Solved: Also have the iexplore.exe problem

Discussion in 'Malware and Virus Removal Archive' started by csbrinkm, 2009/07/28.

  1. 2009/07/28
    csbrinkm (Inactive, Thread Starter)

    [Resolved] Also have the iexplore.exe problem

    I have been having some unusual popups and processes running, including iexplore.exe, which will pop back up right after I end the process. I am also having trouble installing and running any new security programs which I've tried to download to solve the problem. I ran HijackThis on my system. Thank you for any help!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:07:53 AM, on 7/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\rminstall.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    F3 - REG:win.ini: load=c:\\parisisgay.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8EFF1A74-2AAC-46A9-9B50-CA6EAFA4A4D0} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O18 - Filter hijack: text/html - {2DC9CB6E-DF7E-4AE8-888C-25458EA87180} - (no file)
    O18 - Filter: text/plain - {2DC9CB6E-DF7E-4AE8-888C-25458EA87180} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\theone\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 10008 bytes
     
  2. 2009/07/28
    PeteC (SuperGeek, Staff)

    Welcome To WindowsBBS :)

    Please read this as indicated at the head of the forum and post the logs requested in this thread.

    An HJT log is not sufficient these days.
     
  4. 2009/07/28
    csbrinkm (Inactive, Thread Starter)

    DDS Log

    I attempted to uninstall AVG 8.5 and use Symantec, but AVG is still showing that it is running. I have run scans with AVG and Spybot, but nothing is showing up as infected. Below is the DDS log.

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Owner at 11:57:23.70 on Tue 07/28/2009
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.130 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\alg.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\dds.pif
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uWindow Title = Microsoft Internet Explorer provided by Mediacom Online
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
    uWindows: load=c:\\parisisgay.exe
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    {8eff1a74-2aac-46a9-9b50-ca6eafa4a4d0}
    TB: {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - No File
    TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [SunJavaUpdateSched] c:\program files\java\j2re1.4.2_05\bin\jusched.exe
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [PS2] c:\windows\system32\ps2.exe
    mRun: [<NO NAME>]
    mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe "
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe "
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} - hxxps://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} - hxxp://asp.mathxl.com/books/_Players/EconPlayer.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
    Notify: !SASWinLogon - c:\program files\theone\SASWINLO.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\theone\SASSEH.DLL
    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\fow419ze.default\
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJava11.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJava12.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJava13.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJava14.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJava32.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPJPI142_05.dll
    FF - plugin: c:\program files\java\j2re1.4.2_05\bin\NPOJI610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPJava11.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPJava12.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPJava13.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPJava32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPJPI141_01.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPOJI610.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");
    ============= SERVICES / DRIVERS ===============

    R0 PSA128F;PSA128F;c:\windows\system32\drivers\PSA128F.SYS [2004-9-27 12390]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-17 335752]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-17 27784]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-8-14 108392]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-12-8 2440120]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-7-19 101936]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090719.024\NAVENG.SYS [2009-7-19 87888]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090719.024\NAVEX15.SYS [2009-7-19 875728]
    S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-17 298776]
    S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
    S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\lsipnds.sys --> c:\windows\system32\drivers\LSIPNDS.sys [?]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2003-4-4 30336]
    S3 psa128s;psa128s;c:\windows\system32\drivers\psa128s.sys [2004-9-27 52335]
    S3 psa128u;Nike psa[128max Player Control Driver;c:\windows\system32\drivers\psa128u.sys [2004-9-27 36612]
    S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys --> c:\windows\system32\drivers\ulink.sys [?]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-13 24652]

    =============== Created Last 30 ================

    2009-07-28 00:58 <DIR> --d----- c:\program files\theone
    2009-07-28 00:58 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
    2009-07-28 00:48 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
    2009-07-20 10:53 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-20 10:53 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-07-20 10:53 <DIR> --d----- c:\program files\M123
    2009-07-20 10:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-07-20 01:17 <DIR> --dsh--- c:\windows\system32\lowsec
    2009-07-19 14:19 389,120 a------- c:\windows\system32\CF10743.exe
    2009-07-19 12:51 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-07-19 12:51 60,800 a------- c:\windows\system32\S32EVNT1.DLL
    2009-07-19 12:51 10,563 a------- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-07-19 12:51 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
    2009-07-19 12:50 <DIR> --d----- c:\program files\Symantec
    2009-07-09 18:35 <DIR> --d----- c:\windows\pss
    2009-07-09 18:02 1,082,903 a------- c:\windows\system32\rn.tmp

    ==================== Find3M ====================

    2009-07-04 08:01 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-07-01 09:23 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
    2004-09-22 20:06 31,056 a------- c:\docume~1\owner\applic~1\GDIPFONTCACHEV1.DAT
    2004-10-25 08:23 56 ---shr-- c:\windows\system32\D9F73121DB.sys
    2008-08-06 19:40 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080620080807\index.dat

    ============= FINISH: 11:59:09.67 ===============
     
  5. 2009/07/28
    csbrinkm (Inactive, Thread Starter)

    Attach Log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/18/2004 11:47:20 PM
    System Uptime: 7/28/2009 12:51:40 AM (0 hours ago)

    Motherboard: ASUSTek Computer INC. | | Kelut
    Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2099/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 145 GiB total, 92.081 GiB free.
    D: is FIXED (FAT32) - 4 GiB total, 0.594 GiB free.
    E: is CDROM (CDFS)
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\8D9EA8E01800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\8D9EA8E01800
    Service: NIC1394

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================


    ==== Event Viewer Messages From Past Week ========

    7/28/2009 7:29:45 AM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer AMRO that believes that it is the master browser for the domain on transport NetBT_Tcpip_{75142EF7-2A90-4D32-9B50. The master browser is stopping or an election is being forced.
    7/28/2009 12:57:30 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the file 'MSI543e8.tmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    7/28/2009 12:47:41 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the file 'MSI46203.tmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    7/28/2009 12:46:12 AM, error: Service Control Manager [7000] - The SYMTDI service failed to start due to the following error: A device attached to the system is not functioning.
    7/28/2009 12:45:01 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SYMTDI
    7/28/2009 12:45:01 AM, error: Service Control Manager [7024] - The AVG8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
    7/28/2009 12:37:19 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the file 'MSId9cbf.tmp' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    7/28/2009 12:26:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
    7/28/2009 12:26:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
    7/28/2009 12:26:00 AM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    7/28/2009 12:26:00 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

    ==== End Of File ===========================
     
  6. 2009/07/28
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Thanks :)

    One of our trained malware analysts will take a look at your logs ASAP, but it may be a day or so before you get a response as they are always very busy. All logs are dealt with in the order received.

    Thank you for your patience.
     
  7. 2009/07/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please use AVG Remover: http://www.avg.com/download-tools


    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double-click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.
     
  8. 2009/07/28
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    combofix log

    I ran the AVG uninstaller, but ComboFix said it still detected an AVG file. I went on with ComboFix.


    ComboFix 09-07-28.01 - Owner 07/28/2009 19:29.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.142 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\WinPCap
    c:\program files\WinPCap\daemon_mgm.exe
    c:\program files\WinPCap\INSTALL.LOG
    c:\program files\WinPCap\npf_mgm.exe
    c:\program files\WinPCap\rpcapd.exe
    c:\program files\WinPCap\Uninstall.exe
    c:\recycler\S-1-5-21-1180975056-3221489076-3856198511-1003
    C:\test.txt
    c:\windows\Installer\1518a.msp
    c:\windows\Installer\326388b.msi
    c:\windows\Installer\888e0.msi
    c:\windows\Installer\88911.msi
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\lowsec
    c:\windows\system32\lowsec\local.ds
    c:\windows\system32\lowsec\user.ds
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\sdra64.exe
    c:\windows\system32\UACbpxxucxgxipaaycoy.db
    c:\windows\system32\UACiexdevpcrdqqhycta.dll
    c:\windows\system32\uacinit.dll
    c:\windows\system32\uactmp.db
    c:\windows\system32\UACvyoycucruxgbawbpe.dll
    c:\windows\system32\UACxtsvqtijtavtahxwb.dat
    c:\windows\system32\wpcap.dll
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NPF
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-28 )))))))))))))))))))))))))))))))
    .

    2009-07-28 22:57 . 2009-07-28 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-07-19 16:51 . 2009-07-19 18:31 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-07-19 16:51 . 2009-07-19 18:31 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-07-19 16:50 . 2009-01-21 19:24 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\WindowsInstaller-KB893803-x86.exe
    2009-07-19 16:50 . 2009-01-21 19:24 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\smcinst.exe
    2009-07-19 16:50 . 2009-01-21 19:24 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\Setup.exe
    2009-07-19 16:50 . 2009-01-21 19:24 927088 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\LuCheck.exe
    2009-07-19 16:50 . 2009-01-21 19:24 3554472 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\LUSETUP.EXE
    2009-07-19 16:50 . 2009-07-19 18:31 -------- d-----w- c:\program files\Symantec
    2009-07-19 12:06 . 2009-07-01 13:23 353048 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
    2009-07-19 12:06 . 2009-07-04 12:01 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
    2009-07-19 12:06 . 2009-07-01 13:23 2301208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
    2009-07-19 03:36 . 2009-07-19 03:36 -------- d-----w- c:\program files\Windows Defender
    2009-07-11 03:41 . 2009-07-04 12:01 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    2009-07-11 03:41 . 2009-07-04 12:01 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
    2009-07-04 12:02 . 2009-07-01 13:23 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
    2009-07-04 12:02 . 2009-07-01 13:22 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
    2009-07-04 12:02 . 2009-07-01 13:22 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
    2009-07-04 12:01 . 2009-07-01 13:21 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
    2009-07-04 12:01 . 2009-07-01 13:21 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-20 02:34 . 2008-06-17 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-07-19 18:31 . 2009-07-19 16:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-07-19 18:31 . 2009-07-19 16:51 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-07-19 16:54 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-07-19 16:54 . 2004-04-03 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-07-19 10:53 . 2007-08-22 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-07-19 07:06 . 2007-12-18 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-07-19 03:23 . 2004-10-29 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-19 03:15 . 2004-10-29 06:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-09 22:37 . 2004-09-19 19:11 -------- d-----w- c:\program files\AIM
    2009-07-09 22:37 . 2004-09-19 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
    2009-07-09 22:02 . 2009-07-09 22:02 1082903 ----a-w- c:\windows\system32\rn.tmp
    2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-12 07:49 . 2004-04-02 09:49 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-01 22:23 . 2004-04-02 09:49 -------- d-----w- c:\program files\InterVideo
    2009-06-01 22:16 . 2007-04-18 06:21 -------- d-----w- c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
    2009-05-07 15:32 . 2004-04-29 23:03 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-07-15 20:30 . 2009-07-19 16:56 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2004-10-25 12:23 . 2004-10-25 12:16 56 --sh--r- c:\windows\system32\D9F73121DB.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck "= "c:\windows\system32\dumprep 0 -u" [X]
    "SunJavaUpdateSched "= "c:\program files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 32881]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2 "= "c:\windows\system32\ps2.exe" [2003-09-13 98304]
    "UpdateManager "= "c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "HP Component Manager "= "c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Windows Defender "= "c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "ccApp "= "c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
    "AGRSMMSG "= "AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\WINDOWS\\system32\\mshta.exe "=
    "c:\\StubInstaller.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\AIM6\\aim6.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Documents and Settings\\Owner\\My Documents\\Utorrent-1.2.1.exe "=
    "c:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe "=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE "=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "=

    R0 PSA128F;PSA128F;c:\windows\system32\drivers\PSA128F.SYS [9/27/2004 12:03 AM 12390]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/19/2009 10:22 PM 101936]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
    S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\DRIVERS\LSIPNDS.sys --> c:\windows\system32\DRIVERS\LSIPNDS.sys [?]
    S3 psa128s;psa128s;c:\windows\system32\drivers\psa128s.sys [9/27/2004 12:03 AM 52335]
    S3 psa128u;Nike psa[128max Player Control Driver;c:\windows\system32\drivers\psa128u.sys [9/27/2004 12:03 AM 36612]
    S3 Usblink;Usblink Driver;c:\windows\system32\Drivers\ulink.sys --> c:\windows\system32\Drivers\ulink.sys [?]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/13/2009 7:37 PM 24652]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8EFF1A74-2AAC-46A9-9B50-CA6EAFA4A4D0} - (no file)
    Notify-!SASWinLogon - (no file)
    Notify-avgrsstarter - avgrsstx.dll
    Notify-NavLogon - (no file)
    SafeBoot-Symantec Antvirus


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fow419ze.default\
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI141_01.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.enforce_same_site_origin ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.cache_size ", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.ogg.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.wave.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "media.autoplay.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.urlbar.autocomplete.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "capability.policy.mailnews.*.wholeText ", "noAccess ");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.storage.default_quota ", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "content.sink.event_probe_rate ", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.http.prompt-temp-redirect ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "layout.css.dpi ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "layout.css.devPixelsPerPx ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "gestures.enable_single_finger_input ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.max_chrome_script_run_time ", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.tcp.sendbuffer ", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "geo.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr ", "moz35 ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-cjkt ", "moz35 ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.blocklist.level ", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.urlbar.restrict.typed ", "~ ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.urlbar.default.behavior ", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.history ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.formdata ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.passwords ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.downloads ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cookies ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.cache ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.sessions ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.offlineApps ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.clearOnShutdown.siteSettings ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.history ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.formdata ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.passwords ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.downloads ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cookies ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.cache ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.sessions ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.offlineApps ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.cpd.siteSettings ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "privacy.sanitize.migrateFx3Prefs ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.ssl_override_behavior ", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "security.alternate_certificate_error_page ", "certerror ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.autostart ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.privatebrowsing.dont_prompt_on_enter ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "geo.wifi.uri ", "https://www.google.com/loc/json ");
    .

    **************************************************************************

    catchme 0.3.1398.3 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-28 19:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
    "ImagePath "= "\??\c:\windows\system32\Drivers\HNPsSdk.drv "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3656)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\system32\drivers\dcfssvc.exe
    c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
    c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-28 19:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-28 23:59

    Pre-Run: 98,764,525,568 bytes free
    Post-Run: 98,650,181,632 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
    276 --- E O F --- 2009-07-19 07:06
     
  9. 2009/07/28
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    New HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08:37 PM, on 7/28/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis(2).exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 8478 bytes
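The O18, O23 and O16 lines above are the ones a malware analyst reads first: registry hooks whose target file is gone ("(no file)", "(file missing)"), services with no recorded vendor, and downloaded ActiveX controls from third-party hosts. The following script is an added example, not code from the thread or from HijackThis; it triages exactly those patterns over a few O-lines copied from the log above. The trusted-domain list for O16 entries and the finding labels are assumptions of the example.

```python
import re
from urllib.parse import urlparse

# Sample input: a handful of O-lines copied from the HijackThis log above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
# Hosts treated as first-party for ActiveX (O16) downloads; an assumption of this example.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com")


def host_in(host, domains):
    """Exact or subdomain match, so 'evilmicrosoft.com' does not pass as 'microsoft.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_entries(log_text):
    """Yield (section, body) for every 'Onn - ...' line; header lines are ignored."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (section, reason, detail) findings worth a second look."""
    findings = []
    for section, body in parse_entries(log_text):
        # A registry hook whose target no longer exists: leftover of an uninstall,
        # or of a deleted component that something may try to re-create.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append((section, "dangling-target", body))
        # Services for which HijackThis found no vendor string.
        if section == "O23" and " - Unknown owner - " in body:
            findings.append((section, "unknown-owner", body))
        # Downloaded ActiveX controls: list anything not hosted on a trusted domain.
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if not host_in(host, TRUSTED_DPF_DOMAINS):
                findings.append((section, "third-party-activex", host))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:20} {detail}")
```

On the sample it reports the Pearson ActiveX host, the orphaned linkscanner protocol handler, and the rpcapd service twice (missing binary and unknown owner); the Spybot, Groove and Bonjour entries are left alone. A dangling entry is not proof of infection, only a pointer to something that was removed or never finished installing, which is why the analyst asks for a fresh log after each cleanup pass.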
     
  10. 2009/07/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
1. Please open Notepad
• Click Start, then Run
• Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\rn.tmp
    c:\windows\system32\D9F73121DB.sys
    
    
    Folder::
    c:\documents and settings\All Users\Application Data\avg8
    
    
    Driver::
    
    Registry::
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
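ComboFix deletes the File:: targets without reporting a hash, so once the script has run there is nothing left to look up later. The following script is an added example, not part of the post or of ComboFix; it parses the CFScript above, records size and SHA-256 of each File:: target before the run, and afterwards lists any target that is still present (or has been re-created). The demo works on stand-in files with constructed contents in a temporary directory, not on the real system32 paths.

```python
import hashlib
import os
import tempfile

# The CFScript from the post above, embedded so the example runs offline.
CFSCRIPT = r"""File::
c:\windows\system32\rn.tmp
c:\windows\system32\D9F73121DB.sys

Folder::
c:\documents and settings\All Users\Application Data\avg8

Driver::

Registry::

RegLockDel::
"""


def parse_cfscript(text):
    """Map each 'Name::' directive to the list of entries under it (empty list if none)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Size and SHA-256 of every File:: target that exists; None for ones already gone."""
    return {p: ({"size": os.path.getsize(p), "sha256": sha256_of(p)} if os.path.isfile(p) else None)
            for p in paths}


def still_present(paths):
    """After the run: targets that survived or were re-created."""
    return [p for p in paths if os.path.exists(p)]


def demo():
    """Walk-through on stand-in files in a temp directory (constructed, not the real system32)."""
    script = parse_cfscript(CFSCRIPT)
    with tempfile.TemporaryDirectory() as tmp:
        names = [p.replace("\\", "/").rsplit("/", 1)[-1] for p in script["File"]]
        targets = [os.path.join(tmp, n) for n in names]
        with open(targets[0], "wb") as f:
            f.write(b"constructed sample bytes")   # stand-in content for rn.tmp
        open(targets[1], "wb").close()              # empty stand-in for the .sys file
        before = {n: snapshot([t])[t] for n, t in zip(names, targets)}
        os.remove(targets[0])                       # simulate ComboFix removing one target
        survivors = [os.path.basename(p) for p in still_present(targets)]
    return script, before, survivors


if __name__ == "__main__":
    script, before, survivors = demo()
    for name, info in before.items():
        print(name, info)
    print("still present after run:", survivors)
```

Run the snapshot step before dragging CFScript.txt onto ComboFix.exe and the check step after the reboot; a target that reappears in the second list is the signal that something is still re-creating it, which is what the follow-up ComboFix.txt and HijackThis logs are meant to show.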
     
  11. 2009/07/29
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    New CFlog

    ComboFix 09-07-29.03 - Owner 07/30/2009 0:22.2.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.229 [GMT -4:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

    FILE ::
    "c:\windows\system32\D9F73121DB.sys "
    "c:\windows\system32\rn.tmp "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\avg8
    c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\mail.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\setup.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\updateall.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\updatecomps.cfg
    c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
    c:\documents and settings\All Users\Application Data\avg8\cfgall\changecfgreg.cfg
    c:\documents and settings\All Users\Application Data\avg8\cfgall\updateall.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.10
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.11
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.12
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.13
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.14
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.15
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.16
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.17
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.18
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.19
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.20
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.3
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.4
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.5
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.6
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.7
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.8
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.9
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.10
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.3
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.4
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.5
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.6
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.7
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.8
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.9
    c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgldr.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgldr.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgns.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgns.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.10
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.3
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.4
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.5
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.6
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.7
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.8
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.9
    c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.10
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.3
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.4
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.5
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.6
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.7
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.8
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.9
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avguilog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.1
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.10
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.2
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.3
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.4
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.5
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.6
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.7
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.8
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.9
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log
    c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\avildr.log
    c:\documents and settings\All Users\Application Data\avg8\Log\cfgexlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\cfglog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log
    c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\commonpub.log
    c:\documents and settings\All Users\Application Data\avg8\Log\commonpub.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\corelog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\fixcfg.log
    c:\documents and settings\All Users\Application Data\avg8\Log\fixcfg.log.lock
    c:\documents and settings\All Users\Application Data\avg8\Log\history.xml
    c:\documents and settings\All Users\Application Data\avg8\Log\ldrlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\lnglog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\nslog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\privlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\publog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\rslog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\scanlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\schedlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\srmlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\updlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\vaultlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\wdlog.cfg
    c:\documents and settings\All Users\Application Data\avg8\Log\wdsvclog.cfg
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000001.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000005.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000006.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000007.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000008.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000009.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000010.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000011.log
    c:\documents and settings\All Users\Application Data\avg8\scanlogs\srm.idx
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avg8us.lng
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
    c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
    c:\documents and settings\All Users\Application Data\avg8\update\backup\incavi.avm
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sb2.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\searchshield.jar
    c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.dat
    c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
    c:\documents and settings\All Users\Application Data\avg8\update\backup\setupus.lns
    c:\documents and settings\All Users\Application Data\avg8\update\download\avginfoavi.ctf
    c:\documents and settings\All Users\Application Data\avg8\update\download\avginfowin.ctf
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8bnr319rw.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8bnr385jx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8bnr387r385u4.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8bnr388r3871h.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8core375rw.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8core384r375k2.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8core387r384u0.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8corex354rw.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8corex384r354k2.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8eml373r336rz.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8eml390r3731f.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8fc368w.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8hlpus373rw.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8hlpus384r373k7.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8krnl371rw.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8krnl385r371k3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8krnl391r3851f.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lngus373rw.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lngus386r373k0.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lngus392r3861c.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lsff370rx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lsff385r370k3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lsff392r3851f.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8lsiex392r3101f.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8ns359rx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8ns384r359k3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8rsx370rx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8setup371rx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8setup385r371k3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8ui359rx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8ui384r359k3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8ui392r3841f.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8upd374rx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\f8upd385r374k4.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1576u149525.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1577u149561.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1578u1495q1.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1580u1495do.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1582u1495wh.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1583u1495el.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1584u1495y3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1585u1495ig.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1586u14956z.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1587u1495qb.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1588u1495ue.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1589u14952b.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1590u132319.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1591u1590zx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1592u15901r.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1593u1590pg.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1594u1590di.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1595u1590y1.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1596u1590lj.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1597u15905j.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1598u1590pm.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1599u1590xz.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1600u15901x.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1609u1590u2.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7avi1610u1590i0.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2188u218726.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2189u2188mm.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2190u218962.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2191u2190q1.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2193u2191do.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2195u2193wi.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2196u2195em.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2197u2196y4.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2198u2197ih.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2199u219832.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2200u2199dp.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2201u220070.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2202u2201qb.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2203u2202a6.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2204u2203uf.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2205u2204e8.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2206u2205yb.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2207u22062c.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2208u2207ma.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2209u22081a.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2210u2209qu.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2211u2210zx.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2212u2211hd.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2213u22121s.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2214u2213lf.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2215u22145s.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2216u2215ph.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2217u22169y.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2218u2217di.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2219u2218y1.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2220u2219hj.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2221u2220lk.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2222u22215k.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2223u2222pn.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2224u22239k.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2226u22249.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2227u2226do.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2228u2227y0.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2229u2228jo.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2230u22291y.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2247u22263o.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2248u2247i1.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\u7iavi2249u224824.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_61d60l3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_62d61qm.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_63d62po.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb_64d63n3.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb2_77l4.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb2_79pp.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb2_80qm.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsb2_81po.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_88yk.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_89d88po.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_91d89xm.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_92d91hp.bin
    c:\documents and settings\All Users\Application Data\avg8\update\download\x8xplsc_93d92s9.bin
    c:\documents and settings\All Users\Application Data\avg8\update\prepare\incavi.avm
    c:\documents and settings\All Users\Application Data\avg8\update\prepare\sb.dat.prepare
    c:\documents and settings\All Users\Application Data\avg8\update\prepare\sc.dat.prepare
    c:\windows\system32\D9F73121DB.sys

    .
    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
    .

    2009-07-28 22:57 . 2009-07-28 22:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-07-19 16:51 . 2009-07-19 18:31 60800 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-07-19 16:51 . 2009-07-19 18:31 123952 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-07-19 16:50 . 2009-01-21 19:24 2584848 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\WindowsInstaller-KB893803-x86.exe
    2009-07-19 16:50 . 2009-01-21 19:24 669000 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\smcinst.exe
    2009-07-19 16:50 . 2009-01-21 19:24 300432 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\Setup.exe
    2009-07-19 16:50 . 2009-01-21 19:24 927088 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\LuCheck.exe
    2009-07-19 16:50 . 2009-01-21 19:24 3554472 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\Cached Installs\{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}\LUSETUP.EXE
    2009-07-19 16:50 . 2009-07-19 18:31 -------- d-----w- c:\program files\Symantec
    2009-07-19 03:36 . 2009-07-19 03:36 -------- d-----w- c:\program files\Windows Defender

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-19 18:31 . 2009-07-19 16:51 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-07-19 18:31 . 2009-07-19 16:51 10563 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-07-19 16:54 . 2004-04-03 08:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-07-19 16:54 . 2004-04-03 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-07-19 10:53 . 2007-08-22 15:54 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-07-19 07:06 . 2007-12-18 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-07-19 03:23 . 2004-10-29 06:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-19 03:15 . 2004-10-29 06:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-07-09 22:37 . 2004-09-19 19:11 -------- d-----w- c:\program files\AIM
    2009-07-09 22:37 . 2004-09-19 19:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Aim
    2009-06-29 16:12 . 2004-01-22 07:16 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2004-04-29 23:01 17408 ----a-w- c:\windows\system32\corpol.dll
    2009-06-16 14:36 . 2004-04-29 23:02 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-04-29 21:08 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-12 07:49 . 2004-04-02 09:49 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-03 19:09 . 2003-05-31 00:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-06-01 22:23 . 2004-04-02 09:49 -------- d-----w- c:\program files\InterVideo
    2009-06-01 22:16 . 2007-04-18 06:21 -------- d-----w- c:\program files\Easy MPEG AVI DIVX WMV RM to DVD
    2009-05-07 15:32 . 2004-04-29 23:03 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-07-15 20:30 . 2009-07-19 16:56 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-07-28_23.50.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 23:41 . 2009-07-11 23:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
    - 2004-04-29 21:06 . 2009-04-29 04:56 44544 c:\windows\system32\pngfilt.dll
    + 2004-04-29 21:06 . 2009-06-29 16:12 44544 c:\windows\system32\pngfilt.dll
    - 2006-11-08 02:03 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
    + 2006-11-08 02:03 . 2009-06-29 16:12 52224 c:\windows\system32\msfeedsbs.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 27648 c:\windows\system32\jsproxy.dll
    + 2004-04-29 23:02 . 2009-06-29 16:12 27648 c:\windows\system32\jsproxy.dll
    - 2006-11-07 08:26 . 2009-04-28 09:05 13824 c:\windows\system32\ieudinit.exe
    + 2006-11-07 08:26 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
    + 2004-04-29 23:02 . 2009-06-29 16:12 44544 c:\windows\system32\iernonce.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 44544 c:\windows\system32\iernonce.dll
    - 2004-04-29 23:02 . 2009-04-28 09:05 70656 c:\windows\system32\ie4uinit.exe
    + 2004-04-29 23:02 . 2009-06-29 11:07 70656 c:\windows\system32\ie4uinit.exe
    - 2006-10-17 16:58 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
    + 2006-10-17 16:58 . 2009-06-29 16:12 63488 c:\windows\system32\icardie.dll
    - 2006-05-10 05:23 . 2009-04-29 04:56 44544 c:\windows\system32\dllcache\pngfilt.dll
    + 2006-05-10 05:23 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\pngfilt.dll
    + 2007-06-27 14:34 . 2009-06-29 16:12 52224 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2007-06-27 14:34 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2006-05-10 05:22 . 2009-04-29 04:55 27648 c:\windows\system32\dllcache\jsproxy.dll
    + 2006-05-10 05:22 . 2009-06-29 16:12 27648 c:\windows\system32\dllcache\jsproxy.dll
    + 2007-06-27 08:27 . 2009-06-29 11:07 13824 c:\windows\system32\dllcache\ieudinit.exe
    - 2007-06-27 08:27 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
    + 2006-11-07 08:26 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\iernonce.dll
    - 2006-11-07 08:26 . 2009-04-29 04:55 44544 c:\windows\system32\dllcache\iernonce.dll
    + 2009-02-20 18:09 . 2009-06-29 16:12 78336 c:\windows\system32\dllcache\ieencode.dll
    - 2009-02-20 18:09 . 2009-04-29 04:55 78336 c:\windows\system32\dllcache\ieencode.dll
    - 2006-11-07 08:26 . 2009-04-28 09:05 70656 c:\windows\system32\dllcache\ie4uinit.exe
    + 2006-11-07 08:26 . 2009-06-29 11:07 70656 c:\windows\system32\dllcache\ie4uinit.exe
    - 2007-08-20 10:04 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
    + 2007-08-20 10:04 . 2009-06-29 16:12 63488 c:\windows\system32\dllcache\icardie.dll
    + 2009-06-29 16:12 . 2009-06-29 16:12 17408 c:\windows\system32\dllcache\corpol.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 27648 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
    + 2009-07-29 07:01 . 2009-04-28 09:05 13824 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
    + 2009-07-29 07:01 . 2009-04-29 04:55 44544 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
    + 2009-07-29 07:01 . 2009-04-28 09:05 70656 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
    + 2009-07-29 07:01 . 2009-04-29 04:55 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
    + 2009-07-29 07:01 . 2008-04-14 00:11 35328 c:\windows\ie7updates\KB972260-IE7\corpol.dll
    + 2004-04-29 21:08 . 2009-06-29 16:12 233472 c:\windows\system32\webcheck.dll
    - 2004-04-29 21:08 . 2009-04-29 04:56 233472 c:\windows\system32\webcheck.dll
    + 2004-04-29 21:08 . 2009-06-29 16:12 105984 c:\windows\system32\url.dll
    - 2004-04-29 21:08 . 2009-04-29 04:56 105984 c:\windows\system32\url.dll
    + 2004-04-29 21:06 . 2009-06-29 16:12 102912 c:\windows\system32\occache.dll
    - 2004-04-29 21:06 . 2009-04-29 04:56 102912 c:\windows\system32\occache.dll
    - 2004-04-29 21:06 . 2009-04-29 04:56 671232 c:\windows\system32\mstime.dll
    + 2004-04-29 21:06 . 2009-06-29 16:12 671232 c:\windows\system32\mstime.dll
    + 2004-04-29 23:03 . 2009-06-29 16:12 193024 c:\windows\system32\msrating.dll
    - 2004-04-29 23:03 . 2009-04-29 04:56 193024 c:\windows\system32\msrating.dll
    + 2004-04-29 23:03 . 2009-06-29 16:12 477696 c:\windows\system32\mshtmled.dll
    - 2004-04-29 23:03 . 2009-04-29 04:56 477696 c:\windows\system32\mshtmled.dll
    + 2006-11-08 02:03 . 2009-06-29 16:12 459264 c:\windows\system32\msfeeds.dll
    - 2006-11-08 02:03 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
    - 2006-10-17 16:57 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
    + 2006-10-17 16:57 . 2009-06-29 16:12 268288 c:\windows\system32\iertutil.dll
    + 2004-04-29 23:02 . 2009-06-29 16:12 385024 c:\windows\system32\iedkcs32.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 385024 c:\windows\system32\iedkcs32.dll
    + 2006-10-17 16:27 . 2009-06-29 16:12 380928 c:\windows\system32\ieapfltr.dll
    - 2004-04-29 23:02 . 2009-04-25 05:26 161792 c:\windows\system32\ieakui.dll
    + 2004-04-29 23:02 . 2009-06-29 08:33 161792 c:\windows\system32\ieakui.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 230400 c:\windows\system32\ieaksie.dll
    + 2004-04-29 23:02 . 2009-06-29 16:12 230400 c:\windows\system32\ieaksie.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 153088 c:\windows\system32\ieakeng.dll
    + 2004-04-29 23:02 . 2009-06-29 16:12 153088 c:\windows\system32\ieakeng.dll
    + 2004-08-04 07:56 . 2009-06-29 16:12 133120 c:\windows\system32\extmgr.dll
    - 2004-08-04 07:56 . 2009-04-29 04:55 133120 c:\windows\system32\extmgr.dll
    + 2004-04-29 23:02 . 2009-06-29 16:12 214528 c:\windows\system32\dxtrans.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 214528 c:\windows\system32\dxtrans.dll
    + 2004-04-29 23:02 . 2009-06-29 16:12 347136 c:\windows\system32\dxtmsft.dll
    - 2004-04-29 23:02 . 2009-04-29 04:55 347136 c:\windows\system32\dxtmsft.dll
    + 2006-05-10 05:23 . 2009-06-29 16:12 827392 c:\windows\system32\dllcache\wininet.dll
    - 2006-05-10 05:23 . 2009-04-29 04:56 827392 c:\windows\system32\dllcache\wininet.dll
    + 2006-11-08 02:03 . 2009-06-29 16:12 233472 c:\windows\system32\dllcache\webcheck.dll
    - 2006-11-08 02:03 . 2009-04-29 04:56 233472 c:\windows\system32\dllcache\webcheck.dll
    - 2006-10-17 17:05 . 2009-04-29 04:56 105984 c:\windows\system32\dllcache\url.dll
    + 2006-10-17 17:05 . 2009-06-29 16:12 105984 c:\windows\system32\dllcache\url.dll
    - 2006-10-17 17:04 . 2009-04-29 04:56 102912 c:\windows\system32\dllcache\occache.dll
    + 2006-10-17 17:04 . 2009-06-29 16:12 102912 c:\windows\system32\dllcache\occache.dll
    - 2006-05-10 05:23 . 2009-04-29 04:56 671232 c:\windows\system32\dllcache\mstime.dll
    + 2006-05-10 05:23 . 2009-06-29 16:12 671232 c:\windows\system32\dllcache\mstime.dll
    + 2006-05-10 05:23 . 2009-06-29 16:12 193024 c:\windows\system32\dllcache\msrating.dll
    - 2006-05-10 05:23 . 2009-04-29 04:56 193024 c:\windows\system32\dllcache\msrating.dll
    - 2006-05-10 05:23 . 2009-04-29 04:56 477696 c:\windows\system32\dllcache\mshtmled.dll
    + 2006-05-10 05:23 . 2009-06-29 16:12 477696 c:\windows\system32\dllcache\mshtmled.dll
    + 2007-06-27 14:34 . 2009-06-29 16:12 459264 c:\windows\system32\dllcache\msfeeds.dll
    - 2007-06-27 14:34 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
    + 2006-10-17 17:04 . 2009-06-29 08:35 634632 c:\windows\system32\dllcache\iexplore.exe
    - 2007-06-27 14:34 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
    + 2007-06-27 14:34 . 2009-06-29 16:12 268288 c:\windows\system32\dllcache\iertutil.dll
    + 2006-11-07 08:27 . 2009-06-29 16:12 385024 c:\windows\system32\dllcache\iedkcs32.dll
    - 2006-11-07 08:27 . 2009-04-29 04:55 385024 c:\windows\system32\dllcache\iedkcs32.dll
    + 2007-06-27 14:34 . 2009-06-29 16:12 380928 c:\windows\system32\dllcache\ieapfltr.dll
    - 2004-04-29 23:02 . 2009-04-25 05:26 161792 c:\windows\system32\dllcache\ieakui.dll
    + 2004-04-29 23:02 . 2009-06-29 08:33 161792 c:\windows\system32\dllcache\ieakui.dll
    - 2006-11-07 08:27 . 2009-04-29 04:55 230400 c:\windows\system32\dllcache\ieaksie.dll
    + 2006-11-07 08:27 . 2009-06-29 16:12 230400 c:\windows\system32\dllcache\ieaksie.dll
    + 2006-11-07 08:26 . 2009-06-29 16:12 153088 c:\windows\system32\dllcache\ieakeng.dll
    - 2006-11-07 08:26 . 2009-04-29 04:55 153088 c:\windows\system32\dllcache\ieakeng.dll
    - 2006-05-10 05:22 . 2009-04-29 04:55 133120 c:\windows\system32\dllcache\extmgr.dll
    + 2006-05-10 05:22 . 2009-06-29 16:12 133120 c:\windows\system32\dllcache\extmgr.dll
    + 2006-05-10 05:22 . 2009-06-29 16:12 214528 c:\windows\system32\dllcache\dxtrans.dll
    - 2006-05-10 05:22 . 2009-04-29 04:55 214528 c:\windows\system32\dllcache\dxtrans.dll
    + 2006-05-10 05:22 . 2009-06-29 16:12 347136 c:\windows\system32\dllcache\dxtmsft.dll
    - 2006-05-10 05:22 . 2009-04-29 04:55 347136 c:\windows\system32\dllcache\dxtmsft.dll
    + 2006-11-07 08:26 . 2009-06-29 16:12 124928 c:\windows\system32\dllcache\advpack.dll
    - 2006-11-07 08:26 . 2009-04-29 04:55 124928 c:\windows\system32\dllcache\advpack.dll
    - 2004-04-29 23:01 . 2009-04-29 04:55 124928 c:\windows\system32\advpack.dll
    + 2004-04-29 23:01 . 2009-06-29 16:12 124928 c:\windows\system32\advpack.dll
    + 2009-07-29 07:00 . 2009-07-29 07:00 248832 c:\windows\Installer\191f6ab.msi
    + 2009-07-29 07:01 . 2009-04-29 04:56 827392 c:\windows\ie7updates\KB972260-IE7\wininet.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
    + 2009-07-29 07:01 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
    + 2009-07-29 07:01 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
    + 2009-07-29 07:01 . 2009-04-29 04:56 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
    + 2009-07-29 07:01 . 2009-04-25 05:27 636088 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
    + 2009-07-29 07:01 . 2009-04-29 04:55 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 385024 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
    + 2009-07-29 07:01 . 2009-04-25 05:26 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll
    - 2003-09-10 22:48 . 2009-04-29 04:56 1159680 c:\windows\system32\urlmon.dll
    + 2003-09-10 22:48 . 2009-06-29 16:12 1159680 c:\windows\system32\urlmon.dll
    + 2003-09-19 09:28 . 2009-07-19 13:33 3597824 c:\windows\system32\mshtml.dll
    + 2006-11-08 02:03 . 2009-07-19 13:32 6067200 c:\windows\system32\ieframe.dll
    + 2006-09-06 04:01 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat
    - 2006-05-10 05:23 . 2009-04-29 04:56 1159680 c:\windows\system32\dllcache\urlmon.dll
    + 2006-05-10 05:23 . 2009-06-29 16:12 1159680 c:\windows\system32\dllcache\urlmon.dll
    + 2006-05-19 15:08 . 2009-07-19 13:33 3597824 c:\windows\system32\dllcache\mshtml.dll
    + 2007-06-27 14:34 . 2009-07-19 13:32 6067200 c:\windows\system32\dllcache\ieframe.dll
    + 2007-04-17 09:32 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat
    + 2009-07-29 07:01 . 2009-04-29 04:56 1159680 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
    + 2009-07-29 07:01 . 2009-04-29 04:56 3596288 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
    + 2009-07-29 07:01 . 2009-04-29 04:55 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
    + 2009-07-29 07:01 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_05\bin\jusched.exe" [2004-06-04 32881]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
    "PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
    "AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
    [BU]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
    backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mshta.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Documents and Settings\\Owner\\My Documents\\Utorrent-1.2.1.exe"=
    "c:\\Documents and Settings\\Owner\\My Documents\\utorrent.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

    R0 PSA128F;PSA128F;c:\windows\system32\drivers\PSA128F.SYS [9/27/2004 12:03 AM 12390]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/19/2009 10:22 PM 101936]
    S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [11/18/2008 6:17 PM 23888]
    S3 IPN2120;Wireless-B PCI Adapter Driver;c:\windows\system32\DRIVERS\LSIPNDS.sys --> c:\windows\system32\DRIVERS\LSIPNDS.sys [?]
    S3 psa128s;psa128s;c:\windows\system32\drivers\psa128s.sys [9/27/2004 12:03 AM 52335]
    S3 psa128u;Nike psa[128max Player Control Driver;c:\windows\system32\drivers\psa128u.sys [9/27/2004 12:03 AM 36612]
    S3 Usblink;Usblink Driver;c:\windows\system32\Drivers\ulink.sys --> c:\windows\system32\Drivers\ulink.sys [?]
    S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/13/2009 7:37 PM 24652]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{8EFF1A74-2AAC-46A9-9B50-CA6EAFA4A4D0} - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fow419ze.default\
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPJPI142_05.dll
    FF - plugin: c:\program files\Java\j2re1.4.2_05\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava11.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava12.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJava32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPJPI141_01.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-30 00:31
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
    "ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"
    .
    Completion time: 2009-07-30 0:35
    ComboFix-quarantined-files.txt 2009-07-30 04:35
    ComboFix2.txt 2009-07-28 23:59

    Pre-Run: 99,449,290,752 bytes free
    Post-Run: 99,397,070,848 bytes free
     
  12. 2009/07/29
    csbrinkm Inactive Thread Starter

    Last of the CF log and newest HJT log

    Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=,1,2,3,4
    646 --- E O F --- 2009-07-29 07:02
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:47:07 AM, on 7/30/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8EFF1A74-2AAC-46A9-9B50-CA6EAFA4A4D0} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 8652 bytes
     
  13. 2009/07/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  14. 2009/07/31
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    Dr Web log

    inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Deleted.;
    ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
    ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
    APQ7.tmp;C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine;Trojan.Packed.365;Incurable.Moved.;
    4FEF8911.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\07A40000;BackDoor.Tdss.49;Deleted.;
    4FEF8AA7.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\07A40001;BackDoor.Tdss.105;Deleted.;
    10 - Let The Beat Build (Produced By Kanye West & Deezle).mp3;C:\Documents and Settings\Owner\My Documents\My Music\utorrent downloads\Lil Wayne - Tha Carter III (Explicit)(2008);Trojan.WMALoader;Cured.;
    KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Deleted.;
    comp01.000/data015\data386;C:\Program Files\Online Services\AOL90US\comp01.000/data015;Probably DLOADER.Trojan;;
    data015;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;;
    comp01.000;C:\Program Files\Online Services\AOL90US;Archive contains infected objects;Moved.;
    EarthLink Setup.msi/stream001\uninstll.exe;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access\EarthLink Setup.msi/stream001;Probably STPAGE.Trojan;;
    stream001;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;
    \Windows\access\EarthLink Setup.msi;C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe/Windows\access;Archive contains infected objects;;
    EarthLink Setup.exe;C:\Program Files\Online Services\EarthLink;Archive contains infected objects;Moved.;
    A0357634.exe/data015\data055;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1592\A0357634.exe/data015;DDoS.Nitecafe.6;;
    data015;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1592;Archive contains infected objects;;
    A0357634.exe;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1592;Archive contains infected objects;Moved.;
    A0358480.EXE/data002\WDCLEAN.EXE;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1604\A0358480.EXE/data002;Trojan.MulDrop.32025;;
    data002;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1604;Archive contains infected objects;;
    A0358480.EXE;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1604;Container contains infected objects;Moved.;
    A0360783.dll;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;BackDoor.Tdss.49;Deleted.;
    A0360784.dll;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;BackDoor.Tdss.105;Deleted.;
    A0360785.dll;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;Trojan.Packed.365;Incurable.Moved.;
    A0360833.reg;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;Trojan.StartPage.1505;Deleted.;
    A0360948.reg;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1643;Trojan.StartPage.1505;Deleted.;
    A0361180.reg;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1644;Trojan.StartPage.1505;Deleted.;
    A0363481.reg;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1646;Trojan.StartPage.1505;Deleted.;
    A0363641.exe\data529;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1647\A0363641.exe;Probably BACKDOOR.Trojan;;
    A0363641.exe;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1647;Archive contains infected objects;Moved.;
    EarthLink Setup.msi/stream001\uninstll.exe;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1647\A0363644.exe/Windows\access\EarthLink Setup.;Probably STPAGE.Trojan;;
    stream001;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1647\A0363644.exe/Windows\access;Archive contains infected objects;;
    \Windows\access\EarthLink Setup.msi;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1647\A0363644.exe/Windows\access;Archive contains infected objects;;
    A0363644.exe;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1647;Archive contains infected objects;Moved.;
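
The report above is what drives the later clean-up steps: most of the detections sit inside System Volume Information restore points, which is why the thread ends with System Restore being turned off and back on. The following is an added example, not code from this thread or from Dr.Web, that parses a DrWeb.csv report in the layout shown above (object;directory;threat;action;) and summarises what was found, what the scanner did with it, and how much of it lives in restore points. The sample records are copied from the report posted above; the handling of an empty action field (archive member whose container was acted on) is read off those records and is an assumption about the format.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv).

Added example; not code from the thread or from Dr.Web. The layout is read
off the report posted in this thread: one record per line, semicolon-separated,
    object;directory;threat name;action taken;
An object may be a member of an archive (joined with '/' or '\\'), in which
case the action field is empty because the containing archive was acted on.
"""
from collections import Counter

# Records copied from the report posted in this thread (a subset, not constructed).
SAMPLE_REPORT = r"""
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Deleted.;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;Moved.;
4FEF8911.VBN;C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\07A40000;BackDoor.Tdss.49;Deleted.;
10 - Let The Beat Build (Produced By Kanye West & Deezle).mp3;C:\Documents and Settings\Owner\My Documents\My Music\utorrent downloads\Lil Wayne - Tha Carter III (Explicit)(2008);Trojan.WMALoader;Cured.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Deleted.;
A0360783.dll;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;BackDoor.Tdss.49;Deleted.;
A0360785.dll;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;Trojan.Packed.365;Incurable.Moved.;
A0360833.reg;C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP1642;Trojan.StartPage.1505;Deleted.;
"""

# Restore-point snapshots live under this directory on Windows XP.
RESTORE_MARKER = "\\system volume information\\_restore"
# Verdicts that describe a container, not a detection in its own right.
CONTAINER_VERDICTS = ("Archive contains infected objects",
                      "Container contains infected objects")


def parse_report(text):
    """Parse report text into dicts; lines without the four fields are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(";")
        if len(parts) < 4 or not parts[0]:
            continue
        entries.append({
            "object": parts[0],
            "directory": parts[1],
            "threat": parts[2],
            # 'Incurable.Deleted.' -> 'Incurable.Deleted'; an empty field means
            # the containing archive, not this member, was acted on (assumption)
            "action": parts[3].rstrip(".") or "(handled via container)",
        })
    return entries


def count_actions(entries):
    """How many records ended up deleted, moved to quarantine, cured, etc."""
    return Counter(e["action"] for e in entries)


def count_threats(entries):
    """Named detections only; container verdicts are bookkeeping, not findings."""
    return Counter(e["threat"] for e in entries
                   if e["threat"] not in CONTAINER_VERDICTS)


def restore_point_hits(entries):
    """Detections inside System Restore snapshots. A later restore would bring
    them back, which is why the clean-up purges the restore points at the end."""
    return [e for e in entries if RESTORE_MARKER in e["directory"].lower()]


def report_summary(entries):
    """The figures a helper would want pasted back into the thread."""
    return {
        "records": len(entries),
        "detections": sum(count_threats(entries).values()),
        "actions": dict(count_actions(entries)),
        "families": dict(count_threats(entries)),
        "in_restore_points": len(restore_point_hits(entries)),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(report_summary(parse_report(SAMPLE_REPORT)))
```

Run it against a saved DrWeb.csv by replacing SAMPLE_REPORT with the file's contents; the "in_restore_points" figure tells you whether the System Restore purge at the end of the thread is doing real work, and "families" gives the names to look up when deciding which passwords to change.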
     
  15. 2009/07/31
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    new hjt

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:48:33 PM, on 7/31/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {8EFF1A74-2AAC-46A9-9B50-CA6EAFA4A4D0} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 8122 bytes
     
  16. 2009/07/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Uninstall Combofix:
    Go to Start > Run
    Type in:
    combofix /u
    Note the space between "combofix" and "/u".
    Restart computer.

    =============================================================

    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ==================================================================

    Disable Windows Defender, as it'll interfere with the cleaning process:
    - Open Windows Defender by clicking Start, clicking All Programs, and then clicking Windows Defender.
    - Click Tools
    then...

    ++ Windows XP:
    - Click General Settings
    - Scroll down to Real Time Protection Options
    - Uncheck Turn on Real Time Protection
    - After you uncheck this, click on the Save button
    - Close Windows Defender

    ++ Windows Vista:
    - Click Options
    - Under Administrator options, clear the Use Windows Defender check box, and then click Save.

    Enable Windows Defender, when all cleaning is done.

    ===============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    - R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    - R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    - O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    - O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    - O2 - BHO: (no name) - {8EFF1A74-2AAC-46A9-9B50-CA6EAFA4A4D0} - (no file)
    - O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    - O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    - O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\



    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    - O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    - O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    - O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    - O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe "
    - O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    - O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
  17. 2009/08/01
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    Done, latest hjt

    Safe to remove the partypoker entry too? I haven't used that in years.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:42:47 PM, on 8/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\My Documents\Downloads\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {588031A3-94BF-4CDD-86D0-939F6F93910F} (FixItClient Class) - https://fixit.support.microsoft.com/ActiveX/FixItClient.CAB
    O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} (Pearson MyEconLab Player Control) - http://asp.mathxl.com/books/_Players/EconPlayer.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 6726 bytes
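
Several of the entries broni had HijackThis fix in post 16 share one trait: the registration is still in the registry but the file it points at is gone ("(no file)"). The rest (HomeOldSP, IERESET.INF, the Winlogon Notify leftovers) are defaults or remnants of software that is no longer installed. The following is an added example, not code from this thread and not part of HijackThis, that reads the log layout shown above, flags orphaned registrations, and diffs two logs to confirm what a fix run removed. The excerpts are taken from the 7/31 and 8/1 logs posted above. Not every orphan is something to remove on sight: the rpcapd service entry is flagged in both logs and was left alone, so treat the output as a triage list for a helper to review, not a verdict.

```python
"""Triage and diff HijackThis logs.

Added example; not code from the thread and not part of HijackThis. It uses
the line layout visible in the logs posted here: a section code (R0, R1, O2,
O4, O23, ...), the ' - ' separator, then the entry text, which ends in the
file the registration points at, or in '(no file)' / '(file missing)' when
that file is gone and only the registry entry is left behind.
"""
import re

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# A HijackThis entry line: section code, ' - ', rest of the entry.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Excerpts of the 7/31 log posted above (page data, not constructed).
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
--
End of file - 8122 bytes
"""

# Excerpts of the 8/1 log posted above, after the fix run (page data, not constructed).
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
--
End of file - 6726 bytes
"""


def parse_hjt(text):
    """Return [(code, body), ...]; header, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def orphaned(entries):
    """Entries that point at a file no longer on disk: harmless by themselves,
    but each one is a component removed without cleaning up its registration."""
    return [e for e in entries if e[1].endswith(ORPHAN_MARKERS)]


def diff_logs(before, after):
    """Entries only in the earlier log (removed) and only in the later one
    (added), keeping each log's own order."""
    before_set, after_set = set(before), set(after)
    removed = [e for e in before if e not in after_set]
    added = [e for e in after if e not in before_set]
    return removed, added


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    print("orphaned registrations before the fix:")
    for code, body in orphaned(before):
        print(f"  {code} - {body}")
    removed, added = diff_logs(before, after)
    print(f"\n{len(removed)} entries removed, {len(added)} added between the two logs")
    for code, body in removed:
        print(f"  - {code} - {body}")
    for code, body in added:
        print(f"  + {code} - {body}")
```

The diff is the useful check after a "Fix checked" run: everything on the fix list should appear under removed, and anything new under added deserves a look (here the only addition is the Java 6 plug-in helper that the JavaRa update installed).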
     
  18. 2009/08/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Absolutely.


    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on the Start button to begin the cleaning process.
    TFC will close all running programs, and it may ask you to restart the computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, with steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
  19. 2009/08/01
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    defrag

    Should I just use my Windows defrag or do you have a better tool?
     
  20. 2009/08/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Windows defrag is fine.

    How is the computer doing?
     
  21. 2009/08/01
    csbrinkm

    csbrinkm Inactive Thread Starter

    Joined:
    2009/07/19
    Messages:
    19
    Likes Received:
    0
    All the symptoms are gone and the reboot is faster; I just need to defrag and hopefully everything will speed up a bit. Thank you very much for all the help. Very kind of you!
     
