
Active Google redirects, cmd.exe crashes explorer, cannot get updates

Discussion in 'Malware and Virus Removal Archive' started by Red Baron, 2009/04/17.

  1. 2009/04/17
    Red Baron

    [Active] Google redirects, cmd.exe crashes explorer, cannot get updates

    Hello,
    I'm having a problem that has the same symptoms of another post I found on your forum. Someone was able to help them so I'm hoping the same will be true for me.

    My symptoms:
    1. When I search in Google and follow one of the search results, Internet Explorer will redirect me to a different page with ads, etc. This does not seem to happen every single time, and I can go back and get to the right page. However, something is not right here.

    2. When I try to run cmd.exe, Explorer will crash and restart. I noticed this problem because my usual startup items were not appearing properly. This problem happens consistently whenever I try to launch the command prompt or run cmd.exe.

    3. Failure to update. It seems that every program I have is failing to update (see below for specifics). Seems to affect all my antivirus and also antispyware tools. Windows updates do not seem to be happening correctly either, even though I have XP set up to update automatically.

    I tried to download DDS, but the first two mirrors did not work for me. The third let me download dds.pif to my desktop, but when I run it, I see a DOS window for a quick second and then nothing else happens. I don't see any logs generated, so I am sorry that I cannot post them.

    I've tried a few antivirus / antispyware tools but my problem actually interferes with them being able to update themselves, so I haven't scanned with all of them:
    1. Ad-aware - cannot update
    2. Avira antivirus (my original AV) - cannot update
    3. AVG (removed Avira and tried AVG) - cannot update
    4. Spybot S&D - seems to update OK, does not detect any problems
    5. Kaspersky online AV scan - cannot update
    6. "hosts" file seems OK, don't notice any odd things running in the background.

    I really try to keep my PC clean and stay away from suspect websites & email messages. Not sure what I may have picked up. Thank you so much for any help you may be able to offer.

    I've seen other posts where they often post the hijackthis logfile, so I'm just going to post that as DDS didn't appear to run correctly for me.

    ************ HIJACKTHIS LOG *******************
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:13:37 PM, on 4/17/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Fonality\HUD3.0\HUD3.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\Daemon Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
    O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: FireBox Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FIREBox\FireBox.exe
    O4 - Global Startup: TClock.lnk = C:\Program Files\TClock Light\tclock.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

    --
    End of file - 10354 bytes
     
  2. 2009/04/19
    noahdfear

    Welcome to WindowsBBS Red Baron :)

    Click Start>Run and type command then hit enter to open a command window.
    If it opens successfully and explorer does not crash, continue as follows.

    Highlight and copy the contents of the code box below.
    Code:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32">temp0
    start /wait notepad temp0
    del /q temp0
    exit
    cls
    
    Right click the command window's icon on your taskbar and select Properties.
    On the Options tab, Edit Options section, place a check in the Quick Edit Mode box.
    Click OK, then select 'Apply properties to current window only' and click OK.
    Right click in the command window and the text you copied to the clipboard should paste into the command window automatically.
    Shortly, a text file will open.
    Copy its contents and post it here.
    The command window will close on its own once you close the text file.



    Next, download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries

    Note - Please close all other programs, and all open browser windows prior to starting the scan.
     

  4. 2009/04/21
    Red Baron

    Thank you for your help! Below are the logs you requested.

    Just FYI, I tried the batch commands you gave me for the first part and it just hung, so I just ran the first line (reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32">temp0) in command and that produced the log file into the temp0 text file (which I have posted below). I hope that is OK.

    Please let me know what I should do next.

    I really appreciate your help!

    ******************** LOG #1 **************************
    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    midimapper REG_SZ midimap.dll
    msacm.imaadpcm REG_SZ imaadp32.acm
    msacm.msadpcm REG_SZ msadp32.acm
    msacm.msg711 REG_SZ msg711.acm
    msacm.msgsm610 REG_SZ msgsm32.acm
    msacm.trspch REG_SZ tssoft32.acm
    vidc.cvid REG_SZ iccvid.dll
    VIDC.I420 REG_SZ msh263.drv
    vidc.iv31 REG_SZ ir32_32.dll
    vidc.iv32 REG_SZ ir32_32.dll
    vidc.iv41 REG_SZ ir41_32.ax
    VIDC.IYUV REG_SZ iyuv_32.dll
    vidc.mrle REG_SZ msrle32.dll
    vidc.msvc REG_SZ msvidc32.dll
    VIDC.UYVY REG_SZ msyuv.dll
    VIDC.YUY2 REG_SZ msyuv.dll
    VIDC.YVU9 REG_SZ tsbyuv.dll
    VIDC.YVYU REG_SZ msyuv.dll
    wavemapper REG_SZ msacm32.drv
    msacm.msaudio1 REG_SZ msaud32.acm
    msacm.sl_anet REG_SZ sl_anet.acm
    msacm.iac2 REG_SZ C:\WINDOWS\system32\iac25_32.ax
    vidc.iv50 REG_SZ ir50_32.dll
    msacm.l3acm REG_SZ C:\WINDOWS\system32\l3codeca.acm
    vidc.DIVX REG_SZ DivX.dll
    MSVideo8 REG_SZ VfWWDM32.dll
    wave REG_SZ wdmaud.drv
    midi REG_SZ wdmaud.drv
    mixer REG_SZ wdmaud.drv
    aux REG_SZ wdmaud.drv
    msacm.ac3acm REG_SZ AC3ACM.acm
    VIDC.VMnc REG_SZ vmnc.dll
    aux2 REG_SZ C:\WINDOWS\system32\..\fwy.puq

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server


    ****************** LOG #2 *******************************

    GMER 1.0.15.14966 - http://www.gmer.net
    Rootkit scan 2009-04-21 08:27:05
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwCreateKey [0xF75000B0]
    SSDT sptd.sys ZwEnumerateKey [0xF750584C]
    SSDT sptd.sys ZwEnumerateValueKey [0xF7505BEC]
    SSDT sptd.sys ZwOpenKey [0xF7500090]
    SSDT sptd.sys ZwQueryKey [0xF7505CC4]
    SSDT sptd.sys ZwQueryValueKey [0xF7505B44]
    SSDT sptd.sys ZwSetValueKey [0xF7505D56]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 8A9441D8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{CDA30CE2-6321-4733-A0EB-94F13AB2A325} 8A661588

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

    Device \Driver\NetBT \Device\NetBT_Tcpip_{62111218-E6F4-4C79-B2F9-190B46684C0F} 8A661588
    Device \Driver\usbuhci \Device\USBPDO-0 8A7A61D8
    Device \Driver\usbuhci \Device\USBPDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\usbehci \Device\USBPDO-1 8A78F1D8
    Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A9B71D8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A9B71D8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A9B71D8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A9B71D8
    Device \Driver\usbuhci \Device\USBPDO-2 8A7A61D8
    Device \Driver\usbuhci \Device\USBPDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\usbuhci \Device\USBPDO-3 8A7A61D8
    Device \Driver\usbuhci \Device\USBPDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\usbuhci \Device\USBPDO-4 8A7A61D8
    Device \Driver\usbuhci \Device\USBPDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\usbhub \Device\00000062 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\usbhub \Device\00000063 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\usbhub \Device\USBPDO-6 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9461D8
    Device \Driver\usbhub \Device\00000064 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9461D8
    Device \Driver\usbhub \Device\00000065 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\Cdrom \Device\CdRom0 8A7301D8
    Device \Driver\Ftdisk \Device\HarddiskVolume3 8A9461D8
    Device \Driver\usbhub \Device\00000066 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\Cdrom \Device\CdRom1 8A7301D8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{EE5F7151-FBE9-46E0-AFAE-04203B77EB67} 8A661588
    Device \Driver\USBSTOR \Device\00000068 8A4BE3C0
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A661588
    Device \Driver\00000060 \Device\0000004c sptd.sys
    Device \Driver\NetBT \Device\NetbiosSmb 8A661588

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\USBSTOR \Device\0000006b 8A4BE3C0
    Device \Driver\usbuhci \Device\USBFDO-0 8A7A61D8
    Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\usbuhci \Device\USBFDO-1 8A7A61D8
    Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A786980
    Device \Driver\usbuhci \Device\USBFDO-2 8A7A61D8
    Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A786980
    Device \Driver\usbuhci \Device\USBFDO-3 8A7A61D8
    Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\Ftdisk \Device\FtControl 8A9461D8
    Device \Driver\usbehci \Device\USBFDO-4 8A78F1D8
    Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
    Device \Driver\a1trf91x \Device\Scsi\a1trf91x1 8A6CB468
    Device \Driver\a1trf91x \Device\Scsi\a1trf91x1Port2Path0Target0Lun0 8A6CB468
    Device \FileSystem\Cdfs \Cdfs 8A4EB4D0

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1648619958
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -604694439
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\Daemon Tools\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0xB7 0x3A 0xA6 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x22 0x64 0x38 0x84 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xEE 0x21 0x48 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\Daemon Tools\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0xB7 0x3A 0xA6 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x22 0x64 0x38 0x84 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDE 0xF8 0x9D 0x14 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\Daemon Tools\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0xB7 0x3A 0xA6 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x22 0x64 0x38 0x84 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x00 0xEE 0x21 0x48 ...

    ---- EOF - GMER 1.0.15 ----
     
  5. 2009/04/21
    noahdfear

    Please visit the following webpage for instructions for downloading and running ComboFix.

    How to use ComboFix


    Download ComboFix by sUBs from here, saving the file to your desktop.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\fwy.puq
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux2"="wdmaud.drv"
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed when prompted.
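    The following is an added example, not part of the thread or of any tool named in it: a script that does by code what the helper did by eye across post #2 (dump Drivers32 with reg query) and post #5 (reset the hijacked aux2 alias with a CFScript). It parses the reg query text, flags entries that do not look like legitimate codec modules, and drafts the matching Registry:: block. The sample dump is constructed from the posted log, and the system32 path and extension allowlist are assumptions.

```python
"""Triage of a Drivers32 dump: parse `reg query` output, flag hijacked
multimedia driver aliases, and draft the matching CFScript Registry:: block."""
import ntpath
import re
from typing import List, NamedTuple, Tuple

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
SYSTEM32 = r"C:\WINDOWS\system32"               # assumption: XP default %SystemRoot%\system32
LOADABLE_EXT = {".dll", ".drv", ".acm", ".ax"}  # module types Drivers32 normally references

# Constructed sample modelled on the reg query output posted in the thread (subset).
SAMPLE_REG_QUERY = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
    midimapper    REG_SZ    midimap.dll
    msacm.l3acm    REG_SZ    C:\WINDOWS\system32\l3codeca.acm
    wave    REG_SZ    wdmaud.drv
    aux    REG_SZ    wdmaud.drv
    aux2    REG_SZ    C:\WINDOWS\system32\..\fwy.puq

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
"""


class Entry(NamedTuple):
    name: str
    kind: str
    data: str


class Finding(NamedTuple):
    entry: Entry
    reasons: Tuple[str, ...]


_VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.+?)\s*$")
_ALIAS = re.compile(r"^(aux|wave|midi|mixer)(\d+)$", re.IGNORECASE)


def parse_reg_query(text: str) -> List[Entry]:
    """Return the values directly under Drivers32; subkeys (Terminal Server) are skipped."""
    entries, in_key = [], False
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            in_key = line.strip().lower() == DRIVERS32_KEY.lower()
            continue
        m = _VALUE_LINE.match(line) if in_key else None
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def suspicious_reasons(entry: Entry) -> Tuple[str, ...]:
    """Heuristics only: a human still reviews each hit (third-party codecs may live elsewhere)."""
    data, reasons = entry.data.strip('"'), []
    ext = ntpath.splitext(data)[1].lower()
    if ext not in LOADABLE_EXT:
        reasons.append("unusual module extension %r" % (ext or "(none)"))
    if ".." in data.split("\\"):
        reasons.append("path traversal ('..') in module path")
    if ntpath.isabs(data):
        resolved = ntpath.normpath(data)  # collapses system32\..\x into the real location
        if ntpath.dirname(resolved).lower() != SYSTEM32.lower():
            reasons.append("resolves outside system32: " + resolved)
    return tuple(reasons)


def triage(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        reasons = suspicious_reasons(e)
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def suggest_cfscript(findings: List[Finding], entries: List[Entry]) -> Tuple[str, List[str]]:
    """Draft a CFScript Registry:: block that resets each flagged numbered alias
    (aux2, wave3, ...) to the module of its clean base entry (aux, wave, ...), the
    same reset the helper scripted for aux2 -> wdmaud.drv. Anything else, including
    an alias whose base entry is itself flagged, goes to the manual-review list."""
    flagged = {f.entry.name.lower() for f in findings}
    base = {e.name.lower(): e.data for e in entries if e.name.lower() not in flagged}
    lines, review = ["Registry::", "[%s]" % DRIVERS32_KEY], []
    for f in findings:
        m = _ALIAS.match(f.entry.name)
        if m and m.group(1).lower() in base:
            lines.append('"%s"="%s"' % (f.entry.name, base[m.group(1).lower()]))
        else:
            review.append(f.entry.name)
    return "\n".join(lines), review


if __name__ == "__main__":
    found_entries = parse_reg_query(SAMPLE_REG_QUERY)
    found = triage(found_entries)
    for f in found:
        print("%s -> %s" % (f.entry.name, f.entry.data))
        for r in f.reasons:
            print("    " + r)
    script, review = suggest_cfscript(found, found_entries)
    print(script)
    if review:
        print("review manually:", ", ".join(review))
```

On the posted log this flags only aux2 (bad extension, ".." traversal, and a target that resolves to C:\WINDOWS\fwy.puq) and drafts the same "aux2"="wdmaud.drv" reset the helper used.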
     
  6. 2009/04/21
    Red Baron

    Thank you for your help.

    In an interesting turn of events, before you posted, I tried to run Windows Update manually from the Microsoft website, and was able to successfully do so. There just seemed to be one update, though, that involved .NET (I'm sorry I can't remember exactly what it was). When I rebooted, it asked me a few things about Windows Genuine, which I clicked "yes" to, and then the computer booted normally. All my startup icons came back, and I am now able to run cmd and regedit. I also tried a few Google searches, and following the results did not redirect me. So I think the bulk of the problem is gone now. I was able to update AVG and a full scan showed no problems.

    However, I really do want to make sure I am rid of whatever virus took over so I ran Combofix as you specified. Please let me know if there is anything that looks suspect.

    Thank you again for your assistance!

    **************** COMBOFIX LOG **********************

    ComboFix 09-04-22.02 - Brian Demski 04/21/2009 20:38.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1893 [GMT -7:00]
    Running from: c:\documents and settings\Brian Demski\Desktop\Combo-Fix.exe
    Command switches used :: c:\documents and settings\Brian Demski\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point

    FILE ::
    c:\windows\fwy.puq
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\x64
    c:\windows\Downloaded Program Files\x64\racodec.ax
    c:\windows\Downloaded Program Files\x86
    c:\windows\Downloaded Program Files\x86\racodec.ax
    c:\windows\fwy.puq
    c:\windows\jestertb.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-03-22 to 2009-04-22 )))))))))))))))))))))))))))))))
    .

    2009-04-21 23:53 . 2009-04-21 23:53 -------- d-----w c:\windows\system32\XPSViewer
    2009-04-21 23:53 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-04-21 23:53 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
    2009-04-21 23:53 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-04-21 23:53 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
    2009-04-21 23:53 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
    2009-04-21 23:53 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
    2009-04-21 23:53 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
    2009-04-21 23:52 . 2009-04-22 00:12 -------- d-----w c:\windows\SxsCaPendDel
    2009-04-18 19:48 . 2009-04-22 00:43 -------- d--h--w C:\$AVG8.VAULT$
    2009-04-17 17:11 . 2009-04-17 17:11 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-17 17:11 . 2009-04-17 17:11 10520 ----a-w c:\windows\system32\avgrsstx.dll
    2009-04-17 17:11 . 2009-04-17 17:11 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-04-17 17:11 . 2009-04-22 00:02 -------- d-----w c:\windows\system32\drivers\Avg
    2009-04-17 17:11 . 2009-04-17 17:11 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-04-17 17:00 . 2009-02-20 18:09 78336 -c----w c:\windows\system32\dllcache\ieencode.dll
    2009-04-17 17:00 . 2008-06-12 14:23 956928 -c----w c:\windows\system32\dllcache\msdtctm.dll
    2009-04-17 17:00 . 2008-06-12 14:23 91648 -c----w c:\windows\system32\dllcache\mtxoci.dll
    2009-04-17 17:00 . 2008-06-12 14:23 66560 -c----w c:\windows\system32\dllcache\mtxclu.dll
    2009-04-17 17:00 . 2008-06-12 14:23 58880 -c----w c:\windows\system32\dllcache\msdtclog.dll
    2009-04-17 17:00 . 2008-06-12 14:23 161792 -c----w c:\windows\system32\dllcache\msdtcuiu.dll
    2009-04-17 17:00 . 2008-12-16 12:30 354304 -c----w c:\windows\system32\dllcache\winhttp.dll
    2009-04-17 16:59 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll
    2009-04-17 16:59 . 2009-02-03 19:59 56832 -c----w c:\windows\system32\dllcache\secur32.dll
    2009-04-17 14:49 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
    2009-04-17 14:49 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
    2009-04-17 14:49 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-17 14:49 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
    2009-04-17 14:49 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
    2009-04-17 14:49 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-17 14:49 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-17 14:49 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
    2009-04-17 14:49 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
    2009-04-17 14:49 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-17 14:49 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
    2009-04-17 14:49 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
    2009-04-17 14:33 . 2009-02-13 18:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-22 00:16 . 2007-09-08 16:37 -------- d-----w c:\documents and settings\Brian Demski\Application Data\VMware
    2009-04-22 00:16 . 2007-09-08 16:33 -------- d-----w c:\documents and settings\All Users\Application Data\VMware
    2009-04-22 00:16 . 2007-09-08 16:35 -------- d-----w c:\documents and settings\LocalService\Application Data\VMware
    2009-04-21 23:53 . 2009-04-21 23:53 -------- d-----w c:\program files\MSBuild
    2009-04-21 23:53 . 2009-04-21 23:53 -------- d-----w c:\program files\Reference Assemblies
    2009-04-21 23:08 . 2007-09-03 00:08 -------- d-----w c:\documents and settings\Brian Demski\Application Data\LogMeIn Rescue
    2009-04-21 14:13 . 2008-07-01 22:41 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-04-17 19:12 . 2009-04-17 19:12 -------- d-----w c:\program files\Trend Micro
    2009-04-17 19:06 . 2009-01-22 02:02 -------- d-----w c:\program files\Citrix
    2009-04-17 17:19 . 2007-01-06 08:08 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-04-17 17:18 . 2007-01-06 08:08 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-04-17 17:11 . 2009-04-17 17:11 -------- d-----w c:\program files\AVG
    2009-04-17 15:12 . 2009-04-17 15:12 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-04-17 15:12 . 2009-04-17 15:12 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
    2009-04-17 15:12 . 2009-04-17 15:12 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-04-17 15:12 . 2009-04-17 15:12 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-04-08 02:06 . 2007-03-12 18:52 -------- d-----w c:\documents and settings\Brian Demski\Application Data\Canon
    2009-03-17 14:50 . 2009-03-17 14:50 -------- d-----w c:\documents and settings\Brian Demski\Application Data\Fonality
    2009-03-17 14:50 . 2008-04-24 07:39 -------- d-----w c:\program files\Fonality
    2009-03-06 14:22 . 2004-08-12 12:26 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2006-12-23 19:45 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-26 15:06 . 2008-11-18 20:26 -------- d-----w c:\program files\Microsoft Silverlight
    2009-02-20 18:09 . 2004-08-12 12:19 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 12:10 . 2006-12-23 19:43 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2006-12-23 19:45 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2004-08-12 12:25 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2004-08-12 12:17 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2006-12-23 19:45 1846784 ----a-w c:\windows\system32\win32k.sys
    2009-02-06 11:11 . 2004-08-12 12:28 110592 ----a-w c:\windows\system32\services.exe
    2009-02-06 11:06 . 2006-12-23 19:44 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
    2009-02-06 10:39 . 2004-08-12 12:27 35328 ----a-w c:\windows\system32\sc.exe
    2009-02-06 10:32 . 2006-10-12 03:45 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
    2009-02-03 19:59 . 2004-08-12 12:28 56832 ----a-w c:\windows\system32\secur32.dll
    2008-09-29 06:09 . 2006-12-24 08:02 71288 ----a-w c:\documents and settings\Brian Demski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-02-10 03:2006-12-24 09:55 22:01 . c:\program files\mozilla firefox\components\jar50.dll
    2009-02-10 03:2006-12-24 09:55 22:01 . c:\program files\mozilla firefox\components\jsd3250.dll
    2009-02-10 03:2006-12-24 09:55 22:01 . c:\program files\mozilla firefox\components\myspell.dll
    2009-02-10 03:2006-12-24 09:55 22:02 . c:\program files\mozilla firefox\components\spellchk.dll
    2009-02-10 03:2006-12-24 09:55 22:02 . c:\program files\mozilla firefox\components\xpinstal.dll
    2007-04-29 20:14 . 2007-04-29 20:14 128 --sha-r c:\windows\Regbak.dat
    2008-07-15 20:39 . 2008-07-15 20:39 13766 --sha-w c:\windows\system32\KGyGaAvL.sys
    2008-09-29 00:39 . 2008-09-29 00:39 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
    "DiskeeperSystray "= "c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-27 184408]
    "NeroFilterCheck "= "c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "DAEMON Tools "= "c:\program files\Daemon Tools\daemon.exe" [2006-11-12 157592]
    "Acrobat Assistant 7.0 "= "c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "vmware-tray "= "c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-05-16 72240]
    "VMware hqtray "= "c:\program files\VMware\VMware Workstation\hqtray.exe" [2008-05-16 55856]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-17 1932568]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    FireBox Control Panel.lnk - c:\program files\PreSonus\1394AudioDriver_FIREBox\FireBox.exe [2007-12-13 1077248]
    TClock.lnk - c:\program files\TClock Light\tclock.exe [2006-12-24 44544]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)
    "NoSMHelp "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel "= 1 (0x1)
    "NoSMHelp "= 1 (0x1)
    "StartMenuLogoff "= 1 (0x1)
    "NoSMConfigurePrograms "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-17 17:11 10520 ----a-w c:\windows\system32\avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\BitLord\\BitLord.exe "=
    "c:\\WINDOWS\\LMI104.tmp\\lmi_rescue.exe "=
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    R3 ps_1394;ps_1394;c:\windows\system32\Drivers\ps_1394.sys [2004-10-14 97152]
    R3 ps_avs;ps_avs;c:\windows\system32\Drivers\ps_avs.sys [2004-10-14 24576]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-17 325640]
    S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-17 108552]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-17 908056]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-17 298264]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - IDSVC
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 19:34]

    2009-04-19 c:\windows\Tasks\DocumentsBiWeeklyIncremental.job
    - c:\windows\system32\ntbackup.exe [2004-08-12 00:12]

    2009-04-19 c:\windows\Tasks\Full Documents Weekly Backup.job
    - c:\windows\system32\ntbackup.exe [2004-08-12 00:12]

    2009-04-22 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-01 20:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-RunOnce-nltide3 - rundll32 advpack.dll


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab
    FF - ProfilePath - c:\documents and settings\Brian Demski\Application Data\Mozilla\Firefox\Profiles\5goiz7jp.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia - English (en)
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-21 20:39
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2009-04-22 20:41
    ComboFix-quarantined-files.txt 2009-04-22 03:41

    Pre-Run: 2,203,607,040 bytes free
    Post-Run: 2,255,237,120 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    211 --- E O F --- 2009-04-21 23:40
     
