.
D:\installers\ESET\infected\40YZHZAA.NQF <- empty your Eset/Nod32 quarantined file or delete all the files in the folder.
Please download OTMoveIt3 by OldTimer and save it to your desktop.
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. (Make sure you include :Processes)
Code:
:Processes
explorer.exe
:Files
K:\ku.bat
K:\6l6.com
O:\ku.bat
J:\vn.cmd
M:\ku.bat
D:\installers\misc\SmileyCentralPFSetup2.3.50.40.ZNfox000.exe
D:\o3w2.com
F:\o3w2.com
G:\o3w2.com
H:\o3w2.com
I:\eGames\Galaxy_of_MahJongg_JC\TSUninstaller.exe
I:\My Games\Big City Adventure Sydney Australia\BigCityAdventureSyd.exe.bak
I:\My Games\Finders Keepers\Finders Keepers.exe
I:\My Games\Nanny Mania\NannyMania.exe
I:\My Games\Poker Superstars II\PokerSuperstars2.exe
I:\o3w2.com
L:\peyfrf2.cmd
L:\EXPLORER.EXE
L:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
L:\o3w2.com
L:\br8ym2l.bat
L:\pmut.bat
L:\ls0f92.bat
:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404643-371f-11de-bcf4-000c76ab60bf}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e1168d-9b2d-11dd-baf4-001bfc7af398}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2b69e97-a2f9-11dd-bb23-001bfc7af398}]
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
Close ALL open windows (especially Internet Explorer!).
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
In your next reply post:
OTMoveIt log
new HJT log
How's your computer now?
Last edited by Juliet; 7th May 2009 at 15:43.
Reason: again a typo
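As an added example (not part of the thread, and not the helper's tooling), here is a Python triage script for Kaspersky Online Scanner report lines of the shape shown above. It separates detections that are already contained (ComboFix's Qoobox quarantine, the NOD32 quarantine folder, System Restore snapshots) from live files, which is the split the helper makes between removing "the malicious files now" and leaving "the remainder" for final cleanup. The sample lines are constructed from entries in the report above; the location rules and the drive-root heuristic are assumptions of this example, not part of the scanner.

```python
"""Triage a Kaspersky Online Scanner 7 report of the kind posted in this thread.

Each detection line has the shape
    <path> Infected: <threat name> <count>
Paths may contain spaces, so the line is split on the literal " Infected: "
marker and the count is taken from the right-hand end of the line.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines in the report's format, with paths and
# threat names copied from the report above (not the full 218-line list).
SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\flnm.cmd.vir Infected: Trojan-GameThief.Win32.OnLineGames.blsr 1
C:\Qoobox\Quarantine\D\av1.zip Infected: Trojan-GameThief.Win32.Magania.bajt 1
C:\Qoobox\Quarantine\D\av1.zip Infected: Trojan-GameThief.Win32.Magania.azvn 1
C:\System Volume Information\_restore{AF563314-5E7A-4FA5-AFF9-F21F9CF9147F}\RP13\A0027230.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.et 1
D:\installers\ESET\infected\40YZHZAA.NQF Infected: Virus.Win32.Tenga.a 1
D:\o3w2.com Infected: Packed.Win32.****.g 1
F:\o3w2.com Infected: Packed.Win32.****.g 1
I:\My Games\Finders Keepers\Finders Keepers.exe Infected: Trojan.Win32.Genome.eqx 1
L:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx Infected: Net-Worm.Win32.Kido.ih 1
The selected area was scanned.
"""

# Header and footer lines ("Scan statistics:", "The selected area was
# scanned.") do not match this pattern and are skipped by the parser.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>.+) (?P<count>\d+)$")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str
    count: int

    @property
    def location(self) -> str:
        """Classify where the file sits (assumed rules for this example)."""
        p = self.path.lower()
        if "\\qoobox\\quarantine\\" in p or "\\eset\\infected\\" in p:
            return "quarantine"     # already isolated by ComboFix / NOD32; emptied in final cleanup
        if "\\system volume information\\_restore" in p:
            return "restore-point"  # System Restore snapshot; inert unless that point is restored
        return "live"               # reachable on disk: this is what needs removal now

    @property
    def potentially_unwanted(self) -> bool:
        """Kaspersky marks adware/toolbars with a 'not-a-virus:' prefix."""
        return self.threat.startswith("not-a-virus:")

    @property
    def family(self) -> str:
        """Drop the variant suffix: Trojan-GameThief.Win32.Magania.ayor -> ...Magania."""
        name = self.threat.split(":", 1)[-1]
        parts = name.split(".")
        return ".".join(parts[:3]) if len(parts) > 3 else name


def parse_report(text: str) -> list[Detection]:
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def triage(detections: list[Detection]) -> tuple[Counter, list[Detection]]:
    """Count detections per location and return the live ones needing action."""
    by_location = Counter(d.location for d in detections)
    live = [d for d in detections if d.location == "live"]
    return by_location, live


def family_summary(detections: list[Detection]) -> Counter:
    return Counter(d.family for d in detections)


def drive_root_repeats(detections: list[Detection]) -> dict[str, list[str]]:
    """Heuristic (assumed): the same bare filename at the root of several drives,
    as with o3w2.com in this thread, is the signature of malware that copies
    itself to every mounted volume."""
    roots: dict[str, set[str]] = {}
    for d in detections:
        drive, sep, rest = d.path.partition("\\")
        if sep and rest and "\\" not in rest:   # exactly one component after "X:\"
            roots.setdefault(rest.lower(), set()).add(drive[0].upper())
    return {name: sorted(drives) for name, drives in roots.items() if len(drives) > 1}


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    by_loc, live = triage(dets)
    print("detections by location:", dict(by_loc))
    print("families:", dict(family_summary(dets)))
    print("same file at several drive roots:", drive_root_repeats(dets))
    for d in live:
        tag = "PUP" if d.potentially_unwanted else "malware"
        print(f"remove now [{tag}]: {d.path}  ({d.threat})")
```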
7th May 2009
#9
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
As soon as my computer rebooted, I couldn't use it. I kept on restarting the computer until I decided to just go into safe mode. I am using safe mode now; I'm not quite sure if I'll be able to use it normally. Here are my logs:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder K:\ku.bat not found.
File/Folder K:\6l6.com not found.
File/Folder O:\ku.bat not found.
File/Folder J:\vn.cmd not found.
File/Folder M:\ku.bat not found.
File/Folder D:\installers\misc\SmileyCentralPFSetup2.3.50.40.ZNfox000.exe not found.
File/Folder D:\o3w2.com not found.
File/Folder F:\o3w2.com not found.
File/Folder G:\o3w2.com not found.
File/Folder H:\o3w2.com not found.
File/Folder I:\eGames\Galaxy_of_MahJongg_JC\TSUninstaller.exe not found.
File/Folder I:\My Games\Big City Adventure Sydney Australia\BigCityAdventureSyd.exe.bak not found.
File/Folder I:\My Games\Finders Keepers\Finders Keepers.exe not found.
File/Folder I:\My Games\Nanny Mania\NannyMania.exe not found.
File/Folder I:\My Games\Poker Superstars II\PokerSuperstars2.exe not found.
File/Folder I:\o3w2.com not found.
L:\peyfrf2.cmd moved successfully.
L:\EXPLORER.EXE moved successfully.
L:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx moved successfully.
L:\o3w2.com moved successfully.
L:\br8ym2l.bat moved successfully.
L:\pmut.bat moved successfully.
L:\ls0f92.bat moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404641-371f-11de-bcf4-000c76ab60bf}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{49404643-371f-11de-bcf4-000c76ab60bf}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6f762209-a60d-11dd-bb27-001bfc7af398}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3e1168d-9b2d-11dd-baf4-001bfc7af398}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f2b69e97-a2f9-11dd-bb23-001bfc7af398}\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Jerrine\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05072009_221410
Files moved on Reboot...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:07 PM, on 5/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about :blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.magicjack.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE A4 Tech USB PC Camera
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Jerrine\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [HyperIM] C:\Program Files\HyperIM\HyperIM.exe -min
O4 - HKCU\..\Run: [kvasoft] C:\WINDOWS\system32\kva8wr.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Multiply AutoUploader.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/229?5dfdc8dc23be4c7a801fe86b1040b5b2
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ph\msntabres.dll.mui/230?5dfdc8dc23be4c7a801fe86b1040b5b2
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7956 bytes
7th May 2009
#10
Malware Analyst
Profile:
Join Date: Sep 2008
Posts: 975
Computer Experience: Intermediate
This is what we're trying to get off your computer: the Conficker virus.
http://www.sophos.com/security/analy...utorunafq.html
I'm beginning to doubt if we will ever get it completely off.
Open HijackThis, click Do a system scan only, and checkmark this entry. Then close all other windows and browsers except HijackThis and press Fix checked.
O4 - HKCU\..\Run: [kvasoft] C:\WINDOWS\system32\kva8wr.exe
Double-click OTMoveIt3.exe to run it.
Copy the lines in the codebox below. ( Make sure you include :Processes )
Code:
:Processes
explorer.exe
:Files
C:\WINDOWS\system32\kva8wr.exe
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kvasoft"=-
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
Return to OTMoveIt3, right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
- Close ALL open windows (especially Internet Explorer!)-
Click the red Moveit! button.
Copy everything in the Results window (under the green bar), and paste it in your next reply.
Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
If the machine reboots, the Results log can be found here:
c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log
Where mmddyyyy_hhmmss is the date of the tool run.
Please post the OTMoveIt log.
Can you boot back into normal mode now?
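The OTMoveIt3 script in the post above is a small removal plan written in the tool's own script format: one section per kind of action, with the :reg section in .reg-file style. As an added example, not OTMoveIt's code and not part of the original thread, here is a Python parser that turns such a script into a structured plan so the requested actions (process termination, file move, registry value deletion, cleanup commands) can be reviewed before anything runs. The sample input is the script from this post; the reading of `"name"=-` as "delete this value" and `[-key]` as "delete this key" follows standard .reg file syntax, which this example assumes the :reg section uses.

```python
"""Parse an OTMoveIt3-style removal script into a reviewable plan.

Added example, not OTMoveIt's own code. Section names (:Processes, :Files,
:reg, :Commands) follow the script posted in the thread; the :reg section is
assumed to use .reg file syntax ("name"=- deletes a value, [-key] deletes a key).
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the script given in the post above.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe
:Files
C:\WINDOWS\system32\kva8wr.exe
:reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kvasoft"=-
:Commands
[Purity]
[EmptyTemp]
[Start Explorer]
[Reboot]
"""


@dataclass
class Plan:
    processes: list = field(default_factory=list)          # process names to terminate
    files: list = field(default_factory=list)              # file/folder paths to move
    reg_delete_keys: list = field(default_factory=list)    # whole keys to delete
    reg_delete_values: list = field(default_factory=list)  # (key, value_name) pairs
    reg_set_values: list = field(default_factory=list)     # (key, value_name, data) triples
    commands: list = field(default_factory=list)           # bracketed directives, in order


_VALUE_LINE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
_SECTIONS = {"processes", "files", "reg", "commands"}


def parse_script(text):
    """Return a Plan describing what the script asks the tool to do."""
    plan = Plan()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            # Section header such as ":Processes"; names are case-insensitive here.
            section = line[1:].lower()
            if section not in _SECTIONS:
                raise ValueError(f"unknown section: {raw!r}")
            current_key = None
            continue
        if section == "processes":
            plan.processes.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]
                if key.startswith("-"):        # [-key] deletes the whole key
                    plan.reg_delete_keys.append(key[1:])
                    current_key = None
                else:                          # [key] opens a key for value lines
                    current_key = key
                continue
            m = _VALUE_LINE.match(line)
            if m is None or current_key is None:
                raise ValueError(f"unparsable :reg line: {raw!r}")
            name, data = m.group("name"), m.group("data")
            if data == "-":                    # "name"=- deletes the value
                plan.reg_delete_values.append((current_key, name))
            else:
                plan.reg_set_values.append((current_key, name, data))
        elif section == "commands":
            if not (line.startswith("[") and line.endswith("]")):
                raise ValueError(f"unparsable :Commands line: {raw!r}")
            plan.commands.append(line[1:-1])
        else:
            raise ValueError(f"line before any section header: {raw!r}")
    return plan


def describe(plan):
    """Human-readable action list, one string per action, in the tool's section order."""
    out = [f"kill process {p}" for p in plan.processes]
    out += [f"move file/folder {f}" for f in plan.files]
    out += [f"delete registry key {k}" for k in plan.reg_delete_keys]
    out += [f"delete registry value {n!r} under {k}" for k, n in plan.reg_delete_values]
    out += [f"set registry value {n!r} under {k} to {d}" for k, n, d in plan.reg_set_values]
    out += [f"run command [{c}]" for c in plan.commands]
    return out


if __name__ == "__main__":
    for action in describe(parse_script(SAMPLE_SCRIPT)):
        print(action)
```

The parser only builds a plan; it changes nothing on the machine. Its value is in the review step: a helper or the person being helped can see that the script kills one process, moves one file, removes one Run value and then runs the cleanup commands, and a malformed or unexpected line raises an error instead of being silently skipped.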
8th May 2009
#11
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
I can boot in normal mode now. Also, I have noticed that this error comes up every time I boot. http://i695.photobucket.com/albums/v...screenshot.jpg
I'm planning to reformat the computer, would that help?
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\kva8wr.exe moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\kvasoft not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Jerrine\Local Settings\Temporary Internet Files\Content.IE5\4DYFKDIN\rotate2[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jerrine\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_c8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05082009_215547
Files moved on Reboot...
C:\Documents and Settings\Jerrine\Local Settings\Temporary Internet Files\Content.IE5\4DYFKDIN\rotate2[1].htm moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_c8.dat not found!
8th May 2009
#12
Malware Analyst
Profile:
Join Date: Sep 2008
Posts: 975
Computer Experience: Intermediate
The error message is related to your computer's graphics card...
I've seen where you can uninstall and restart the computer and Windows will load the driver again.
I can't say it will always work.
You can read about it here
"An exception occured while trying to run "C:\WINDOWS\system32\NvCpl.dll,NvStartup" "
http://www.techsupportforum.com/micr...urred-etc.html
Now about reformat.
Sometimes this is the best option available to get malware off a machine and start new.
We can continue working here and try to remove what we can find through running scans.
I'll leave the decision up to you.
How's your computer now since removing that last file?
8th May 2009
#13
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
It seems to hang for quite some time. I'm not sure why. The reason why I plan to reformat is not only because of the malware, but to also free some memory space in the computer.
8th May 2009
#14
Member
Profile:
Join Date: Apr 2009
Posts: 9
Computer Experience: Beginner
I think I'll go with the reformat. I suppose my computer would run faster if I did it that way. I really appreciate all your help, Juliet. Thank you very much.