1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Trojan. AV security. Need assistance removing it.

Discussion in 'Malware and Virus Removal Archive' started by rpicon, 2010/06/29.

Page 1 of 3
  1. 2010/06/29
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    [Resolved] Trojan. AV security. Need assistance removing it.

    My pc has what it looks to be a trojan or malware. AV Security. It keeps closing programs and will not allow IE to connect to internet. I ran a HiJack report:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:24, on 2010-06-29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16945)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe "
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Dell\Media Experience\DMXLauncher.exe "
    O4 - HKLM\..\Run: [DLA] "C:\WINDOWS\System32\DLA\DLACTRLW.EXE "
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [kcesybnp] C:\Documents and Settings\NetworkService\Local Settings\Application Data\vawmcjvqk\pxembvytssd.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe "
    O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.23.0.11\PlaxoHelper_en.exe -a
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PlaxoSysTray] C:\Program Files\Plaxo\3.23.0.11\PlaxoSysTray.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [kcesybnp] C:\Documents and Settings\NetworkService\Local Settings\Application Data\vawmcjvqk\pxembvytssd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [kcesybnp] C:\Documents and Settings\NetworkService\Local Settings\Application Data\vawmcjvqk\pxembvytssd.exe (User 'Default user')
    O4 - Startup: Microsoft Office Groove.lnk = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Chapura SyncManager.lnk = C:\Program Files\Chapura\Chapura SyncManager\SyncMgr.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {0F733F27-5BBB-4D03-8D6B-19E2143880BF} (SkillGround Game Manager) - http://www1.skillground.com/cab1831/SkillGround.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    O16 - DPF: {25D9AA40-ED39-11D2-A038-009027078284} (UrlDownloader Class) - https://b1-www.advisorservices.com/advisorweb/file/urldownloader.cab
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249928285454
    O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260546108330
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/luxor_2/mjolauncher.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} (BejeweledTwist Control) - http://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
    O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} (FamilyFeud Control) - http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    O16 - DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} (igLoader Content on Demand) - http://www.miniclip.com/igloader/igloader.CAB
    O16 - DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} (LASDetectX Control) - https://www.laserapp.com/dev/detect/lavdetect.ocx
    O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://www.worldwinner.com/games/v44/golfsol/golfsol.cab
    O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} (WWSpades Control) - http://www.worldwinner.com/games/v54/wwspades/wwspades.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} (veoExpress.ctlVeoExpress) - https://vex.advisorservices.com/Views/VeoExpress/AdoView/Pages/veoExpress.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aribaglb.local
    O17 - HKLM\Software\..\Telephony: DomainName = aribaglb.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aribaglb.local
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

    --
    End of file - 13889 bytes

    Thank you
     
    rpicon,
    #1
  2. 2010/06/29
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Malware logs are not permitted in any forum other than the Malware & Virus Removal forum in which you should have started your thread in the first place - moved to that forum. HJT logs are no longer the starting point for analysis .....

    Please read this as indicated at the head of the forum and post the logs requested in this thread.
     
    PeteC,
    #2


  3. to hide this advert.

  4. 2010/06/29
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    Trojan. AV security. Need assistance removing it. Reply to Thread

    Thank you PeteC


    DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
    Run by rpicon at 13:43:44.34 on 2010-06-29
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1704 [GMT -4:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Rick Picon\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe "
    uRun: [PlaxoUpdate] c:\program files\plaxo\3.23.0.11\PlaxoHelper_en.exe -a
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [PlaxoSysTray] c:\program files\plaxo\3.23.0.11\PlaxoSysTray.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe "
    mRun: [DMXLauncher] "c:\program files\dell\media experience\DMXLauncher.exe "
    mRun: [DLA] "c:\windows\system32\dla\DLACTRLW.EXE "
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe "
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe "
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [<NO NAME>]
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [kcesybnp] c:\documents and settings\networkservice\local settings\application data\vawmcjvqk\pxembvytssd.exe
    dRun: [kcesybnp] c:\documents and settings\networkservice\local settings\application data\vawmcjvqk\pxembvytssd.exe
    StartupFolder: c:\docume~1\rickpi~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office12\GROOVE.EXE
    StartupFolder: c:\docume~1\rickpi~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\chapur~1.lnk - c:\program files\chapura\chapura syncmanager\SyncMgr.exe
    IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Subscribe with RSSRadio
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    Trusted Zone: advisorservices.com\www
    Trusted Zone: advisorservices.com\www1
    Trusted Zone: advisorservices.com\www2
    Trusted Zone: infinata2.com\www
    Trusted Zone: musicmatch.com\online
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
    DPF: {0F733F27-5BBB-4D03-8D6B-19E2143880BF} - hxxp://www1.skillground.com/cab1831/SkillGround.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {25D9AA40-ED39-11D2-A038-009027078284} - hxxps://b1-www.advisorservices.com/advisorweb/file/urldownloader.cab
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} - hxxps://secure.logmein.com/activex/RACtrl.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249928285454
    DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260546108330
    DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://clubgames.pogo.com/online2/pogop/luxor_2/mjolauncher.cab
    DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
    DPF: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://www.miniclip.com/igloader/igloader.CAB
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
    DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
    DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - hxxp://www.worldwinner.com/games/v54/wwspades/wwspades.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab
    DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} - hxxps://vex.advisorservices.com/Views/VeoExpress/AdoView/Pages/veoExpress.CAB
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LMIinit - LMIinit.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\rickpi~1\applic~1\mozilla\firefox\profiles\coh2bzuj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\google\google updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-22 64160]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-2 360584]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-30 333192]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-7-30 28424]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
    S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-2 285392]
    S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-4-10 3712]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2007-6-27 12856]
    S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-6-27 47640]
    S2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-2-17 34760]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2007-1-30 223128]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2009-09-28 20:45:49 17274 ----a-w- c:\program files\common files\widoho.bin
    2009-09-28 20:45:49 17153 ----a-w- c:\program files\common files\udaxefanuk._sy
    2009-09-25 21:43:13 18292 ----a-w- c:\program files\common files\cywuvulu.dll
    2009-09-25 20:27:03 19797 ----a-w- c:\program files\common files\cetokive.lib
    2009-09-25 20:27:03 18210 ----a-w- c:\program files\common files\ijofavaj.com
    2006-04-20 15:28:23 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

    ============= FINISH: 13:45:08.67 ===============
     
    rpicon,
    #3
  5. 2010/06/29
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    And the contents of Attach.txt - copy/paste into your next post here please.
     
    PeteC,
    #4
  6. 2010/06/29
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    LESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2006-03-31 13:54:53
    System Uptime: 2010-06-29 13:26:56 (0 hours ago)

    Motherboard: Dell Inc. | | 0YC523
    Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Microprocessor | 3192/800mhz
    Processor: Intel(R) Pentium(R) D CPU 3.20GHz | Microprocessor | 3192/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 109 GiB total, 36.568 GiB free.
    D: is FIXED (NTFS) - 37 GiB total, 6.035 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    O: is NetworkDisk (NTFS) - 136 GiB total, 59.928 GiB free.
    P: is NetworkDisk (NTFS) - 136 GiB total, 59.928 GiB free.
    T: is NetworkDisk (NTFS) - 136 GiB total, 59.928 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP125: 2010-03-31 17:00:06 - System Checkpoint
    RP126: 2010-04-01 17:01:30 - System Checkpoint
    RP127: 2010-04-02 18:01:31 - System Checkpoint
    RP128: 2010-04-03 19:38:00 - System Checkpoint
    RP129: 2010-04-05 16:49:21 - System Checkpoint
    RP130: 2010-04-06 16:55:50 - System Checkpoint
    RP131: 2010-04-07 21:16:19 - System Checkpoint
    RP132: 2010-04-08 21:40:16 - System Checkpoint
    RP133: 2010-04-09 22:39:51 - System Checkpoint
    RP134: 2010-04-10 23:39:00 - System Checkpoint
    RP135: 2010-04-11 23:39:42 - System Checkpoint
    RP136: 2010-04-13 00:39:47 - System Checkpoint
    RP137: 2010-04-14 01:51:43 - System Checkpoint
    RP138: 2010-04-15 02:39:38 - System Checkpoint
    RP139: 2010-04-16 04:27:38 - System Checkpoint
    RP140: 2010-04-17 05:54:37 - System Checkpoint
    RP141: 2010-04-18 07:04:01 - System Checkpoint
    RP142: 2010-04-19 12:13:52 - System Checkpoint
    RP143: 2010-04-20 12:42:05 - System Checkpoint
    RP144: 2010-04-21 14:26:00 - System Checkpoint
    RP145: 2010-04-22 15:06:05 - System Checkpoint
    RP146: 2010-04-23 15:06:41 - System Checkpoint
    RP147: 2010-04-24 16:04:49 - System Checkpoint
    RP148: 2010-04-25 16:18:01 - System Checkpoint
    RP149: 2010-04-26 16:59:33 - System Checkpoint
    RP150: 2010-04-27 17:05:51 - System Checkpoint
    RP151: 2010-04-28 18:16:20 - System Checkpoint
    RP152: 2010-04-29 18:27:57 - System Checkpoint
    RP153: 2010-04-30 18:46:01 - System Checkpoint
    RP154: 2010-05-01 18:56:38 - System Checkpoint
    RP155: 2010-05-02 18:57:45 - System Checkpoint
    RP156: 2010-05-03 19:45:44 - System Checkpoint
    RP157: 2010-05-04 20:45:37 - System Checkpoint
    RP158: 2010-05-05 21:45:40 - System Checkpoint
    RP159: 2010-05-06 22:45:03 - System Checkpoint
    RP160: 2010-05-07 22:45:53 - System Checkpoint
    RP161: 2010-05-08 23:17:27 - System Checkpoint
    RP162: 2010-05-09 23:45:21 - System Checkpoint
    RP163: 2010-05-11 00:45:21 - System Checkpoint
    RP164: 2010-05-12 01:45:15 - System Checkpoint
    RP165: 2010-05-13 02:45:13 - System Checkpoint
    RP166: 2010-05-14 04:32:45 - System Checkpoint
    RP167: 2010-05-15 05:09:01 - System Checkpoint
    RP168: 2010-05-16 05:20:59 - System Checkpoint
    RP169: 2010-05-17 05:54:42 - System Checkpoint
    RP170: 2010-05-18 06:44:02 - System Checkpoint
    RP171: 2010-05-19 07:21:57 - System Checkpoint
    RP172: 2010-05-20 07:34:29 - System Checkpoint
    RP173: 2010-05-21 08:10:30 - System Checkpoint
    RP174: 2010-05-22 08:22:30 - System Checkpoint
    RP175: 2010-05-23 09:10:19 - System Checkpoint
    RP176: 2010-05-24 10:10:17 - System Checkpoint
    RP177: 2010-05-25 13:16:23 - System Checkpoint
    RP178: 2010-05-26 13:26:30 - System Checkpoint
    RP179: 2010-05-27 14:30:11 - System Checkpoint
    RP180: 2010-05-28 15:08:25 - System Checkpoint
    RP181: 2010-05-29 15:39:53 - System Checkpoint
    RP182: 2010-05-30 16:25:21 - System Checkpoint
    RP183: 2010-05-31 16:26:20 - System Checkpoint
    RP184: 2010-06-01 16:41:41 - System Checkpoint
    RP185: 2010-06-02 17:26:19 - System Checkpoint
    RP186: 2010-06-03 17:50:05 - System Checkpoint
    RP187: 2010-06-04 18:26:14 - System Checkpoint
    RP188: 2010-06-05 19:25:44 - System Checkpoint
    RP189: 2010-06-06 19:27:01 - System Checkpoint
    RP190: 2010-06-07 20:04:08 - System Checkpoint
    RP191: 2010-06-08 20:50:17 - System Checkpoint
    RP192: 2010-06-09 22:14:09 - System Checkpoint
    RP193: 2010-06-10 22:26:09 - System Checkpoint
    RP194: 2010-06-11 23:26:07 - System Checkpoint
    RP195: 2010-06-12 23:38:06 - System Checkpoint
    RP196: 2010-06-13 23:51:05 - System Checkpoint
    RP197: 2010-06-15 00:26:03 - System Checkpoint
    RP198: 2010-06-16 01:25:57 - System Checkpoint
    RP199: 2010-06-17 02:59:02 - System Checkpoint
    RP200: 2010-06-18 05:01:58 - System Checkpoint
    RP201: 2010-06-19 05:15:26 - System Checkpoint
    RP202: 2010-06-20 05:54:07 - System Checkpoint
    RP203: 2010-06-21 07:02:52 - System Checkpoint
    RP204: 2010-06-22 07:37:52 - System Checkpoint
    RP205: 2010-06-23 08:25:50 - System Checkpoint
    RP206: 2010-06-24 08:37:50 - System Checkpoint
    RP207: 2010-06-25 09:26:54 - System Checkpoint
    RP208: 2010-06-26 09:32:20 - System Checkpoint
    RP209: 2010-06-27 16:56:21 - System Checkpoint
    RP210: 2010-06-28 17:03:26 - System Checkpoint

    ==== Installed Programs ======================


    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Ad-Aware
    Ad-Aware SE Personal
    Adobe Acrobat 8 Professional - English, Français, Deutsch
    Adobe Acrobat 8.1.0 Professional
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Shockwave Player 11.5
    AIM Pro
    AOL Uninstaller (Choose which Products to Remove)
    Apple Software Update
    AutoUpdate
    AVG Free 9.0
    Better Homes and Gardens Home Designer Suite 6.0
    Chapura SyncManager
    Classic Menu for Office
    Dell CinePlayer
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Support 3.1
    Dell System Restore
    Digital Content Portal
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    FrostWire 4.13.1.6 BETA
    GameTap
    Google
    Google Desktop
    Google Toolbar for Firefox
    Google Toolbar for Internet Explorer
    Google Updater
    High Definition Audio Driver Package - KB835221
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB896256)
    Hotfix for Windows XP (KB906569)
    Hotfix for Windows XP (KB908673)
    Hotfix for Windows XP (KB909095)
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915800)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB954550-v5)
    Intel Matrix Storage Manager
    Intel(R) PRO Network Connections Drivers
    Intel(R) PROSet for Wired Connections
    IrfanView (remove only)
    iTunes
    Java(TM) 6 Update 14
    KhalSetup
    Lavasoft VX2 Cleaner
    LimeWire 5.3.6
    Logitech SetPoint
    LogMeIn
    Macromedia Flash Player
    Malwarebytes' Anti-Malware
    MCU
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync 4.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Math Add-in for Word 2007
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office Access 2003 Runtime
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Visual J# 2.0 Redistributable Package
    Move Networks Media Player for Internet Explorer
    Mozilla Firefox (3.0.8)
    MSN
    MSXML 4.0 SP2 (KB925672)
    MSXML 4.0 SP2 (KB927978)
    MSXML 6.0 Parser (KB933579)
    Musicmatch for Windows Media Player
    Musicmatch® Jukebox
    NaviPlan Standard Offline 11.0.2.0
    Network Assistant
    NVIDIA Drivers
    Octoshape add-in for Adobe Flash Player
    Plaxo Toolbar for Windows
    PokerStars
    PokerStars.net
    PortfolioCenter
    PortfolioCenter Management Console
    QBFC3.0
    Qualxserve Service Agreement
    QuickBooks Pro 2006
    QuickBooks Simple Start Special Edition
    QuickTime
    RealPlayer Basic
    Relationship Manager
    RetCalc 2.0
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    RSSRadio
    Security Update for CAPICOM (KB931906)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    SkillGround Game Manager
    Stamps.com
    Stamps.com Address Book Support for Microsoft Outlook 97-2007
    Stamps.com Application Support for Microsoft Outlook 2000, 2002, 2003
    Stamps.com Application Support for Microsoft Word 2000, 2002, 2003
    Stamps.com support for Microsoft Outlook 2000-2007
    Stamps.com support for Microsoft Outlook 2000, 2002, 2003
    Stamps.com support for Microsoft Outlook 97-2003
    Stamps.com support for Microsoft Outlook 97-2007
    Stamps.com support for Microsoft Word 2000-2007
    Stamps.com support for Microsoft Word 2000, 2002, 2003
    SUPERAntiSpyware Free Edition
    TD AMERITRADE Statements/Confirmations Manager
    Total Access Memo 2003 Runtime
    Trojan Remover 6.8.1
    UnHackMe 5.00 release
    Update for Outlook 2007 Junk Email Filter (KB934655)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    URL Assistant
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.2
    WebCyberCoach 3.2 Dell
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 10 Hotfix - KB894476
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889673
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    WinRAR archiver
    Yahoo! Messenger

    ==== Event Viewer Messages From Past Week ========

    2010-06-29 11:12:23, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    2010-06-29 11:11:52, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm NetworkX SASDIFSV SASKUTIL sptd
    2010-06-25 20:28:13, error: W32Time [46] - The time service encountered an error and was forced to shut down. The error was: 0x800706BF

    ==== End Of File ===========================
     
    rpicon,
    #5
  7. 2010/06/29
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    I see you have P2P software ( Azures, Limewire, BitTorrent, uTorrent etc…) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
    PeteC,
    #6
  8. 2010/06/29
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    im deleting those right now
     
    rpicon,
    #7
  9. 2010/06/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.

    RESTART COMPUTER


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #8
  10. 2010/06/30
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    Database version: 4052

    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.5730.13

    2010-06-30 10:59:46
    mbam-log-2010-06-30 (10-59-46).txt

    Scan type: Quick scan
    Objects scanned: 176187
    Time elapsed: 15 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kcesybnp (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\vawmcjvqk\pxembvytssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
     
    rpicon,
    #9
  11. 2010/06/30
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    A side note here ....
    You must install SP3 by the 13th July to continue receiving security patches, etc through Windows Update. From MS ....
    Do not do this until Broni has completed this thread.
     
    PeteC,
    #10
  12. 2010/06/30
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    Thank you PeteC.
     
    rpicon,
    #11
  13. 2010/06/30
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    Broni,

    I had to run GMER in safe mode. My PC kept crashing. However, after running GMER in safe mode it looks like the scan was completed and so I pressed OK to continue, but now it gets hung up and
     
    rpicon,
    #12
  14. 2010/06/30
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    it wont let me continue.

    Thoughts?
     
    rpicon,
    #13
  15. 2010/06/30
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    Also IE is no longer working on my PC. It won't connect or it's unable to connect to the internet. I'm using FireFox.
     
    rpicon,
    #14
  16. 2010/06/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


    • * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


    • * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file ", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    ==============================================================

    Please download ComboFix from [color= "Red"]Here[/color] or [color= "#FF0000"]Here[/color] to your Desktop.

    [color= "Blue"]**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**[/color]
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results ".
      • Click on [color= "Red"]this link[/color] to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • [color= "Red"]WARNING:[/color] Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #15
  17. 2010/07/01
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    exeHelper by Raktor
    Build 20100414
    Run at 10:30:17 on 07/01/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
    rpicon,
    #16
  18. 2010/07/01
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    ComboFix 10-06-30.03 - rpicon 2010-07-01 10:49:37.7.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1424 [GMT -4:00]
    Running from: c:\documents and settings\Rick Picon\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Rick Picon\Application Data\iniasd.txt
    c:\documents and settings\Rick Picon\Cookies\jebajatuza.ban
    c:\documents and settings\Rick Picon\Cookies\jyveqyrif.bat
    c:\documents and settings\Rick Picon\Cookies\natu.pif
    c:\documents and settings\Rick Picon\Cookies\noty.reg
    c:\documents and settings\Rick Picon\Cookies\utot.db
    c:\documents and settings\Rick Picon\Cookies\uwygak.vbs
    c:\documents and settings\Rick Picon\Local Settings\Temporary Internet Files\jiridu.pif
    c:\documents and settings\Rick Picon\Local Settings\Temporary Internet Files\lybamu.ban
    c:\documents and settings\Rick Picon\Local Settings\Temporary Internet Files\ruzymobu.reg
    c:\documents and settings\Rick Picon\Local Settings\Temporary Internet Files\vatavyxyt._sy
    c:\documents and settings\Rick Picon\System
    c:\documents and settings\Rick Picon\System\win_qs8.jqx
    c:\windows\eqikymafiz._sy
    c:\windows\igysydoron.scr
    c:\windows\qeridygaci._sy
    c:\windows\utewyb.exe
    c:\windows\venufat.dll
    c:\windows\xpsp1hfm.log

    Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
    .

    2010-06-29 08:56 . 2010-06-30 14:59 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vawmcjvqk
    2010-06-29 08:55 . 2010-06-29 08:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-01 14:32 . 2006-12-28 18:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-01 05:53 . 2006-11-03 17:35 -------- d-----w- c:\program files\LogMeIn
    2010-06-30 19:26 . 2006-03-07 13:04 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-30 19:24 . 2010-01-20 22:36 -------- d-----w- c:\program files\Trojan Remover
    2010-06-30 19:21 . 2006-05-08 18:17 -------- d-----w- c:\program files\Plaxo
    2010-06-30 15:01 . 2009-03-24 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-30 14:41 . 2007-01-30 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-29 21:10 . 2006-10-17 19:55 -------- d-----w- c:\program files\LimeWire
    2010-06-29 08:55 . 2009-05-27 21:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-28 14:18 . 2006-04-11 15:30 -------- d-----w- c:\program files\Network Assistant
    2010-06-22 18:23 . 2009-10-13 16:41 -------- d-----w- c:\documents and settings\Rick Picon\Application Data\vlc
    2010-06-17 20:58 . 2010-03-01 20:48 -------- d-----w- c:\documents and settings\Rick Picon\Application Data\dvdcss
    2010-04-29 19:39 . 2009-03-24 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2009-03-24 16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-09-28 20:45 . 2009-09-28 20:45 17274 ----a-w- c:\program files\Common Files\widoho.bin
    2009-09-28 20:45 . 2009-09-28 20:45 17153 ----a-w- c:\program files\Common Files\udaxefanuk._sy
    2009-09-25 21:43 . 2009-09-25 21:43 18292 ----a-w- c:\program files\Common Files\cywuvulu.dll
    2009-09-25 20:27 . 2009-09-25 20:27 19797 ----a-w- c:\program files\Common Files\cetokive.lib
    2009-09-25 20:27 . 2009-09-25 20:27 18210 ----a-w- c:\program files\Common Files\ijofavaj.com
    2006-04-20 15:28 . 2006-04-17 18:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ------- Sigcheck -------

    [-] 2007-06-22 . 021415AD071EF3944C27DC9597ED2214 . 359808 . . [5.1.2600.2892] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2007-06-22 . 021415AD071EF3944C27DC9597ED2214 . 359808 . . [5.1.2600.2892] . . c:\windows\system32\drivers\tcpip.sys
    [7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    [7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    [7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys
    [7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB913446$\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate "= "c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe" [2009-10-01 403015]
    "PlaxoSysTray "= "c:\program files\Plaxo\3.23.0.11\PlaxoSysTray.exe" [2009-10-01 20480]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
    "AdobeUpdater "= "c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-11 2321600]
    "msnmsgr "= "c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif "= "c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
    "DMXLauncher "= "c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA "= "c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-07 169472]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2006-05-10 94208]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "Ad-Watch "= "c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

    c:\documents and settings\Rick Picon\Start Menu\Programs\Startup\
    Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2007-8-29 340856]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-25 21:44 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-10-01 18:30 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1144767884\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1144767884\\ee\\aim6.exe "=
    "c:\\Program Files\\Network Assistant\\Nassi.exe "=
    "c:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe "=
    "c:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe "=
    "c:\\StubInstaller.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\Xolox\\mldonkey\\mlnet.exe "=
    "c:\\Program Files\\Xolox\\XoloxEXE.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe "=
    "c:\\Program Files\\FrostWire\\FrostWire.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP "= 135:TCP:DCOM
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009
    "3393:TCP "= 3393:TCP:RD-Rick
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-22 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-06-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-06-23 74480]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 1029456]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-04-10 3712]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-06-27 12856]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-02-17 34760]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2007-01-30 223128]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-01-30 643072]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:49]

    2010-07-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-07 01:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Subscribe with RSSRadio
    IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
    Trusted Zone: advisorservices.com\www
    Trusted Zone: advisorservices.com\www1
    Trusted Zone: advisorservices.com\www2
    Trusted Zone: infinata2.com\www
    Trusted Zone: musicmatch.com\online
    DPF: {25D9AA40-ED39-11D2-A038-009027078284} - hxxps://b1-www.advisorservices.com/advisorweb/file/urldownloader.cab
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
    DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} - hxxps://vex.advisorservices.com/Views/VeoExpress/AdoView/Pages/veoExpress.CAB
    FF - ProfilePath - c:\documents and settings\Rick Picon\Application Data\Mozilla\Firefox\Profiles\coh2bzuj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    AddRemove-Stamps.com support for Microsoft Outlook 2000, 2002, 2003 - c:\documents and settings\All Users\Application Data\{9C763789-6B7A-4C3E-8999-8C1F2532A845}\MSOPIMstmp.exe
    AddRemove-Stamps.com support for Microsoft Outlook 97-2003 - c:\documents and settings\All Users\Application Data\{FDE4F0C9-21C9-4682-95F8-A19664E71A04}\MSOABPstmp.exe
    AddRemove-Stamps.com support for Microsoft Word 2000, 2002, 2003 - c:\documents and settings\All Users\Application Data\{DDA606F9-F8E1-4F2B-9EB2-A4CA501DA188}\MSW2KPIMstmp.exe
    AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-01 10:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(736)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2010-07-01 11:01:35
    ComboFix-quarantined-files.txt 2010-07-01 15:01
    ComboFix2.txt 2009-07-10 21:08

    Pre-Run: 41,937,813,504 bytes free
    Post-Run: 43,299,844,096 bytes free

    - - End Of File - - 63677FD60046D62EE104861F793C2575
     
    rpicon,
    #17
  19. 2010/07/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
c:\program files\Common Files\widoho.bin
c:\program files\Common Files\udaxefanuk._sy
c:\program files\Common Files\cywuvulu.dll
c:\program files\Common Files\cetokive.lib
c:\program files\Common Files\ijofavaj.com


Folder::
c:\documents and settings\NetworkService\Local Settings\Application Data\vawmcjvqk

FCopy::
c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys | c:\windows\system32\dllcache\tcpip.sys

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5577
Trusted Zone: advisorservices.com\www
Trusted Zone: advisorservices.com\www1
Trusted Zone: advisorservices.com\www2
Trusted Zone: infinata2.com\www

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
 "AntiVirusOverride "=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
 "EnableFirewall "=dword:00000001

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
    broni,
    #18
  20. 2010/07/01
    rpicon

    rpicon Inactive Thread Starter

    Joined:
    2006/12/29
    Messages:
    198
    Likes Received:
    0
    ComboFix 10-06-30.03 - rpicon 2010-07-01 12:56:46.8.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1545 [GMT -4:00]
    Running from: c:\documents and settings\Rick Picon\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Rick Picon\Desktop\CFScript.txt

    FILE ::
    "c:\program files\Common Files\cetokive.lib "
    "c:\program files\Common Files\cywuvulu.dll "
    "c:\program files\Common Files\ijofavaj.com "
    "c:\program files\Common Files\udaxefanuk._sy "
    "c:\program files\Common Files\widoho.bin "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\NetworkService\Local Settings\Application Data\vawmcjvqk
    c:\program files\Common Files\cetokive.lib
    c:\program files\Common Files\cywuvulu.dll
    c:\program files\Common Files\ijofavaj.com
    c:\program files\Common Files\udaxefanuk._sy
    c:\program files\Common Files\widoho.bin

    .
    --------------- FCopy ---------------

    c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys --> c:\windows\system32\drivers\tcpip.sys
    c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys --> c:\windows\system32\dllcache\tcpip.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
    .

    2010-06-29 08:55 . 2010-06-29 08:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-01 16:55 . 2006-12-28 18:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-01 15:38 . 2010-02-04 16:07 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-01 05:53 . 2006-11-03 17:35 -------- d-----w- c:\program files\LogMeIn
    2010-06-30 19:26 . 2006-03-07 13:04 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-30 19:24 . 2010-01-20 22:36 -------- d-----w- c:\program files\Trojan Remover
    2010-06-30 19:21 . 2006-05-08 18:17 -------- d-----w- c:\program files\Plaxo
    2010-06-30 15:01 . 2009-03-24 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-30 14:41 . 2007-01-30 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-29 21:10 . 2006-10-17 19:55 -------- d-----w- c:\program files\LimeWire
    2010-06-29 08:55 . 2009-05-27 21:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-28 14:18 . 2006-04-11 15:30 -------- d-----w- c:\program files\Network Assistant
    2010-06-22 18:23 . 2009-10-13 16:41 -------- d-----w- c:\documents and settings\Rick Picon\Application Data\vlc
    2010-06-17 20:58 . 2010-03-01 20:48 -------- d-----w- c:\documents and settings\Rick Picon\Application Data\dvdcss
    2010-04-29 19:39 . 2009-03-24 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-29 19:39 . 2009-03-24 16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2006-04-20 15:28 . 2006-04-17 18:07 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-01_14.59.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-07-01 15:38 . 2010-07-01 15:38 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
    + 2010-07-01 15:38 . 2010-07-01 15:38 20242432 c:\windows\Installer\2e720a.msp
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PlaxoUpdate "= "c:\program files\Plaxo\3.23.0.11\PlaxoHelper_en.exe" [2009-10-01 403015]
    "PlaxoSysTray "= "c:\program files\Plaxo\3.23.0.11\PlaxoSysTray.exe" [2009-10-01 20480]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-07 68856]
    "AdobeUpdater "= "c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-06-11 2321600]
    "msnmsgr "= "c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif "= "c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
    "DMXLauncher "= "c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "DLA "= "c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-07 169472]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
    "Acrobat Assistant 8.0 "= "c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
    "Logitech Hardware Abstraction Layer "= "KHALMNPR.EXE" [2006-05-10 94208]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
    "Ad-Watch "= "c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-07-09 7110656]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

    c:\documents and settings\Rick Picon\Start Menu\Programs\Startup\
    Microsoft Office Groove.lnk - c:\program files\Microsoft Office\Office12\GROOVE.EXE [2007-8-29 340856]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-25 21:44 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-10-01 18:30 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0Partizan

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1144767884\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\Common Files\\AOL\\1144767884\\ee\\aim6.exe "=
    "c:\\Program Files\\Network Assistant\\Nassi.exe "=
    "c:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\SPTServer.exe "=
    "c:\\Program Files\\Schwab Performance Technologies\\PortfolioCenter\\PortfolioCenter.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe "= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe "= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe "= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe "=
    "c:\\StubInstaller.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\Xolox\\mldonkey\\mlnet.exe "=
    "c:\\Program Files\\Xolox\\XoloxEXE.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe "=
    "c:\\Program Files\\FrostWire\\FrostWire.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "135:TCP "= 135:TCP:DCOM
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009
    "3393:TCP "= 3393:TCP:RD-Rick
    "26675:TCP "= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-22 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-06-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-06-23 74480]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-04-10 3712]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-06-27 12856]
    S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-01-30 643072]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 1029456]
    S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-02-17 34760]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-06-23 7408]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2007-01-30 223128]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 22:49]

    2010-07-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-07 01:11]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
    mSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Subscribe with RSSRadio
    IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
    Trusted Zone: musicmatch.com\online
    DPF: {25D9AA40-ED39-11D2-A038-009027078284} - hxxps://b1-www.advisorservices.com/advisorweb/file/urldownloader.cab
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {DC4B2445-4A2C-46FF-BAAE-C0FBB45D866D} - hxxps://www.laserapp.com/dev/detect/lavdetect.ocx
    DPF: {FF0F7B6E-D733-11D7-8088-0001024743E4} - hxxps://vex.advisorservices.com/Views/VeoExpress/AdoView/Pages/veoExpress.CAB
    FF - ProfilePath - c:\documents and settings\Rick Picon\Application Data\Mozilla\Firefox\Profiles\coh2bzuj.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://finance.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=
    FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************
    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(736)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2010-07-01 13:01:52
    ComboFix-quarantined-files.txt 2010-07-01 17:01
    ComboFix2.txt 2010-07-01 15:01
    ComboFix3.txt 2009-07-10 21:08

    Pre-Run: 43,187,679,232 bytes free
    Post-Run: 43,186,323,456 bytes free

    - - End Of File - - C1739599AD9341FDB4DC2AB3BBDD7652
     
    rpicon,
    #19
  21. 2010/07/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)
    How is your computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall "
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
    broni,
    #20
Page 1 of 3

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...