
Active Iexplore.exe Trojan (I think)

Discussion in 'Malware and Virus Removal Archive' started by Flando, 2009/07/14.

  1. Flando (Thread Starter), 2009/07/14

    [Active] Iexplore.exe Trojan (I think)

    I have an instance of iexplore.exe running when no IE browser is open and it's chewing up my CPU and God knows what else. Below are the posts from DDS, HJT, SDFix. I don't see any instances of iexplore.exe running currently after I tried the SDFix, but any help would be greatly appreciated.

    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:45:36 PM, on 7/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - cmdmapping - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Golden Riviera - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\goldenrivieraMPP\MPPoker.exe (file missing) (HKCU)
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    --
    End of file - 9882 bytes


    DDS


    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Owner at 20:54:07.00 on Tue 07/14/2009
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.332 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.gatewaybiz.com
    mDefault_Page_URL = hxxp://www.gatewaybiz.com
    mStart Page = hxxp://www.gatewaybiz.com
    uInternet Settings,ProxyServer = 0.0.0.0:80
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [LGBLiveUpdate] c:\windows\system32\lgbpd.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [VnrBlock21] "c:\program files\vnrblock\VnrBlock21.exe"
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
    mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    mRun: [Mixersel] c:\program files\realtek\installshield\mixersel.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AlcWzrd] ALCWZRD.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [mondrv411] c:\windows\mondrv411.exe
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [BHR] c:\program files\zamaan's software\browser hijack retaliator 4.5\BHR.exe
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9g.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet v series\bin\hpoant07.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - hxxps://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    TCP: {0D01A5FD-BA52-4273-8F33-6D681F2B42FC} = 208.67.222.222,208.67.220.220
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\25bwot1e.default\
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox safe\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox safe\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox safe\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox safe\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-14 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-19 327688]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-19 27784]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-19 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-19 906520]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-19 298776]
    R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
    R2 windefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S2 gupdate1c9dc97615601ee;Google Update Service (gupdate1c9dc97615601ee);c:\program files\google\update\GoogleUpdate.exe [2009-5-24 133104]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-10-21 33752]

    =============== Created Last 30 ================

    2009-07-14 20:44 <DIR> --d----- C:\HJT
    2009-07-14 20:24 578,560 ac------ c:\windows\system32\dllcache\user32.dll
    2009-07-14 20:22 <DIR> --d----- c:\windows\ERUNT
    2009-07-14 20:21 <DIR> --d----- C:\SDFix
    2009-07-14 17:55 61,440 a------- c:\windows\system32\drivers\mgnfrf.sys
    2009-07-14 17:46 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
    2009-07-14 17:46 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-14 17:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-07-14 17:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-07-14 17:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-07-14 16:47 64,160 a------- c:\windows\system32\drivers\Lbd.sys
    2009-07-14 16:47 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-14 16:47 <DIR> --d----- c:\program files\Lavasoft
    2009-07-14 16:10 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-07-14 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-07-14 15:30 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-07-14 15:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SecTaskMan
    2009-07-14 14:20 96 a------- c:\windows\wininit.ini
    2009-07-13 17:18 <DIR> --d----- c:\program files\Mozilla Firefox Safe
    2009-07-12 19:22 <DIR> --d----- c:\windows\pss
    2009-07-11 15:42 6 a------- c:\windows\msoffice.ini
    2009-07-11 15:06 <DIR> --d----- c:\windows\system32\wbem\Repository

    ==================== Find3M ====================

    2009-07-14 20:54 99,276 a------- c:\windows\system32\drivers\baa5e0bd.sys
    2009-07-14 17:55 2,200 a------- c:\program files\lfqatyas.txt
    2009-07-02 09:31 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 09:31 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-05-30 01:49 182,656 a------- c:\windows\system32\drivers\ndis.sys
    2009-05-17 09:36 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-05-14 17:53 142,804 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
    2009-04-17 16:16 36,368 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT

    ============= FINISH: 20:54:31.70 ===============

    ATTACH


    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/18/2008 7:03:39 AM
    System Uptime: 7/14/2009 8:30:27 PM (0 hours ago)

    Motherboard: Intel Corporation | | D915GAG
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2800/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 146 GiB total, 93.462 GiB free.
    D: is FIXED (FAT32) - 4 GiB total, 1.679 GiB free.
    E: is CDROM (UDF)
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP205: 4/16/2009 4:53:31 AM - System Checkpoint
    RP206: 4/17/2009 6:05:29 AM - System Checkpoint
    RP207: 4/17/2009 8:58:42 AM - Avg8 Update
    RP208: 4/18/2009 9:17:30 AM - System Checkpoint
    RP209: 4/19/2009 9:35:42 AM - System Checkpoint
    RP210: 4/20/2009 10:17:29 AM - System Checkpoint
    RP211: 4/21/2009 11:17:30 AM - System Checkpoint
    RP212: 4/22/2009 12:17:27 PM - System Checkpoint
    RP213: 4/23/2009 1:17:26 PM - System Checkpoint
    RP214: 4/24/2009 1:59:39 PM - System Checkpoint
    RP215: 4/25/2009 3:15:52 PM - System Checkpoint
    RP216: 4/26/2009 3:45:56 PM - System Checkpoint
    RP217: 4/27/2009 3:59:39 PM - System Checkpoint
    RP218: 4/28/2009 4:00:42 PM - System Checkpoint
    RP219: 4/29/2009 5:48:37 PM - System Checkpoint
    RP220: 4/30/2009 3:00:14 AM - Software Distribution Service 3.0
    RP221: 5/1/2009 3:59:36 AM - System Checkpoint
    RP222: 5/2/2009 5:23:36 AM - System Checkpoint
    RP223: 5/3/2009 5:59:34 AM - System Checkpoint
    RP224: 5/4/2009 8:00:01 AM - System Checkpoint
    RP225: 5/5/2009 8:59:34 AM - System Checkpoint
    RP226: 5/6/2009 9:47:35 AM - System Checkpoint
    RP227: 5/7/2009 9:59:34 AM - System Checkpoint
    RP228: 5/8/2009 10:59:34 AM - System Checkpoint
    RP229: 5/8/2009 8:42:17 PM - Removed Microsoft MapPoint North America 2009
    RP230: 5/8/2009 8:47:26 PM - Installed Microsoft Streets & Trips 2009
    RP231: 5/9/2009 9:23:33 PM - System Checkpoint
    RP232: 5/10/2009 8:10:22 PM - Removed Microsoft Streets & Trips 2009
    RP233: 5/10/2009 9:54:57 PM - Installed Microsoft MapPoint North America 2009
    RP234: 5/11/2009 10:02:51 PM - System Checkpoint
    RP235: 5/12/2009 10:59:32 PM - System Checkpoint
    RP236: 5/13/2009 3:00:21 AM - Software Distribution Service 3.0
    RP237: 5/14/2009 4:47:38 AM - System Checkpoint
    RP238: 5/14/2009 5:52:38 PM - Restore Operation
    RP239: 5/15/2009 3:00:27 AM - Software Distribution Service 3.0
    RP240: 5/16/2009 3:46:38 AM - System Checkpoint
    RP241: 5/17/2009 4:02:53 AM - System Checkpoint
    RP242: 5/17/2009 9:35:14 AM - Avg8 Update
    RP243: 5/17/2009 9:36:36 AM - Avg8 Update
    RP244: 5/18/2009 9:58:38 AM - System Checkpoint
    RP245: 5/19/2009 10:15:21 AM - System Checkpoint
    RP246: 5/20/2009 10:58:40 AM - System Checkpoint
    RP247: 5/21/2009 11:58:40 AM - System Checkpoint
    RP248: 5/21/2009 3:29:36 PM - Installed Compatibility Pack for the 2007 Office system
    RP249: 5/22/2009 4:34:34 PM - System Checkpoint
    RP250: 5/23/2009 8:37:10 AM - Avg8 Update
    RP251: 5/23/2009 8:37:55 AM - Avg8 Update
    RP252: 5/24/2009 8:42:30 AM - System Checkpoint
    RP253: 5/25/2009 8:58:26 AM - System Checkpoint
    RP254: 5/26/2009 8:59:32 AM - System Checkpoint
    RP255: 5/27/2009 9:58:26 AM - System Checkpoint
    RP256: 5/28/2009 10:30:41 AM - System Checkpoint
    RP257: 5/29/2009 11:05:45 AM - System Checkpoint
    RP258: 5/30/2009 11:40:22 AM - System Checkpoint
    RP259: 5/31/2009 12:30:48 PM - System Checkpoint
    RP260: 6/1/2009 3:47:16 PM - System Checkpoint
    RP261: 6/2/2009 3:57:36 PM - System Checkpoint
    RP262: 6/3/2009 4:27:41 PM - System Checkpoint
    RP263: 6/4/2009 4:36:33 PM - System Checkpoint
    RP264: 6/5/2009 4:37:38 PM - System Checkpoint
    RP265: 6/6/2009 5:36:24 PM - System Checkpoint
    RP266: 6/7/2009 6:01:54 PM - System Checkpoint
    RP267: 6/8/2009 6:53:01 PM - System Checkpoint
    RP268: 6/9/2009 7:37:29 PM - System Checkpoint
    RP269: 6/10/2009 8:58:59 PM - System Checkpoint
    RP270: 6/11/2009 9:37:29 PM - System Checkpoint
    RP271: 6/12/2009 10:36:24 PM - System Checkpoint
    RP272: 6/13/2009 10:37:29 PM - System Checkpoint
    RP273: 6/14/2009 11:36:24 PM - System Checkpoint
    RP274: 6/15/2009 11:37:31 PM - System Checkpoint
    RP275: 6/17/2009 1:48:24 AM - System Checkpoint
    RP276: 6/18/2009 3:07:21 AM - System Checkpoint
    RP277: 6/19/2009 5:12:24 AM - System Checkpoint
    RP278: 6/20/2009 6:04:15 AM - System Checkpoint
    RP279: 6/21/2009 6:20:49 AM - System Checkpoint
    RP280: 6/22/2009 8:58:16 AM - System Checkpoint
    RP281: 6/23/2009 9:20:50 AM - System Checkpoint
    RP282: 6/24/2009 9:56:51 AM - System Checkpoint
    RP283: 6/25/2009 10:20:49 AM - System Checkpoint
    RP284: 6/26/2009 11:20:49 AM - System Checkpoint
    RP285: 6/27/2009 11:21:54 AM - System Checkpoint
    RP286: 6/28/2009 12:20:47 PM - System Checkpoint
    RP287: 6/29/2009 1:20:47 PM - System Checkpoint
    RP288: 6/30/2009 2:31:15 PM - System Checkpoint
    RP289: 7/1/2009 2:34:21 PM - System Checkpoint
    RP290: 7/2/2009 9:30:14 AM - Avg8 Update
    RP291: 7/2/2009 9:31:45 AM - Avg8 Update
    RP292: 7/3/2009 9:53:36 AM - System Checkpoint
    RP293: 7/4/2009 10:47:45 AM - System Checkpoint
    RP294: 7/5/2009 11:20:45 AM - System Checkpoint
    RP295: 7/6/2009 12:20:46 PM - System Checkpoint
    RP296: 7/7/2009 1:20:45 PM - System Checkpoint
    RP297: 7/8/2009 3:33:06 PM - System Checkpoint
    RP298: 7/9/2009 4:21:50 PM - System Checkpoint
    RP299: 7/10/2009 4:38:35 PM - System Checkpoint
    RP300: 7/11/2009 1:58:32 PM - Installed Windows Defender
    RP301: 7/11/2009 2:22:59 PM - Windows Defender Checkpoint
    RP302: 7/11/2009 3:05:48 PM - Restore Operation
    RP303: 7/11/2009 3:16:29 PM - Restore Operation
    RP304: 7/11/2009 3:29:00 PM - Installed Windows Defender
    RP305: 7/11/2009 3:46:13 PM - Removed Full Tilt Poker.Net
    RP306: 7/11/2009 3:49:43 PM - Removed TravelScan 464
    RP307: 7/12/2009 4:20:50 PM - System Checkpoint
    RP308: 7/13/2009 6:05:14 PM - System Checkpoint
    RP309: 7/14/2009 3:14:46 PM - Move file to quarantine: Internet Explorer
    RP310: 7/14/2009 3:16:27 PM - Move file to quarantine: Internet Explorer
    RP311: 7/14/2009 3:17:00 PM - Move file to quarantine: Internet Explorer
    RP312: 7/14/2009 3:17:26 PM - Move file to quarantine: Internet Explorer
    RP313: 7/14/2009 3:31:01 PM - Installed SUPERAntiSpyware Free Edition

    ==== Installed Programs ======================

    1003 Loan Application
    Absolute Poker
    Acrobat.com
    Ad-Aware
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe Acrobat 9.1.2 - CPSID_49166
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Photoshop CS
    Adobe Reader 6.0
    AVG Free 8.5
    BigFix
    Compatibility Pack for the 2007 Office system
    Digital Media Reader
    getPlus(R) for Adobe
    Google Earth
    Google SketchUp Pro 7
    Google Update Helper
    Google Updater
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB952287)
    hp officejet v series
    InCD EasyWrite Reader
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Adapters and Drivers
    Java 2 Runtime Environment, SE v1.4.2
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    LimeWire 5.1.3
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0
    Microsoft English TTS Engine
    Microsoft MapPoint North America 2009
    Microsoft Office Access database engine 2007 (English)
    Microsoft Office XP Professional with FrontPage
    Microsoft Office XP Web Components
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Mozilla Firefox (3.5)
    Mozilla Thunderbird (2.0.0.22)
    Mozilla Thunderbird (3.0b2)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero BurnRights
    Nero OEM
    PDF Password Remover v2.1
    PowerDVD
    PrimoPDF
    QuickTime
    RealPlayer Basic
    Realtek High Definition Audio Driver
    SAPI Wrapper
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB963027)
    Spybot - Search & Destroy
    TTS Wrapper
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Backup Utility
    Windows Defender
    Windows Live OneCare safety scanner
    Windows Media Format 11 runtime
    Windows XP Service Pack 3
    Winmail Reader 1.1.12
    WinZip Self-Extractor

    ==== Event Viewer Messages From Past Week ========

    7/14/2009 8:22:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    7/14/2009 8:19:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
    7/14/2009 4:01:10 PM, error: System Error [1003] - Error code 10000050, parameter1 a8b5be60, parameter2 00000000, parameter3 86566f51, parameter4 00000003.
    7/14/2009 3:44:18 PM, error: Dhcp [1002] - The IP address lease 99.190.229.53 for the Network Card with network address 001111B51BA7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    7/14/2009 3:42:20 PM, error: System Error [1003] - Error code 10000050, parameter1 aa4ceb20, parameter2 00000000, parameter3 8655ff51, parameter4 00000000.
    7/14/2009 3:38:26 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm sasdifsv saskutil
    7/14/2009 3:37:24 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    7/14/2009 3:37:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/14/2009 1:50:18 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5512.
    7/13/2009 9:11:35 AM, information: Windows File Protection [64005] - The protected system file iexplore.exe was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Owner. The file version of the bad file is unknown.
    7/13/2009 9:11:13 AM, error: DCOM [10000] - Unable to start a DCOM Server: {0002DF01-0000-0000-C000-000000000046}. The error: "%2" Happened while starting this command: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    7/13/2009 6:05:43 AM, error: Dhcp [1002] - The IP address lease 99.4.107.131 for the Network Card with network address 001111B51BA7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    7/12/2009 7:42:43 PM, error: Dhcp [1002] - The IP address lease 99.17.106.112 for the Network Card with network address 001111B51BA7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    7/11/2009 3:49:50 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    7/11/2009 3:12:43 PM, error: Dhcp [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001111B51BA7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    7/11/2009 3:08:02 PM, error: Service Control Manager [7000] - The Background Intelligent Transfer Service service failed to start due to the following error: The system cannot find the file specified.
    7/11/2009 3:08:02 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service BITS with arguments " " in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    7/11/2009 3:07:53 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    7/11/2009 3:07:38 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
    7/11/2009 2:24:02 PM, error: DCOM [10005] - DCOM got error "%2" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    7/11/2009 2:22:59 PM, error: WinDefend [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:WinNT/Rustock.E&threatid=125019 Scan ID: {128B1A88-B4C7-4BE8-9857-926578845DFF} Scan Type: AntiMalware User: YOUR-2498E4C98D\Owner Name: Backdoor:WinNT/Rustock.E ID: 125019 Severity: Severe Category: Backdoor Path: Action: Remove Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer.
    7/10/2009 5:05:48 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================


    SDFIX


    SDFix: Version 1.240
    Run by Owner on Tue 07/14/2009 at 08:24 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\-92289~1 - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-14 20:35:14
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\baa5e0bd]
    "ImagePath"="\SystemRoot\System32\drivers\baa5e0bd.sys"
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "F96ZK6nPB"="YmluZGVyeXNlcnZpY2UubW9iaQ=="
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000002
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000007
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000023
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000004
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000004
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000004
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
    "DeviceType"=dword:00000007
    "DeviceCharacteristics"=dword:00000100
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\baa5e0bd]
    "ImagePath"="\SystemRoot\System32\drivers\baa5e0bd.sys"
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "F96ZK6nPB"="YmluZGVyeXNlcnZpY2UubW9iaQ=="
    [HKEY_LOCAL_MACHINE\SYSTEM\controlset002\Services\MRxDAV\EncryptedDirectories]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\baa5e0bd]
    "ImagePath"="\SystemRoot\System32\drivers\baa5e0bd.sys"
    "Type"=dword:00000001
    "Start"=dword:00000001
    "ErrorControl"=dword:00000001
    "F96ZK6nPB"="YmluZGVyeXNlcnZpY2UubW9iaQ=="

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
    "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"="C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe:*:Enabled:Mozilla Thunderbird"
    "C:\\Program Files\\Mozilla Thunderbird 3 Beta 2\\thunderbird.exe"="C:\\Program Files\\Mozilla Thunderbird 3 Beta 2\\thunderbird.exe:*:Enabled:Mozilla Thunderbird"
    "C:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe"="C:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe:*:Enabled:primoPDF"
    "C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"="C:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe:*:Enabled:magicJack"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Disabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Disabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Disabled:AOL"
    "C:\\Program Files\\RPMPoker\\client.exe"="C:\\Program Files\\RPMPoker\\client.exe:*:Disabled:RPM Poker Client"
    "C:\\Program Files\\PDCPoker\\client.exe"="C:\\Program Files\\PDCPoker\\client.exe:*:Disabled:pDC Poker Client"
    "C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
    Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
    Sat 30 May 2009 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 4 Apr 2001 28,738 ...HR --- "C:\Documents and Settings\Office XP\MSDE2000\SQLRESLD.DLL"
    Wed 4 Apr 2001 28,738 ...HR --- "C:\My Backup -- 18-10-08 0419\Office XP Lime Wire Download\MSDE2000\SQLRESLD.DLL"
    Wed 15 Oct 2008 616,448 A.SH. --- "C:\My Backup -- 18-10-08 0419\WINDOWS\Temp\7phnnptg.TMP"
    Wed 15 Oct 2008 616,448 A.SH. --- "C:\My Backup -- 18-10-08 0419\WINDOWS\Temp\b9kcre33.TMP"
    Wed 15 Oct 2008 616,448 A.SH. --- "C:\My Backup -- 18-10-08 0419\WINDOWS\Temp\s0jue6cu.TMP"
    Fri 14 Mar 2008 4,348 ..SH. --- "C:\My Backup -- 18-10-08 0419\Documents and Settings\All Users\DRM\DRMv1.bak"
    Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Owner\Application Data\mjusbsp\ar00000\install.exe"
    Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Owner\Application Data\mjusbsp\in00000\setup.exe"
    Fri 10 Apr 2009 725,296 A..H. --- "C:\Documents and Settings\Owner\Application Data\mjusbsp\Upgrade\install2.exe"
    Fri 10 Apr 2009 6,327,408 A..H. --- "C:\Documents and Settings\Owner\Application Data\mjusbsp\Upgrade\setup2.exe"
    Fri 10 Oct 2008 0 A.SH. --- "C:\My Backup -- 18-10-08 0419\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Wed 4 Apr 2001 28,738 A..HR --- "C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 7 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\MSDE2000\SQLRESLD.DLL"
    Wed 4 Apr 2001 28,738 A..HR --- "C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\MSDE2000\SQLRESLD.DLL"
    Wed 4 Apr 2001 28,738 A..HR --- "C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).zip\MSDE2000\SQLRESLD.DLL"

    Finished!
     
  2. 2009/07/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

  4. 2009/07/15
    Flando

    Flando Inactive Thread Starter

    Joined:
    2009/07/14
    Messages:
    11
    Likes Received:
    0
    ComboFix Log:

    ComboFix 09-07-14.08 - Owner 07/15/2009 7:55.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.563 [GMT -5:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\94628116.ini
    c:\documents and settings\Office XP\AUTORUN.INF
    c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
    c:\program files\IEToolbar
    c:\program files\IEToolbar\ECO Bar\basis.xml
    c:\program files\IEToolbar\ECO Bar\ecobar.dll
    c:\program files\IEToolbar\ECO Bar\icons.bmp
    c:\program files\IEToolbar\ECO Bar\info.txt
    c:\program files\IEToolbar\ECO Bar\uninstall.exe
    c:\program files\IEToolbar\ECO Bar\version.txt
    c:\program files\IEToolbar\ECO Bar\your_logo.png
    c:\recycler\S-1-5-21-2909652843-1896216275-3863269929-1003
    c:\recycler\S-1-5-21-7064079582-9674713279-607379836-6003
    c:\windows\Installer\63976d2e.msp
    c:\windows\Installer\69d5a0f.msi
    c:\windows\Installer\6cba6a98.msi
    c:\windows\system32\drivers\baa5e0bd.sys
    c:\windows\system32\drivers\ntndis.sys
    c:\windows\system32\qjt1Fvn.vbs


    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_avast!antivirus
    -------\Service_baa5e0bd


    ((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
    .

    2009-07-15 01:44 . 2009-07-15 01:45 -------- d-----w- C:\HJT
    2009-07-15 01:24 . 2009-07-15 01:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
    2009-07-15 01:22 . 2009-07-15 01:22 -------- d-----w- c:\windows\ERUNT
    2009-07-15 01:21 . 2009-07-15 01:38 -------- d-----w- C:\SDFix
    2009-07-14 22:55 . 2009-07-14 22:55 61440 ----a-w- c:\windows\system32\drivers\mgnfrf.sys
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-07-14 21:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-14 21:47 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\program files\Lavasoft
    2009-07-14 21:10 . 2009-07-14 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-14 21:10 . 2009-07-14 21:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-14 20:30 . 2009-07-14 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-14 20:11 . 2009-07-14 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 235520 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:43 338432 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:42 235008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
    2009-07-13 22:19 . 2009-03-24 19:42 345088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-07-13 22:18 . 2009-07-15 12:50 -------- d-----w- c:\program files\Mozilla Firefox Safe
    2009-07-11 20:06 . 2009-07-11 20:06 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-07-11 18:58 . 2009-07-11 20:29 -------- d-----w- c:\program files\Windows Defender
    2009-06-26 18:33 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
    2009-06-26 18:33 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-15 12:32 . 2008-10-18 12:11 -------- d-----w- c:\program files\Mozilla Thunderbird
    2009-07-14 22:55 . 2009-07-14 22:55 2200 ----a-w- c:\program files\lfqatyas.txt
    2009-07-13 13:43 . 2008-10-20 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-07-13 13:41 . 2008-10-18 11:47 -------- d-----w- c:\program files\Pure Networks
    2009-07-11 21:28 . 2009-03-18 13:35 -------- d-----w- c:\program files\Google
    2009-07-11 20:50 . 2008-11-16 06:08 -------- d-----w- c:\program files\UltimateBet
    2009-07-11 20:49 . 2009-05-17 06:03 -------- d-----w- c:\program files\SuperBook Poker
    2009-07-11 20:49 . 2009-05-17 06:09 -------- d-----w- c:\program files\Sportsbook Poker
    2009-07-11 20:48 . 2008-10-26 07:19 -------- d-----w- c:\program files\PokerStars.NET
    2009-07-11 20:48 . 2009-05-17 06:31 -------- d-----w- c:\program files\PokerStars
    2009-07-11 20:48 . 2008-10-26 07:04 -------- d-----w- c:\program files\PlayersOnly Poker
    2009-07-11 20:46 . 2008-11-16 04:31 -------- d-----w- c:\program files\Full Tilt Poker.Net
    2009-07-11 20:46 . 2008-10-18 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-11 20:45 . 2009-05-09 11:37 -------- d-----w- c:\program files\DoylesRoom
    2009-07-11 20:45 . 2009-05-20 20:34 -------- d-----w- c:\program files\Coupons
    2009-07-11 20:44 . 2008-11-23 07:12 -------- d-----w- c:\program files\Cake Poker
    2009-07-11 20:44 . 2009-05-23 06:19 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-07-11 20:44 . 2008-10-18 11:44 -------- d-----w- c:\program files\Common Files\AOL
    2009-07-11 20:44 . 2008-10-21 06:46 -------- d-----w- c:\program files\Absolute Poker
    2009-07-11 20:43 . 2008-10-18 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-07-05 04:17 . 2008-10-22 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2009-07-02 14:31 . 2008-10-20 00:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-07-02 14:31 . 2008-10-20 00:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 14:31 . 2008-10-20 00:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-26 18:33 . 2009-04-30 21:33 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
    2009-06-10 20:26 . 2009-03-03 21:17 -------- d-----w- c:\program files\Winmail Reader
    2009-06-02 17:52 . 2009-03-03 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2009-06-02 17:52 . 2009-05-23 06:16 -------- d-----w- c:\program files\SpywareGuard
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\94628116
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\14618124
    2009-05-30 09:00 . 2008-10-22 15:02 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
    2009-05-30 06:49 . 2004-08-26 16:12 212224 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-05-24 17:44 . 2009-05-24 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-05-23 05:35 . 2009-05-23 05:35 -------- d-----w- c:\program files\Trend Micro
    2009-05-22 05:33 . 2008-10-27 15:07 40256 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-21 20:29 . 2009-04-10 01:44 -------- d-----w- c:\program files\MSECache
    2009-05-18 05:43 . 2009-05-18 05:33 2988592 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
    2009-05-17 14:36 . 2008-10-20 00:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-17 06:20 . 2008-10-21 06:45 -------- d-----w- c:\program files\_uninstallation_info
    2009-05-14 22:53 . 2009-07-11 19:53 142804 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
    2009-05-07 03:44 . 2009-05-07 03:44 259265 ----a-w- c:\documents and settings\All Users\Application Data\tmp75E.tmp
    2009-05-01 20:49 . 2009-05-01 20:49 119960 ----a-w- c:\documents and settings\All Users\Application Data\tmp497.tmp
    2009-04-20 02:29 . 2009-04-20 02:29 513939 ----a-w- c:\documents and settings\All Users\Application Data\tmp317.tmp
    .

    ------- Sigcheck -------

    [7] 2004-08-04 19:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
    [7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
    [-] 2009-05-30 06:49 212224 !HASH: COULD NOT OPEN FILE !!!!! c:\windows\system32\dllcache\ndis.sys
    [-] 2009-05-30 06:49 212224 0784FAA43DC0EE4C2D686A31AB28BE46 c:\windows\system32\drivers\ndis.sys

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "LGBLiveUpdate "= "c:\windows\system32\lgbpd.exe" [2009-04-05 1043456]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SunKistEM "= "c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "Mixersel "= "c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-04-03 136600]
    "Adobe Acrobat Speed Launcher "= "c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-10-18 98304]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "High Definition Audio Property Page Shortcut "= "HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
    "SoundMan "= "SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]
    "AlcWzrd "= "ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-22 2744832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate "= "c:\windows\system32\Macromed\Flash\FlashUtil9g.exe" [2008-10-24 218496]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-25 113664]
    HPAiODevice(hp officejet v series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-4-25 487487]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-02 14:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avast!antivirus "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe "=
    "c:\\Program Files\\Mozilla Thunderbird 3 Beta 2\\thunderbird.exe "=
    "c:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe "=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 4:47 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2008 7:06 PM 327688]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2008 7:06 PM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/19/2008 7:06 PM 906520]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/19/2008 7:06 PM 298776]
    R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
    R2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S2 gupdate1c9dc97615601ee;Google Update Service (gupdate1c9dc97615601ee);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 12:45 PM 133104]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/21/2008 9:24 PM 33752]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-07-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-24 17:44]

    2009-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2009-07-14 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

    2009-07-14 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-VnrBlock21 - c:\program files\VnrBlock\VnrBlock21.exe
    HKLM-Run-mondrv411 - c:\windows\mondrv411.exe
    HKLM-Run-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gatewaybiz.com
    mStart Page = hxxp://www.gatewaybiz.com
    uInternet Settings,ProxyServer = 0.0.0.0:80
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: {0D01A5FD-BA52-4273-8F33-6D681F2B42FC} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-15 08:08
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4728)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    c:\windows\system32\hpoipm07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-15 8:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-15 13:14

    Pre-Run: 100,199,686,144 bytes free
    Post-Run: 100,649,971,712 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    308 --- E O F --- 2009-05-15 08:04


    HJT LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:18:48 AM, on 7/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - cmdmapping - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Golden Riviera - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\goldenrivieraMPP\MPPoker.exe (file missing) (HKCU)
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
    O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

    --
    End of file - 9899 bytes
     
  5. 2009/07/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Combofix instructions ask to disable all security programs.


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\mgnfrf.sys
    
    
    Folder::
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  6. 2009/07/15
    Flando

    Flando Inactive Thread Starter

    Joined:
    2009/07/14
    Messages:
    11
    Likes Received:
    0
    Broni,

    When I exited the AVG program from my SysTray, I noticed there were still three or four AVG processes running (presumably the on-access scanning). Each time I try to kill those processes, they re-populate and appear again. So I was forced to run Combo while these processes were running. Should I kill AVG in my Windows startup files and reboot so it won't start up at all? Then, after completing the ComboFix, return the startup file to normal? Just can't figure out how to kill this AVG...

    Thanks for your help!!
     
  7. 2009/07/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's fine. Unfortunately, you're not the first person with that problem.

    Go ahead with Combo script.
     
  8. 2009/07/15
    Flando

    Flando Inactive Thread Starter

    Joined:
    2009/07/14
    Messages:
    11
    Likes Received:
    0
    Disabled everything within the AVG GUI program as well as anything AVG appearing in services.msc, which should have allowed me to kill the processes. However, one AVGRSX.EXE remained and wouldn't die, so there wasn't much I could do.

    Again, we laypeople greatly appreciate what you guys do and thanks for your help! Combo and HJT logs below:


    ComboFix 09-07-14.08 - Owner 07/15/2009 18:16.2.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.641 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\system32\drivers\mgnfrf.sys "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\mgnfrf.sys

    Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
    Restored copy from - The cat ate it :)
    .
    ((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
    .

    2009-07-15 01:44 . 2009-07-15 01:45 -------- d-----w- C:\HJT
    2009-07-15 01:24 . 2009-07-15 01:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
    2009-07-15 01:22 . 2009-07-15 01:22 -------- d-----w- c:\windows\ERUNT
    2009-07-15 01:21 . 2009-07-15 01:38 -------- d-----w- C:\SDFix
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-07-14 21:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-14 21:47 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\program files\Lavasoft
    2009-07-14 21:10 . 2009-07-14 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-14 21:10 . 2009-07-14 21:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-14 20:30 . 2009-07-14 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-14 20:11 . 2009-07-14 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 235520 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:43 338432 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:42 235008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
    2009-07-13 22:19 . 2009-03-24 19:42 345088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-07-13 22:18 . 2009-07-15 23:06 -------- d-----w- c:\program files\Mozilla Firefox Safe
    2009-07-11 20:06 . 2009-07-11 20:06 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-07-11 18:58 . 2009-07-11 20:29 -------- d-----w- c:\program files\Windows Defender
    2009-06-26 18:33 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
    2009-06-26 18:33 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-15 23:22 . 2004-08-26 16:12 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-07-15 18:17 . 2008-10-18 12:11 -------- d-----w- c:\program files\Mozilla Thunderbird
    2009-07-14 22:55 . 2009-07-14 22:55 2200 ----a-w- c:\program files\lfqatyas.txt
    2009-07-13 13:43 . 2008-10-20 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-07-13 13:41 . 2008-10-18 11:47 -------- d-----w- c:\program files\Pure Networks
    2009-07-11 21:28 . 2009-03-18 13:35 -------- d-----w- c:\program files\Google
    2009-07-11 20:50 . 2008-11-16 06:08 -------- d-----w- c:\program files\UltimateBet
    2009-07-11 20:49 . 2009-05-17 06:03 -------- d-----w- c:\program files\SuperBook Poker
    2009-07-11 20:49 . 2009-05-17 06:09 -------- d-----w- c:\program files\Sportsbook Poker
    2009-07-11 20:48 . 2008-10-26 07:19 -------- d-----w- c:\program files\PokerStars.NET
    2009-07-11 20:48 . 2009-05-17 06:31 -------- d-----w- c:\program files\PokerStars
    2009-07-11 20:48 . 2008-10-26 07:04 -------- d-----w- c:\program files\PlayersOnly Poker
    2009-07-11 20:46 . 2008-11-16 04:31 -------- d-----w- c:\program files\Full Tilt Poker.Net
    2009-07-11 20:46 . 2008-10-18 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-11 20:45 . 2009-05-09 11:37 -------- d-----w- c:\program files\DoylesRoom
    2009-07-11 20:45 . 2009-05-20 20:34 -------- d-----w- c:\program files\Coupons
    2009-07-11 20:44 . 2008-11-23 07:12 -------- d-----w- c:\program files\Cake Poker
    2009-07-11 20:44 . 2009-05-23 06:19 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-07-11 20:44 . 2008-10-18 11:44 -------- d-----w- c:\program files\Common Files\AOL
    2009-07-11 20:44 . 2008-10-21 06:46 -------- d-----w- c:\program files\Absolute Poker
    2009-07-11 20:43 . 2008-10-18 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-07-05 04:17 . 2008-10-22 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2009-07-02 14:31 . 2008-10-20 00:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-07-02 14:31 . 2008-10-20 00:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 14:31 . 2008-10-20 00:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-26 18:33 . 2009-04-30 21:33 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
    2009-06-10 20:26 . 2009-03-03 21:17 -------- d-----w- c:\program files\Winmail Reader
    2009-06-02 17:52 . 2009-03-03 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2009-06-02 17:52 . 2009-05-23 06:16 -------- d-----w- c:\program files\SpywareGuard
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\94628116
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\14618124
    2009-05-30 09:00 . 2008-10-22 15:02 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
    2009-05-24 17:44 . 2009-05-24 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-05-23 05:35 . 2009-05-23 05:35 -------- d-----w- c:\program files\Trend Micro
    2009-05-22 05:33 . 2008-10-27 15:07 40256 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-21 20:29 . 2009-04-10 01:44 -------- d-----w- c:\program files\MSECache
    2009-05-18 05:43 . 2009-05-18 05:33 2988592 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
    2009-05-17 14:36 . 2008-10-20 00:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-17 06:20 . 2008-10-21 06:45 -------- d-----w- c:\program files\_uninstallation_info
    2009-05-14 22:53 . 2009-07-11 19:53 142804 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
    2009-05-07 03:44 . 2009-05-07 03:44 259265 ----a-w- c:\documents and settings\All Users\Application Data\tmp75E.tmp
    2009-05-01 20:49 . 2009-05-01 20:49 119960 ----a-w- c:\documents and settings\All Users\Application Data\tmp497.tmp
    2009-04-20 02:29 . 2009-04-20 02:29 513939 ----a-w- c:\documents and settings\All Users\Application Data\tmp317.tmp
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-15_13.08.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-15 23:25 . 2009-07-15 23:25 16384 c:\windows\Temp\Perflib_Perfdata_414.dat
    + 2009-05-30 06:49 . 2009-07-15 23:16 182656 c:\windows\system32\dllcache\ndis.sys
    + 2004-08-26 18:10 . 2009-07-15 18:42 2248192 c:\windows\Installer\1324b.msi
    - 2004-08-26 18:10 . 2009-07-14 23:19 2248192 c:\windows\Installer\1324b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "LGBLiveUpdate "= "c:\windows\system32\lgbpd.exe" [2009-04-05 1043456]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    "VnrBlock21 "= "c:\program files\VnrBlock\VnrBlock21.exe" [BU]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SunKistEM "= "c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "NeroFilterCheck "= "c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "Mixersel "= "c:\program files\Realtek\InstallShield\mixersel.exe" [2003-11-11 369664]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-04-03 136600]
    "Adobe Acrobat Speed Launcher "= "c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-10-18 98304]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "MSConfig "= "c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
    "mondrv411 "= "c:\windows\mondrv411.exe" [BU]
    "BHR "= "c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [BU]
    "High Definition Audio Property Page Shortcut "= "HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
    "SoundMan "= "SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]
    "AlcWzrd "= "ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-22 2744832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate "= "c:\windows\system32\Macromed\Flash\FlashUtil9g.exe" [2008-10-24 218496]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-25 113664]
    HPAiODevice(hp officejet v series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-4-25 487487]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-02 14:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avast!antivirus "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe "=
    "c:\\Program Files\\Mozilla Thunderbird 3 Beta 2\\thunderbird.exe "=
    "c:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe "=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 4:47 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2008 7:06 PM 327688]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2008 7:06 PM 108552]
    R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
    R2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S2 gupdate1c9dc97615601ee;Google Update Service (gupdate1c9dc97615601ee);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 12:45 PM 133104]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/21/2008 9:24 PM 33752]
    S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/19/2008 7:06 PM 906520]
    S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/19/2008 7:06 PM 298776]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-07-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-24 17:44]

    2009-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2009-07-15 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

    2009-07-14 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gatewaybiz.com
    mStart Page = hxxp://www.gatewaybiz.com
    uInternet Settings,ProxyServer = 0.0.0.0:80
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: {0D01A5FD-BA52-4273-8F33-6D681F2B42FC} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-15 18:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3192)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    c:\windows\system32\hpoipm07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
    c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-15 18:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-15 23:31
    ComboFix2.txt 2009-07-15 13:14

    Pre-Run: 100,606,382,080 bytes free
    Post-Run: 100,521,979,904 bytes free


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:33:17 PM, on 7/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - cmdmapping - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Golden Riviera - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\goldenrivieraMPP\MPPoker.exe (file missing) (HKCU)
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)

    --
    End of file - 9332 bytes
     
  9. 2009/07/15
    broni

    broni Moderator Malware Analyst

    How is the computer doing right now?

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between "combofix" and "/u"
    Restart computer.


    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    Post fresh HijackThis log as well.
     
  10. 2009/07/15
    Flando

    Flando Inactive Thread Starter

    It's doing great. iexplore.exe is gone and from what I can see, any malware is gone. I think the SDFix got it along with the ComboFix. I just wanted an expert to view the logs to confirm my hopeful suspicions. Anything irregular you see in the logs? Will run the Dr. CureIt and post the log. Again, thank you so much for your assistance!
     
  11. 2009/07/15
    Flando

    Flando Inactive Thread Starter

    I spoke too soon...here's the DrCure log and HJT:

    lgmin[1].htm\Script.0;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U7IXOTQF\lgmin[1].htm;Trojan.Click.26097;;
    lgmin[1].htm;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U7IXOTQF;Container contains infected objects;Moved.;
    7Sultans.exe;C:\Documents and Settings\Owner\My Documents;Adware.Casino.54;;
    GrandMondial.exe;C:\Documents and Settings\Owner\My Documents;Adware.Casino.54;;
    virtualcity.exe;C:\Documents and Settings\Owner\My Documents;Adware.Casino.54;;
    little silver ring (best quality).mp3;C:\Documents and Settings\Owner\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
    search string cheese incident.mp3;C:\Documents and Settings\Owner\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:40:26 PM, on 7/15/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - cmdmapping - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Golden Riviera - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\goldenrivieraMPP\MPPoker.exe (file missing) (HKCU)
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)

    --
    End of file - 9390 bytes
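    The Dr.Web CureIt report above is a semicolon-separated list (object;location;detection;action;), and the useful question for whoever reads it is which detections were actually cured or moved and which were merely reported. The parser below is an added example written for this thread; it is not part of Dr.Web CureIt or of any post here. The report text inside it is a constructed sample in the same shape as the posted log. It also handles the one wrinkle visible in that log: an object found inside a container (reported as "file\inner" with no action of its own) counts as handled when the container file itself was moved.

```python
"""Parse a Dr.Web CureIt report (DrWeb.csv) and list findings still needing action.

Added example for this thread; not part of Dr.Web CureIt or of any post above.
The report lines are a constructed sample in the same shape as the posted log:
object;location;detection;action;
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample report, same layout as the DrWeb.csv posted in the thread.
SAMPLE_REPORT = r"""
lgmin[1].htm\Script.0;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U7IXOTQF\lgmin[1].htm;Trojan.Click.26097;;
lgmin[1].htm;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\U7IXOTQF;Container contains infected objects;Moved.;
7Sultans.exe;C:\Documents and Settings\Owner\My Documents;Adware.Casino.54;;
GrandMondial.exe;C:\Documents and Settings\Owner\My Documents;Adware.Casino.54;;
virtualcity.exe;C:\Documents and Settings\Owner\My Documents;Adware.Casino.54;;
little silver ring (best quality).mp3;C:\Documents and Settings\Owner\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
search string cheese incident.mp3;C:\Documents and Settings\Owner\My Documents\LimeWire\Saved;Trojan.WMALoader;Cured.;
"""


@dataclass(frozen=True)
class Finding:
    name: str       # object name; "file\inner" for an object inside a container
    location: str   # directory of the file, or the container file for nested objects
    detection: str  # signature name, or a container notice
    action: str     # "Cured.", "Moved.", ... or "" when nothing was done

    @property
    def is_nested(self) -> bool:
        # Dr.Web reports objects inside a container as "container\inner".
        return "\\" in self.name

    @property
    def container_path(self) -> str:
        # The on-disk file this finding lives in.
        return self.location if self.is_nested else self.location + "\\" + self.name


def parse_report(text: str) -> List[Finding]:
    """Split each non-empty report line into its first four fields."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(";")
        if len(parts) < 4:
            continue  # malformed line; a real report should not contain these
        name, location, detection, action = (p.strip() for p in parts[:4])
        findings.append(Finding(name, location, detection, action))
    return findings


def unresolved(findings: List[Finding]) -> List[Finding]:
    """Findings with no action whose containing file was not acted on either."""
    handled: Dict[str, str] = {f.container_path: f.action for f in findings if f.action}
    return [f for f in findings if not f.action and f.container_path not in handled]


def count_by_detection(findings: List[Finding]) -> Counter:
    """How many objects each signature matched; useful for spotting a family."""
    return Counter(f.detection for f in findings)


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(count_by_detection(found))
    for f in unresolved(found):
        print("still present:", f.container_path, "-", f.detection)
```

    Run against the sample, `unresolved()` returns only the three casino installers in My Documents: the nested script is covered by the "Moved." action on its container, and the two mp3 files report "Cured.". Those three are the ones a helper would expect the user to delete by hand.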
     
  12. 2009/07/15
    Flando

    Flando Inactive Thread Starter

    I just noticed Mondrv411.exe is in my start up files and VNRBlock21 as well. Spybot denied the registry and I unchecked both in my startup file.
     
  13. 2009/07/15
    broni

    broni Moderator Malware Analyst

    What happened to AVG? Did you forget to re-enable it?

    Dr.Web findings were rather minor ones.

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ================================================================

    Disable TeaTimer, as it'll interfere with the cleaning process:
    Right click Spybot's TeaTimer System Tray Icon.
    Click Exit Spybot-S&D Resident.
    TeaTimer closes.

    ===============================================================

    Print this post out, since you won't have access to it, at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    - O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
    - O9 - Extra button: (no name) - cmdmapping - (no file)
    - O9 - Extra button: Golden Riviera - {00000000-0000-0000-0000-000000000000} - C:\MicroGaming\Poker\goldenrivieraMPP\MPPoker.exe (file missing) (HKCU)


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    - O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    - O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
    - O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    - O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    - O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    - O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'SYSTEM')
    - O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'Default user')
    - O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    - O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
    - O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



    5. Click on Fix checked button.

    6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

    7. Delete following files/folders (if present):
    Note. If deletion doesn't work, attempt it in Safe Mode - restart computer, and keep tapping F8 key, until menu appears.

    - mondrv411.exe file from C:\WINDOWS
    - VnrBlock folder from C:\Program Files

    8. Restart computer.

    9. Post new HijackThis log.
     
  14. 2009/07/16
    Flando

    Flando Inactive Thread Starter

    I ran HJT and checked each box you suggested. However, there was no option for the "C:\whatever". It appears in the log file in notepad but not in the actual HJT program. Regardless, I cleaned the important files you said to check. I searched all files, (including hidden files, etc.) to no avail. Also tried in Safe Mode and could not find these two Mal files. After rebooting, they appeared again. SpyBot asked if I would allow or deny the registry change from these two malware files (mondrv411.exe and VnrBlock) which of course I denied. Java updated just fine as well. Is there a reason why I can't find these files when searching manually or via MS Search?

    Here's the HJT LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:44:29 AM, on 7/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)

    --
    End of file - 8256 bytes
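    The check a helper does at this point is mechanical: which O4 entries were ticked for "Fix checked", and which of them are still present in the next log? Entries that come back after a fix are either recreated by a legitimate installer (a Java update restores its scheduler entry) or re-written by something still running, and telling the two apart is the whole diagnosis. The script below is an added example written for this thread, not part of HijackThis or of any post here. Its three log extracts are constructed from O4 lines posted earlier: a subset of the 7/15 log, a subset of the 7/16 log, and the fix list from post 13.

```python
"""Compare O4 (autostart) entries across two HijackThis logs.

Added example for this thread; not part of HijackThis or of any post above.
The log extracts are constructed from O4 lines posted earlier in the thread.
"""
import re
from typing import Dict, List, Tuple

Key = Tuple[str, str, str]  # (hive, key name or "Global Startup", value name)

# O4 - HKLM\..\Run: [ValueName] command   (also HKCU, HKUS\<SID>, RunOnce, ...)
RUNKEY_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# O4 - Global Startup: Shortcut.lnk = target
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")

# Constructed extract of the 7/15 log (before the fix).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed extract of the 7/16 log (after the fix and reboot).
AFTER_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
"""

# Entries ticked for "Fix checked" (post 13); lines keep their "- " bullet.
FIX_LIST = r"""
- O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
- O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
- O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
- O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
- O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
- O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9g.exe (User 'SYSTEM')
- O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""


def parse_o4(log_text: str) -> Dict[Key, str]:
    """Map every O4 line to (hive, key, value name) -> command line."""
    entries: Dict[Key, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip().lstrip("- ")  # tolerate the bulleted fix list
        m = RUNKEY_RE.match(line)
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"].strip()
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries[("Global Startup", "", m["name"])] = m["cmd"].strip()
    return entries


def compare(before: Dict[Key, str], after: Dict[Key, str]) -> Dict[str, List[Key]]:
    """Which autostart entries disappeared, appeared, or stayed between two logs."""
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "kept": sorted(set(before) & set(after)),
    }


def survivors(fix_list_text: str, after: Dict[Key, str]) -> List[Key]:
    """Entries that were ticked for 'Fix checked' yet appear in the later log."""
    return sorted(k for k in parse_o4(fix_list_text) if k in after)


if __name__ == "__main__":
    before, after = parse_o4(BEFORE_LOG), parse_o4(AFTER_LOG)
    for label, keys in compare(before, after).items():
        print(label, [k[2] for k in keys])
    print("survived the fix:", [k[2] for k in survivors(FIX_LIST, after)])
```

    On these extracts the survivors are SunJavaUpdateSched, mondrv411 and VnrBlock21. The first is explained by the Java reinstall done in the same session; the other two point at files the user could not find on disk, which is the observation broni reacts to in the next post.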
     
  15. 2009/07/16
    broni

    broni Moderator Malware Analyst

    I can see now why...

    We need to re-run Combofix...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.
     
  16. 2009/07/16
    Flando

    Flando Inactive Thread Starter

    Here's the new ComboFix version LOG:

    ComboFix 09-07-14.08 - Owner 07/16/2009 1:23.3.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.617 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
    .

    2009-07-16 05:08 . 2009-07-16 05:08 -------- d-----w- C:\JavaRA
    2009-07-16 02:07 . 2009-07-16 02:07 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
    2009-07-15 01:44 . 2009-07-15 01:45 -------- d-----w- C:\HJT
    2009-07-15 01:24 . 2009-07-15 01:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
    2009-07-15 01:22 . 2009-07-15 01:22 -------- d-----w- c:\windows\ERUNT
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-07-14 21:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-14 21:47 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\program files\Lavasoft
    2009-07-14 21:10 . 2009-07-14 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-14 21:10 . 2009-07-14 21:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-14 20:30 . 2009-07-14 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-14 20:11 . 2009-07-14 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 235520 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:43 338432 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:42 235008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
    2009-07-13 22:19 . 2009-03-24 19:42 345088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-07-13 22:18 . 2009-07-16 06:09 -------- d-----w- c:\program files\Mozilla Firefox Safe
    2009-07-11 20:06 . 2009-07-11 20:06 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-07-11 18:58 . 2009-07-11 20:29 -------- d-----w- c:\program files\Windows Defender
    2009-06-26 18:33 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
    2009-06-26 18:33 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-16 05:14 . 2008-10-18 11:35 -------- d-----w- c:\program files\Java
    2009-07-16 05:12 . 2009-04-03 00:13 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-16 05:02 . 2008-10-18 12:11 -------- d-----w- c:\program files\Mozilla Thunderbird
    2009-07-15 23:22 . 2004-08-26 16:12 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-07-14 22:55 . 2009-07-14 22:55 2200 ----a-w- c:\program files\lfqatyas.txt
    2009-07-13 13:43 . 2008-10-20 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-07-13 13:41 . 2008-10-18 11:47 -------- d-----w- c:\program files\Pure Networks
    2009-07-11 21:28 . 2009-03-18 13:35 -------- d-----w- c:\program files\Google
    2009-07-11 20:50 . 2008-11-16 06:08 -------- d-----w- c:\program files\UltimateBet
    2009-07-11 20:49 . 2009-05-17 06:03 -------- d-----w- c:\program files\SuperBook Poker
    2009-07-11 20:49 . 2009-05-17 06:09 -------- d-----w- c:\program files\Sportsbook Poker
    2009-07-11 20:48 . 2008-10-26 07:19 -------- d-----w- c:\program files\PokerStars.NET
    2009-07-11 20:48 . 2009-05-17 06:31 -------- d-----w- c:\program files\PokerStars
    2009-07-11 20:48 . 2008-10-26 07:04 -------- d-----w- c:\program files\PlayersOnly Poker
    2009-07-11 20:46 . 2008-11-16 04:31 -------- d-----w- c:\program files\Full Tilt Poker.Net
    2009-07-11 20:46 . 2008-10-18 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-11 20:45 . 2009-05-09 11:37 -------- d-----w- c:\program files\DoylesRoom
    2009-07-11 20:45 . 2009-05-20 20:34 -------- d-----w- c:\program files\Coupons
    2009-07-11 20:44 . 2008-11-23 07:12 -------- d-----w- c:\program files\Cake Poker
    2009-07-11 20:44 . 2009-05-23 06:19 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-07-11 20:44 . 2008-10-18 11:44 -------- d-----w- c:\program files\Common Files\AOL
    2009-07-11 20:44 . 2008-10-21 06:46 -------- d-----w- c:\program files\Absolute Poker
    2009-07-11 20:43 . 2008-10-18 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-07-05 04:17 . 2008-10-22 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2009-07-02 14:31 . 2008-10-20 00:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-07-02 14:31 . 2008-10-20 00:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 14:31 . 2008-10-20 00:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-26 18:33 . 2009-04-30 21:33 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
    2009-06-10 20:26 . 2009-03-03 21:17 -------- d-----w- c:\program files\Winmail Reader
    2009-06-02 17:52 . 2009-03-03 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2009-06-02 17:52 . 2009-05-23 06:16 -------- d-----w- c:\program files\SpywareGuard
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\94628116
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\14618124
    2009-05-30 09:00 . 2008-10-22 15:02 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
    2009-05-24 17:44 . 2009-05-24 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-05-23 05:35 . 2009-05-23 05:35 -------- d-----w- c:\program files\Trend Micro
    2009-05-22 05:33 . 2008-10-27 15:07 40256 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-21 20:29 . 2009-04-10 01:44 -------- d-----w- c:\program files\MSECache
    2009-05-18 05:43 . 2009-05-18 05:33 2988592 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
    2009-05-17 14:36 . 2008-10-20 00:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-14 22:53 . 2009-07-11 19:53 142804 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
    2009-05-07 03:44 . 2009-05-07 03:44 259265 ----a-w- c:\documents and settings\All Users\Application Data\tmp75E.tmp
    2009-05-01 20:49 . 2009-05-01 20:49 119960 ----a-w- c:\documents and settings\All Users\Application Data\tmp497.tmp
    2009-04-20 02:29 . 2009-04-20 02:29 513939 ----a-w- c:\documents and settings\All Users\Application Data\tmp317.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LGBLiveUpdate "= "c:\windows\system32\lgbpd.exe" [2009-04-05 1043456]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SunKistEM "= "c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "RemoteControl "= "c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "Adobe Acrobat Speed Launcher "= "c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-10-18 98304]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-02 14:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avast!antivirus "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe "=
    "c:\\Program Files\\Mozilla Thunderbird 3 Beta 2\\thunderbird.exe "=
    "c:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe "=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=

    R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 4:47 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2008 7:06 PM 327688]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2008 7:06 PM 108552]
    R2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/19/2008 7:06 PM 298776]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/19/2008 7:06 PM 906520]
    S2 gupdate1c9dc97615601ee;Google Update Service (gupdate1c9dc97615601ee);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 12:45 PM 133104]
    S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/21/2008 9:24 PM 33752]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-07-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-24 17:44]

    2009-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2009-07-15 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

    2009-07-14 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-VnrBlock21 - c:\program files\VnrBlock\VnrBlock21.exe
    HKLM-Run-BHR - c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
    HKLM-Run-mondrv411 - c:\windows\mondrv411.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gatewaybiz.com
    mStart Page = hxxp://www.gatewaybiz.com
    uInternet Settings,ProxyServer = 0.0.0.0:80
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: {0D01A5FD-BA52-4273-8F33-6D681F2B42FC} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\Mozilla Firefox Safe\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-16 01:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL

    - - - - - - - > 'explorer.exe'(2276)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-07-16 1:33
    ComboFix-quarantined-files.txt 2009-07-16 06:33
    ComboFix2.txt 2009-07-15 23:32

    Pre-Run: 104,112,574,464 bytes free
    Post-Run: 104,101,543,936 bytes free

    248 --- E O F --- 2009-07-16 02:51


    Here's the HJT LOG:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:36:05 AM, on 7/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\lgbpd.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\CF9130.exe
    C:\WINDOWS\PEV.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Windows Defender\MpCmdRun.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe "
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)

    --
    End of file - 8058 bytes
     
  17. 2009/07/16
    broni

    broni Moderator Malware Analyst

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\tmp75E.tmp
    c:\documents and settings\All Users\Application Data\tmp497.tmp
    c:\documents and settings\All Users\Application Data\tmp317.tmp
    
    
    Folder::
    c:\program files\Viewpoint
    
    Driver::
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avast!antivirus"=-
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
  18. 2009/07/16
    Flando

    Flando Inactive Thread Starter

    ComboFix 09-07-14.08 - Owner 07/16/2009 17:14.4.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.534 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\documents and settings\All Users\Application Data\tmp317.tmp "
    "c:\documents and settings\All Users\Application Data\tmp497.tmp "
    "c:\documents and settings\All Users\Application Data\tmp75E.tmp "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\tmp317.tmp
    c:\documents and settings\All Users\Application Data\tmp497.tmp
    c:\documents and settings\All Users\Application Data\tmp75E.tmp
    c:\program files\Viewpoint
    c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0306003B.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
    c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
    c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
    c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
    c:\program files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
    c:\program files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
    c:\program files\Viewpoint\Viewpoint Experience Technology\VMPUpdateCount.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
    .

    2009-07-16 05:08 . 2009-07-16 05:08 -------- d-----w- C:\JavaRA
    2009-07-16 02:07 . 2009-07-16 02:07 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
    2009-07-15 01:44 . 2009-07-15 01:45 -------- d-----w- C:\HJT
    2009-07-15 01:24 . 2009-07-15 01:24 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll
    2009-07-15 01:22 . 2009-07-15 01:22 -------- d-----w- c:\windows\ERUNT
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-14 22:46 . 2009-07-14 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-14 22:46 . 2009-07-13 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc----w- c:\windows\system32\DRVSTORE
    2009-07-14 21:47 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-07-14 21:47 . 2009-07-14 21:47 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-07-14 21:47 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-07-14 21:47 . 2009-07-14 21:47 -------- d-----w- c:\program files\Lavasoft
    2009-07-14 21:10 . 2009-07-14 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-14 21:10 . 2009-07-14 21:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-14 20:30 . 2009-07-14 20:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-07-14 20:11 . 2009-07-14 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 43008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
    2009-07-13 22:19 . 2009-03-24 19:43 235520 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:43 338432 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
    2009-07-13 22:19 . 2009-03-24 19:42 235008 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\metrics-ff3.dll
    2009-07-13 22:19 . 2009-03-24 19:42 345088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
    2009-07-13 22:18 . 2009-07-16 15:28 -------- d-----w- c:\program files\Mozilla Firefox Safe
    2009-07-11 20:06 . 2009-07-11 20:06 -------- d-----w- c:\windows\system32\wbem\Repository
    2009-07-11 18:58 . 2009-07-11 20:29 -------- d-----w- c:\program files\Windows Defender
    2009-06-26 18:33 . 2009-04-10 13:58 6327408 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\in00000\setup.exe
    2009-06-26 18:33 . 2009-04-10 13:55 725296 ---ha-w- c:\documents and settings\Owner\Application Data\mjusbsp\ar00000\install.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-16 15:06 . 2008-10-18 12:11 -------- d-----w- c:\program files\Mozilla Thunderbird
    2009-07-16 05:14 . 2008-10-18 11:35 -------- d-----w- c:\program files\Java
    2009-07-16 05:12 . 2009-04-03 00:13 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-07-15 23:22 . 2004-08-26 16:12 182656 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-07-14 22:55 . 2009-07-14 22:55 2200 ----a-w- c:\program files\lfqatyas.txt
    2009-07-13 13:43 . 2008-10-20 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-07-13 13:41 . 2008-10-18 11:47 -------- d-----w- c:\program files\Pure Networks
    2009-07-11 21:28 . 2009-03-18 13:35 -------- d-----w- c:\program files\Google
    2009-07-11 20:50 . 2008-11-16 06:08 -------- d-----w- c:\program files\UltimateBet
    2009-07-11 20:49 . 2009-05-17 06:03 -------- d-----w- c:\program files\SuperBook Poker
    2009-07-11 20:49 . 2009-05-17 06:09 -------- d-----w- c:\program files\Sportsbook Poker
    2009-07-11 20:48 . 2008-10-26 07:19 -------- d-----w- c:\program files\PokerStars.NET
    2009-07-11 20:48 . 2009-05-17 06:31 -------- d-----w- c:\program files\PokerStars
    2009-07-11 20:48 . 2008-10-26 07:04 -------- d-----w- c:\program files\PlayersOnly Poker
    2009-07-11 20:46 . 2008-11-16 04:31 -------- d-----w- c:\program files\Full Tilt Poker.Net
    2009-07-11 20:46 . 2008-10-18 11:36 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-11 20:45 . 2009-05-09 11:37 -------- d-----w- c:\program files\DoylesRoom
    2009-07-11 20:45 . 2009-05-20 20:34 -------- d-----w- c:\program files\Coupons
    2009-07-11 20:44 . 2008-11-23 07:12 -------- d-----w- c:\program files\Cake Poker
    2009-07-11 20:44 . 2009-05-23 06:19 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-07-11 20:44 . 2008-10-18 11:44 -------- d-----w- c:\program files\Common Files\AOL
    2009-07-11 20:44 . 2008-10-21 06:46 -------- d-----w- c:\program files\Absolute Poker
    2009-07-11 20:43 . 2008-10-18 11:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-07-05 04:17 . 2008-10-22 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
    2009-07-02 14:31 . 2008-10-20 00:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-07-02 14:31 . 2008-10-20 00:06 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 14:31 . 2008-10-20 00:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-26 18:33 . 2009-04-30 21:33 -------- d-----w- c:\documents and settings\Owner\Application Data\mjusbsp
    2009-06-16 14:36 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-16 14:36 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-10 20:26 . 2009-03-03 21:17 -------- d-----w- c:\program files\Winmail Reader
    2009-06-03 19:09 . 2004-08-26 16:12 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-02 17:52 . 2009-03-03 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
    2009-06-02 17:52 . 2009-05-23 06:16 -------- d-----w- c:\program files\SpywareGuard
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\94628116
    2009-06-01 05:29 . 2009-05-30 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\14618124
    2009-05-30 09:00 . 2008-10-22 15:02 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
    2009-05-24 17:44 . 2009-05-24 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-05-23 05:35 . 2009-05-23 05:35 -------- d-----w- c:\program files\Trend Micro
    2009-05-22 05:33 . 2008-10-27 15:07 40256 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-05-21 20:29 . 2009-04-10 01:44 -------- d-----w- c:\program files\MSECache
    2009-05-18 05:43 . 2009-05-18 05:33 2988592 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Temp\Update.exe
    2009-05-17 14:36 . 2008-10-20 00:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-05-14 22:53 . 2009-07-11 19:53 142804 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
    2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-04-29 04:46 . 2004-08-26 16:12 666624 ----a-w- c:\windows\system32\wininet.dll
    2009-04-29 04:46 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\ieencode.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-16_06.30.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-04-10 08:00 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
    - 2009-04-10 08:00 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
    - 2009-02-20 08:10 . 2009-02-20 08:10 81920 c:\windows\system32\dllcache\ieencode.dll
    + 2009-02-20 08:10 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
    + 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
    - 2008-10-22 16:32 . 2009-05-15 08:04 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
    + 2004-08-26 16:12 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
    + 2004-08-26 16:12 . 2009-04-15 14:51 585216 c:\windows\system32\rpcrt4.dll
    + 2004-08-26 10:54 . 2009-07-16 12:01 184224 c:\windows\system32\FNTCACHE.DAT
    - 2004-08-26 10:54 . 2009-05-23 06:38 184224 c:\windows\system32\FNTCACHE.DAT
    + 2008-08-20 05:30 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll
    + 2008-08-20 05:30 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
    + 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
    + 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
    + 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
    + 2008-10-22 16:32 . 2009-07-16 20:24 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe
    + 2008-10-22 16:32 . 2009-07-16 20:24 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
    - 2008-10-22 16:32 . 2009-05-15 08:04 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe
    + 2004-08-26 16:12 . 2009-04-17 12:26 1847168 c:\windows\system32\win32k.sys
    + 2004-08-26 16:12 . 2009-04-29 04:46 1499136 c:\windows\system32\shdocvw.dll
    - 2004-08-26 16:12 . 2009-03-02 23:04 1499136 c:\windows\system32\shdocvw.dll
    + 2004-08-26 16:12 . 2009-04-29 04:46 3068928 c:\windows\system32\mshtml.dll
    + 2008-10-19 08:03 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
    + 2008-08-20 05:30 . 2009-04-29 04:46 1499136 c:\windows\system32\dllcache\shdocvw.dll
    - 2008-08-20 05:30 . 2009-03-02 23:04 1499136 c:\windows\system32\dllcache\shdocvw.dll
    + 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
    + 2008-08-20 05:30 . 2009-04-29 04:46 3068928 c:\windows\system32\dllcache\mshtml.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LGBLiveUpdate"="c:\windows\system32\lgbpd.exe" [2009-04-05 1043456]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-24 39408]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-10-18 98304]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "BHR"="c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [BU]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [BU]
    "MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-02 14:31 11952 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\windefend]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
    "c:\\Program Files\\Mozilla Thunderbird 3 Beta 2\\thunderbird.exe"=
    "c:\\Program Files\\activePDF\\PrimoPDF\\PrimoPDF.exe"=
    "c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/14/2009 4:47 PM 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/19/2008 7:06 PM 327688]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/19/2008 7:06 PM 108552]
    R2 windefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/19/2008 7:06 PM 906520]
    S2 gupdate1c9dc97615601ee;Google Update Service (gupdate1c9dc97615601ee);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 12:45 PM 133104]
    S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/21/2008 9:24 PM 33752]
    S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/19/2008 7:06 PM 298776]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-07-16 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-24 17:44]

    2009-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-05-24 17:44]

    2009-07-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

    2009-07-15 c:\windows\Tasks\ParetoLogic Registration.job
    - c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-21 05:36]

    2009-07-14 c:\windows\Tasks\ParetoLogic Update Version2.job
    - c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-21 05:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.gatewaybiz.com
    mStart Page = hxxp://www.gatewaybiz.com
    uInternet Settings,ProxyServer = 0.0.0.0:80
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: {0D01A5FD-BA52-4273-8F33-6D681F2B42FC} = 208.67.222.222,208.67.220.220
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\25bwot1e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1591.6512\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox Safe\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox Safe\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox Safe\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-16 17:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\TEMP\TMP000001537B0916B552DB414E 524288 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2009-07-16 17:29
    ComboFix-quarantined-files.txt 2009-07-16 22:28
    ComboFix2.txt 2009-07-16 06:33
    ComboFix3.txt 2009-07-15 23:32

    Pre-Run: 104,000,540,672 bytes free
    Post-Run: 103,984,275,456 bytes free

    337 --- E O F --- 2009-07-16 11:34



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:08:32 PM, on 7/16/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox Safe\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
    O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    O4 - HKCU\..\Run: [LGBLiveUpdate] C:\WINDOWS\system32\lgbpd.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Owner\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} -
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0D01A5FD-BA52-4273-8F33-6D681F2B42FC}: NameServer = 208.67.222.222,208.67.220.220
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Update Service (gupdate1c9dc97615601ee) (gupdate1c9dc97615601ee) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)

    --
    End of file - 7868 bytes
     
  19. 2009/07/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between "combofix" and "/u".
    Restart computer.


    Disable TeaTimer again.
    Open HJT, and checkmark:
    - O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
    - O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"

    Click "Fix checked" button.
    Restart computer.
    Post fresh HJT log.

    Those files (mondrv411.exe and VnrBlock21.exe) were removed by Combofix a long time ago; only the registry entries are left (nothing dangerous, but they should be removed).

    I didn't notice the above before, so this time, ALLOW registry changes.
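The situation broni describes above, autorun registry entries that survive after the executables they point to were deleted, is exactly the kind of thing worth automating when triaging an HJT log. The following is an added example, not code from the thread or from HijackThis: a small parser for the O4 (Run key) and O23 (service) lines of an HJT log that flags Run entries whose target executable is absent and services marked "(file missing)". Because it runs offline, the set of files "present on disk" is supplied by the caller (SIMULATED_DISK, constructed for the example) instead of being read with os.path.exists(). The two O4 lines and the PrismXL O23 line are taken from the log in this thread; the AVG tray entry and the Lavasoft service line are constructed sample input.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
# (O4 "Global Startup:" lines have a different shape and are skipped here.)
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: Display name (short name) - Owner - path [(file missing)]
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
MISSING_MARK = "(file missing)"


@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    path: str  # executable extracted from the command, arguments dropped


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool


def _exe_path(cmd: str) -> str:
    """Return the executable part of a Run-key command.

    Handles quoted commands ("C:\\Program Files\\x.exe" -args) and unquoted
    ones (C:\\WINDOWS\\x.exe -args); anything after the executable is ignored.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_hjt(lines: Iterable[str]) -> Tuple[List[AutorunEntry], List[ServiceEntry]]:
    """Extract O4 autorun entries and O23 services; other HJT sections are ignored."""
    autoruns: List[AutorunEntry] = []
    services: List[ServiceEntry] = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            autoruns.append(AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"], _exe_path(m["cmd"])))
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"].strip()
            missing = path.endswith(MISSING_MARK)
            if missing:
                path = path[: -len(MISSING_MARK)].strip()
            services.append(ServiceEntry(m["name"], m["owner"], path, missing))
    return autoruns, services


def orphaned_autoruns(autoruns: List[AutorunEntry], existing_files: Set[str]) -> List[AutorunEntry]:
    """Run-key entries whose executable is not among existing_files (case-insensitive, as on NTFS)."""
    present = {p.lower() for p in existing_files}
    return [a for a in autoruns if a.path.lower() not in present]


def missing_services(services: List[ServiceEntry]) -> List[ServiceEntry]:
    """Services HJT already marked as pointing at a non-existent file."""
    return [s for s in services if s.file_missing]


# Sample log: the first two O4 lines and the PrismXL O23 line come from the thread;
# the AVG and Lavasoft lines are constructed benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [mondrv411] C:\WINDOWS\mondrv411.exe
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: PrismXL - Unknown owner - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (file missing)
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
""".strip().splitlines()

# Constructed stand-in for the files actually present on the machine.
SIMULATED_DISK = {
    r"C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe",
}


def triage(lines: Iterable[str], existing_files: Set[str]) -> dict:
    """Summarise leftover autorun entries and missing-file services for a log."""
    autoruns, services = parse_hjt(lines)
    return {
        "orphaned_autoruns": [f"{a.hive}\\..\\{a.key}: [{a.name}] -> {a.path}"
                              for a in orphaned_autoruns(autoruns, existing_files)],
        "missing_services": [f"{s.name} -> {s.path}" for s in missing_services(services)],
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG, SIMULATED_DISK).items():
        print(section)
        for item in items:
            print("  ", item)
```

On a live Windows host the `existing_files` set would be replaced by a real `os.path.exists()` check; the point of the separation is that the parser itself can be exercised against any saved log.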
     
  20. 2009/07/16
    Flando

    Flando Inactive Thread Starter

    Joined:
    2009/07/14
    Messages:
    11
    Likes Received:
    0
    That did the trick. Thank you so much for helping me out on this. I greatly appreciate it!!!
     
  21. 2009/07/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Haha... we were running in circles for a while because of some misunderstanding.

    Now....last step.

    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Let me know how your computer is doing.
     
