
I need help!!!

Discussion in 'Malware and Virus Removal Archive' started by mclovin, 2010/03/23.

  1. 2010/03/24
    mclovin

    mclovin Inactive Thread Starter

    Joined:
    2010/03/23
    Messages:
    16
    Likes Received:
    0
    the hostxpert and the notepad
     
  2. 2010/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is infected, so we're running some tools to clean it up.
     


  4. 2010/03/24
    mclovin

    mclovin Inactive Thread Starter

    here is the log:

    ComboFix 10-03-24.02 - Andrew Lawrence 03/24/2010 21:07:31.5.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1007.478 [GMT -4:00]
    Running from: c:\documents and settings\Andrew Lawrence\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Andrew Lawrence\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "c:\windows\popcinfo.dat"
    "c:\windows\popcinfot.dat"
    "c:\windows\system32\drivers\udfpt.sys"
    "c:\windows\system32\ewaleyej.tmp"
    "c:\windows\system32\fimijeza.dll"
    "c:\windows\system32\vaveseyi.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\popcinfo.dat
    c:\windows\popcinfot.dat
    c:\windows\system32\ewaleyej.tmp

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_udfpt


    ((((((((((((((((((((((((( Files Created from 2010-02-25 to 2010-03-25 )))))))))))))))))))))))))))))))
    .

    2010-03-24 15:30 . 2010-03-24 15:30 -------- d-----w- c:\windows\system32\XPSViewer
    2010-03-24 15:30 . 2010-03-24 15:30 -------- d-----w- c:\program files\MSBuild
    2010-03-24 15:30 . 2010-03-24 15:30 -------- d-----w- c:\program files\Reference Assemblies
    2010-03-24 15:29 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2010-03-24 15:28 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2010-03-24 15:28 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2010-03-24 15:28 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2010-03-24 15:28 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2010-03-24 15:28 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2010-03-24 15:28 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2010-03-24 15:28 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2010-03-24 15:28 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2010-03-24 03:12 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2010-03-24 03:08 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2010-03-24 03:08 . 2009-10-15 16:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2010-03-24 03:07 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
    2010-03-24 03:07 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
    2010-03-24 03:07 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
    2010-03-24 03:07 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
    2010-03-24 03:07 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
    2010-03-24 03:07 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
    2010-03-24 03:07 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
    2010-03-24 03:07 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
    2010-03-24 03:07 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
    2010-03-24 03:06 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
    2010-03-24 03:03 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2010-03-24 02:57 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
    2010-03-24 02:57 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2010-03-24 00:40 . 2010-03-24 00:40 -------- d-----w- c:\program files\Trend Micro
    2010-03-23 23:37 . 2010-03-23 23:37 -------- d-----w- C:\found.001
    2010-03-23 17:20 . 2010-03-23 17:20 -------- d-----w- C:\found.000
    2010-03-23 03:16 . 2010-03-23 03:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-03-23 03:16 . 2010-03-24 01:37 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-03-23 03:16 . 2010-03-23 03:16 -------- d-----w- c:\documents and settings\Andrew Lawrence\Application Data\SUPERAntiSpyware.com
    2010-03-23 03:12 . 2010-03-23 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
    2010-03-23 02:51 . 2010-03-23 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
    2010-03-23 02:50 . 2010-03-23 03:03 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-03-23 02:50 . 2008-08-22 00:41 72592 ----a-w- c:\windows\zllsputility.exe
    2010-03-23 02:49 . 2008-08-22 00:41 69008 ----a-w- c:\windows\system32\zlcomm.dll
    2010-03-23 02:49 . 2008-08-22 00:41 106384 ----a-w- c:\windows\system32\zlcommdb.dll
    2010-03-23 02:49 . 2008-08-22 00:41 1221008 ----a-w- c:\windows\system32\zpeng25.dll
    2010-03-23 02:49 . 2010-03-23 03:00 -------- d-----w- c:\windows\system32\ZoneLabs
    2010-03-23 02:49 . 2010-03-23 02:49 -------- d-----w- c:\program files\Zone Labs
    2010-03-23 02:48 . 2010-03-24 18:00 -------- d-----w- c:\windows\Internet Logs
    2010-03-23 02:33 . 2010-02-25 15:03 30536 ----a-w- c:\windows\system32\TURegOpt.exe
    2010-03-23 02:32 . 2010-03-23 02:34 -------- d-----w- c:\program files\TuneUp Utilities 2010
    2010-03-23 02:31 . 2010-03-23 02:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
    2010-03-23 02:12 . 2010-02-25 14:56 30024 ----a-w- c:\windows\system32\uxtuneup.dll
    2010-03-23 02:12 . 2010-03-23 02:13 -------- d-----w- c:\program files\TuneUp Utilities 2007
    2010-03-23 02:12 . 2010-03-23 03:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2010-03-23 02:06 . 2010-03-23 02:06 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-03-23 02:05 . 2010-03-23 02:06 -------- d-----w- c:\program files\Lavasoft
    2010-03-23 01:39 . 2010-03-23 03:08 201728 --sha-w- c:\documents and settings\Andrew Lawrence\Local Settings\Application Data\128822158.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-03-25 00:53 . 2008-06-02 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2010-03-25 00:47 . 2008-08-17 02:17 -------- d-----w- c:\documents and settings\Andrew Lawrence\Application Data\AVGTOOLBAR
    2010-03-24 22:11 . 2008-05-29 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-03-24 16:02 . 2008-11-07 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-03-24 15:59 . 2007-12-05 05:08 134968 ----a-w- c:\documents and settings\Andrew Lawrence\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-24 15:54 . 2009-04-18 03:16 -------- d-----w- c:\program files\Microsoft Works
    2010-03-23 03:17 . 2010-03-23 03:17 52224 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-03-23 03:17 . 2010-03-23 03:17 117760 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-03-23 02:58 . 2007-12-05 18:36 -------- d-----w- c:\documents and settings\Andrew Lawrence\Application Data\uTorrent
    2010-03-23 02:32 . 2007-12-05 18:54 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
    2010-03-23 02:05 . 2008-12-19 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2010-03-22 21:07 . 2010-01-02 03:36 7631232 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.823.0-static-A.exe
    2010-03-21 02:15 . 2009-07-09 00:25 -------- d-----w- c:\documents and settings\Andrew Lawrence\Application Data\Any Video Converter
    2010-03-20 12:24 . 2010-03-11 15:24 439816 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\setup.exe
    2010-03-18 23:26 . 2010-03-18 23:24 20841968 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
    2010-03-18 14:50 . 2008-06-18 14:46 -------- d-----w- c:\program files\Verizon
    2010-03-18 14:49 . 2009-03-01 04:37 -------- d-----w- c:\program files\Common Files\Motive
    2010-03-11 23:26 . 2010-03-11 23:26 8405312 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
    2010-03-11 23:25 . 2010-03-11 23:25 149000 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
    2010-03-11 23:25 . 2010-03-11 23:25 10309448 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
    2010-03-11 23:24 . 2010-03-11 23:24 181768 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
    2010-03-11 23:24 . 2010-03-11 23:24 283280 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
    2010-03-11 23:24 . 2010-03-11 23:24 79368 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\RUP\vista.exe
    2010-03-11 23:24 . 2010-03-11 23:24 64000 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
    2010-03-11 23:24 . 2010-03-11 23:24 52288 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
    2010-03-11 23:24 . 2010-03-11 23:24 50688 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
    2010-03-11 23:24 . 2010-03-11 23:24 118784 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
    2010-03-11 23:24 . 2010-03-11 23:24 49152 ----a-w- c:\documents and settings\Andrew Lawrence\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
    2010-03-02 15:15 . 2008-07-18 02:06 -------- d-----w- c:\program files\uTorrent
    2010-02-13 01:29 . 2007-12-07 00:40 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-02-04 15:53 . 2010-03-23 02:06 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
    2010-02-03 17:38 . 2009-06-25 07:10 -------- d-----w- c:\program files\Ricochet Xtreme
    2009-12-31 16:50 . 2004-08-04 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
    2007-07-15 03:26 . 2008-07-18 03:58 53248 ----a-w- c:\program files\Armaccess.dll
    2007-07-15 03:26 . 2008-07-18 03:58 1630208 ----a-w- c:\program files\FP3D.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-24 2012912]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DevconDefaultDB"="c:\windows\READREG" [X]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-05 94208]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-05 77824]
    "AsioReg"="CTASIO.DLL" [2003-11-13 126976]
    "CTHelper"="CTHELPER.EXE" [2004-03-11 28672]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-12-31 185632]
    "LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
    "LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
    "LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    "SmartSoft PDF Printer (demo) Agent"="c:\program files\Smart PDF Converter\sspdfagentd.exe" [2007-10-22 94208]
    "SmartSoft PDF Printer (demo) virtual printer agent"="c:\program files\Smart PDF Converter\sspdfagentd.exe" [2007-10-22 94208]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-08-22 981904]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 18:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-12 03:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
    2005-06-17 05:26 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHider]
    2008-07-14 14:56 1048576 ----a-w- c:\program files\IP Hider\IP Hider.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2007-11-15 18:11 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
    2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2006-01-12 20:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
    2008-02-13 17:03 2065648 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    "SetDefaultMIDI"=MIDIDef.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    "ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "RIPPopUps"=c:\program files\RIPPopUps\RIPPopUps.exe
    "88fb7389"=rundll32.exe "c:\windows\system32\huyerifi.dll",b
    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Opera\\Opera.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
    "c:\\Program Files\\IP Hider\\IP Hider.exe"=
    "c:\\WINDOWS\\system32\\LVCOMSX.EXE"=
    "c:\\WINDOWS\\system32\\igfxtray.exe"=
    "c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

    R0 Achernar;Achernar - SCSI Command Filter Drivers;c:\windows\system32\drivers\Achernar.sys [12/24/2008 10:10 PM 18432]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 66632]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/5/2009 7:43 PM 108289]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2/25/2010 10:59 AM 1047880]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2/25/2010 10:18 AM 10064]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 5:24 PM 135664]
    S3 Aldebaran;Aldebaran - Storage Filter Drivers;\??\c:\windows\system32\Drivers\Aldebaran.sys --> c:\windows\system32\Drivers\Aldebaran.sys [?]
    S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);c:\windows\system32\drivers\ctlsb16.sys [12/5/2007 3:04 AM 96256]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-23 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 01:51]

    2010-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

    2010-03-25 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-29 07:55]

    2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:23]

    2010-03-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 21:23]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
    uInternet Settings,ProxyServer = 200.171.104.234:8080->Brazil(high-anonymous) <supports POST>
    uInternet Settings,ProxyOverride = local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Andrew Lawrence\Application Data\Mozilla\Firefox\Profiles\9wyxdvwm.default\
    FF - prefs.js: browser.search.selectedEngine - MySpace.com
    FF - prefs.js: browser.startup.homepage - www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
    FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Microsoft Research\HDView for Firefox\nphdview.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: network.http.max-connections-per-server - 6
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.notify.interval - 600000
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: network.http.max-persistent-connections-per-server - 3
    FF - user.js: content.switch.threshold - 600000
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-avgrsstarter - avgrsstx.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-03-24 21:18
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1004)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'explorer.exe'(3200)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    c:\program files\Logitech\Video\FxSvr2.exe
    .
    **************************************************************************
    .
    Completion time: 2010-03-24 21:31:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-03-25 01:31
    ComboFix2.txt 2010-03-25 00:02

    Pre-Run: 48,918,409,216 bytes free
    Post-Run: 48,876,093,440 bytes free

    - - End Of File - - 61B3A0542C27BBB072AD84B451B42FC0
     
  5. 2010/03/24
    broni

    broni Moderator Malware Analyst

    I still need fresh HJT log.
     
  6. 2010/03/24
    mclovin

    mclovin Inactive Thread Starter

    here you go:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:38:46 PM, on 3/24/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Smart PDF Converter\sspdfagentd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_central
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61008
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61008
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.171.104.234:8080->Brazil(high-anonymous) <supports POST>
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: PopupBlockerBHO.CPopupBlockerBHO - {0D929918-C804-4756-B0AC-640EF3F061E9} - C:\Program Files\SmartPopupBlocker\PopupBlockerBHO.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [AsioReg] REGSVR32 /S CTASIO.DLL
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SmartSoft PDF Printer (demo) Agent] "C:\Program Files\Smart PDF Converter\sspdfagentd.exe"
    O4 - HKLM\..\Run: [SmartSoft PDF Printer (demo) virtual printer agent] "C:\Program Files\Smart PDF Converter\sspdfagentd.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon High Speed Internet Installer.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
    O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 8868 bytes
     
  7. 2010/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks much better :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2.
    Post fresh HijackThis log.
    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/03/24
    mclovin

    mclovin Inactive Thread Starter

    Joined:
    2010/03/23
    Messages:
    16
    Likes Received:
    0
    so i'm good now?
     
  9. 2010/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Did you read my last reply?
    When you're good, I'll surely tell you :)
     
  10. 2010/03/24
    mclovin

    mclovin Inactive Thread Starter

    Joined:
    2010/03/23
    Messages:
    16
    Likes Received:
    0
    sorry missed the other reply:
    Here it is

    Malwarebytes' Anti-Malware 1.44
    Database version: 3910
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    3/24/2010 10:11:32 PM
    mbam-log-2010-03-24 (22-11-32).txt

    Scan type: Quick Scan
    Objects scanned: 134326
    Time elapsed: 8 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 1
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{480098c6-f6ad-4c61-9b5c-2bae228a34d1} (Adware.DoubleD) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Adware_Pro (Rogue.AdwarePro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{5617eca9-488d-4ba2-8562-9710b9ab78d2} (Adware.DoubleD) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ( "C:\Documents and Settings\Andrew Lawrence\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\WinZix (Trojan.Swizzor) -> Quarantined and deleted successfully.

    Files Infected:
    (No malicious items detected)
     
  11. 2010/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  12. 2010/03/24
    mclovin

    mclovin Inactive Thread Starter

    Joined:
    2010/03/23
    Messages:
    16
    Likes Received:
    0
    what do you mean files of type
     
  13. 2010/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
