
Solved Reappearing Malware Problem

Discussion in 'Malware and Virus Removal Archive' started by AtomicTyson, 2010/06/06.

  1. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    [Resolved] Reappearing Malware Problem

    Hey sorry Broni but I got this same old malware problem with the fake antivirus pop up. I thought I got it from a site with a lot of pop ups so I haven't visited it again. Unfortunately, it appeared again without me going to it. I have been using the Avira AntiVirus and one time when the malware appeared it updated itself and deleted it. Now it seems the malware has shut off the updating system or something and I can't get it to work. Below are the two requested attachments, and thank you again!

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by John at 10:42:57.53 on Sun 06/06/2010
    Internet Explorer: 7.0.6000.16809 BrowserJavaVersion: 1.6.0_16
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2092 [GMT -7:00]

    AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AntiVir Desktop *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\John\Desktop\dds(2).scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: installbroadcast: {6f0d004e-278f-2db1-1b8b-8f6089457d3a} - c:\windows\system32\_ZdA4C_pw.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Google Update] "c:\users\john\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
    uRun: [bihvtwet] c:\users\john\appdata\local\gxbxklran\qpnsogstssd.exe
    mRun: [sealmon.exe] c:\program files\oracle\information rights management\desktop\sealmon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\john\appdata\roaming\mozilla\firefox\profiles\707tt871.default\
    FF - component: c:\program files\mozilla firefox\extensions\{8dbc0cf5-1736-5995-a8ad-e8562ebdf9af}\components\tb2AMjRmR.dll
    FF - component: c:\users\john\appdata\roaming\mozilla\firefox\profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\users\john\appdata\local\google\update\1.2.183.27\npGoogleOneClick8.dll
    FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\john\appdata\roaming\move networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\users\john\appdata\roaming\mozilla\firefox\profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{8dbc0cf5-1736-5995-a8ad-e8562ebdf9af}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: google.toolbar.linkdoctor.enabled - false
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-19 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-19 267432]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-19 60936]
    R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-6-11 968064]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-06-06 17:36:40 34800 ----a-w- c:\programdata\nvModes.dat
    2010-04-25 15:38:42 111730 ----a-w- c:\windows\system32\FmNUmhRM6-.exe
    2010-04-13 14:08:34 1331200 ----a-w- c:\windows\system32\_ZdA4C_pw.dll
    2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
    2010-02-18 04:11:47 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-02-18 04:11:47 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-02-18 04:11:46 86016 ----a-w- c:\windows\inf\infstor.dat
    2008-12-10 11:04:53 174 --sha-w- c:\program files\desktop.ini
    2008-09-29 14:18:11 665600 ----a-w- c:\windows\inf\drvindex.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

    ============= FINISH: 10:43:43.34 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/28/2008 11:08:30 AM
    System Uptime: 6/6/2010 10:35:05 AM (0 hours ago)

    Motherboard: ECS | | Nettle2
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | Socket M2 | 3000/201mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 466 GiB total, 420.212 GiB free.
    D: is CDROM (CDFS)
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Microsoft 6to4 Adapter
    Device ID: ROOT\*6TO4MP\0000
    Manufacturer: Microsoft
    Name: Microsoft 6to4 Adapter
    PNP Device ID: ROOT\*6TO4MP\0000
    Service: tunnel

    Class GUID: {4d36e96d-e325-11ce-bfc1-08002be10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&2CF26B65&0&3020
    Manufacturer: CXT
    Name: PCI Soft Data Fax Modem with SmartCP
    PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200C14F1&REV_00\4&2CF26B65&0&3020
    Service: Modem

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    ACD/Labs Software in C:\Program Files\ACDFREE12\
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AusLogics Disk Defrag
    AutoUpdate
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    DivX Codec
    DivX Converter
    DivX Player
    DivX Setup
    FLV Player 2.0 (build 25)
    Google Chrome
    Guitar Pro 5.2
    iTunes
    Java(TM) 6 Update 16
    Java(TM) 6 Update 7
    LG USB Modem driver
    LimeWire 5.1.2
    Logitech Audio Echo Cancellation Component
    Logitech QuickCam Driver Package
    Logitech® Camera Driver
    LoudMo Contextual Ad Assistant
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Excel Viewer
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Subscription
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual J# 2.0 Redistributable Package
    Move Media Player
    Mozilla Firefox (3.6.3)
    MSVCRT
    MVision
    NVIDIA Display Control Panel
    NVIDIA Drivers
    Oracle IRM Desktop 5.5.12 10gR3 PR5
    Pando Media Booster
    QuickTime
    Respondus LockDown Browser
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Skype™ 3.8
    Symyx Draw
    System Requirements Lab
    TVUPlayer 2.4.8.2
    Update for Microsoft Office 2007 Help for Common Features (KB957244)
    Update for Microsoft Office Access 2007 Help (KB957241)
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Microsoft Office Outlook 2007 Help (KB957246)
    Update for Microsoft Office PowerPoint 2007 Help (KB957247)
    Update for Microsoft Office Publisher 2007 Help (KB957249)
    Update for Microsoft Office Word 2007 Help (KB957252)
    Update for Microsoft Script Editor Help (KB957253)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Vuze
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Media Player Firefox Plugin
    WinRAR archiver
    WinZip 12.0

    ==== Event Viewer Messages From Past Week ========

    6/4/2010 7:05:45 AM, Error: EventLog [6008] - The previous system shutdown at 3:36:47 PM on 6/3/2010 was unexpected.
    6/3/2010 9:01:25 AM, Error: EventLog [6008] - The previous system shutdown at 8:58:45 AM on 6/3/2010 was unexpected.
    6/3/2010 8:55:45 AM, Error: EventLog [6008] - The previous system shutdown at 6:47:02 PM on 6/1/2010 was unexpected.
    5/31/2010 9:29:50 AM, Error: EventLog [6008] - The previous system shutdown at 7:49:09 AM on 5/31/2010 was unexpected.
    5/31/2010 7:43:08 AM, Error: LSM [1050] - Registering with Service Control Manager to monitor Terminal Service status failed with The specified service does not exist as an installed service. , retry in ten minute.
    5/31/2010 7:37:21 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86.
    5/31/2010 7:33:09 AM, Error: EventLog [6008] - The previous system shutdown at 7:30:07 AM on 5/31/2010 was unexpected.
    5/31/2010 7:29:14 AM, Error: EventLog [6008] - The previous system shutdown at 9:48:56 PM on 5/23/2010 was unexpected.
    5/31/2010 10:59:36 PM, Error: Service Control Manager [7023] - The seclogon service terminated with the following error: The specified module could not be found.
    5/31/2010 10:57:38 PM, Error: volmgr [46] - Crash dump initialization failed!

    ==== End Of File ===========================
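A triage pass over the header and "Pseudo HJT Report" lines of the DDS log above, written as an added example that is not part of the thread or of the DDS tool. The sample lines are copied from the posted log; the scoring rules (loopback proxy, autoruns from AppData with generated-looking names, BHOs loaded from system32, EnableLUA=0, outdated AV) and the AppData allowlist are this example's own heuristics, not anything DDS or the forum defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: header and Pseudo HJT lines taken from the DDS log posted
# in the thread (DDS lower-cases paths itself, as seen in the original).
SAMPLE_DDS = r"""
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: installbroadcast: {6f0d004e-278f-2db1-1b8b-8f6089457d3a} - c:\windows\system32\_ZdA4C_pw.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\john\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [bihvtwet] c:\users\john\appdata\local\gxbxklran\qpnsogstssd.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-system: EnableLUA = 0 (0x0)
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    reason: str
    line: str


# Autorun binaries living in user-writable profile locations deserve a look;
# the allowlist is an assumption covering per-user installers seen in this log.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")
APPDATA_ALLOWLIST = ("\\google\\update\\",)
# A proxy on the loopback interface is how the rogue AV on this machine
# interposed itself on the browser's traffic.
LOOPBACK = re.compile(r"(?:127\.0\.0\.1|localhost)(?::\d+)?", re.I)
# Heuristic for generated names: an all-lowercase stem with 4+ consonants in a row.
RANDOMISH = re.compile(r"^[a-z]{7,}$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}")
# First drive-letter path ending in an executable/library extension.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|scr|com|bat)\b", re.I)


def looks_generated(stem: str) -> bool:
    return bool(RANDOMISH.match(stem) and CONSONANT_RUN.search(stem))


def first_path(line: str) -> str:
    """Return the (lower-cased) binary path from a Run/BHO line, or ''."""
    m = PATH_RE.search(line)
    return m.group(0).lower() if m else ""


def triage(dds_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if line.startswith(("AV:", "SP:")) and "(outdated)" in low:
            findings.append(Finding("medium", "security product signatures are outdated", line))
        elif line.startswith("uInternet Settings,ProxyServer") and LOOPBACK.search(line):
            findings.append(Finding("high", "browser proxy points at a local port (traffic interception)", line))
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append(Finding("medium", "UAC disabled via EnableLUA=0", line))
        elif line.startswith("TB:") and line.endswith("No File"):
            findings.append(Finding("low", "orphaned toolbar registration", line))
        elif line.startswith(("uRun:", "mRun:")):
            path = first_path(line)
            if path and any(seg in path for seg in USER_WRITABLE) \
                    and not any(ok in path for ok in APPDATA_ALLOWLIST):
                parts = path.rsplit("\\", 2)
                stem = parts[-1].rsplit(".", 1)[0]
                folder = parts[-2] if len(parts) > 1 else ""
                sev = "high" if looks_generated(stem) or looks_generated(folder) else "medium"
                findings.append(Finding(sev, "autorun from user-writable profile path", line))
        elif line.startswith("BHO:"):
            path = first_path(line)
            if path and "\\windows\\system32\\" in path:
                name = path.rsplit("\\", 1)[-1]
                # Legitimate BHOs normally live under Program Files; an unbranded
                # name mixing underscores/dashes and digits raises the severity.
                sev = "high" if re.search(r"[_-].*\d|\d.*[_-]", name) else "medium"
                findings.append(Finding(sev, "BHO loaded from system32 with an unbranded DLL name", line))
    return findings


def main() -> None:
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports the loopback proxy, the `_ZdA4C_pw.dll` BHO and the `qpnsogstssd.exe` autorun as high, the outdated AV and EnableLUA=0 as medium, and the orphaned toolbar as low; the Sidebar, Google Update and avgnt entries produce no finding.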
     
  2. 2010/06/06
    PeteC

    PeteC SuperGeek Staff

    What do you expect?? ....

    I see you have P2P software ( Limewire, BitTorrent, uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     


  4. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Unfortunately....


    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER

    STEP 3. Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    userinit.exe
    explorer.exe
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    I had a computer guy come over yesterday for my parent's computer and he said he used it all the time and it was fine except that he uninstalled it after every use. I forgot to uninstall it but I didn't have it running so I thought that kept me safe. But regardless I uninstalled it because I am sick of problems and feel bad for bothering you guys each time lol.

    Also, Malware bytes doesn't work on my computer. Is there an alternative?
     
  6. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Be more specific, please.
     
  7. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    When I try to install it, it has an error, and you and I both tried to look into it and seemed to have trouble installing it. That's why I have Avira with your help.
     
  8. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ===============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    exeHelper by Raktor
    Build 20100329
    Run at 20:26:56 on 04/04/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Removing HKCR\secfile
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100329
    Run at 20:32:47 on 04/04/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 19:27:40 on 04/17/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Removing HKCR\secfile
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 20:11:10 on 04/17/10
    Now searching...
    exeHelper by Raktor
    Build 20100414
    Run at 13:11:37 on 06/06/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    ComboFix 10-06-06.01 - John 06/06/2010 13:26:59.5.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2449 [GMT -7:00]
    Running from: c:\users\John\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: AntiVir Desktop *disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\John\AppData\Local\gxbxklran
    c:\users\John\AppData\Local\gxbxklran\qpnsogstssd.exe
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\iSiriBuC0hc_Z
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\k--j_Gq-lOX5St
    c:\users\John\AppData\Local\Microsoft\Windows\Temporary Internet Files\n_2DQj-_N-6

    Infected copy of c:\windows\system32\drivers\ssmdrv.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
    .

    2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\users\John\AppData\Local\temp
    2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-06-06 20:31 . 2010-06-06 20:31 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-06-06 20:22 . 2010-06-06 20:23 -------- d-----w- C:\32788R22FWJFW

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-06 19:08 . 2008-10-27 02:24 -------- d-----w- c:\program files\LimeWire
    2010-06-06 17:36 . 2009-12-30 05:08 34800 ----a-w- c:\programdata\nvModes.dat
    2010-05-19 00:40 . 2008-10-27 02:25 -------- d-----w- c:\users\John\AppData\Roaming\LimeWire
    2010-05-06 16:54 . 2008-09-29 06:28 93680 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-03 05:02 . 2010-05-03 04:31 -------- d-----w- c:\programdata\DivX
    2010-05-03 05:02 . 2010-05-03 05:02 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-05-03 04:34 . 2010-05-03 04:34 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-05-03 04:34 . 2008-10-04 21:26 -------- d-----w- c:\program files\DivX
    2010-05-03 04:34 . 2010-05-03 04:34 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
    2010-05-03 04:34 . 2009-08-18 16:58 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-05-03 04:32 . 2010-05-03 04:34 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
    2010-05-03 04:31 . 2010-05-03 04:34 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
    2010-04-30 23:05 . 2010-04-04 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-30 23:02 . 2009-02-06 03:01 -------- d-----w- c:\program files\Maple 12
    2010-04-30 23:02 . 2010-04-04 19:27 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
    2010-04-30 23:02 . 2010-04-04 19:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-30 23:02 . 2009-06-25 14:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-25 15:38 . 2010-04-25 15:38 111730 ----a-w- c:\windows\system32\FmNUmhRM6-.exe
    2010-04-20 02:11 . 2010-04-20 02:11 -------- d-----w- c:\users\John\AppData\Roaming\Avira
    2010-04-20 02:08 . 2010-04-20 02:08 -------- d-----w- c:\programdata\Avira
    2010-04-20 02:08 . 2010-04-20 02:08 -------- d-----w- c:\program files\Avira
    2010-04-20 01:24 . 2010-04-20 01:23 -------- d-----w- c:\users\John\AppData\Roaming\QuickScan
    2010-04-13 22:58 . 2010-04-20 01:21 670696 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    2010-04-13 22:58 . 2010-04-20 01:21 833960 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    2010-04-13 14:08 . 2010-04-13 14:08 1331200 ----a-w- c:\windows\system32\_ZdA4C_pw.dll
    2010-04-03 17:55 . 2008-10-16 23:39 0 ----a-w- c:\users\John\AppData\Local\prvlcl.dat
    2010-04-01 15:18 . 2010-04-01 15:18 1685784 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-04-01 15:18 . 2010-04-01 15:18 1035032 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
    2010-03-27 02:20 . 2010-03-27 02:20 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-03-12 20:39 . 2010-03-12 20:39 360584 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
    2010-03-12 20:39 . 2010-03-12 20:39 333192 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
    2010-03-12 20:39 . 2010-03-12 20:39 28424 ----a-w- c:\programdata\avg9\update\backup\avgmfx86.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f0d004e-278f-2db1-1b8b-8f6089457d3a}]
    2010-04-13 14:08 1331200 ----a-w- c:\windows\System32\_ZdA4C_pw.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-29 1232896]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "Google Update"="c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-03 133104]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-28 2935480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "sealmon.exe"="c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2009-03-13 370952]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4"=wdmaud.drv

    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
    S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-06-11 968064]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000Core.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]

    2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000UA.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{8dbc0cf5-1736-5995-a8ad-e8562ebdf9af}\components\tb2AMjRmR.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - component: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.27\npGoogleOneClick8.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-bihvtwet - c:\users\John\AppData\Local\gxbxklran\qpnsogstssd.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-06 13:31
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-06-06 13:33:13
    ComboFix-quarantined-files.txt 2010-06-06 20:33
    ComboFix2.txt 2010-04-18 04:21

    Pre-Run: 451,172,868,096 bytes free
    Post-Run: 451,799,531,520 bytes free

    - - End Of File - - 46F6D54D1C3E2383B67E6EADAF966829
     
  10. 2010/06/06
    broni

    broni Moderator Malware Analyst

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\FmNUmhRM6-.exe
    c:\windows\system32\_ZdA4C_pw.dll
    
    
    Folder::
    c:\programdata\avg9
    
    DirLook::
    C:\32788R22FWJFW
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f0d004e-278f-2db1-1b8b-8f6089457d3a}]
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation omitted]


    5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
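The log in post 9 and the CFScript broni derived from it in post 10 follow a fixed pattern, so here is an added example of the same triage done in Python. This is editor's code, not from the thread, ComboFix or its authors: it reads a ComboFix report, picks out what the analyst acted on (random-named files under system32, the BHO that loads one of them, a ProxyServer entry pointing at 127.0.0.1, the EnableLUA=0 policy), emits the File::/Registry::/DDS:: directives in the same form broni used, and then re-reads the follow-up report to confirm nothing is left. The two log excerpts are constructed, condensed copies of the reports in this thread with the forum's stray spaces removed; `looks_random`, `local_proxy`, `section_of` and the section names used for filtering are assumptions of this example, not ComboFix features.

```python
import re

# Constructed, condensed excerpt of the first ComboFix log in this thread,
# keeping only the lines the triage below reads, in ComboFix's own layout.
LOG_BEFORE = r"""
(((((((((( Find3M Report ))))))))))
2010-04-25 15:38 . 2010-04-25 15:38 111730 ----a-w- c:\windows\system32\FmNUmhRM6-.exe
2010-04-13 14:08 . 2010-04-13 14:08 1331200 ----a-w- c:\windows\system32\_ZdA4C_pw.dll
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6f0d004e-278f-2db1-1b8b-8f6089457d3a}]
2010-04-13 14:08 1331200 ----a-w- c:\windows\System32\_ZdA4C_pw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)
------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

# Constructed excerpt of the report after the CFScript ran: the files now appear
# only under "Other Deletions" (quarantined) and the ProxyServer line is gone.
LOG_AFTER = r"""
(((((((((( Other Deletions ))))))))))
c:\windows\system32\_ZdA4C_pw.dll
c:\windows\system32\FmNUmhRM6-.exe
(((((((((( Find3M Report ))))))))))
2010-06-06 21:04 . 2009-12-30 05:08 34800 ----a-w- c:\programdata\nvModes.dat
(((((((((( Reg Loading Points ))))))))))
"EnableLUA"=0 (0x0)
------- Supplementary Scan -------
uInternet Settings,ProxyOverride = <local>
"""

SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")
SYSTEM32_FILE = re.compile(r'(c:\\windows\\system32\\([^\s\\"]+))', re.IGNORECASE)
BHO_KEY = re.compile(r"\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9a-f-]{36}\})\]", re.IGNORECASE)
FILE_SECTIONS = ("Find3M", "Files Created", "Reg Loading Points")  # sections that list live files

def looks_random(filename: str) -> bool:
    """Assumed heuristic for dropped rogue-AV components: 8+ character stem mixing
    upper and lower case with a digit, '_' or '-' (e.g. FmNUmhRM6-.exe)."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 8 and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem) and any(c.isdigit() or c in "_-" for c in stem))

def local_proxy(proxy) -> bool:
    """A ProxyServer value that points at this machine (http=127.0.0.1:5555 above)."""
    return bool(proxy) and proxy.split("=")[-1].split(":")[0] in ("127.0.0.1", "localhost")

def section_of(line: str, current: str) -> str:
    """Return the ComboFix report section this line belongs to."""
    m = SECTION.match(line.strip())
    if m:
        return m.group(1)
    return line.strip("- ").strip() if line.startswith("------- ") else current

def find_indicators(log: str) -> dict:
    """Collect what the analyst acted on: random-named files in system32 (from sections
    listing live files only, so quarantined copies are ignored), a BHO loading such a
    file, the ProxyServer value and the UAC policy."""
    found = {"files": [], "bho": [], "proxy": None, "uac_disabled": False}
    section, lines = "", log.splitlines()
    for i, line in enumerate(lines):
        section = section_of(line, section)
        if section.startswith(FILE_SECTIONS):
            for path, name in SYSTEM32_FILE.findall(line):
                if looks_random(name) and path.lower() not in (p.lower() for p in found["files"]):
                    found["files"].append(path)
        m = BHO_KEY.search(line)
        if m and i + 1 < len(lines) and lines[i + 1].strip():
            found["bho"].append((m.group(1), lines[i + 1].split()[-1]))  # next line names the DLL
        m = re.search(r"ProxyServer\s*=\s*(\S+)", line)
        if m:
            found["proxy"] = m.group(1)
        if re.search(r'"EnableLUA\s*"\s*=\s*0\b', line):
            found["uac_disabled"] = True
    return found

def build_cfscript(found: dict) -> str:
    """Render the File::, Registry:: and DDS:: directives the analyst wrote by hand."""
    out = []
    if found["files"]:
        out += ["File::", *found["files"], ""]
    if found["bho"]:
        out += ["Registry::"] + ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\" + c + "]" for c, _ in found["bho"]] + [""]
    if local_proxy(found["proxy"]):
        out += ["DDS::", "uInternet Settings,ProxyServer = " + found["proxy"], ""]
    return "\n".join(out)

def residual_indicators(log_after: str) -> list:
    """Indicators still present in the follow-up log; UAC is reported separately."""
    after = find_indicators(log_after)
    return list(after["files"]) + [c for c, _ in after["bho"]] + ([after["proxy"]] if local_proxy(after["proxy"]) else [])

if __name__ == "__main__":
    print(build_cfscript(find_indicators(LOG_BEFORE)), "residual:", residual_indicators(LOG_AFTER))
```

Two things worth taking from the output: files are only counted from sections that list live files, so the copies under "Other Deletions" in the follow-up log (already quarantined) do not raise a false alarm; and EnableLUA is still 0 in that follow-up log, meaning UAC stayed disabled through the cleanup, which is outside what a CFScript fixes and should be switched back on once the machine is declared clean. A ProxyServer value pointing at the local host on a machine with no proxy software installed is the usual sign a rogue was relaying browser traffic, which is why that line goes in the DDS:: section.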
     
  11. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    AntiVir Desktop seems to be running and I don't know how to stop the process. Any tips?

     
  12. 2010/06/06
    broni

    broni Moderator Malware Analyst

    If you did what you could to disable it, run the Combofix script.
     
  13. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    ComboFix 10-06-06.01 - John 06/06/2010 15:07:50.6.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2942.2378 [GMT -7:00]
    Running from: c:\users\John\Desktop\ComboFix.exe
    Command switches used :: c:\users\John\Desktop\CFScript.txt
    SP: AntiVir Desktop *enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point

    FILE ::
    "c:\windows\system32\_ZdA4C_pw.dll"
    "c:\windows\system32\FmNUmhRM6-.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\avg9
    c:\programdata\avg9\Cfg\changecfgreg.cfg
    c:\programdata\avg9\Cfg\erd.cfg
    c:\programdata\avg9\Cfg\except.cfg
    c:\programdata\avg9\Cfg\krnl.cfg
    c:\programdata\avg9\Cfg\mail.cfg
    c:\programdata\avg9\Cfg\malrep.cfg
    c:\programdata\avg9\Cfg\scan.cfg
    c:\programdata\avg9\Cfg\sched.cfg
    c:\programdata\avg9\Cfg\update.cfg
    c:\programdata\avg9\Cfg\updateall.cfg
    c:\programdata\avg9\Cfg\user.cfg
    c:\programdata\avg9\CfgAll\changecfgreg.cfg
    c:\programdata\avg9\CfgAll\falsealarm.cfg
    c:\programdata\avg9\CfgAll\krnlall.cfg
    c:\programdata\avg9\CfgAll\srmall.cfg
    c:\programdata\avg9\CfgAll\updateall.cfg
    c:\programdata\avg9\CfgAll\userall.cfg
    c:\programdata\avg9\Dumps\IEToolbar.dll_crash.exh
    c:\programdata\avg9\Dumps\IEToolbar.dll_crash_f.dmp
    c:\programdata\avg9\Dumps\IEToolbar.dll_crash_m.dmp
    c:\programdata\avg9\Log\avgcfg.log
    c:\programdata\avg9\Log\avgcfg.log.lock
    c:\programdata\avg9\Log\avgchjw.log
    c:\programdata\avg9\Log\avgchjw.log.1
    c:\programdata\avg9\Log\avgchjw.log.10
    c:\programdata\avg9\Log\avgchjw.log.2
    c:\programdata\avg9\Log\avgchjw.log.3
    c:\programdata\avg9\Log\avgchjw.log.4
    c:\programdata\avg9\Log\avgchjw.log.5
    c:\programdata\avg9\Log\avgchjw.log.6
    c:\programdata\avg9\Log\avgchjw.log.7
    c:\programdata\avg9\Log\avgchjw.log.8
    c:\programdata\avg9\Log\avgchjw.log.9
    c:\programdata\avg9\Log\avgchjw.log.lock
    c:\programdata\avg9\Log\avgchjwsrv.log
    c:\programdata\avg9\Log\avgchjwsrv.log.1
    c:\programdata\avg9\Log\avgchjwsrv.log.lock
    c:\programdata\avg9\Log\avgcore.log
    c:\programdata\avg9\Log\avgcore.log.1
    c:\programdata\avg9\Log\avgcore.log.10
    c:\programdata\avg9\Log\avgcore.log.2
    c:\programdata\avg9\Log\avgcore.log.3
    c:\programdata\avg9\Log\avgcore.log.4
    c:\programdata\avg9\Log\avgcore.log.5
    c:\programdata\avg9\Log\avgcore.log.6
    c:\programdata\avg9\Log\avgcore.log.7
    c:\programdata\avg9\Log\avgcore.log.8
    c:\programdata\avg9\Log\avgcore.log.9
    c:\programdata\avg9\Log\avgcore.log.lock
    c:\programdata\avg9\Log\avgfrw.log
    c:\programdata\avg9\Log\avgfrw.log.lock
    c:\programdata\avg9\Log\avgldr.log
    c:\programdata\avg9\Log\avgldr.log.lock
    c:\programdata\avg9\Log\avglng.log
    c:\programdata\avg9\Log\avglng.log.lock
    c:\programdata\avg9\Log\avgns.log
    c:\programdata\avg9\Log\avgns.log.lock
    c:\programdata\avg9\Log\avgrs.log
    c:\programdata\avg9\Log\avgrs.log.1
    c:\programdata\avg9\Log\avgrs.log.lock
    c:\programdata\avg9\Log\avgscan.log
    c:\programdata\avg9\Log\avgscan.log.1
    c:\programdata\avg9\Log\avgscan.log.lock
    c:\programdata\avg9\Log\avgsched.log
    c:\programdata\avg9\Log\avgsched.log.1
    c:\programdata\avg9\Log\avgsched.log.10
    c:\programdata\avg9\Log\avgsched.log.2
    c:\programdata\avg9\Log\avgsched.log.3
    c:\programdata\avg9\Log\avgsched.log.4
    c:\programdata\avg9\Log\avgsched.log.5
    c:\programdata\avg9\Log\avgsched.log.6
    c:\programdata\avg9\Log\avgsched.log.7
    c:\programdata\avg9\Log\avgsched.log.8
    c:\programdata\avg9\Log\avgsched.log.9
    c:\programdata\avg9\Log\avgsched.log.lock
    c:\programdata\avg9\Log\avgsrm.log
    c:\programdata\avg9\Log\avgsrm.log.lock
    c:\programdata\avg9\Log\avgsrmac.log
    c:\programdata\avg9\Log\avgsrmac.log.lock
    c:\programdata\avg9\Log\avgsrmacstat.log
    c:\programdata\avg9\Log\avgsrmacstat.log.lock
    c:\programdata\avg9\Log\avgtdi.log
    c:\programdata\avg9\Log\avgtdi.log.lock
    c:\programdata\avg9\Log\avgui.log
    c:\programdata\avg9\Log\avgui.log.1
    c:\programdata\avg9\Log\avgui.log.2
    c:\programdata\avg9\Log\avgui.log.3
    c:\programdata\avg9\Log\avgui.log.4
    c:\programdata\avg9\Log\avgui.log.5
    c:\programdata\avg9\Log\avgui.log.6
    c:\programdata\avg9\Log\avgui.log.7
    c:\programdata\avg9\Log\avgui.log.lock
    c:\programdata\avg9\Log\avgupd.log
    c:\programdata\avg9\Log\avgupd.log.lock
    c:\programdata\avg9\Log\avgwd.log
    c:\programdata\avg9\Log\avgwd.log.1
    c:\programdata\avg9\Log\avgwd.log.10
    c:\programdata\avg9\Log\avgwd.log.2
    c:\programdata\avg9\Log\avgwd.log.3
    c:\programdata\avg9\Log\avgwd.log.4
    c:\programdata\avg9\Log\avgwd.log.5
    c:\programdata\avg9\Log\avgwd.log.6
    c:\programdata\avg9\Log\avgwd.log.7
    c:\programdata\avg9\Log\avgwd.log.8
    c:\programdata\avg9\Log\avgwd.log.9
    c:\programdata\avg9\Log\avgwd.log.lock
    c:\programdata\avg9\Log\avgwdsvc.log
    c:\programdata\avg9\Log\avgwdsvc.log.lock
    c:\programdata\avg9\Log\c1389002-2a69-4620-9ced-9ecf5e7d29ba
    c:\programdata\avg9\Log\commonpriv.log
    c:\programdata\avg9\Log\commonpriv.log.lock
    c:\programdata\avg9\Log\fixcfg.log
    c:\programdata\avg9\Log\fixcfg.log.lock
    c:\programdata\avg9\Log\history.xml
    c:\programdata\avg9\Log\vault.log
    c:\programdata\avg9\Log\vault.log.lock
    c:\programdata\avg9\scanlogs\I_00000001.log
    c:\programdata\avg9\scanlogs\I_00000003.log
    c:\programdata\avg9\scanlogs\I_00000539.log
    c:\programdata\avg9\scanlogs\I_00000540.log
    c:\programdata\avg9\scanlogs\I_00000541.log
    c:\programdata\avg9\scanlogs\I_00000542.log
    c:\programdata\avg9\scanlogs\I_00000543.log
    c:\programdata\avg9\scanlogs\I_00000544.log
    c:\programdata\avg9\scanlogs\I_00000545.log
    c:\programdata\avg9\scanlogs\I_00000546.log
    c:\programdata\avg9\scanlogs\I_00000547.log
    c:\programdata\avg9\scanlogs\I_00000548.log
    c:\programdata\avg9\scanlogs\I_00000549.log
    c:\programdata\avg9\scanlogs\I_00000550.log
    c:\programdata\avg9\scanlogs\I_00000551.log
    c:\programdata\avg9\scanlogs\I_00000552.log
    c:\programdata\avg9\scanlogs\I_00000553.log
    c:\programdata\avg9\scanlogs\I_00000554.log
    c:\programdata\avg9\scanlogs\I_00000555.log
    c:\programdata\avg9\scanlogs\I_00000556.log
    c:\programdata\avg9\scanlogs\I_00000557.log
    c:\programdata\avg9\scanlogs\I_00000558.log
    c:\programdata\avg9\scanlogs\I_00000559.log
    c:\programdata\avg9\scanlogs\I_00000560.log
    c:\programdata\avg9\scanlogs\I_00000561.log
    c:\programdata\avg9\scanlogs\I_00000562.log
    c:\programdata\avg9\scanlogs\I_00000563.log
    c:\programdata\avg9\scanlogs\I_00000564.log
    c:\programdata\avg9\scanlogs\I_00000565.log
    c:\programdata\avg9\scanlogs\I_00000566.log
    c:\programdata\avg9\scanlogs\I_00000567.log
    c:\programdata\avg9\scanlogs\I_00000568.log
    c:\programdata\avg9\scanlogs\I_00000569.log
    c:\programdata\avg9\scanlogs\I_00000570.log
    c:\programdata\avg9\scanlogs\I_00000571.log
    c:\programdata\avg9\scanlogs\I_00000572.log
    c:\programdata\avg9\scanlogs\I_00000573.log
    c:\programdata\avg9\scanlogs\I_00000574.log
    c:\programdata\avg9\scanlogs\I_00000575.log
    c:\programdata\avg9\scanlogs\I_00000576.log
    c:\programdata\avg9\scanlogs\I_00000577.log
    c:\programdata\avg9\scanlogs\I_00000578.log
    c:\programdata\avg9\scanlogs\I_00000579.log
    c:\programdata\avg9\scanlogs\I_00000580.log
    c:\programdata\avg9\scanlogs\I_00000581.log
    c:\programdata\avg9\scanlogs\I_00000582.log
    c:\programdata\avg9\scanlogs\I_00000583.log
    c:\programdata\avg9\scanlogs\I_00000584.log
    c:\programdata\avg9\scanlogs\I_00000585.log
    c:\programdata\avg9\scanlogs\I_00000586.log
    c:\programdata\avg9\scanlogs\I_00000587.log
    c:\programdata\avg9\scanlogs\I_00000588.log
    c:\programdata\avg9\scanlogs\srm.idx
    c:\programdata\avg9\Temp\0c337962-aa3a-4330-bbd0-a077511291c1-74c-oopp.tmp
    c:\programdata\avg9\Temp\6b0f6ab1-48f3-4009-9f0d-a7dc9ee2690a-204-oopp.tmp
    c:\programdata\avg9\Temp\7c47a01b-0c40-4c73-bbca-9c13d64b22a8-204-oopp.tmp
    c:\programdata\avg9\Temp\aa0dbd56-024b-470c-b186-69874c532916-930-oopp.tmp
    c:\programdata\avg9\Temp\b8152d0d-e718-47f0-b40c-cb2d1564d9ff-b10-oopp.tmp
    c:\programdata\avg9\Temp\becff3ef-7562-4fda-b659-3cd9df28719c-204-oopp.tmp
    c:\programdata\avg9\Temp\c7d8ac87-9f4c-4636-8ed0-5f213cb521c9-204-oopp.tmp
    c:\programdata\avg9\Temp\ca312d54-7a63-4b9b-865f-3500a9c3a039-99c-oopp.tmp
    c:\programdata\avg9\Temp\d167b600-3260-4588-9025-4e48aa852135-e44-oopp.tmp
    c:\programdata\avg9\Temp\file9514.tmp
    c:\programdata\avg9\update\backup\avg9us.lng
    c:\programdata\avg9\update\backup\avgcclix.dll
    c:\programdata\avg9\update\backup\avgchclx.dll
    c:\programdata\avg9\update\backup\avgchjwx.dll
    c:\programdata\avg9\update\backup\avgchsvx.exe
    c:\programdata\avg9\update\backup\avgcorex.dll
    c:\programdata\avg9\update\backup\avgfrw.exe
    c:\programdata\avg9\update\backup\avgldx86.sys
    c:\programdata\avg9\update\backup\avglogx.dll
    c:\programdata\avg9\update\backup\avgmfx86.sys
    c:\programdata\avg9\update\backup\avgsrmx.dll
    c:\programdata\avg9\update\backup\avgssie.dll
    c:\programdata\avg9\update\backup\avgtdix.sys
    c:\programdata\avg9\update\backup\avgtray.exe
    c:\programdata\avg9\update\backup\avgtrial_us.mht
    c:\programdata\avg9\update\backup\avgui.exe
    c:\programdata\avg9\update\backup\avgupd.dll
    c:\programdata\avg9\update\backup\avgupd.exe
    c:\programdata\avg9\update\backup\avgwd.dll
    c:\programdata\avg9\update\backup\avgxch32.dll
    c:\programdata\avg9\update\backup\cty.cty
    c:\programdata\avg9\update\backup\incavi.avm
    c:\programdata\avg9\update\backup\sb.dat
    c:\programdata\avg9\update\backup\sb.dat.xcd
    c:\programdata\avg9\update\backup\sb2.dat
    c:\programdata\avg9\update\backup\sc.dat
    c:\programdata\avg9\update\backup\sc.dat.xcd
    c:\programdata\avg9\update\prepare\temp\cty.cty
    c:\windows\system32\_ZdA4C_pw.dll
    c:\windows\system32\FmNUmhRM6-.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-06 to 2010-06-06 )))))))))))))))))))))))))))))))
    .

    2010-06-06 22:11 . 2010-06-06 22:11 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-06-06 22:11 . 2010-06-06 22:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-06-06 22:06 . 2010-06-06 22:06 -------- d-----w- C:\32788R22FWJFW
    2010-06-06 20:33 . 2010-06-06 22:12 -------- d-----w- c:\users\John\AppData\Local\temp

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-06 21:04 . 2009-12-30 05:08 34800 ----a-w- c:\programdata\nvModes.dat
    2010-06-06 19:08 . 2008-10-27 02:24 -------- d-----w- c:\program files\LimeWire
    2010-05-19 00:40 . 2008-10-27 02:25 -------- d-----w- c:\users\John\AppData\Roaming\LimeWire
    2010-05-06 16:54 . 2008-09-29 06:28 93680 ----a-w- c:\users\John\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-03 05:02 . 2010-05-03 04:31 -------- d-----w- c:\programdata\DivX
    2010-05-03 05:02 . 2010-05-03 05:02 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
    2010-05-03 04:34 . 2010-05-03 04:34 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
    2010-05-03 04:34 . 2008-10-04 21:26 -------- d-----w- c:\program files\DivX
    2010-05-03 04:34 . 2010-05-03 04:34 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-05-03 04:34 . 2010-05-03 04:34 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
    2010-05-03 04:34 . 2009-08-18 16:58 -------- d-----w- c:\program files\Common Files\DivX Shared
    2010-05-03 04:32 . 2010-05-03 04:34 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
    2010-05-03 04:31 . 2010-05-03 04:34 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
    2010-04-30 23:05 . 2010-04-04 15:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-30 23:02 . 2009-02-06 03:01 -------- d-----w- c:\program files\Maple 12
    2010-04-30 23:02 . 2010-04-04 19:27 -------- d-----w- c:\users\John\AppData\Roaming\SUPERAntiSpyware.com
    2010-04-30 23:02 . 2010-04-04 19:27 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-04-30 23:02 . 2009-06-25 14:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-04-20 01:24 . 2010-04-20 01:23 -------- d-----w- c:\users\John\AppData\Roaming\QuickScan
    2010-04-13 22:58 . 2010-04-20 01:21 670696 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    2010-04-13 22:58 . 2010-04-20 01:21 833960 ----a-w- c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    2010-04-03 17:55 . 2008-10-16 23:39 0 ----a-w- c:\users\John\AppData\Local\prvlcl.dat
    2010-03-27 02:20 . 2010-03-27 02:20 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of C:\32788R22FWJFW ----

    2010-06-06 22:06 . 2006-11-02 12:41 135168 ----a-w- c:\32788r22fwjfw\EN-US\cmd.cfxxe.mui


    ((((((((((((((((((((((((((((( SnapShot@2010-06-06_20.32.00 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-09-28 19:48 . 2010-06-06 20:27 39446 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-09-28 19:48 . 2010-06-06 21:06 39446 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2006-11-02 13:05 . 2010-06-06 20:27 46564 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 13:05 . 2010-06-06 21:06 46564 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2008-09-28 18:16 . 2010-06-06 20:27 11440 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2893342972-3071724252-3358957919-1000_UserData.bin
    + 2008-09-28 18:16 . 2010-06-06 21:06 11440 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2893342972-3071724252-3358957919-1000_UserData.bin
    - 2010-06-06 20:25 . 2010-06-06 20:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-06-06 21:04 . 2010-06-06 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2010-06-06 21:04 . 2010-06-06 21:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2010-06-06 20:25 . 2010-06-06 20:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 10:33 . 2010-06-06 21:08 621314 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-06-06 20:31 621314 c:\windows\System32\perfh009.dat
    - 2006-11-02 10:33 . 2010-06-06 20:31 104662 c:\windows\System32\perfc009.dat
    + 2006-11-02 10:33 . 2010-06-06 21:08 104662 c:\windows\System32\perfc009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-09-29 1232896]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "Google Update"="c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-10-03 133104]
    "Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-28 2935480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "sealmon.exe"="c:\program files\Oracle\Information Rights Management\Desktop\sealmon.exe" [2009-03-13 370952]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-16 141608]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux4"=wdmaud.drv

    S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [2007-06-11 968064]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000Core.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]

    2010-06-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2893342972-3071724252-3358957919-1000UA.job
    - c:\users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2009-10-03 04:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = <local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{8dbc0cf5-1736-5995-a8ad-e8562ebdf9af}\components\tb2AMjRmR.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
    FF - component: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\users\John\AppData\Local\Google\Update\1.2.183.27\npGoogleOneClick8.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
    FF - plugin: c:\users\John\AppData\Roaming\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\users\John\AppData\Roaming\Mozilla\Firefox\Profiles\707tt871.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-FmNUmhRM6- - c:\windows\system32\FmNUmhRM6-.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-06 15:12
    Windows 6.0.6000 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-06-06 15:13:06
    ComboFix-quarantined-files.txt 2010-06-06 22:13
    ComboFix2.txt 2010-06-06 20:33
    ComboFix3.txt 2010-04-18 04:21

    Pre-Run: 452,150,173,696 bytes free
    Post-Run: 452,130,607,104 bytes free

    - - End Of File - - 943BE9538DA78FDF3F5E85551FBD1C22
     
  14. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    See if you can install and run Malwarebytes now.
     
  15. 2010/06/06
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    Yeah, didn't work. Same expanding variables problem like last time =P
     
  16. 2010/06/06
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. That's fine.

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
     
  17. 2010/06/07
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    How do you attach logs to the quote, because it's too long to post?
     
  18. 2010/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can't attach it on this board.
    Try to split the log between a couple of posts.
    If it's really huge...

    Upload the file(s) here: http://uploadmb.com/
    Post download link (Direct Link).

    I just got home, so it may take a while until I reply again :)
     
  19. 2010/06/07
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    Np, thank you very much!
    http://www.uploadmb.com/dw.php?id=1275967252
    there ya go

     
  20. 2010/06/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    Print these instructions out.

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    Restart computer in Safe Mode.
    To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    o Close browsers before scanning.
    o Scan for tracking cookies.
    o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    o Click Preferences, then click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
     
  21. 2010/06/08
    AtomicTyson

    AtomicTyson Inactive Thread Starter

    Joined:
    2010/04/02
    Messages:
    70
    Likes Received:
    0
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/07/2010 at 11:40 PM

    Application Version : 4.38.1004

    Core Rules Database Version : 5045
    Trace Rules Database Version: 2857

    Scan type : Complete Scan
    Total Scan Time : 00:33:59

    Memory items scanned : 304
    Memory threats detected : 0
    Registry items scanned : 6019
    Registry threats detected : 0
    File items scanned : 61778
    File threats detected : 84

    Adware.Tracking Cookie
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.redorbit[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@d.jambomedia[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@advert.funimation[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@dc.tremormedia[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@www.redorbit[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@atlas.entrepreneur[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@chitika[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@a1.interclick[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@avgtechnologies.112.2o7[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@cgm.adbureau[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.ad4game[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@smartadx[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@adlegend[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@videoegg.adbureau[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@burstnet[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@adecn[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@collective-media[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@adv.arubamediamarketing[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@network.realmedia[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@www.stopzilla[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@imrworldwide[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@bs.serving-sys[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@msnportal.112.2o7[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ad.wsod[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@rotator.adjuggler[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@atdmt[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.techguy[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@naked[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@www.burstbeacon[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@track.webbranddeals[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@serving-sys[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@statcounter[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@adserver.adtechus[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@content.yieldmanager[3].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.undertone[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.nexon[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@viacom.adbureau[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@apmebf[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@interclick[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.bcserving[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@burstbeacon[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@www5.addfreestats[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@gtp1.acecounter[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@server.cpmstar[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@redorbit[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@nextag[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@bannertgt[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@www.burstnet[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@media6degrees[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@entrepreneur.122.2o7[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@content.yieldmanager[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@realmedia[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ad.yieldmanager[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@crackle[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@legolas-media[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@invitemedia[2].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@specificmedia[1].txt
    C:\Users\John\AppData\Roaming\Microsoft\Windows\Cookies\john@ads.smartadx[1].txt

    Adware.Flash Tracking Cookie
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\MSNTEST.SERVING-SYS.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\YAHOO.SERVING-SYS.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\COUNTDOWNPAGE.CREATEYOURCOUNTDOWN.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\WWW.PORNSTARCLUB.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\WWWSTATIC.MEGAPORN.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\CONVOAD.TECHNORATIMEDIA.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\IA.MEDIA-IMDB.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\MEDIA.IGN.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\MEDIA.MTVNSERVICES.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\MEDIA1.BREAK.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\MEDIAFORGEWS.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\OBJECTS.TREMORMEDIA.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\UDN.SPECIFICCLICK.NET
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\CRACKLE.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\WWW.CRACKLE.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\A.ADS2.MSADS.NET
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\ADS2.MSADS.NET
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\B.ADS2.MSADS.NET
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\EC.ATDMT.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\NAIADSYSTEMS.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\WWW.NAIADSYSTEMS.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\M1.2MDN.NET
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\STATIC.2MDN.NET
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\HS.INTERPOLLS.COM
    C:\Users\John\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\A46HL3KR\SECURE-US.IMRWORLDWIDE.COM

    Trojan.Agent/Gen-FakeAlert
    C:\QOOBOX\QUARANTINE\C\USERS\JOHN\APPDATA\LOCAL\GXBXKLRAN\QPNSOGSTSSD.EXE.VIR

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:57:23 PM, on 6/7/2010
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16809)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\Pando Networks\Media Booster\PMB.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\System32\notepad.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [sealmon.exe] C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 3724 bytes
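The triage a malware analyst does on a HijackThis log like the one above can be scripted. The following is an added example, not code from the forum, from HijackThis or from any tool named in this thread. It parses O4 (Run key) and O23 (service) lines in the format shown in the log and raises two weak signals that are typical of fake-antivirus droppers: an executable living under a user's profile (`\Users\<name>\AppData\`, a location any user process can write to), and a file name with almost no vowels. The sample lines are copied from the log above, with one constructed O4 entry (marked in the code) pointing at the path SUPERAntiSpyware reported in quarantine, so that a real hit appears; the `Unknown owner` vendor check and the vowel-ratio threshold are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (assumption): O4/O23 lines copied from the HijackThis log in this
# thread, plus one constructed O4 line (the [qpnsogstssd] entry) that points at the
# file SUPERAntiSpyware listed in quarantine, so the triage has something to flag.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [sealmon.exe] C:\Program Files\Oracle\Information Rights Management\Desktop\sealmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Google Update] "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [qpnsogstssd] C:\Users\John\AppData\Local\gxbxklran\qpnsogstssd.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

# "O4 - HKLM\..\Run: [name] command" and "O23 - Service: name - vendor - path"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
# Quoted path, or everything up to the first ".exe" when the path is unquoted
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)
# Anything under a user profile's AppData tree is writable by that user
APPDATA_RE = re.compile(r'\\users\\[^\\]+\\appdata\\', re.IGNORECASE)


@dataclass
class Finding:
    kind: str                    # "O4" or "O23"
    name: str                    # Run value name or service display name
    path: str                    # executable path extracted from the entry
    signals: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Two independent weak signals together are worth a closer look
        return {0: "none", 1: "review"}.get(len(self.signals), "high")


def exe_path(command: str) -> str:
    """Strip arguments and quotes from a Run command or service path."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def looks_random(stem: str, min_len: int = 6, max_vowel_ratio: float = 0.15) -> bool:
    """Heuristic (assumption): long file names with almost no vowels are often generated."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def triage_line(line: str):
    """Parse one O4 or O23 line; return a Finding, or None for other line types."""
    m = O4_RE.match(line)
    if m:
        _hive, name, command = m.groups()
        finding = Finding("O4", name, exe_path(command))
    else:
        m = O23_RE.match(line)
        if not m:
            return None
        name, vendor, path = m.groups()
        finding = Finding("O23", name, exe_path(path))
        if vendor.strip().lower() == "unknown owner":   # HijackThis wording (assumption)
            finding.signals.append("service has no vendor information")
    if APPDATA_RE.search(finding.path):
        finding.signals.append("executable lives in a user-writable profile directory")
    stem = finding.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if looks_random(stem):
        finding.signals.append("file name has almost no vowels (random-looking)")
    return finding


def triage(log_text: str):
    """All O4/O23 findings in document order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def suspicious(log_text: str):
    """Only findings that carry at least one signal, highest severity first."""
    hits = [f for f in triage(log_text) if f.signals]
    return sorted(hits, key=lambda f: len(f.signals), reverse=True)


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind} {f.name!r} -> {f.path}")
        for s in f.signals:
            print(f"         - {s}")
```

Running it against the sample gives one `high` finding (the constructed `qpnsogstssd` entry: user-writable location plus a random-looking name) and two `review` findings. Both `review` hits are legitimate and show why these are only prioritisation signals: Google Update really does run from `AppData\Local`, and `nvvsvc.exe` simply has no vowels (`msnmsgr.exe` from the same log would trip the same rule). An analyst confirms a hit the way this thread does, by checking the file's location, vendor, and what the scanners quarantined, rather than by the heuristic alone.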
     
