
vundo infection [Closed]


  • This topic is locked

#1 ouroboros (Member, 11 posts)

Hi, I've been working on removing this nasty bug with Malwarebytes' Anti-Malware; it seems to work, but the problem slowly returns. I got HijackThis to produce this logfile; any help is appreciated. Thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:10 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\SYSTEM32\WINMINE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {4109d563-3816-d70b-9884-04f96200e9ef} - {fe9e0026-9f40-4889-b07d-6183365d9014} - C:\WINDOWS\system32\klpdxl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\NPSWF32_FlashUtil.exe -p (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.c...oad/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1217809037250
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll klpdxl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 10939 bytes
#2 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

Hello ouroboros,

Welcome to Geeks to Go :)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
andrewuk

#3 ouroboros (Topic Starter, Member, 11 posts)

OK, here are the results from SDFix and a new HijackThis log, respectively. So far nothing has returned. I'd still appreciate a quick check of the logs. Thanks again.

SDFix: Version 1.240
Run by Yvonne Negron on Sun 12/28/2008 at 11:51 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP14.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP1A.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP1B.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP20.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP25.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP28.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP3E.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP40.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP41.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\TMP46.tmp - Deleted
C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp\tmp99.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 12:04:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Yvonne Negron\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1146964500\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1146964500\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1146966756\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1146966756\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1146966756\\EE\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1146966756\\EE\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1146966756\\EE\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1146966756\\EE\\aim6.exe:*:Enabled:AIM"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:M5Shell"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\WINDOWS\\SYSTEM32\\mshta.exe"="C:\\WINDOWS\\SYSTEM32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe:*:Disabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe:*:Disabled:IncrediMail"
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"="C:\\Program Files\\IncrediMail\\bin\\IMApp.exe:*:Disabled:IncrediMail"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Disabled:LimeWire"
"C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"="C:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe:*:Enabled:Spybot - Search & Destroy"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:America Online 9.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\VXBLOCK.DLL"
Sat 6 May 2006 6,604 A..H. --- "C:\TEMP\t4.bak"
Mon 26 Nov 2007 31 A..H. --- "C:\WINDOWS\uccspecc.sys"
Tue 24 Aug 2004 155,648 A..H. --- "C:\DELL\MEDIAEXE\PRIMOSDK.DLL"
Tue 24 Aug 2004 360,448 A..H. --- "C:\DELL\MEDIAEXE\PX.DLL"
Tue 27 Jul 2004 56,832 A..H. --- "C:\DELL\MEDIAEXE\PXCPYA64.EXE"
Tue 27 Jul 2004 108,544 A..H. --- "C:\DELL\MEDIAEXE\PXCPYI64.EXE"
Tue 17 Aug 2004 389,120 A..H. --- "C:\DELL\MEDIAEXE\PXDRV.DLL"
Sun 1 Aug 2004 20,576 A..H. --- "C:\DELL\MEDIAEXE\PXHELP20.SYS"
Sun 1 Aug 2004 54,976 A..H. --- "C:\DELL\MEDIAEXE\PXHELP64.SYS"
Sun 1 Aug 2004 32,272 A..H. --- "C:\DELL\MEDIAEXE\PXHELPER.SYS"
Sun 1 Aug 2004 26,720 A..H. --- "C:\DELL\MEDIAEXE\PXHLPA64.SYS"
Sun 1 Aug 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXHPINST.EXE"
Sun 1 Aug 2004 53,760 A..H. --- "C:\DELL\MEDIAEXE\PXINSA64.EXE"
Sun 1 Aug 2004 104,960 A..H. --- "C:\DELL\MEDIAEXE\PXINSI64.EXE"
Tue 24 Aug 2004 159,744 A..H. --- "C:\DELL\MEDIAEXE\PXMAS.DLL"
Tue 27 Jul 2004 57,344 A..H. --- "C:\DELL\MEDIAEXE\PXSETUP.EXE"
Tue 24 Aug 2004 339,968 A..H. --- "C:\DELL\MEDIAEXE\PXWAVE.DLL"
Wed 19 May 2004 28,672 A..H. --- "C:\DELL\MEDIAEXE\VXBLOCK.DLL"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Thu 21 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 12 Feb 2007 3,096,576 A..H. --- "C:\Documents and Settings\Yvonne Negron\Application Data\U3\temp\Launchpad Removal.exe"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Yvonne Negron\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Yvonne Negron\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Yvonne Negron\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 10 Apr 2007 8 A..H. --- "C:\Documents and Settings\Yvonne Negron\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:07 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: {4109d563-3816-d70b-9884-04f96200e9ef} - {fe9e0026-9f40-4889-b07d-6183365d9014} - C:\WINDOWS\system32\klpdxl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\NPSWF32_FlashUtil.exe -p (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\PROGRA~1\MOZILL~1\plugins\NPSWF32_FlashUtil.exe -p (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.c...oad/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1217809037250
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll klpdxl.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 10947 bytes

#4
ouroboros

ouroboros

    Member

  • Topic Starter
  • Member
  • 11 posts
OK, so now, after about 30 seconds or so, I get IE popups which culminate in an eventual crash, and the Antivirus2009 installer is back, so... the problem is as yet unsolved, unfortunately. What to do now?

#5
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
OK, let's go this route:

Please visit this webpage for download links, and instructions for running the combofix tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include C:\ComboFix.txt and a new HijackThis log in your next reply for further review.

andrewuk

#6
ouroboros

ouroboros

    Member

  • Topic Starter
  • Member
  • 11 posts
OK, here's the ComboFix log. It didn't take as long as I had expected; I don't know if that means anything.

ComboFix 08-12-28.01 - user 2008-12-28 12:53:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.590 [GMT -8:00]
Running from: c:\documents and settings\Yvonne Negron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yvonne Negron\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Yvonne Negron\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\IE4 Error Log.txt
c:\windows\system32\avewemuk.ini
c:\windows\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\fulefoze.dll
c:\windows\system32\klpdxl.dll
c:\windows\system32\kumeweva.dll
c:\windows\system32\vebimayo.dll
c:\windows\system32\xerjgwqq.dll
c:\windows\system32\yayyvTlL.dll
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-28 11:49 . 2008-12-28 11:49 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-28 11:43 . 2008-12-28 11:43 <DIR> d-------- c:\windows\ERUNT
2008-12-28 11:33 . 2008-12-28 12:04 <DIR> d-------- C:\SDFix
2008-12-28 10:05 . 2008-12-28 12:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 10:01 . 2008-12-28 10:01 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_
2008-12-28 10:01 . 2008-12-28 10:06 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Rapid Antivirus
2008-12-27 22:49 . 2008-12-27 22:49 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Malwarebytes
2008-12-27 22:48 . 2008-12-27 22:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 22:48 . 2008-12-27 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 22:48 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-27 22:48 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-27 22:19 . 2008-12-27 22:19 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:19 . 2008-12-27 22:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 22:18 . 2008-12-27 22:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-19 10:18 . 2008-12-28 10:23 <DIR> d-------- c:\program files\Trillian
2008-12-17 08:54 . 2008-12-17 08:54 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Printer Info Cache
2008-12-14 18:32 . 2008-12-14 18:32 <DIR> d-------- c:\program files\Costco
2008-12-14 18:32 . 2008-12-21 11:05 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Costco Photo Organizer
2008-12-14 17:32 . 2008-12-15 09:23 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Costco Photo Viewer US
2008-12-09 09:34 . 2008-12-09 09:34 7,680 --ahs---- c:\windows\Thumbs.db
2008-12-07 13:15 . 2008-12-07 13:15 <DIR> d-------- c:\program files\TextPad 5
2008-12-07 13:10 . 2008-12-07 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-12-07 13:03 . 2008-12-09 09:25 <DIR> d-------- C:\_marcus
2008-12-01 19:12 . 2008-12-01 19:13 <DIR> d-------- c:\program files\iTunes
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\program files\iPod
2008-12-01 19:12 . 2008-12-01 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 20:45 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-28 03:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-24 01:02 --------- d-----w c:\documents and settings\Yvonne Negron\Application Data\Apple Computer
2008-12-23 03:46 43,276 ----a-w c:\documents and settings\Yvonne Negron\Application Data\wklnhst.dat
2008-12-18 01:56 --------- d-----w c:\program files\Norton PC Checkup
2008-12-15 02:32 --------- d-----w c:\program files\Common Files\HP
2008-12-08 18:22 --------- d-----w c:\program files\Yahoo!
2008-12-08 18:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 22:43 --------- d-----w c:\program files\Citrix
2008-12-05 09:43 --------- d--h--r c:\documents and settings\Yvonne Negron\Application Data\yahoo!
2008-12-02 03:08 --------- d-----w c:\program files\QuickTime
2008-12-02 03:07 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 02:53 --------- d-----w c:\program files\Safari
2008-11-17 17:56 --------- d-----w c:\program files\Rhapsody
2008-09-30 01:42 73,816 ----a-w c:\documents and settings\Yvonne Negron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 05:46 13,624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 05:46 87,360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 05:46 91,448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 05:46 21,824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 05:46 206,136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 05:46 31,544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 05:46 40,248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 01:27 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 01:27 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 01:27 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 20:47 981,170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 05:46 24,384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c619b1f6-1727-46c1-8843-0a0bfe5f3130}]
2008-09-28 12:17 64000 --ahs---- c:\windows\system32\kawenola.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"sovugipadu"="c:\windows\system32\vetuyija.dll" [2008-09-28 64000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-21 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\vebimayo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\explorer.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-03 76040]
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\DRIVERS\CamDrL20.sys [2007-04-22 245760]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2008-09-27 39048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16026b0a-8d1a-11dd-aa35-0013200211bb}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc3b5b28-94b3-11db-a840-001180c8903e}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-25 c:\windows\Tasks\Norton PC Checkup WeekDay Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-17 17:56]

2008-12-28 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-17 17:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{fe9e0026-9f40-4889-b07d-6183365d9014} - c:\windows\system32\klpdxl.dll
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKU-Default-RunOnce-FlashPlayerUpdate - c:\progra~1\MOZILL~1\plugins\NPSWF32_FlashUtil.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Yvonne Negron\Application Data\Mozilla\Firefox\Profiles\r53hbem1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Yvonne Negron\Application Data\Mozilla\Firefox\Profiles\r53hbem1.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 12:57:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka]
"imagepath"="\systemroot\system32\drivers\senekatuuetarg.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-12-28 12:59:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-28 20:59:17

Pre-Run: 2,167,562,240 bytes free
Post-Run: 2,153,816,064 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

232 --- E O F --- 2008-12-18 08:56:14





And here is the new HijackThis file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:02 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {c619b1f6-1727-46c1-8843-0a0bfe5f3130} - C:\WINDOWS\system32\kawenola.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sovugipadu] Rundll32.exe "C:\WINDOWS\system32\vetuyija.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.c...oad/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1217809037250
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\vebimayo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10006 bytes

#7
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


====STEP 2====
1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\kawenola.dll
C:\WINDOWS\system32\vetuyija.dll
C:\WINDOWS\system32\vebimayo.dll

Folder::
C:\Program Files\Rapid Antivirus
c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Rapid Antivirus

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c619b1f6-1727-46c1-8843-0a0bfe5f3130}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sovugipadu"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16026b0a-8d1a-11dd-aa35-0013200211bb}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc3b5b28-94b3-11db-a840-001180c8903e}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka]


DirLook::
c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_
c:\documents and settings\Yvonne Negron\Application Data\Printer Info Cache

Extra::


Save this as CFScript.txt, in the same location as ComboFix.exe.


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




====STEP 3====
I am pretty sure this file is OK, but I just want to scan it all the same:

Jotti File Submission:

Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe

Click on the submit button

Please post the results of the scan in your next reply.

If Jotti is busy, try the same at VirusTotal.



In your next reply could I see:
1. the ComboFix log
2. a new HijackThis log
3. the Jotti log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
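
The way the helper reads the HijackThis log above (picking out the unnamed BHO, the Rundll32-launched DLL, the AppInit_DLLs value and the startup links in the SYSTEM and Default user profiles) can be written down as a small triage script. The following is an added example for this page, not code from the thread or from the HijackThis or ComboFix tools; the heuristics, and in particular the eight-letter consonant/vowel name pattern, are this example's own assumptions, and the sample lines are copied from the log posted earlier in the thread.

```python
"""HijackThis log triage: flag the entry types the helper singled out in this
thread. Added example for this page; not code from the thread, from HijackThis
or from ComboFix. Heuristics and the name pattern are this example's assumptions.
"""
import re

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {c619b1f6-1727-46c1-8843-0a0bfe5f3130} - C:\WINDOWS\system32\kawenola.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sovugipadu] Rundll32.exe "C:\WINDOWS\system32\vetuyija.dll",s
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O20 - AppInit_DLLs: C:\WINDOWS\system32\vebimayo.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# A Windows path ending in .dll/.exe/.sys (stops at quotes and commas).
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe|sys)', re.IGNORECASE)
# Eight lowercase letters alternating consonant/vowel: the shape of the names
# ComboFix removed above (kawenola, vetuyija, vebimayo, fulefoze, kumeweva).
# Assumption of this example, not a documented HijackThis rule.
CV_NAME_RE = re.compile(r'^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$')


def file_stem(path):
    """Last path component without its extension, lower-cased."""
    name = path.rsplit('\\', 1)[-1]
    return name.rsplit('.', 1)[0].lower()


def looks_generated(path):
    """True if the file name matches the consonant/vowel pattern above."""
    return bool(CV_NAME_RE.match(file_stem(path)))


def triage_line(line):
    """Return the list of reasons this log line deserves a look (empty if none)."""
    reasons = []
    paths = PATH_RE.findall(line)
    in_system32 = any('\\system32\\' in p.lower() for p in paths)
    candidates = list(paths)

    if line.startswith('O20 - AppInit_DLLs:'):
        value = line.partition('AppInit_DLLs:')[2].strip()
        if value:
            reasons.append('AppInit_DLLs is set: the DLL is loaded into every '
                           'process that uses user32.dll (AV hooks use it too; review)')
            # Bare names without a drive letter are not caught by PATH_RE.
            candidates += [t for t in value.split() if t not in candidates]

    if line.startswith('O2 - BHO: (no name)') and in_system32:
        reasons.append('unnamed browser helper object loaded from system32')

    if line.startswith('O4 - ') and re.search(r'rundll32', line, re.IGNORECASE) and in_system32:
        reasons.append('Run entry starts a system32 DLL through Rundll32')

    if line.startswith('O4 - ') and ("(User 'SYSTEM')" in line or "(User 'Default user')" in line):
        reasons.append('startup link in the SYSTEM or Default user profile')

    for item in candidates:
        if looks_generated(item):
            reasons.append('%s: generated-looking 8-letter file name' % file_stem(item))
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every non-empty line that trips a heuristic."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print('    ->', reason)
```

Run as a script it prints the four flagged sample lines with their reasons; on a saved log, read the file and pass its contents to triage_log(). The output is a review list rather than a verdict: legitimate products trip the AppInit_DLLs rule too (the first log in this thread had AVG's avgrsstx.dll there), which is why the helper asks for the full log and a second-opinion scan rather than acting on a single line.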

#8
ouroboros

ouroboros

    Member

  • Topic Starter
  • Member
  • 11 posts
OK, sorry it took me so long to reply, but here's the Jotti scan you asked for. It didn't find anything. I will fit the HijackThis and ComboFix logs into the next reply to be safe. Thanks again; I haven't had any recurrences yet (fingers crossed).

Scan taken on 29 Dec 2008 02:30:19 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
  • 0

#9
ouroboros
    Member

  • Topic Starter
  • Member
  • 11 posts
ComboFix 08-12-28.01 - user 2008-12-28 18:21:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.608 [GMT -8:00]
Running from: c:\documents and settings\Yvonne Negron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yvonne Negron\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

FILE ::
c:\windows\system32\kawenola.dll
c:\windows\system32\vebimayo.dll
c:\windows\system32\vetuyija.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Rapid Antivirus
c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\Rapid Antivirus\Rapid Antivirus.ini
c:\windows\system32\kawenola.dll
c:\windows\system32\vetuyija.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 11:49 . 2008-12-28 11:49 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-28 11:43 . 2008-12-28 11:43 <DIR> d-------- c:\windows\ERUNT
2008-12-28 11:33 . 2008-12-28 12:04 <DIR> d-------- C:\SDFix
2008-12-28 10:05 . 2008-12-28 12:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 10:01 . 2008-12-28 10:01 <DIR> d-------- c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_
2008-12-27 22:49 . 2008-12-27 22:49 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Malwarebytes
2008-12-27 22:48 . 2008-12-27 22:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 22:48 . 2008-12-27 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 22:48 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-27 22:48 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-27 22:19 . 2008-12-27 22:19 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:19 . 2008-12-27 22:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 22:18 . 2008-12-27 22:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-19 10:18 . 2008-12-28 10:23 <DIR> d-------- c:\program files\Trillian
2008-12-17 08:54 . 2008-12-17 08:54 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Printer Info Cache
2008-12-14 18:32 . 2008-12-14 18:32 <DIR> d-------- c:\program files\Costco
2008-12-14 18:32 . 2008-12-21 11:05 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Costco Photo Organizer
2008-12-14 17:32 . 2008-12-15 09:23 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Costco Photo Viewer US
2008-12-09 09:34 . 2008-12-09 09:34 7,680 --ahs---- c:\windows\Thumbs.db
2008-12-07 13:15 . 2008-12-07 13:15 <DIR> d-------- c:\program files\TextPad 5
2008-12-07 13:10 . 2008-12-07 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-12-07 13:03 . 2008-12-09 09:25 <DIR> d-------- C:\_marcus
2008-12-01 19:12 . 2008-12-01 19:13 <DIR> d-------- c:\program files\iTunes
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\program files\iPod
2008-12-01 19:12 . 2008-12-01 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-28 22:19 43,362 ----a-w c:\documents and settings\Yvonne Negron\Application Data\wklnhst.dat
2008-12-28 03:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-24 01:02 --------- d-----w c:\documents and settings\Yvonne Negron\Application Data\Apple Computer
2008-12-18 01:56 --------- d-----w c:\program files\Norton PC Checkup
2008-12-15 02:32 --------- d-----w c:\program files\Common Files\HP
2008-12-08 18:22 --------- d-----w c:\program files\Yahoo!
2008-12-08 18:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 22:43 --------- d-----w c:\program files\Citrix
2008-12-05 09:43 --------- d--h--r c:\documents and settings\Yvonne Negron\Application Data\yahoo!
2008-12-02 03:08 --------- d-----w c:\program files\QuickTime
2008-12-02 03:07 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 02:53 --------- d-----w c:\program files\Safari
2008-11-17 17:56 --------- d-----w c:\program files\Rhapsody
2008-09-30 01:42 73,816 ----a-w c:\documents and settings\Yvonne Negron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 05:46 13,624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 05:46 87,360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 05:46 91,448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 05:46 21,824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 05:46 206,136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 05:46 31,544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 05:46 40,248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 01:27 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 01:27 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 01:27 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 20:47 981,170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 05:46 24,384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Yvonne Negron\Application Data\Printer Info Cache ----

c:\documents and settings\Yvonne Negron\Application Data\Printer Info Cache\

---- Directory of c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_ ----

2008-12-28 10:01 4400 --a------ c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_\spl.ini


((((((((((((((((((((((((((((( snapshot@2008-12-28_12.58.50.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 20:22:22 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-12-28 20:56:47 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-12-28 20:22:22 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-28 20:56:47 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-28 20:22:22 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-28 20:56:47 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-21 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-03 76040]
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\DRIVERS\CamDrL20.sys [2007-04-22 245760]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2008-09-27 39048]
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-25 c:\windows\Tasks\Norton PC Checkup WeekDay Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-17 17:56]

2008-12-28 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-17 17:56]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Yvonne Negron\Application Data\Mozilla\Firefox\Profiles\r53hbem1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Yvonne Negron\Application Data\Mozilla\Firefox\Profiles\r53hbem1.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 18:25:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\seneka]
"imagepath"="\systemroot\system32\drivers\senekakrdltapu.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2008-12-28 18:28:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-29 02:27:59
ComboFix2.txt 2008-12-28 20:59:22

Pre-Run: 2,237,022,208 bytes free
Post-Run: 2,164,928,512 bytes free

221 --- E O F --- 2008-12-18 08:56:14


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:35:12 PM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.c...oad/tgctlcm.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....fishActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1217809037250
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectk...flowActiveX.CAB
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/...all/Crusher.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\SYSTEM32\IcdSptSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9537 bytes
  • 0
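A helper reading a HijackThis log like the one above works section by section (R1, O2, O4, O23, ...) and looks first at entries that cannot be attributed to anything on disk. The script below is an added example, my own code rather than HijackThis or anything the helper in this thread ran: it parses lines of that shape, counts them per section, and flags the three cues visible in the log, a BHO registered with "(no file)", a service shown with "Unknown owner", and a Run entry launching from a user-writable location. The sample lines are constructed to mirror entries in the thread, and the flags are review cues, not verdicts on any file.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample lines shaped like the HijackThis output in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_07\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe
O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\\WINDOWS\\system32\\HPZipm12.exe
"""

# Every entry line starts with a section code such as R1, O2, O23 followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Locations a legitimate autostart rarely launches from; a cue to look closer, not a verdict.
SUSPECT_PATH_FRAGMENTS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_entries(text):
    """Return (section, body) tuples for every line that looks like a HijackThis entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def count_by_section(entries):
    """Count entries per section code, e.g. {'O4': 2, 'O23': 2}."""
    counts = defaultdict(int)
    for sec, _ in entries:
        counts[sec] += 1
    return dict(counts)


def flag_entries(entries):
    """Return (section, reason, body) for entries a reviewer should look at first."""
    flags = []
    for sec, body in entries:
        low = body.lower()
        if sec == "O2" and low.endswith("(no file)"):
            flags.append((sec, "BHO registered but its DLL is missing", body))
        elif sec == "O23" and " - unknown owner - " in low:
            flags.append((sec, "service binary carries no vendor name", body))
        elif sec == "O4" and any(frag in low for frag in SUSPECT_PATH_FRAGMENTS):
            flags.append((sec, "autostart from a user-writable location", body))
    return flags


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    print(count_by_section(ents))
    for sec, reason, body in flag_entries(ents):
        print(f"[{sec}] {reason}: {body}")
```

Run it on a saved log by replacing SAMPLE_LOG with the file's contents; the section counts give a quick sense of how much the machine autostarts, and the flagged lines are the ones to research or submit to a scanner before deciding anything.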

#10
andrewuk
    Trusted Helper

  • Malware Removal
  • 5,297 posts

ok sorry it took me so long to reply,

no problem, it is not a race :)


====STEP 1====
Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D < here

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)


====STEP 2====
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



In your next reply could I see:
1. the lopR.txt
2. the combofix log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
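The CFScript blocks in posts #7 and #10 above use ComboFix's section syntax: a Registry:: block written in .reg style, where "[-KEY]" deletes a key and a "name"=- line under a "[KEY]" header deletes that value, plus File::, Folder:: and DirLook:: blocks that take one path per line. Because a script like this is run with no confirmation, it pays to read it back as a list of effects first. The dry-run reader below is an added example, my own code and not ComboFix's; the meaning given to each section is inferred from what the thread's scripts asked for and what the ComboFix logs then reported (the FILE deletions, the folder deletion, the "Look" directory listing), and the sample script is constructed from those same lines.

```python
"""Dry-run reader for ComboFix CFScript.txt blocks (added example, not ComboFix code)."""
import re

# Constructed from the shapes used in the thread's scripts.
SAMPLE_SCRIPT = """\
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"sovugipadu"=-
[-HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services\\seneka]

File::
c:\\windows\\system32\\kawenola.dll

Folder::
c:\\windows\\SYSTEM32\\CONFIG\\systemprofile\\Application Data\\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_

DirLook::
c:\\documents and settings\\Yvonne Negron\\Application Data\\Printer Info Cache
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")        # e.g. Registry::, File::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")              # [KEY] selects, [-KEY] deletes
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=-  deletes, "name"=data sets

# Effect assumed for each path-per-line section (inferred from the thread's logs).
SIMPLE_SECTIONS = {
    "file": "delete file",
    "folder": "delete folder",
    "dirlook": "list directory",
}


def parse_cfscript(text):
    """Return (section, effect, target) tuples describing what the script asks for."""
    actions = []
    section = None
    current_key = None  # registry key that later "name"= lines apply to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "registry":
            m = KEY_RE.match(line)
            if m:
                if m.group(1) == "-":
                    current_key = None
                    actions.append(("registry", "delete key", m.group(2)))
                else:
                    current_key = m.group(2)
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                target = current_key + "\\" + m.group(1)
                effect = "delete value" if m.group(2) == "-" else "set value"
                actions.append(("registry", effect, target))
                continue
            actions.append(("registry", "unrecognised line", line))
        elif section in SIMPLE_SECTIONS:
            actions.append((section, SIMPLE_SECTIONS[section], line))
        else:
            actions.append((section or "none", "unhandled section", line))
    return actions


def destructive_actions(actions):
    """Only the entries that remove something; these deserve a second look before running."""
    return [a for a in actions if a[1].startswith("delete")]


if __name__ == "__main__":
    acts = parse_cfscript(SAMPLE_SCRIPT)
    for section, effect, target in acts:
        print(f"{section:9} {effect:15} {target}")
    print(f"{len(destructive_actions(acts))} destructive step(s)")
```

Anything reported as "unrecognised line" or "unhandled section" is a sign the script was pasted with a typo or uses a section this reader does not know, which is exactly the case where a script should not be run until someone has checked it.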



#11
ouroboros
    Member

  • Topic Starter
  • Member
  • 11 posts
ok, here's the combofix log followed by the S&D log

ComboFix 08-12-28.01 - user 2008-12-28 18:59:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.632 [GMT -8:00]
Running from: c:\documents and settings\Yvonne Negron\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yvonne Negron\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_
c:\windows\SYSTEM32\CONFIG\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDMxMjM5NjF8_\spl.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-28 18:56 . 2008-12-28 18:58 <DIR> d-------- C:\Lop SD
2008-12-28 11:49 . 2008-12-28 11:49 578,560 --a------ c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-12-28 11:43 . 2008-12-28 11:43 <DIR> d-------- c:\windows\ERUNT
2008-12-28 11:33 . 2008-12-28 12:04 <DIR> d-------- C:\SDFix
2008-12-28 10:05 . 2008-12-28 12:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-27 22:49 . 2008-12-27 22:49 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Malwarebytes
2008-12-27 22:48 . 2008-12-27 22:48 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 22:48 . 2008-12-27 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 22:48 . 2008-12-03 19:52 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-12-27 22:48 . 2008-12-03 19:52 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-12-27 22:19 . 2008-12-27 22:19 <DIR> d-------- c:\program files\Lavasoft
2008-12-27 22:19 . 2008-12-27 22:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-27 22:18 . 2008-12-27 22:18 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-19 10:18 . 2008-12-28 18:59 <DIR> d-------- c:\program files\Trillian
2008-12-17 08:54 . 2008-12-17 08:54 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Printer Info Cache
2008-12-14 18:32 . 2008-12-14 18:32 <DIR> d-------- c:\program files\Costco
2008-12-14 18:32 . 2008-12-21 11:05 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Costco Photo Organizer
2008-12-14 17:32 . 2008-12-15 09:23 <DIR> d-------- c:\documents and settings\Yvonne Negron\Application Data\Costco Photo Viewer US
2008-12-09 09:34 . 2008-12-09 09:34 7,680 --ahs---- c:\windows\Thumbs.db
2008-12-07 13:15 . 2008-12-07 13:15 <DIR> d-------- c:\program files\TextPad 5
2008-12-07 13:10 . 2008-12-07 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-12-07 13:03 . 2008-12-09 09:25 <DIR> d-------- C:\_marcus
2008-12-01 19:12 . 2008-12-01 19:13 <DIR> d-------- c:\program files\iTunes
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\program files\iPod
2008-12-01 19:12 . 2008-12-01 19:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-29 02:20 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2008-12-28 22:19 43,362 ----a-w c:\documents and settings\Yvonne Negron\Application Data\wklnhst.dat
2008-12-28 03:35 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-24 01:02 --------- d-----w c:\documents and settings\Yvonne Negron\Application Data\Apple Computer
2008-12-18 01:56 --------- d-----w c:\program files\Norton PC Checkup
2008-12-15 02:32 --------- d-----w c:\program files\Common Files\HP
2008-12-13 06:40 3,593,216 ----a-w c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
2008-12-08 18:22 --------- d-----w c:\program files\Yahoo!
2008-12-08 18:22 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 22:43 --------- d-----w c:\program files\Citrix
2008-12-05 09:43 --------- d--h--r c:\documents and settings\Yvonne Negron\Application Data\yahoo!
2008-12-02 03:08 --------- d-----w c:\program files\QuickTime
2008-12-02 03:07 --------- d-----w c:\program files\Common Files\Apple
2008-12-02 02:53 --------- d-----w c:\program files\Safari
2008-11-17 17:56 --------- d-----w c:\program files\Rhapsody
2008-10-24 11:21 455,296 ------w c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\SYSTEM32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\SYSTEM32\DLLCACHE\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\SYSTEM32\wuweb.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\SYSTEM32\wuaueng.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\SYSTEM32\wuapi.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\SYSTEM32\wucltui.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\SYSTEM32\DLLCACHE\cdm.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\SYSTEM32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\SYSTEM32\wuauclt.exe
2008-10-16 22:09 51,224 ----a-w c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\SYSTEM32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\SYSTEM32\wups.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\SYSTEM32\DLLCACHE\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\SYSTEM32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\SYSTEM32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\SYSTEM32\DLLCACHE\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
2008-10-15 07:06 633,632 ----a-w c:\windows\SYSTEM32\DLLCACHE\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\SYSTEM32\DLLCACHE\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\SYSTEM32\strmdll.dll
2008-10-03 10:02 247,326 ------w c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\SYSTEM32\msxml4.dll
2008-09-30 01:42 73,816 ----a-w c:\documents and settings\Yvonne Negron\Application Data\GDIPFONTCACHEV1.DAT
2008-02-08 05:46 13,624 ----a-w c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 05:46 87,360 ----a-w c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 05:46 91,448 ----a-w c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 05:46 21,824 ----a-w c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 05:46 206,136 ----a-w c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 05:46 31,544 ----a-w c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 05:46 40,248 ----a-w c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 01:27 479,232 ----a-w c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 01:27 548,864 ----a-w c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 01:27 626,688 ----a-w c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 20:47 981,170 ----a-w c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 05:46 24,384 ----a-w c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_12.58.50.95 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 20:22:22 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2008-12-29 02:25:19 16,384 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2008-12-28 20:22:22 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-29 02:25:19 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-28 20:22:22 32,768 ----a-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-29 02:25:19 32,768 --sha-w c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2004-06-01 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-06 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2004-05-21 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-06-01 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-06-01 217088]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-12-05 50688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-05-21 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-12 83360]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-09-10 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\mshta.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\SYSTEM32\\dla\\tfswctrl.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-03 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-03 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-03 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-08-03 76040]
R3 PhilCam8116_XP;Logitech QuickCam Pro 3000(PID_08B1);c:\windows\system32\DRIVERS\CamDrL20.sys [2007-04-22 245760]
S3 ICDUSB2;Sony IC Recorder (P);c:\windows\system32\Drivers\ICDUSB2.sys [2008-09-27 39048]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-25 c:\windows\Tasks\Norton PC Checkup WeekDay Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-17 17:56]

2008-12-28 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\norton pc checkup\PC_Checkup.exe [2008-12-17 17:56]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.aol.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Yvonne Negron\Application Data\Mozilla\Firefox\Profiles\r53hbem1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Yvonne Negron\Application Data\Mozilla\Firefox\Profiles\r53hbem1.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 19:01:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\seneka]
"imagepath"="\systemroot\system32\drivers\senekaotmhwjal.sys"
.
Completion time: 2008-12-28 19:01:47
ComboFix-quarantined-files.txt 2008-12-29 03:01:44
ComboFix2.txt 2008-12-29 02:28:04
ComboFix3.txt 2008-12-28 20:59:22

Pre-Run: 2,231,169,024 bytes free
Post-Run: 2,217,578,496 bytes free

225 --- E O F --- 2008-12-18 08:56:14


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Uniprocessor Free : Intel® Pentium® 4 CPU 2.80GHz )
BIOS : Phoenix ROM BIOS PLUS Version 1.10 A02
USER : Yvonne Negron ( Administrator )
BOOT : Normal boot
Antivirus : AVG Anti-Virus Free 8.0 (Activated)
C:\ (Local Disk) - NTFS - Total:33 Go (Free:2 Go)
D:\ (CD or DVD) - CDFS - Total:0 Go (Free:0 Go)
E:\ (Local Disk) - NTFS - Total:698 Go (Free:662 Go)
F:\ (USB)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Sun 12/28/2008|18:56 )

--------------------\\ Listing folders in APPLIC~1

[12/01/2008|07:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[02/22/2008|06:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[08/05/2008|05:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[05/01/2007|09:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[07/01/2007|09:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[03/14/2007|11:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[12/28/2008|06:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> avg8
[02/25/2008|10:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Dell
[02/26/2008|11:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Downloaded Installations
[08/03/2008|12:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[03/01/2005|08:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> GTek
[11/17/2007|10:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> HP
[03/01/2005|08:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[12/02/2007|09:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Knowledge Adventure
[12/27/2008|10:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[05/01/2007|09:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Macromedia
[12/27/2008|10:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[09/10/2005|04:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee.com
[04/18/2005|06:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee.com Personal Firewall
[10/23/2007|03:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[08/02/2005|08:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> MotiveSysIDs
[02/26/2008|11:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ParetoLogic
[05/21/2005|08:02] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pure Networks
[03/01/2005|08:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[03/01/2005|07:41] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[08/03/2008|07:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Seagate
[05/27/2008|11:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype
[08/03/2008|04:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy
[05/27/2008|08:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SupportSoft
[12/28/2008|12:37] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[08/03/2008|09:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Viewpoint
[09/10/2005|04:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[12/07/2008|01:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WinZip
[12/27/2006|08:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> yahoo!

[03/01/2005|07:41] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[03/01/2005|08:28] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Jasc Software Inc
[03/01/2005|08:25] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[03/01/2005|08:37] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sonic
[03/01/2005|08:17] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun

[04/04/2005|01:37] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Macromedia
[03/18/2005|09:39] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> McAfee.com Personal Firewall
[12/28/2008|06:20] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft
[11/13/2007|07:59] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Mozilla
[11/13/2007|07:59] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Talkback

[09/06/2008|10:30] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe
[09/06/2008|10:30] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia
[12/28/2008|06:20] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[09/02/2006|07:40] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> acccore
[04/21/2008|05:56] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Adobe
[01/22/2007|06:36] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> AdobeUM
[08/05/2008|05:22] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> AOL
[12/23/2008|05:02] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Apple Computer
[04/12/2007|10:03] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Common Files
[12/21/2008|11:05] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Costco Photo Organizer
[12/15/2008|09:23] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Costco Photo Viewer US
[03/15/2007|12:00] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Creative
[11/24/2005|01:15] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> CyberLink
[04/08/2005|10:11] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Earthlink
[04/08/2005|08:03] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> EarthLink Toolbar
[04/22/2007|10:05] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> FotoWire
[10/01/2006|10:11] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Google
[04/10/2007|11:36] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Gtek
[07/17/2005|07:28] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Help
[11/17/2007|10:39] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> HP
[12/23/2006|03:27] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> ICAClient
[01/21/2006|08:44] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Identities
[08/03/2008|12:39] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> InstallShield
[03/01/2005|08:28] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Jasc Software Inc
[08/03/2008|12:28] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Lavasoft
[06/06/2005|01:14] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Leadertech
[01/01/2008|02:23] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> LimeWire
[11/23/2007|02:30] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Macromedia
[12/27/2008|10:49] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Malwarebytes
[03/25/2005|06:30] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> McAfee.com
[03/20/2005|10:47] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> McAfee.com Personal Firewall
[12/28/2008|06:20] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Microsoft
[08/14/2006|09:14] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Mozilla
[10/21/2007|03:38] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> MSNInstaller
[12/17/2008|08:54] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Printer Info Cache
[03/25/2008|03:04] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Real
[10/23/2007|12:35] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Skype
[04/12/2006|07:31] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Snapfish
[06/06/2005|01:15] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Sonic
[03/01/2005|08:17] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Sun
[07/25/2006|06:54] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Talkback
[08/20/2008|08:27] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> U3
[03/19/2008|07:15] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> Viewpoint
[12/05/2008|01:43] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> yahoo!
[05/21/2005|08:02] C:\DOCUME~1\YVONNE~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[12/27/2008 07:33 PM][--a------] C:\WINDOWS\tasks\Norton PC Checkup Weekend Scanner.job
[12/24/2008 06:58 PM][--a------] C:\WINDOWS\tasks\Norton PC Checkup WeekDay Scanner.job
[12/22/2008 01:30 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[12/28/2008 06:25 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 03:00 AM][-r-h-----] C:\WINDOWS\tasks\DESKTOP.INI

--------------------\\ Listing Folders in C:\Program Files

[07/14/2008|07:08] C:\Program Files\<DIR> Adobe
[03/01/2005|08:05] C:\Program Files\<DIR> Analog Devices
[09/14/2006|06:21] C:\Program Files\<DIR> AOD
[08/05/2008|05:25] C:\Program Files\<DIR> AOL
[09/06/2008|04:51] C:\Program Files\<DIR> Apple Software Update
[11/05/2007|11:13] C:\Program Files\<DIR> Audible
[08/03/2008|12:05] C:\Program Files\<DIR> AVG
[04/23/2005|08:56] C:\Program Files\<DIR> BigIdea
[09/22/2008|10:31] C:\Program Files\<DIR> Bonjour
[12/06/2008|02:43] C:\Program Files\<DIR> Citrix
[12/28/2008|06:23] C:\Program Files\<DIR> Common Files
[12/14/2008|06:32] C:\Program Files\<DIR> Costco
[05/10/2008|11:57] C:\Program Files\<DIR> Coupons
[05/10/2007|09:33] C:\Program Files\<DIR> Creative
[03/14/2007|10:46] C:\Program Files\<DIR> Creative Installation Information
[03/01/2005|08:19] C:\Program Files\<DIR> CyberLink
[10/21/2007|03:42] C:\Program Files\<DIR> Dell
[03/01/2005|08:29] C:\Program Files\<DIR> Dell Inc
[05/27/2008|08:07] C:\Program Files\<DIR> Dell Support Center
[04/10/2007|11:14] C:\Program Files\<DIR> DellSupport
[05/02/2006|05:49] C:\Program Files\<DIR> Disney Interactive
[08/03/2008|01:06] C:\Program Files\<DIR> Google
[08/03/2008|07:10] C:\Program Files\<DIR> Grisoft
[02/05/2007|09:30] C:\Program Files\<DIR> HP
[06/20/2006|09:19] C:\Program Files\<DIR> IncrediMail
[10/05/2005|05:56] C:\Program Files\<DIR> Infogrames Interactive
[09/27/2008|08:37] C:\Program Files\<DIR> InstallShield Installation Information
[05/23/2005|07:26] C:\Program Files\<DIR> Intel
[12/12/2008|07:21] C:\Program Files\<DIR> Internet Explorer
[12/01/2008|07:12] C:\Program Files\<DIR> iPod
[12/01/2008|07:13] C:\Program Files\<DIR> iTunes
[05/23/2005|07:35] C:\Program Files\<DIR> Jasc Software Inc
[07/14/2008|07:12] C:\Program Files\<DIR> Java
[12/27/2008|10:19] C:\Program Files\<DIR> Lavasoft
[01/01/2008|08:46] C:\Program Files\<DIR> LimeWire
[04/22/2007|10:05] C:\Program Files\<DIR> Logitech
[12/27/2008|10:48] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[09/29/2008|08:32] C:\Program Files\<DIR> Messenger
[03/01/2005|08:21] C:\Program Files\<DIR> Microsoft ActiveSync
[08/03/2008|10:01] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[03/01/2005|08:23] C:\Program Files\<DIR> Microsoft Encarta
[03/01/2005|07:41] C:\Program Files\<DIR> microsoft frontpage
[05/23/2005|07:02] C:\Program Files\<DIR> Microsoft Office
[03/01/2005|08:23] C:\Program Files\<DIR> Microsoft Picture It! 9
[03/01/2005|08:26] C:\Program Files\<DIR> Microsoft Plus! Digital Media Edition
[03/01/2005|08:21] C:\Program Files\<DIR> Microsoft Works
[03/01/2005|08:20] C:\Program Files\<DIR> Microsoft Works Suite 2004
[05/23/2005|07:26] C:\Program Files\<DIR> Modem Helper
[03/01/2005|08:18] C:\Program Files\<DIR> Modem On Hold
[09/29/2008|08:25] C:\Program Files\<DIR> Movie Maker
[12/28/2008|06:28] C:\Program Files\<DIR> Mozilla Firefox
[10/21/2007|03:38] C:\Program Files\<DIR> MSN
[03/01/2005|07:41] C:\Program Files\<DIR> MSN Gaming Zone
[11/17/2006|02:20] C:\Program Files\<DIR> MSXML 4.0
[08/03/2008|07:02] C:\Program Files\<DIR> MSXML 6.0
[05/06/2008|07:50] C:\Program Files\<DIR> MUSICMATCH
[09/29/2008|08:22] C:\Program Files\<DIR> NetMeeting
[12/17/2008|05:56] C:\Program Files\<DIR> Norton PC Checkup
[03/01/2005|07:41] C:\Program Files\<DIR> Online Services
[09/29/2008|08:21] C:\Program Files\<DIR> Outlook Express
[06/08/2007|07:12] C:\Program Files\<DIR> Overland
[08/03/2008|10:03] C:\Program Files\<DIR> Pure Networks
[12/01/2008|07:08] C:\Program Files\<DIR> QuickTime
[05/27/2008|11:05] C:\Program Files\<DIR> Real
[11/17/2008|09:56] C:\Program Files\<DIR> Rhapsody
[12/01/2008|06:53] C:\Program Files\<DIR> Safari
[08/03/2008|07:03] C:\Program Files\<DIR> Seagate
[05/27/2008|11:06] C:\Program Files\<DIR> Skype
[03/25/2005|10:39] C:\Program Files\<DIR> Sonic
[09/27/2008|08:39] C:\Program Files\<DIR> Sony
[12/08/2008|10:22] C:\Program Files\<DIR> Spybot - Search & Destroy
[06/30/2006|08:47] C:\Program Files\<DIR> Stentor
[05/27/2007|11:27] C:\Program Files\<DIR> Taomedic
[12/07/2008|01:15] C:\Program Files\<DIR> TextPad 5
[08/03/2008|01:01] C:\Program Files\<DIR> Trend Micro
[12/28/2008|10:23] C:\Program Files\<DIR> Trillian
[12/23/2006|04:47] C:\Program Files\<DIR> Uninstall Information
[08/03/2008|09:43] C:\Program Files\<DIR> Viewpoint
[12/21/2006|10:08] C:\Program Files\<DIR> Windows Media Connect 2
[09/29/2008|08:21] C:\Program Files\<DIR> Windows Media Player
[09/29/2008|08:21] C:\Program Files\<DIR> Windows NT
[07/07/2005|06:36] C:\Program Files\<DIR> WindowsUpdate
[12/07/2008|01:10] C:\Program Files\<DIR> WinZip
[03/01/2005|07:41] C:\Program Files\<DIR> XEROX
[12/08/2008|10:22] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[02/22/2008|06:46] C:\Program Files\Common Files\<DIR> Adobe
[08/05/2008|05:26] C:\Program Files\Common Files\<DIR> AOL
[05/06/2006|05:18] C:\Program Files\Common Files\<DIR> aolback
[12/01/2008|07:07] C:\Program Files\Common Files\<DIR> Apple
[03/01/2005|08:21] C:\Program Files\Common Files\<DIR> Designer
[04/22/2007|10:05] C:\Program Files\Common Files\<DIR> FotoWire
[02/05/2007|09:29] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[12/14/2008|06:32] C:\Program Files\Common Files\<DIR> HP
[03/01/2005|08:28] C:\Program Files\Common Files\<DIR> InstallShield
[03/01/2005|08:17] C:\Program Files\Common Files\<DIR> Java
[06/20/2005|07:58] C:\Program Files\Common Files\<DIR> Knowledge Adventure
[04/22/2007|10:02] C:\Program Files\Common Files\<DIR> Logitech
[08/25/2008|11:37] C:\Program Files\Common Files\<DIR> Microsoft Shared
[03/01/2005|07:41] C:\Program Files\Common Files\<DIR> MSSoap
[05/25/2005|06:49] C:\Program Files\Common Files\<DIR> NSV
[03/01/2005|08:35] C:\Program Files\Common Files\<DIR> Nullsoft
[05/27/2005|07:44] C:\Program Files\Common Files\<DIR> ODBC
[03/31/2008|07:43] C:\Program Files\Common Files\<DIR> Real
[05/13/2007|06:59] C:\Program Files\Common Files\<DIR> Scanner
[03/01/2005|07:41] C:\Program Files\Common Files\<DIR> Services
[03/01/2005|08:27] C:\Program Files\Common Files\<DIR> Sonic
[03/01/2005|07:41] C:\Program Files\Common Files\<DIR> SpeechEngines
[12/27/2008|07:35] C:\Program Files\Common Files\<DIR> Symantec Shared
[09/29/2008|08:21] C:\Program Files\Common Files\<DIR> System
[12/27/2008|10:18] C:\Program Files\Common Files\<DIR> Wise Installation Wizard
[03/31/2008|07:44] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 53 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\YVONNE~1\Cookies\[email protected][2].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-28 18:57:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
disk error: C:\WINDOWS\System32\
please note that you need administrator rights to perform deep scan

--------------------\\ Searching for other infections


No other infections found !

[F:2][D:1]-> C:\DOCUME~1\YVONNE~1\LOCALS~1\Temp
[F:333][D:0]-> C:\DOCUME~1\YVONNE~1\Cookies
[F:6][D:2]-> C:\DOCUME~1\YVONNE~1\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sun 12/28/2008|18:58 - Option : [1]

--------------------\\ Scan completed at 18:58:41

#12
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Looking good.

In this post we will do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

The scans will likely take 3 hours, quite possibly much longer, so just let them run.


====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
We will update and re-run your Malwarebytes.

Double-click the Malwarebytes icon on your desktop to open the program.
  • On the tabs at the top, select Update and then press the Check for Updates button on that page. If an update is found, it will download and install the latest version.
  • Once complete (a new version of Malwarebytes may download), select the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



====STEP 3====
Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Double-click the setup file to run it.
  • Click Next to continue.
  • It will by default install to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Also any other (removable) drives that you may have

After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware from the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.





In your next reply could I see:
1. the Malwarebytes log
2. the Kaspersky log
3. and some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

#13
ouroboros

    Member

  • Topic Starter
  • Member
  • 11 posts
Will do. Will have to wait for morning though. Thank you very much for all your help.

#14
andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Still with us?

#15
ouroboros

    Member

  • Topic Starter
  • Member
  • 11 posts
I'm still with you, but I haven't been in town and I haven't had the time. 3-hour scans are difficult with a family computer so... will get it when I can.