
Solved Virus problem

Discussion in 'Malware and Virus Removal Archive' started by RickyD2, 2010/05/14.

  1. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    [Resolved] Virus problem

    I apparently have picked up a virus that neither CCleaner, AVG, or Microsoft Security Essentials will detect. What it is doing is adding history lines to my history folder in random fashion and when I delete them they just re-appear.

    Can someone tell me where I can find the History folder in My Computer or wherever so I can try to go there and try to delete these things.

    Anyone with other ideas?
     
  2. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    I downloaded the dds file but cannot get it to run, it will reply with some instructions then disappear. I'm going to try downloading it from the other source.

    I'm having no better luck with the other source. I get the DOS dialog box with some instructions then it disappears.
     
    Last edited: 2010/05/14


  4. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Since I could not get the dds file to cooperate, here is a HijackThis log file for you all to look at.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:39:51 PM, on 5/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AVG\AVG9\avgui.exe
    C:\Program Files\AVG\AVG9\avgscanx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe
    C:\WINDOWS\Cfigea.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\RICHAR~1.HOM\LOCALS~1\Temp\Cml.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.43,93.188.166.178
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.43,93.188.166.178
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe
    O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)



    Please let me know what you think.
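Added example, not code from the thread or from HijackThis: a Python triage pass over HijackThis-format entry lines that encodes what an analyst checks by eye in a log like the one above: autoruns launched from a Temp directory or under random-looking value names (O4), resolvers that are public and not on a trusted list (O17), and Winlogon/service entries whose binary is missing or lives under a \\?\globalroot device path (O20/O23). The sample lines are constructed from the posted log; the rule names and the trusted-resolver list are this example's own conventions.

```python
"""Triage helper for HijackThis v2 log entries (added example)."""
import re
from collections import namedtuple
from ipaddress import ip_address

Finding = namedtuple("Finding", "section rule entry")

# Constructed sample: a handful of lines in the format of the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [M5T8QL3YW3] C:\DOCUME~1\RICHAR~1.HOM\LOCALS~1\Temp\Cml.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.43,93.188.166.178
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Windows MSI - Unknown owner - \\?\globalrootC:\WINDOWS\system32\msihost.exe (file missing)
"""

# "O4 - <body>", "R1 - <body>", ... : section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Any path component named Temp (covers 8.3 forms such as LOCALS~1\Temp).
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)
# Eight or more upper-case letters and digits, with at least one of each.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def check_run_key(body):
    """O4 heuristics: autorun from a Temp folder, random-looking value name."""
    m = RUN_RE.match(body)
    if not m:
        return []  # e.g. "Startup: foo.lnk = ..." entries are not Run values
    rules = []
    if TEMP_DIR_RE.search(m.group("cmd")):
        rules.append("autorun-from-temp")
    if RANDOM_NAME_RE.match(m.group("name")):
        rules.append("random-name-autorun")
    return rules


def check_nameserver(body, trusted_dns):
    """O17: flag resolvers that are public and not on the trusted list."""
    _, sep, servers = body.partition("NameServer =")
    if not sep:
        return []
    rules = []
    for server in servers.split(","):
        server = server.strip()
        try:
            ip = ip_address(server)
        except ValueError:
            rules.append("unparseable-resolver:" + server)
            continue
        if not ip.is_private and server not in trusted_dns:
            rules.append("untrusted-resolver:" + server)
    return rules


def check_loaded_module(body):
    """O20/O23: binary reported missing, or loaded via a device-namespace path."""
    rules = []
    if "(file missing)" in body:
        rules.append("file-missing")
    if "globalroot" in body.lower():
        rules.append("globalroot-path")
    return rules


def triage(log_text, trusted_dns=frozenset()):
    """Apply every heuristic and return the resulting Finding tuples."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O4":
            rules = check_run_key(body)
        elif section == "O17":
            rules = check_nameserver(body, trusted_dns)
        elif section in ("O20", "O23"):
            rules = check_loaded_module(body)
        else:
            rules = []
        findings.extend(Finding(section, rule, body) for rule in rules)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.rule:35} {f.entry}")
```

A flagged line is a lead for the analyst to verify (for O17, with the ISP's published resolver addresses), not a verdict on its own.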
     
  5. 2010/05/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ==============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    exeHelper by Raktor
    Build 20100414
    Run at 22:55:41 on 05/14/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Deleting file C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Security Tool.lnk
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  7. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as Richard Doenges on 05/14/2010 at 22:54:51.


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Temporary Internet Files\Content.IE5\9TBWV5J6\rkill[1].scr


    Rkill completed on 05/14/2010 at 22:55:16.
     
  8. 2010/05/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    ...and Combofix?
     
  9. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Here is the ComboFix log file - HijackThis will follow on another page.

    ComboFix 10-05-14.06 - Richard Doenges 05/14/2010 23:17:55.4.1 - FAT32x86
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Downloaded Installers
    c:\program files\Downloaded Installers\{0DA76892-D849-422B-80D0-E4FC26009AB9}\setup.msi
    c:\program files\Search Guard Plus
    c:\program files\Search Guard Plus\fbsProtection.xml
    c:\program files\Search Guard Plus\fbsSearchProvider.xml
    c:\program files\Search Guard Plus\FbsSearchProviderIE8.exe
    c:\program files\Search Guard Plus\SearchGuardPlus.exe
    c:\program files\Search Guard Plus\SearchGuardPlus.ico
    c:\program files\Search Guard Plus\uninstalSGP.exe
    c:\program files\Search Guard PlusU
    c:\program files\Search Guard PlusU\SGPU.ico
    c:\program files\Search Guard PlusU\sgpUpdater.exe
    c:\program files\Search Guard PlusU\sgpUpdater.xml
    c:\program files\Search Guard PlusU\sgpUpdaters.exe
    c:\program files\Search Guard PlusU\uninstalSGPU.exe
    c:\program files\SGPSA
    c:\program files\SGPSA\BHO.dll
    c:\windows\Cfigea.exe
    c:\windows\Downloaded Program Files\ODCTOOLS
    c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
    c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
    c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AXPSHOOK11
    -------\Legacy_WINDOWS_MSI
    -------\Service_Windows MSI


    ((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
    .

    2010-05-15 00:48 . 2010-05-15 00:48 -------- d-----w- C:\FOUND.003
    2010-05-15 00:36 . 2010-05-15 00:36 -------- d-----w- C:\7a9f938b3d43a523dbb663
    2010-05-14 20:36 . 2010-05-14 20:36 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\ElevatedDiagnostics
    2010-05-14 17:13 . 2010-05-14 17:13 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-14 15:51 . 2010-05-14 15:52 368 ----a-w- c:\windows\system32\drivers\viabmbrq.dat
    2010-05-14 15:48 . 2010-05-14 15:48 -------- d-----w- c:\program files\CCleaner
    2010-05-14 15:10 . 2010-05-14 15:10 452 ----a-w- c:\windows\system32\drivers\yzhvvmno.dat
    2010-05-14 03:54 . 2010-05-14 03:54 368 ----a-w- c:\windows\system32\drivers\jxqbtqyt.dat
    2010-05-14 03:37 . 2010-05-14 03:37 368 ----a-w- c:\windows\system32\drivers\xjjrihkr.dat
    2010-05-14 03:21 . 2010-05-14 03:21 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\AVG9
    2010-05-13 22:14 . 2010-05-13 22:14 368 ----a-w- c:\windows\system32\drivers\iuppukxv.dat
    2010-05-13 22:05 . 2010-05-13 22:05 452 ----a-w- c:\windows\system32\drivers\xrsqfphi.dat
    2010-05-13 20:49 . 2010-05-13 20:49 368 ----a-w- c:\windows\system32\drivers\hnslqpep.dat
    2010-05-13 16:58 . 2010-05-13 16:58 -------- d-----w- C:\FOUND.002
    2010-05-13 14:46 . 2010-05-13 14:46 -------- d-----w- C:\FOUND.001
    2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\35568229
    2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\25827327
    2010-05-12 21:48 . 2010-05-12 21:48 -------- d-----w- C:\FOUND.000
    2010-05-10 22:45 . 2010-05-10 22:45 -------- d--h--w- c:\windows\ie8
    2010-05-10 21:20 . 2010-05-10 21:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Applications
    2010-04-29 18:56 . 2010-04-29 18:56 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-04-26 21:57 . 2010-04-26 21:57 -------- d-----w- C:\2167da7775d242252848
    2010-04-25 18:09 . 2010-04-25 18:09 -------- d-----w- C:\AVGcon
    2010-04-25 17:58 . 2010-04-25 17:58 -------- d-----w- C:\AVGTemp
    2010-04-24 00:46 . 2010-04-24 00:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-24 00:07 . 2010-04-24 00:07 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Sunbelt Software
    2010-04-23 19:10 . 2010-04-23 19:10 -------- d-----w- C:\$AVG
    2010-04-23 19:08 . 2010-04-23 19:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
    2010-04-23 18:22 . 2010-04-23 18:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-15 04:45 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-05-15 04:40 . 2008-02-03 17:16 687181 ------w- c:\windows\Internet Logs\tvDebug.Zip
    2010-05-15 04:38 . 2010-05-15 04:43 567296 ------w- c:\windows\Internet Logs\xDB303.tmp
    2010-05-14 15:25 . 2010-05-14 15:25 138594 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_14_10_19_41_small.dmp.zip
    2010-05-13 16:53 . 2010-05-13 16:59 3142656 ------w- c:\windows\Internet Logs\xDB302.tmp
    2010-05-13 16:53 . 2010-05-13 16:59 1094144 ------w- c:\windows\Internet Logs\xDB301.tmp
    2010-05-13 16:47 . 2010-05-13 16:52 3143680 ------w- c:\windows\Internet Logs\xDB300.tmp
    2010-05-13 15:23 . 2010-05-13 15:23 133443 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_13_10_18_18_small.dmp.zip
    2010-05-12 15:43 . 2010-05-12 15:43 132721 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_12_10_37_41_small.dmp.zip
    2010-05-11 19:47 . 2010-05-11 19:58 3096576 ------w- c:\windows\Internet Logs\xDB2FF.tmp
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 15:15 . 2010-05-06 15:15 21998064 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_06_10_08_43_full.dmp.zip
    2010-05-04 15:10 . 2010-05-04 15:10 128312 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_04_10_05_00_small.dmp.zip
    2010-05-04 01:14 . 2010-05-04 14:49 8704 ------w- c:\windows\Internet Logs\xDB2FE.tmp
    2010-05-04 01:01 . 2010-05-04 01:14 1507328 ------w- c:\windows\Internet Logs\xDB2FD.tmp
    2010-05-02 04:36 . 2010-05-02 15:02 3038720 ------w- c:\windows\Internet Logs\xDB2FC.tmp
    2010-05-02 04:36 . 2010-05-02 15:02 478720 ------w- c:\windows\Internet Logs\xDB2FB.tmp
    2010-04-30 04:21 . 2010-04-30 16:27 3034624 ------w- c:\windows\Internet Logs\xDB2FA.tmp
    2010-04-29 17:41 . 2010-04-29 17:42 3009024 ------w- c:\windows\Internet Logs\xDB2F9.tmp
    2010-04-29 14:58 . 2010-04-29 14:58 129502 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_29_09_53_08_small.dmp.zip
    2010-04-27 21:42 . 2010-04-28 04:12 272896 ------w- c:\windows\Internet Logs\xDB2F8.tmp
    2010-04-26 18:29 . 2010-04-26 18:44 8704 ------w- c:\windows\Internet Logs\xDB2F7.tmp
    2010-04-26 02:44 . 2010-04-26 18:29 1540096 ------w- c:\windows\Internet Logs\xDB2F6.tmp
    2010-04-25 16:18 . 2010-04-25 16:18 129723 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_25_11_12_48_small.dmp.zip
    2010-04-23 19:12 . 2010-04-23 19:14 2886656 ------w- c:\windows\Internet Logs\xDB2F5.tmp
    2010-04-23 19:10 . 2008-04-16 20:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-23 19:10 . 2008-04-16 20:45 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-23 19:10 . 2007-11-19 15:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-04-23 19:09 . 2008-04-16 20:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-04-23 19:09 . 2008-04-16 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-04-22 20:49 . 2010-04-23 16:02 185344 ------w- c:\windows\Internet Logs\xDB2F3.tmp
    2010-04-22 20:49 . 2010-04-23 16:02 2860544 ------w- c:\windows\Internet Logs\xDB2F4.tmp
    2010-04-21 17:57 . 2010-04-21 17:57 143519 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_21_12_51_27_small.dmp.zip
    2010-04-21 17:51 . 2010-04-21 17:51 2840064 ------w- c:\windows\Internet Logs\xDB2F2.tmp
    2010-04-21 17:51 . 2010-04-21 17:51 87552 ------w- c:\windows\Internet Logs\xDB2F1.tmp
    2010-04-20 17:21 . 2010-04-20 17:21 2837504 ------w- c:\windows\Internet Logs\xDB2F0.tmp
    2010-04-20 17:21 . 2010-04-20 17:21 319488 ------w- c:\windows\Internet Logs\xDB2EF.tmp
    2010-04-15 19:44 . 2010-04-16 21:24 8704 ------w- c:\windows\Internet Logs\xDB2EE.tmp
    2010-04-15 19:29 . 2010-04-15 19:44 1474560 ------w- c:\windows\Internet Logs\xDB2ED.tmp
    2010-04-14 17:46 . 2010-04-14 17:48 2813440 ------w- c:\windows\Internet Logs\xDB2EC.tmp
    2010-04-13 16:51 . 2010-04-13 16:51 129648 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_13_11_46_05_small.dmp.zip
    2010-04-09 20:06 . 2010-04-11 21:40 8704 ------w- c:\windows\Internet Logs\xDB2EB.tmp
    2010-04-09 18:28 . 2010-04-09 20:06 1343488 ------w- c:\windows\Internet Logs\xDB2EA.tmp
    2010-04-08 17:22 . 2009-03-24 21:18 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-08 16:39 . 2010-04-08 16:49 2766848 ------w- c:\windows\Internet Logs\xDB2E9.tmp
    2010-04-08 16:39 . 2010-04-08 16:49 617472 ------w- c:\windows\Internet Logs\xDB2E8.tmp
    2010-04-08 04:50 . 2010-04-08 16:38 2766848 ------w- c:\windows\Internet Logs\xDB2E7.tmp
    2010-04-07 18:51 . 2010-04-07 18:51 -------- d-----w- c:\program files\Common Files\Java
    2010-03-28 19:34 . 2010-03-28 19:53 2740736 ------w- c:\windows\Internet Logs\xDB2E6.tmp
    2010-03-28 19:34 . 2010-03-28 19:53 522752 ------w- c:\windows\Internet Logs\xDB2E5.tmp
    2010-03-28 05:32 . 2010-03-28 19:33 2740736 ------w- c:\windows\Internet Logs\xDB2E4.tmp
    2010-03-27 19:21 . 2010-03-27 19:21 236464 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_03_27_14_15_52_small.dmp.zip
    2010-03-27 19:16 . 2010-03-27 19:16 2732032 ------w- c:\windows\Internet Logs\xDB2E3.tmp
    2010-03-26 16:30 . 2010-03-26 16:31 2730496 ------w- c:\windows\Internet Logs\xDB2E2.tmp
    2010-03-23 07:33 . 2010-03-23 17:11 2721792 ------w- c:\windows\Internet Logs\xDB2E1.tmp
    2010-03-23 00:38 . 2010-03-23 00:45 2703872 ------w- c:\windows\Internet Logs\xDB2E0.tmp
    2010-03-23 00:29 . 2010-03-23 00:29 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c85ff5b-n\decora-sse.dll
    2010-03-23 00:29 . 2010-03-23 00:29 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\msvcp71.dll
    2010-03-23 00:29 . 2010-03-23 00:29 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\jmc.dll
    2010-03-23 00:29 . 2010-03-23 00:29 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\msvcr71.dll
    2010-03-23 00:29 . 2010-03-23 00:29 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c85ff5b-n\decora-d3d.dll
    2010-03-22 21:49 . 2010-03-22 21:49 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\FixCleaner
    2010-03-22 21:49 . 2010-03-22 21:48 -------- d-----w- c:\program files\FixCleaner
    2010-03-20 18:03 . 2010-03-20 22:21 8704 ------w- c:\windows\Internet Logs\xDB2DF.tmp
    2010-03-20 04:02 . 2010-03-20 18:03 1179648 ------w- c:\windows\Internet Logs\xDB2DC.tmp
    2010-03-17 20:04 . 2010-03-18 20:12 8704 ------w- c:\windows\Internet Logs\xDB2DB.tmp
    2010-03-17 19:52 . 2010-03-17 20:04 1114112 ------w- c:\windows\Internet Logs\xDB2DA.tmp
    2010-03-16 21:32 . 2010-03-17 00:45 8704 ------w- c:\windows\Internet Logs\xDB2D9.tmp
    2010-03-16 21:32 . 2010-03-16 21:32 2638848 ------w- c:\windows\Internet Logs\xDB2DE.tmp
    2010-03-16 21:32 . 2010-03-16 21:32 8192 ------w- c:\windows\Internet Logs\xDB2DD.tmp
    2010-03-16 19:27 . 2010-03-16 21:31 8704 ------w- c:\windows\Internet Logs\xDB2D8.tmp
    2010-03-16 19:27 . 2010-03-16 19:27 2632192 ------w- c:\windows\Internet Logs\xDB2D7.tmp
    2010-03-16 19:27 . 2010-03-16 19:27 8192 ------w- c:\windows\Internet Logs\xDB2D6.tmp
    2010-03-15 20:32 . 2010-03-16 19:25 8704 ------w- c:\windows\Internet Logs\xDB2D4.tmp
    2010-03-15 04:36 . 2010-03-15 20:32 1146880 ------w- c:\windows\Internet Logs\xDB2D3.tmp
    2010-03-12 04:04 . 2010-03-12 20:14 607232 ------w- c:\windows\Internet Logs\xDB2D2.tmp
    2010-03-12 04:04 . 2010-03-12 20:14 2617344 ------w- c:\windows\Internet Logs\xDB2D5.tmp
    2010-03-10 06:15 . 2003-03-31 17:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-04 19:37 . 2006-01-15 21:37 19176 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-02 18:38 . 2008-10-16 15:36 163121891 ----a-w- C:\fix.ZIP
    2010-03-02 02:10 . 2010-03-02 17:30 8704 ------w- c:\windows\Internet Logs\xDB2D1.tmp
    2010-02-28 05:04 . 2010-03-02 02:10 1212416 ------w- c:\windows\Internet Logs\xDB2D0.tmp
    2010-02-26 01:32 . 2010-02-26 01:50 219648 ------w- c:\windows\Internet Logs\xDB2CF.tmp
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2003-03-31 17:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 22:30 . 2010-02-23 23:12 2518528 ------w- c:\windows\Internet Logs\xDB2CE.tmp
    2010-02-23 16:36 . 2010-02-23 16:47 8704 ------w- c:\windows\Internet Logs\xDB2CD.tmp
    2010-02-23 16:16 . 2010-02-23 16:36 2392064 ------w- c:\windows\Internet Logs\xDB2CC.tmp
    2010-02-17 14:10 . 2003-03-31 17:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 06:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R1 raxwhnfo;raxwhnfo;c:\windows\system32\drivers\raxwhnfo.sys [x]
    R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-02-23 369920]
    S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-04-23 52872]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-23 216200]
    S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-04-24 95024]
    S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-04-23 916760]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-23 308064]
    S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2009-04-26 90352]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-15 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

    2010-05-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-05-12 c:\windows\Tasks\FixCleaner Scan.job
    - c:\program files\FixCleaner\FixCleaner.exe [2010-03-22 17:30]

    2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-05-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

    2010-05-14 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-14 23:43
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3628)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\program files\WinZip\wzshlstb.dll
    c:\progra~1\MID86E~1\shellext.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Essentials\MsMpEng.exe
    c:\program files\FireTrust\MailWasher Pro\MailWasher.exe
    c:\program files\Executive Software\Diskeeper Home Edition\DKService.exe
    c:\windows\system32\imapi.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\AVG\AVG9\avgam.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\pctspk.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\Outlook Express\msimn.exe
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\program files\Internet Explorer\IEXPLORE.EXE
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-14 23:53:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-15 04:53

    Pre-Run: 13,542,653,952 bytes free
    Post-Run: 13,714,751,488 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    C:\= "Microsoft Windows "

    - - End Of File - - 6EBD88B98F71357B5F97F0DE107E4403
     
  10. 2010/05/14
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Here is the new HijackThis log file -

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:54:08 PM, on 5/14/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ComboFix\CF29482.cfxxe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\notepad.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6568 bytes
     
  11. 2010/05/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\viabmbrq.dat
    c:\windows\system32\drivers\yzhvvmno.dat
    c:\windows\system32\drivers\jxqbtqyt.dat
    c:\windows\system32\drivers\xjjrihkr.dat
    c:\windows\system32\drivers\iuppukxv.dat
    c:\windows\system32\drivers\xrsqfphi.dat
    c:\windows\system32\drivers\hnslqpep.dat
    c:\windows\system32\drivers\raxwhnfo.sys

    Folder::

    Driver::
    raxwhnfo

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=-
     "FirewallOverride"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
     "DisableMonitoring"=-

    RegLockDel::

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
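As an added example (not broni's script and not a ComboFix tool), here is a Python checker that reads a ComboFix log for the three indicator classes the script above targets (eight-letter .dat files dropped in the drivers folder, a registered driver whose file is missing, and Security Center override values set to 1) and renders what it finds in the same CFScript layout. The sample log lines are constructed from values in this thread; the "eight random letters" and "[x] marks a missing file" heuristics are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix log posted in this thread:
# a few "Files Created" lines, a slice of "Reg Loading Points" and the
# service/driver list. Values are copied from the thread, not invented.
SAMPLE_LOG = r"""
2010-05-14 15:51 . 2010-05-14 15:52 368 ----a-w- c:\windows\system32\drivers\viabmbrq.dat
2010-05-14 15:10 . 2010-05-14 15:10 452 ----a-w- c:\windows\system32\drivers\yzhvvmno.dat
2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

R1 raxwhnfo;raxwhnfo;c:\windows\system32\drivers\raxwhnfo.sys [x]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-23 216200]
"""

# "Files Created" line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")
# Heuristic (assumption): eight lowercase letters + .dat inside the drivers folder
RANDOM_DAT = re.compile(r"^c:\\windows\\system32\\drivers\\[a-z]{8}\.dat$", re.I)
REG_KEY = re.compile(r"^\[(.+)\]$")
# Tolerates stray whitespace before the closing quote of the value name
REG_VALUE = re.compile(r'^"([^"]+?)\s*"=(.*)$')
# Service/driver line whose file is missing; "[x]" is ComboFix's marker for that
DRIVER_LINE = re.compile(r"^[RS]\d ([^;]+);[^;]+;(.+?) \[x\]$")
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
OVERRIDES = {"antivirusoverride", "firewalloverride", "disablemonitoring"}


def parse_findings(log_text: str) -> List[Dict[str, str]]:
    """Scan a ComboFix log for the three indicator classes seen in this thread."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m and RANDOM_DAT.match(m.group(3)):
            findings.append({"kind": "file", "target": m.group(3)})
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = REG_VALUE.match(line)
        if m and current_key.lower().startswith(SECURITY_CENTER):
            name, data = m.group(1).strip(), m.group(2).strip()
            # A value of 1 tells Security Center to stop reporting missing
            # AV / firewall coverage, which hides a disabled defence.
            if name.lower() in OVERRIDES and data.lower() == "dword:00000001":
                findings.append({"kind": "registry", "key": current_key, "name": name})
            continue
        m = DRIVER_LINE.match(line)
        if m:
            # A registered driver with no file on disk is a leftover to remove.
            findings.append({"kind": "driver", "name": m.group(1), "target": m.group(2)})
    return findings


def build_cfscript(findings: List[Dict[str, str]]) -> str:
    """Render findings in the File:: / Driver:: / Registry:: layout used above."""
    files = [f["target"] for f in findings if f["kind"] == "file"]
    files += [f["target"] for f in findings if f["kind"] == "driver"]
    drivers = [f["name"] for f in findings if f["kind"] == "driver"]
    by_key: Dict[str, List[str]] = {}
    for f in findings:
        if f["kind"] == "registry":
            by_key.setdefault(f["key"], []).append(f["name"])
    out = ["File::", *files, "", "Driver::", *drivers, "", "Registry::"]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        # "=-" is the REGEDIT4 syntax for "delete this value".
        out.extend(f'"{name}"=-' for name in names)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_findings(SAMPLE_LOG)))
```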
     
  12. 2010/05/15
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    ComboFix 10-05-14.06 - Richard Doenges 05/15/2010 11:03:23.5.1 - FAT32x86
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
    .

    2010-05-15 00:48 . 2010-05-15 00:48 -------- d-----w- C:\FOUND.003
    2010-05-15 00:36 . 2010-05-15 00:36 -------- d-----w- C:\7a9f938b3d43a523dbb663
    2010-05-14 20:36 . 2010-05-14 20:36 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\ElevatedDiagnostics
    2010-05-14 17:13 . 2010-05-14 17:13 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-14 15:51 . 2010-05-14 15:52 368 ----a-w- c:\windows\system32\drivers\viabmbrq.dat
    2010-05-14 15:48 . 2010-05-14 15:48 -------- d-----w- c:\program files\CCleaner
    2010-05-14 15:10 . 2010-05-14 15:10 452 ----a-w- c:\windows\system32\drivers\yzhvvmno.dat
    2010-05-14 03:54 . 2010-05-14 03:54 368 ----a-w- c:\windows\system32\drivers\jxqbtqyt.dat
    2010-05-14 03:37 . 2010-05-14 03:37 368 ----a-w- c:\windows\system32\drivers\xjjrihkr.dat
    2010-05-14 03:21 . 2010-05-14 03:21 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\AVG9
    2010-05-13 22:14 . 2010-05-13 22:14 368 ----a-w- c:\windows\system32\drivers\iuppukxv.dat
    2010-05-13 22:05 . 2010-05-13 22:05 452 ----a-w- c:\windows\system32\drivers\xrsqfphi.dat
    2010-05-13 20:49 . 2010-05-13 20:49 368 ----a-w- c:\windows\system32\drivers\hnslqpep.dat
    2010-05-13 16:58 . 2010-05-13 16:58 -------- d-----w- C:\FOUND.002
    2010-05-13 14:46 . 2010-05-13 14:46 -------- d-----w- C:\FOUND.001
    2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\35568229
    2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\25827327
    2010-05-12 21:48 . 2010-05-12 21:48 -------- d-----w- C:\FOUND.000
    2010-05-10 22:45 . 2010-05-10 22:45 -------- d--h--w- c:\windows\ie8
    2010-05-10 21:20 . 2010-05-10 21:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Applications
    2010-04-29 18:56 . 2010-04-29 18:56 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-04-26 21:57 . 2010-04-26 21:57 -------- d-----w- C:\2167da7775d242252848
    2010-04-25 18:09 . 2010-04-25 18:09 -------- d-----w- C:\AVGcon
    2010-04-25 17:58 . 2010-04-25 17:58 -------- d-----w- C:\AVGTemp
    2010-04-24 00:46 . 2010-04-24 00:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-24 00:07 . 2010-04-24 00:07 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Sunbelt Software
    2010-04-23 19:10 . 2010-04-23 19:10 -------- d-----w- C:\$AVG
    2010-04-23 19:08 . 2010-04-23 19:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
    2010-04-23 18:31 . 2009-09-02 16:58 1107200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar\IEToolbar.dll
    2010-04-23 18:22 . 2010-04-23 18:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-15 15:13 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-05-15 06:09 . 2010-05-15 14:52 3320320 ----a-w- c:\windows\Internet Logs\xDB305.tmp
    2010-05-15 06:09 . 2010-05-15 14:52 256000 ------w- c:\windows\Internet Logs\xDB304.tmp
    2010-05-15 04:40 . 2008-02-03 17:16 687181 ------w- c:\windows\Internet Logs\tvDebug.Zip
    2010-05-15 04:38 . 2010-05-15 04:43 567296 ------w- c:\windows\Internet Logs\xDB303.tmp
    2010-05-14 15:25 . 2010-05-14 15:25 138594 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_14_10_19_41_small.dmp.zip
    2010-05-13 16:53 . 2010-05-13 16:59 3142656 ------w- c:\windows\Internet Logs\xDB302.tmp
    2010-05-13 16:53 . 2010-05-13 16:59 1094144 ------w- c:\windows\Internet Logs\xDB301.tmp
    2010-05-13 16:47 . 2010-05-13 16:52 3143680 ------w- c:\windows\Internet Logs\xDB300.tmp
    2010-05-13 15:23 . 2010-05-13 15:23 133443 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_13_10_18_18_small.dmp.zip
    2010-05-12 15:43 . 2010-05-12 15:43 132721 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_12_10_37_41_small.dmp.zip
    2010-05-11 19:47 . 2010-05-11 19:58 3096576 ------w- c:\windows\Internet Logs\xDB2FF.tmp
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 15:15 . 2010-05-06 15:15 21998064 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_06_10_08_43_full.dmp.zip
    2010-05-04 15:10 . 2010-05-04 15:10 128312 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_04_10_05_00_small.dmp.zip
    2010-05-04 01:14 . 2010-05-04 14:49 8704 ------w- c:\windows\Internet Logs\xDB2FE.tmp
    2010-05-04 01:01 . 2010-05-04 01:14 1507328 ------w- c:\windows\Internet Logs\xDB2FD.tmp
    2010-05-02 04:36 . 2010-05-02 15:02 3038720 ------w- c:\windows\Internet Logs\xDB2FC.tmp
    2010-05-02 04:36 . 2010-05-02 15:02 478720 ------w- c:\windows\Internet Logs\xDB2FB.tmp
    2010-04-30 04:21 . 2010-04-30 16:27 3034624 ------w- c:\windows\Internet Logs\xDB2FA.tmp
    2010-04-29 17:41 . 2010-04-29 17:42 3009024 ------w- c:\windows\Internet Logs\xDB2F9.tmp
    2010-04-29 14:58 . 2010-04-29 14:58 129502 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_29_09_53_08_small.dmp.zip
    2010-04-27 21:42 . 2010-04-28 04:12 272896 ------w- c:\windows\Internet Logs\xDB2F8.tmp
    2010-04-26 18:29 . 2010-04-26 18:44 8704 ------w- c:\windows\Internet Logs\xDB2F7.tmp
    2010-04-26 02:44 . 2010-04-26 18:29 1540096 ------w- c:\windows\Internet Logs\xDB2F6.tmp
    2010-04-25 16:18 . 2010-04-25 16:18 129723 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_25_11_12_48_small.dmp.zip
    2010-04-23 19:12 . 2010-04-23 19:14 2886656 ------w- c:\windows\Internet Logs\xDB2F5.tmp
    2010-04-23 19:10 . 2008-04-16 20:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-23 19:10 . 2008-04-16 20:45 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-23 19:10 . 2007-11-19 15:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-04-23 19:09 . 2008-04-16 20:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-04-23 19:09 . 2008-04-16 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-04-22 20:49 . 2010-04-23 16:02 185344 ------w- c:\windows\Internet Logs\xDB2F3.tmp
    2010-04-22 20:49 . 2010-04-23 16:02 2860544 ------w- c:\windows\Internet Logs\xDB2F4.tmp
    2010-04-21 17:57 . 2010-04-21 17:57 143519 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_21_12_51_27_small.dmp.zip
    2010-04-21 17:51 . 2010-04-21 17:51 2840064 ------w- c:\windows\Internet Logs\xDB2F2.tmp
    2010-04-21 17:51 . 2010-04-21 17:51 87552 ------w- c:\windows\Internet Logs\xDB2F1.tmp
    2010-04-20 17:21 . 2010-04-20 17:21 2837504 ------w- c:\windows\Internet Logs\xDB2F0.tmp
    2010-04-20 17:21 . 2010-04-20 17:21 319488 ------w- c:\windows\Internet Logs\xDB2EF.tmp
    2010-04-15 19:44 . 2010-04-16 21:24 8704 ------w- c:\windows\Internet Logs\xDB2EE.tmp
    2010-04-15 19:29 . 2010-04-15 19:44 1474560 ------w- c:\windows\Internet Logs\xDB2ED.tmp
    2010-04-14 17:46 . 2010-04-14 17:48 2813440 ------w- c:\windows\Internet Logs\xDB2EC.tmp
    2010-04-13 16:51 . 2010-04-13 16:51 129648 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_13_11_46_05_small.dmp.zip
    2010-04-09 20:06 . 2010-04-11 21:40 8704 ------w- c:\windows\Internet Logs\xDB2EB.tmp
    2010-04-09 18:28 . 2010-04-09 20:06 1343488 ------w- c:\windows\Internet Logs\xDB2EA.tmp
    2010-04-08 17:22 . 2009-03-24 21:18 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-08 16:39 . 2010-04-08 16:49 2766848 ------w- c:\windows\Internet Logs\xDB2E9.tmp
    2010-04-08 16:39 . 2010-04-08 16:49 617472 ------w- c:\windows\Internet Logs\xDB2E8.tmp
    2010-04-08 04:50 . 2010-04-08 16:38 2766848 ------w- c:\windows\Internet Logs\xDB2E7.tmp
    2010-04-07 18:51 . 2010-04-07 18:51 -------- d-----w- c:\program files\Common Files\Java
    2010-03-28 19:34 . 2010-03-28 19:53 2740736 ------w- c:\windows\Internet Logs\xDB2E6.tmp
    2010-03-28 19:34 . 2010-03-28 19:53 522752 ------w- c:\windows\Internet Logs\xDB2E5.tmp
    2010-03-28 05:32 . 2010-03-28 19:33 2740736 ------w- c:\windows\Internet Logs\xDB2E4.tmp
    2010-03-27 19:21 . 2010-03-27 19:21 236464 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_03_27_14_15_52_small.dmp.zip
    2010-03-27 19:16 . 2010-03-27 19:16 2732032 ------w- c:\windows\Internet Logs\xDB2E3.tmp
    2010-03-26 16:30 . 2010-03-26 16:31 2730496 ------w- c:\windows\Internet Logs\xDB2E2.tmp
    2010-03-23 07:33 . 2010-03-23 17:11 2721792 ------w- c:\windows\Internet Logs\xDB2E1.tmp
    2010-03-23 00:38 . 2010-03-23 00:45 2703872 ------w- c:\windows\Internet Logs\xDB2E0.tmp
    2010-03-23 00:29 . 2010-03-23 00:29 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c85ff5b-n\decora-sse.dll
    2010-03-23 00:29 . 2010-03-23 00:29 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\msvcp71.dll
    2010-03-23 00:29 . 2010-03-23 00:29 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\jmc.dll
    2010-03-23 00:29 . 2010-03-23 00:29 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\msvcr71.dll
    2010-03-23 00:29 . 2010-03-23 00:29 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c85ff5b-n\decora-d3d.dll
    2010-03-22 21:49 . 2010-03-22 21:49 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\FixCleaner
    2010-03-22 21:49 . 2010-03-22 21:48 -------- d-----w- c:\program files\FixCleaner
    2010-03-20 18:03 . 2010-03-20 22:21 8704 ------w- c:\windows\Internet Logs\xDB2DF.tmp
    2010-03-20 04:02 . 2010-03-20 18:03 1179648 ------w- c:\windows\Internet Logs\xDB2DC.tmp
    2010-03-17 20:04 . 2010-03-18 20:12 8704 ------w- c:\windows\Internet Logs\xDB2DB.tmp
    2010-03-17 19:52 . 2010-03-17 20:04 1114112 ------w- c:\windows\Internet Logs\xDB2DA.tmp
    2010-03-16 21:32 . 2010-03-17 00:45 8704 ------w- c:\windows\Internet Logs\xDB2D9.tmp
    2010-03-16 21:32 . 2010-03-16 21:32 2638848 ------w- c:\windows\Internet Logs\xDB2DE.tmp
    2010-03-16 21:32 . 2010-03-16 21:32 8192 ------w- c:\windows\Internet Logs\xDB2DD.tmp
    2010-03-16 19:27 . 2010-03-16 21:31 8704 ------w- c:\windows\Internet Logs\xDB2D8.tmp
    2010-03-16 19:27 . 2010-03-16 19:27 2632192 ------w- c:\windows\Internet Logs\xDB2D7.tmp
    2010-03-16 19:27 . 2010-03-16 19:27 8192 ------w- c:\windows\Internet Logs\xDB2D6.tmp
    2010-03-15 20:32 . 2010-03-16 19:25 8704 ------w- c:\windows\Internet Logs\xDB2D4.tmp
    2010-03-15 04:36 . 2010-03-15 20:32 1146880 ------w- c:\windows\Internet Logs\xDB2D3.tmp
    2010-03-12 04:04 . 2010-03-12 20:14 607232 ------w- c:\windows\Internet Logs\xDB2D2.tmp
    2010-03-12 04:04 . 2010-03-12 20:14 2617344 ------w- c:\windows\Internet Logs\xDB2D5.tmp
    2010-03-10 06:15 . 2003-03-31 17:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-04 19:37 . 2006-01-15 21:37 19176 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-02 18:38 . 2008-10-16 15:36 163121891 ----a-w- C:\fix.ZIP
    2010-03-02 02:10 . 2010-03-02 17:30 8704 ------w- c:\windows\Internet Logs\xDB2D1.tmp
    2010-02-28 05:04 . 2010-03-02 02:10 1212416 ------w- c:\windows\Internet Logs\xDB2D0.tmp
    2010-02-26 01:32 . 2010-02-26 01:50 219648 ------w- c:\windows\Internet Logs\xDB2CF.tmp
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2003-03-31 17:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 22:30 . 2010-02-23 23:12 2518528 ------w- c:\windows\Internet Logs\xDB2CE.tmp
    2010-02-23 16:36 . 2010-02-23 16:47 8704 ------w- c:\windows\Internet Logs\xDB2CD.tmp
    2010-02-23 16:16 . 2010-02-23 16:36 2392064 ------w- c:\windows\Internet Logs\xDB2CC.tmp
    2010-02-17 14:10 . 2003-03-31 17:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 06:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    2006-05-08 22:07 . 2006-05-08 22:07 28142 ------w- c:\program files\IE70BlockerHelp-GPFilteringDialog.jpg
    2006-05-08 21:13 . 2006-05-08 21:13 3730 ------w- c:\program files\IE70Blocker.adm
    2006-05-08 21:13 . 2006-05-08 21:13 1809 ------w- c:\program files\IE70Blocker.cmd
    2005-05-26 19:35 . 2007-11-23 21:24 1422 ------w- c:\program files\ReadMe.txt
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829} "= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx "= "c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client "= "c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "MSSE "= "c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator "= "Narrator.exe" [2008-04-14 53760]
    "tscuninstall "= "c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R1 raxwhnfo;raxwhnfo;c:\windows\system32\drivers\raxwhnfo.sys [x]
    R1 xlgjzamo;xlgjzamo;c:\windows\system32\drivers\xlgjzamo.sys [x]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
    R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2010-02-23 369920]
    S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-04-23 52872]
    S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-04-23 216200]
    S1 AvgTdiX;AVG Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-04-23 242896]
    S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-04-24 95024]
    S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-04-23 916760]
    S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-04-23 308064]
    S2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2009-04-26 90352]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-15 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

    2010-05-14 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-05-15 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 23:02]

    2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-05-14 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-15 11:16
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2608)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-05-15 11:21:31
    ComboFix-quarantined-files.txt 2010-05-15 16:21
    ComboFix2.txt 2010-05-15 04:54

    Pre-Run: 13,458,964,480 bytes free
    Post-Run: 13,460,799,488 bytes free

    - - End Of File - - DA9FE378A9CFBAD0F8750A23F86F03DC

    HijackThis log will follow
     
  13. 2010/05/15
    RickyD2 (Inactive Thread Starter)
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:25:06 AM, on 5/15/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\system32\ctfmon.exe
    c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6717 bytes
     
  14. 2010/05/15
    broni (Moderator, Malware Analyst)
    I don't think you ran my ComboFix script, because nothing was fixed.
    Please retry and make sure you copy all the text from the code box.
     
  15. 2010/05/15
    RickyD2 (Inactive Thread Starter)
    I did exactly as you asked but I will do it again.
     
  16. 2010/05/15
    broni (Moderator, Malware Analyst)
    Ok :)
     
  17. 2010/05/15
    RickyD2 (Inactive Thread Starter)
    While running ComboFix I had a blue screen shutdown, so I'm not going to try running it again until I can determine what my computer's physical problem is.

    Bear with me, I'll be back.
     
  18. 2010/05/15
    broni (Moderator, Malware Analyst)
    No problem :)
    You can even try to run it in Safe Mode.
     
  19. 2010/05/16
    RickyD2 (Inactive Thread Starter)
    I'm back up and in business for the most part. I've tried three times to run ComboFix and each time I have gotten an error message saying that the name CFScript appears to be incorrectly spelt. I've copied and saved it three times also and the desktop icon shows CFScript.txt.

    Now what?

    Only problem now is with Yahoo and cookies and I'll talk to you later about that if need be.
     
  20. 2010/05/16
    RickyD2 (Inactive Thread Starter)
    Got it figured out, here is the ComboFix scan -

    ComboFix 10-05-15.03 - Richard Doenges 05/16/2010 11:25:45.7.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.244 [GMT -5:00]
    Running from: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\CFScript.txt
    AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Pro Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\system32\drivers\hnslqpep.dat"
    "c:\windows\system32\drivers\iuppukxv.dat"
    "c:\windows\system32\drivers\jxqbtqyt.dat"
    "c:\windows\system32\drivers\raxwhnfo.sys"
    "c:\windows\system32\drivers\viabmbrq.dat"
    "c:\windows\system32\drivers\xjjrihkr.dat"
    "c:\windows\system32\drivers\xrsqfphi.dat"
    "c:\windows\system32\drivers\yzhvvmno.dat"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\hnslqpep.dat
    c:\windows\system32\drivers\iuppukxv.dat
    c:\windows\system32\drivers\jxqbtqyt.dat
    c:\windows\system32\drivers\viabmbrq.dat
    c:\windows\system32\drivers\xjjrihkr.dat
    c:\windows\system32\drivers\xrsqfphi.dat
    c:\windows\system32\drivers\yzhvvmno.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_raxwhnfo


    ((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
    .

    2010-05-16 03:57 . 2010-05-16 03:57 -------- d-----w- C:\FOUND.004
    2010-05-15 00:48 . 2010-05-15 00:48 -------- d-----w- C:\FOUND.003
    2010-05-15 00:36 . 2010-05-15 00:36 -------- d-----w- C:\7a9f938b3d43a523dbb663
    2010-05-14 20:36 . 2010-05-14 20:36 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\ElevatedDiagnostics
    2010-05-14 17:13 . 2010-05-14 17:13 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-05-14 15:48 . 2010-05-14 15:48 -------- d-----w- c:\program files\CCleaner
    2010-05-14 03:21 . 2010-05-14 03:21 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\AVG9
    2010-05-13 16:58 . 2010-05-13 16:58 -------- d-----w- C:\FOUND.002
    2010-05-13 14:46 . 2010-05-13 14:46 -------- d-----w- C:\FOUND.001
    2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\35568229
    2010-05-13 00:03 . 2010-05-13 00:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\25827327
    2010-05-12 21:48 . 2010-05-12 21:48 -------- d-----w- C:\FOUND.000
    2010-05-10 22:45 . 2010-05-10 22:45 -------- d--h--w- c:\windows\ie8
    2010-05-10 21:20 . 2010-05-10 21:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Applications
    2010-04-26 21:57 . 2010-04-26 21:57 -------- d-----w- C:\2167da7775d242252848
    2010-04-25 18:09 . 2010-04-25 18:09 -------- d-----w- C:\AVGcon
    2010-04-25 17:58 . 2010-04-25 17:58 -------- d-----w- C:\AVGTemp
    2010-04-24 00:46 . 2010-04-24 00:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-04-24 00:14 . 2010-04-24 00:14 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-04-24 00:07 . 2010-04-24 00:07 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\Sunbelt Software
    2010-04-23 19:10 . 2010-04-23 19:10 -------- d-----w- C:\$AVG
    2010-04-23 19:08 . 2010-04-23 19:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
    2010-04-23 18:22 . 2010-04-23 18:22 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-16 16:39 . 2008-02-03 17:16 828438 ------w- c:\windows\Internet Logs\tvDebug.Zip
    2010-05-16 16:37 . 2010-05-16 16:40 3359232 ----a-w- c:\windows\Internet Logs\xDB30C.tmp
    2010-05-16 16:37 . 2010-05-16 16:40 285696 ------w- c:\windows\Internet Logs\xDB30B.tmp
    2010-05-16 15:31 . 2006-01-15 19:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-05-16 04:36 . 2010-05-16 04:36 145614 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_15_23_28_13_small.dmp.zip
    2010-05-16 04:36 . 2010-05-16 04:36 135106 ------w- c:\windows\Internet Logs\vsmon_on_demand_crt_term_2010_05_15_23_28_03_small.dmp.zip
    2010-05-16 04:30 . 2010-05-16 15:16 8704 ------w- c:\windows\Internet Logs\xDB309.tmp
    2010-05-16 04:28 . 2010-05-16 04:30 8192 ------w- c:\windows\Internet Logs\xDB30A.tmp
    2010-05-16 04:22 . 2010-05-16 04:27 16384 ------w- c:\windows\Internet Logs\xDB308.tmp
    2010-05-16 04:12 . 2010-05-16 04:18 8704 ------w- c:\windows\Internet Logs\xDB307.tmp
    2010-05-16 03:39 . 2010-05-16 04:12 1507328 ------w- c:\windows\Internet Logs\xDB306.tmp
    2010-05-15 06:09 . 2010-05-15 14:52 3320320 ------w- c:\windows\Internet Logs\xDB305.tmp
    2010-05-15 06:09 . 2010-05-15 14:52 256000 ------w- c:\windows\Internet Logs\xDB304.tmp
    2010-05-15 04:38 . 2010-05-15 04:43 567296 ------w- c:\windows\Internet Logs\xDB303.tmp
    2010-05-14 15:25 . 2010-05-14 15:25 138594 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_14_10_19_41_small.dmp.zip
    2010-05-13 16:53 . 2010-05-13 16:59 3142656 ------w- c:\windows\Internet Logs\xDB302.tmp
    2010-05-13 16:53 . 2010-05-13 16:59 1094144 ------w- c:\windows\Internet Logs\xDB301.tmp
    2010-05-13 16:47 . 2010-05-13 16:52 3143680 ------w- c:\windows\Internet Logs\xDB300.tmp
    2010-05-13 15:23 . 2010-05-13 15:23 133443 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_13_10_18_18_small.dmp.zip
    2010-05-12 15:43 . 2010-05-12 15:43 132721 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_12_10_37_41_small.dmp.zip
    2010-05-11 19:47 . 2010-05-11 19:58 3096576 ------w- c:\windows\Internet Logs\xDB2FF.tmp
    2010-05-06 15:36 . 2009-10-02 22:01 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-06 15:15 . 2010-05-06 15:15 21998064 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_06_10_08_43_full.dmp.zip
    2010-05-04 15:10 . 2010-05-04 15:10 128312 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_05_04_10_05_00_small.dmp.zip
    2010-05-04 01:14 . 2010-05-04 14:49 8704 ------w- c:\windows\Internet Logs\xDB2FE.tmp
    2010-05-04 01:01 . 2010-05-04 01:14 1507328 ------w- c:\windows\Internet Logs\xDB2FD.tmp
    2010-05-02 04:36 . 2010-05-02 15:02 3038720 ------w- c:\windows\Internet Logs\xDB2FC.tmp
    2010-05-02 04:36 . 2010-05-02 15:02 478720 ------w- c:\windows\Internet Logs\xDB2FB.tmp
    2010-04-30 04:21 . 2010-04-30 16:27 3034624 ------w- c:\windows\Internet Logs\xDB2FA.tmp
    2010-04-29 17:41 . 2010-04-29 17:42 3009024 ------w- c:\windows\Internet Logs\xDB2F9.tmp
    2010-04-29 14:58 . 2010-04-29 14:58 129502 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_29_09_53_08_small.dmp.zip
    2010-04-27 21:42 . 2010-04-28 04:12 272896 ------w- c:\windows\Internet Logs\xDB2F8.tmp
    2010-04-26 18:29 . 2010-04-26 18:44 8704 ------w- c:\windows\Internet Logs\xDB2F7.tmp
    2010-04-26 02:44 . 2010-04-26 18:29 1540096 ------w- c:\windows\Internet Logs\xDB2F6.tmp
    2010-04-25 16:18 . 2010-04-25 16:18 129723 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_25_11_12_48_small.dmp.zip
    2010-04-23 19:12 . 2010-04-23 19:14 2886656 ------w- c:\windows\Internet Logs\xDB2F5.tmp
    2010-04-23 19:10 . 2008-04-16 20:45 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-04-23 19:10 . 2008-04-16 20:45 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-04-23 19:10 . 2007-11-19 15:02 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-04-23 19:09 . 2008-04-16 20:45 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2010-04-23 19:09 . 2008-04-16 20:45 12464 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-04-22 20:49 . 2010-04-23 16:02 185344 ------w- c:\windows\Internet Logs\xDB2F3.tmp
    2010-04-22 20:49 . 2010-04-23 16:02 2860544 ------w- c:\windows\Internet Logs\xDB2F4.tmp
    2010-04-21 17:57 . 2010-04-21 17:57 143519 ------w- c:\windows\Internet Logs\vsmon_2nd_2010_04_21_12_51_27_small.dmp.zip
    2010-04-21 17:51 . 2010-04-21 17:51 2840064 ------w- c:\windows\Internet Logs\xDB2F2.tmp
    2010-04-21 17:51 . 2010-04-21 17:51 87552 ------w- c:\windows\Internet Logs\xDB2F1.tmp
    2010-04-20 17:21 . 2010-04-20 17:21 2837504 ------w- c:\windows\Internet Logs\xDB2F0.tmp
    2010-04-20 17:21 . 2010-04-20 17:21 319488 ------w- c:\windows\Internet Logs\xDB2EF.tmp
    2010-04-15 19:44 . 2010-04-16 21:24 8704 ------w- c:\windows\Internet Logs\xDB2EE.tmp
    2010-04-15 19:29 . 2010-04-15 19:44 1474560 ------w- c:\windows\Internet Logs\xDB2ED.tmp
    2010-04-14 17:46 . 2010-04-14 17:48 2813440 ------w- c:\windows\Internet Logs\xDB2EC.tmp
    2010-04-09 20:06 . 2010-04-11 21:40 8704 ------w- c:\windows\Internet Logs\xDB2EB.tmp
    2010-04-09 18:28 . 2010-04-09 20:06 1343488 ------w- c:\windows\Internet Logs\xDB2EA.tmp
    2010-04-08 17:22 . 2009-03-24 21:18 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-08 16:39 . 2010-04-08 16:49 2766848 ------w- c:\windows\Internet Logs\xDB2E9.tmp
    2010-04-08 16:39 . 2010-04-08 16:49 617472 ------w- c:\windows\Internet Logs\xDB2E8.tmp
    2010-04-08 04:50 . 2010-04-08 16:38 2766848 ------w- c:\windows\Internet Logs\xDB2E7.tmp
    2010-04-07 18:51 . 2010-04-07 18:51 -------- d-----w- c:\program files\Common Files\Java
    2010-03-28 19:34 . 2010-03-28 19:53 2740736 ------w- c:\windows\Internet Logs\xDB2E6.tmp
    2010-03-28 19:34 . 2010-03-28 19:53 522752 ------w- c:\windows\Internet Logs\xDB2E5.tmp
    2010-03-28 05:32 . 2010-03-28 19:33 2740736 ------w- c:\windows\Internet Logs\xDB2E4.tmp
    2010-03-27 19:16 . 2010-03-27 19:16 2732032 ------w- c:\windows\Internet Logs\xDB2E3.tmp
    2010-03-26 16:30 . 2010-03-26 16:31 2730496 ------w- c:\windows\Internet Logs\xDB2E2.tmp
    2010-03-23 07:33 . 2010-03-23 17:11 2721792 ------w- c:\windows\Internet Logs\xDB2E1.tmp
    2010-03-23 00:38 . 2010-03-23 00:45 2703872 ------w- c:\windows\Internet Logs\xDB2E0.tmp
    2010-03-23 00:29 . 2010-03-23 00:29 61440 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c85ff5b-n\decora-sse.dll
    2010-03-23 00:29 . 2010-03-23 00:29 503808 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\msvcp71.dll
    2010-03-23 00:29 . 2010-03-23 00:29 499712 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\jmc.dll
    2010-03-23 00:29 . 2010-03-23 00:29 348160 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-36e1564b-n\msvcr71.dll
    2010-03-23 00:29 . 2010-03-23 00:29 12800 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6c85ff5b-n\decora-d3d.dll
    2010-03-22 21:49 . 2010-03-22 21:49 -------- d-----w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Application Data\FixCleaner
    2010-03-22 21:49 . 2010-03-22 21:48 -------- d-----w- c:\program files\FixCleaner
    2010-03-20 18:03 . 2010-03-20 22:21 8704 ------w- c:\windows\Internet Logs\xDB2DF.tmp
    2010-03-20 04:02 . 2010-03-20 18:03 1179648 ------w- c:\windows\Internet Logs\xDB2DC.tmp
    2010-03-17 20:04 . 2010-03-18 20:12 8704 ------w- c:\windows\Internet Logs\xDB2DB.tmp
    2010-03-17 19:52 . 2010-03-17 20:04 1114112 ------w- c:\windows\Internet Logs\xDB2DA.tmp
    2010-03-16 21:32 . 2010-03-17 00:45 8704 ------w- c:\windows\Internet Logs\xDB2D9.tmp
    2010-03-16 21:32 . 2010-03-16 21:32 2638848 ------w- c:\windows\Internet Logs\xDB2DE.tmp
    2010-03-16 21:32 . 2010-03-16 21:32 8192 ------w- c:\windows\Internet Logs\xDB2DD.tmp
    2010-03-16 19:27 . 2010-03-16 21:31 8704 ------w- c:\windows\Internet Logs\xDB2D8.tmp
    2010-03-16 19:27 . 2010-03-16 19:27 2632192 ------w- c:\windows\Internet Logs\xDB2D7.tmp
    2010-03-16 19:27 . 2010-03-16 19:27 8192 ------w- c:\windows\Internet Logs\xDB2D6.tmp
    2010-03-15 20:32 . 2010-03-16 19:25 8704 ------w- c:\windows\Internet Logs\xDB2D4.tmp
    2010-03-15 04:36 . 2010-03-15 20:32 1146880 ------w- c:\windows\Internet Logs\xDB2D3.tmp
    2010-03-12 04:04 . 2010-03-12 20:14 607232 ------w- c:\windows\Internet Logs\xDB2D2.tmp
    2010-03-12 04:04 . 2010-03-12 20:14 2617344 ------w- c:\windows\Internet Logs\xDB2D5.tmp
    2010-03-10 06:15 . 2003-03-31 17:00 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-04 19:37 . 2006-01-15 21:37 19176 ----a-w- c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-02 18:38 . 2008-10-16 15:36 163121891 ----a-w- C:\fix.ZIP
    2010-03-02 02:10 . 2010-03-02 17:30 8704 ------w- c:\windows\Internet Logs\xDB2D1.tmp
    2010-02-28 05:04 . 2010-03-02 02:10 1212416 ------w- c:\windows\Internet Logs\xDB2D0.tmp
    2010-02-26 01:32 . 2010-02-26 01:50 219648 ------w- c:\windows\Internet Logs\xDB2CF.tmp
    2010-02-25 06:24 . 2006-06-23 16:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2003-03-31 17:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-23 22:30 . 2010-02-23 23:12 2518528 ------w- c:\windows\Internet Logs\xDB2CE.tmp
    2010-02-23 16:36 . 2010-02-23 16:47 8704 ------w- c:\windows\Internet Logs\xDB2CD.tmp
    2010-02-23 16:16 . 2010-02-23 16:36 2392064 ------w- c:\windows\Internet Logs\xDB2CC.tmp
    2010-02-17 14:10 . 2003-03-31 17:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 06:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2006-07-20 20:07 . 2006-07-20 20:07 18801 ------w- c:\program files\IE70BlockerHelp.htm
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"="c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TClockEx"="c:\program files\TClockEx\TCLOCKEX.EXE" [2000-03-09 89088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    "tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Start Menu\Programs\Startup\
    MailWasherPro.lnk - c:\program files\FireTrust\MailWasher Pro\MailWasher.exe [2006-1-6 18480224]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoThumbnailCache"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [4/16/2008 3:45 PM 52872]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/16/2008 3:45 PM 216200]
    R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/16/2008 3:45 PM 242896]
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [4/23/2010 7:14 PM 95024]
    R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [4/23/2010 2:08 PM 916760]
    R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/23/2010 2:08 PM 308064]
    R2 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/28/2009 11:29 AM 90352]
    S1 xlgjzamo;xlgjzamo;\??\c:\windows\system32\drivers\xlgjzamo.sys --> c:\windows\system32\drivers\xlgjzamo.sys [?]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [4/23/2010 2:09 PM 369920]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-15 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-06 21:27]

    2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

    2010-05-15 c:\windows\Tasks\User_Feed_Synchronization-{9913872E-C5A8-4D8F-83A3-237CEECEEC63}.job
    - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

    2007-01-21 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8137559368.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 05:52]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-16 11:40
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1547161642-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(4072)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Executive Software\Diskeeper Home Edition\DKService.exe
    c:\windows\system32\imapi.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\pctspk.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\AVG\AVG9\avgam.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\documents and settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\windows\system32\NOTEPAD.EXE
    c:\program files\Internet Explorer\iexplore.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-16 11:46:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-16 16:46
    ComboFix2.txt 2010-05-15 16:21
    ComboFix3.txt 2010-05-15 04:54

    Pre-Run: 13,206,487,040 bytes free
    Post-Run: 13,381,533,696 bytes free

    - - End Of File - - ACDD323050CFCEFEDEDE0D3E3D6F7C05
     
  21. 2010/05/16
    RickyD2

    RickyD2 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    421
    Likes Received:
    0
    Here is the HijackThis scan -

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:46:28 AM, on 5/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\ComboFix\CF21603.cfxxe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\imapi.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgam.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\ComboFix\CF21603.cfxxe
    C:\Documents and Settings\Richard Doenges.HOME-KVJPCI4PIU\Desktop\HiJackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
    O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
    O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
    O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - C:\Program Files\PCPitstop\PCPitstopScheduleService.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    --
    End of file - 6225 bytes
     