Keep on getting trojans & Automatic Updates Turned off [Solved]

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

Keep on getting trojans & Automatic Updates Turned off [Solved]

#1 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 25 January 2009 - 04:29 PM

It seems like every few days my avir picks up some sort of trojan
my automatic updates have also randomly turned off

I have ran ad aware malwarebytes and avir antivirus

here is my hijackthis log
ogfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:47 PM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG7\setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101676&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1394DA19-E970-43D5-A1E0-A85E6876867C} - C:\WINDOWS\system32\khfCuRhf.dll (file missing)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {51A122C1-63EE-4547-9BDA-9CFAAB6898B9} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-4092056663-3362789689-998092790-1008\..\Run: [Power2GoExpress] NA (User 'kenny G')
O4 - HKUS\S-1-5-21-4092056663-3362789689-998092790-1008\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'kenny G')
O4 - HKUS\S-1-5-21-4092056663-3362789689-998092790-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'kenny G')
O4 - HKUS\S-1-5-21-4092056663-3362789689-998092790-500\..\Run: [Power2GoExpress] NA (User 'Administrator')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9321 bytes

Please help

#2 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 30 January 2009 - 09:44 PM

can anyone help my avir antivirus also detects
WORM/IrcBot
TR/Trash.Gen' [trojan]
TR/Crypt.XPACK.Gen'

#3 Octagonal

Group: Member
Posts: 2,528
Joined: 04-May 05

Posted 30 January 2009 - 09:57 PM

The Malware Removal forum has been very busy lately and your topic may have been overlooked.

Seeing that your topic has gone more than three days without a reply, post a link to your original topic in The Waiting Room and a staff member will pick it up as soon as they can.

#4 emeraldnzl

Group: GeekU Moderator
Posts: 14,630
Joined: 19-November 07

Posted 02 February 2009 - 08:43 PM

Hello Justin_G,

Your Java is out of date, older versions are vunerable to attack.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Next

Download Lop S&D by Eric_71 and save it to your desktop.

Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and anti-malware programs so they do not interfere with the running of Lop S&D. You can usually do this via a right click on the System Tray icon.

Double-click LopSD.exe
If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.
Choose the language by typing of the corresponding letter and press Enter
Click OK at the informative window
Type 2 to choose Option 2 (Fix + Hosts), then press Enter
Wait until the end of the scan
A report will be generated, post the contents of it in your next reply.

(Copy of the report can be found at this location: %SystemDrive%\lopR.txt, in most cases C:\lopR.txt)

#5 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 03 February 2009 - 12:34 AM

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [2] ( Tue 02/03/2009| 0:26 )

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ FIX

-
[ Hosts file ] .. Restored!

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Deleted! - C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\Viewpoint
Deleted! - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

--------------------\\ Listing folders in APPLIC~1

[09/04/2006|11:32] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> ATI
[06/17/2006|03:41] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[01/25/2009|04:22] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[09/04/2006|11:09] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> SampleView
[09/04/2006|11:07] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[12/05/2008|12:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[09/06/2007|04:46] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[02/18/2008|10:16] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[02/18/2008|10:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL Downloads
[12/19/2006|06:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[10/06/2007|11:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[09/25/2006|10:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[01/25/2009|04:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avg7
[01/24/2009|07:38] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Avira
[10/15/2006|07:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink
[02/18/2008|07:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[11/17/2008|10:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft
[12/23/2008|11:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[12/12/2007|12:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> McAfee
[01/23/2009|06:43] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[01/24/2009|06:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft Help
[01/14/2008|10:03] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Napster
[10/15/2007|09:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Office Genuine Advantage
[06/19/2006|12:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Prism Deploy
[09/04/2006|11:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Pure Networks
[09/04/2006|11:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> QuickTime
[12/11/2007|08:48] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> scar5
[12/20/2008|03:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype
[10/23/2006|08:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trymedia
[10/30/2006|03:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TuneUp Software
[09/22/2008|11:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> VanDyke
[09/25/2006|10:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WildTangent
[09/26/2006|03:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[12/23/2008|02:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! Companion

[09/04/2006|11:32] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> ATI
[06/17/2006|03:41] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[09/04/2006|11:05] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[09/04/2006|11:09] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> SampleView
[09/04/2006|11:07] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> You've Got Pictures Screensaver

[12/12/2007|12:08] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> AVG7
[01/25/2009|04:22] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[01/25/2009|04:22] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

[09/30/2008|02:45] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Adobe
[05/06/2008|10:50] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> AdobeUM
[10/02/2006|09:24] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Ahead
[01/24/2009|05:35] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Aim
[09/23/2008|05:24] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Apple Computer
[09/04/2006|11:32] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> ATI
[01/25/2009|04:21] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> AVG7
[08/05/2008|09:59] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Azureus
[12/17/2006|04:57] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> CyberLink
[10/23/2008|09:20] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> GetRightToGo
[10/15/2006|09:05] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Google
[06/17/2006|03:41] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Identities
[11/17/2008|10:03] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Lavasoft
[01/20/2009|10:58] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> LimeWire
[05/07/2008|10:35] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Macromedia
[12/23/2008|11:51] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Malwarebytes
[11/03/2008|11:51] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Microsoft
[11/04/2008|04:14] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Microsoft Games
[06/06/2008|11:49] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Mozilla
[09/29/2006|04:05] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Red Chair Software
[09/04/2006|11:09] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> SampleView
[12/11/2007|08:48] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> scar5
[01/24/2009|05:21] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Skype
[01/24/2009|05:21] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> skypePM
[09/25/2006|10:50] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Sun
[09/25/2006|02:57] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Talkback
[10/30/2006|03:35] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> TuneUp Software
[04/08/2008|10:04] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> U3
[02/03/2009|12:27] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> uTorrent
[09/22/2008|11:11] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> VanDyke
[09/11/2007|02:53] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> VideoReDoPlus
[11/19/2007|09:46] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> vlc
[02/02/2009|08:08] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Vso
[03/16/2008|04:12] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> Wildfire
[09/25/2006|03:05] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> WinPatrol
[09/04/2006|11:07] C:\DOCUME~1\OWNER~1.MEG\APPLIC~1\<DIR> You've Got Pictures Screensaver

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[02/03/2009 12:20 AM][--a------] C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-4092056663-3362789689-998092790-1006.job
[01/31/2009 11:00 PM][--a------] C:\WINDOWS\tasks\ngqfiyjx.job
[01/30/2009 10:16 AM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[01/28/2009 01:33 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/10/2004 01:00 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[01/01/2007|06:02] C:\Program Files\<DIR> 3ivx
[09/04/2006|11:04] C:\Program Files\<DIR> Adobe
[01/24/2009|05:35] C:\Program Files\<DIR> AIM
[02/11/2008|10:27] C:\Program Files\<DIR> AnGo's Game Collection
[12/11/2007|11:43] C:\Program Files\<DIR> AOD
[08/07/2008|09:34] C:\Program Files\<DIR> Apple Software Update
[01/20/2009|11:00] C:\Program Files\<DIR> AskBarDis
[09/04/2006|11:14] C:\Program Files\<DIR> ATI Technologies
[09/11/2007|02:44] C:\Program Files\<DIR> AutoGK
[01/24/2009|07:38] C:\Program Files\<DIR> Avira
[09/11/2007|02:43] C:\Program Files\<DIR> AviSynth 2.5
[08/05/2008|10:00] C:\Program Files\<DIR> Azureus
[09/11/2007|02:41] C:\Program Files\<DIR> BeLight 0.21
[09/04/2006|11:00] C:\Program Files\<DIR> BigFix
[09/25/2006|03:05] C:\Program Files\<DIR> BillP Studios
[09/16/2008|05:02] C:\Program Files\<DIR> Bonjour
[10/02/2007|07:25] C:\Program Files\<DIR> Broadcom
[01/24/2009|05:26] C:\Program Files\<DIR> CCleaner
[08/28/2008|11:47] C:\Program Files\<DIR> Cisco Systems
[12/20/2008|03:01] C:\Program Files\<DIR> Common Files
[06/17/2006|03:37] C:\Program Files\<DIR> ComPlus Applications
[09/04/2006|10:59] C:\Program Files\<DIR> CyberLink
[10/01/2006|03:38] C:\Program Files\<DIR> [bleep] NFO Viewer
[09/04/2006|10:52] C:\Program Files\<DIR> DIFX
[10/30/2007|09:26] C:\Program Files\<DIR> DivX
[10/09/2006|08:58] C:\Program Files\<DIR> DVD Decrypter
[10/17/2006|09:45] C:\Program Files\<DIR> DVDFab Decrypter 3
[10/15/2006|07:13] C:\Program Files\<DIR> DVDFab Platinum 3
[02/02/2009|08:07] C:\Program Files\<DIR> DVDFab Platinum 4
[09/29/2006|05:21] C:\Program Files\<DIR> EphPod
[01/14/2008|10:02] C:\Program Files\<DIR> Feudalism_at
[09/11/2007|02:41] C:\Program Files\<DIR> Gabest
[02/11/2008|10:59] C:\Program Files\<DIR> GameHouse Games Collection
[12/10/2008|09:46] C:\Program Files\<DIR> GameSpy Arcade
[02/18/2008|07:25] C:\Program Files\<DIR> Gateway Games
[02/18/2008|09:54] C:\Program Files\<DIR> Google
[09/15/2008|07:55] C:\Program Files\<DIR> HP
[10/05/2006|08:24] C:\Program Files\<DIR> IGN
[09/04/2006|11:17] C:\Program Files\<DIR> InstallShield Installation Information
[02/02/2009|08:07] C:\Program Files\<DIR> Internet Explorer
[12/05/2008|12:26] C:\Program Files\<DIR> iPod
[12/20/2006|12:15] C:\Program Files\<DIR> iTube
[12/05/2008|12:27] C:\Program Files\<DIR> iTunes
[02/03/2009|12:23] C:\Program Files\<DIR> Java
[11/17/2008|10:05] C:\Program Files\<DIR> Lavasoft
[01/20/2009|11:00] C:\Program Files\<DIR> LimeWire
[12/16/2008|02:13] C:\Program Files\<DIR> Magic MP3 Tagger
[01/04/2007|10:20] C:\Program Files\<DIR> Makayama Interactive
[12/23/2008|11:51] C:\Program Files\<DIR> Malwarebytes' Anti-Malware
[08/23/2008|10:39] C:\Program Files\<DIR> Messenger
[10/04/2006|09:41] C:\Program Files\<DIR> Microsoft ActiveSync
[10/24/2008|02:03] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2
[09/04/2006|11:04] C:\Program Files\<DIR> Microsoft Digital Image 2006
[06/17/2006|03:41] C:\Program Files\<DIR> microsoft frontpage
[11/04/2008|04:05] C:\Program Files\<DIR> Microsoft Games
[11/11/2008|11:01] C:\Program Files\<DIR> Microsoft Money 2006
[10/23/2008|09:12] C:\Program Files\<DIR> Microsoft Office
[10/24/2008|04:25] C:\Program Files\<DIR> Microsoft Silverlight
[11/04/2008|12:25] C:\Program Files\<DIR> Microsoft SQL Server
[08/30/2008|10:55] C:\Program Files\<DIR> Microsoft Visual Studio 8
[10/23/2008|09:12] C:\Program Files\<DIR> Microsoft Works
[08/30/2008|11:01] C:\Program Files\<DIR> Microsoft.NET
[01/03/2007|01:25] C:\Program Files\<DIR> mIRC
[09/04/2006|11:18] C:\Program Files\<DIR> Motorola
[08/23/2008|01:24] C:\Program Files\<DIR> Movie Maker
[02/03/2009|12:20] C:\Program Files\<DIR> Mozilla Firefox
[09/11/2007|02:56] C:\Program Files\<DIR> Mpeg2Schnitt 0.8.7
[09/30/2006|01:23] C:\Program Files\<DIR> MSN
[09/04/2006|11:07] C:\Program Files\<DIR> MSN Encarta Plus
[06/17/2006|03:35] C:\Program Files\<DIR> MSN Gaming Zone
[11/05/2008|03:27] C:\Program Files\<DIR> MSXML 4.0
[10/30/2008|11:46] C:\Program Files\<DIR> MSXML 6.0
[12/13/2008|10:33] C:\Program Files\<DIR> MusicBrainz Picard
[01/14/2008|10:03] C:\Program Files\<DIR> Napster
[10/01/2006|08:45] C:\Program Files\<DIR> Nero
[08/23/2008|01:20] C:\Program Files\<DIR> NetMeeting
[10/02/2006|01:53] C:\Program Files\<DIR> Network Stumbler
[06/17/2006|03:36] C:\Program Files\<DIR> Online Services
[10/06/2006|03:05] C:\Program Files\<DIR> OpenSource AVI Splitter
[08/23/2008|01:20] C:\Program Files\<DIR> Outlook Express
[01/24/2009|06:45] C:\Program Files\<DIR> PeerGuardian2
[01/28/2008|09:42] C:\Program Files\<DIR> PokerStars
[10/15/2007|08:56] C:\Program Files\<DIR> PowerISO
[02/18/2008|07:25] C:\Program Files\<DIR> ProcessGuard
[09/11/2007|02:42] C:\Program Files\<DIR> Project X 0.90.4.00
[09/25/2006|01:54] C:\Program Files\<DIR> Pure Networks
[12/05/2008|12:24] C:\Program Files\<DIR> QuickTime
[09/04/2006|11:06] C:\Program Files\<DIR> Real
[12/05/2008|12:08] C:\Program Files\<DIR> Safari
[12/11/2007|08:48] C:\Program Files\<DIR> scar5
[11/11/2008|06:00] C:\Program Files\<DIR> Scrapboy Digital Media Corporation
[09/04/2006|11:24] C:\Program Files\<DIR> SIFXINST
[09/04/2006|11:17] C:\Program Files\<DIR> SigmaTel
[12/20/2008|03:01] C:\Program Files\<DIR> Skype
[12/18/2007|10:07] C:\Program Files\<DIR> SpywareBlaster
[09/04/2006|11:01] C:\Program Files\<DIR> Synaptics
[05/20/2007|09:43] C:\Program Files\<DIR> TI Education
[01/24/2009|05:37] C:\Program Files\<DIR> Total Seminars
[01/25/2009|04:21] C:\Program Files\<DIR> Trend Micro
[10/30/2006|03:38] C:\Program Files\<DIR> TuneUp Utilities 2006
[09/28/2006|08:55] C:\Program Files\<DIR> TVUPlayer
[06/17/2006|03:46] C:\Program Files\<DIR> Uninstall Information
[09/22/2008|02:03] C:\Program Files\<DIR> Universal
[08/05/2008|10:00] C:\Program Files\<DIR> uTorrent
[11/11/2008|10:55] C:\Program Files\<DIR> VanDyke Software
[12/13/2008|09:07] C:\Program Files\<DIR> VB Decompiler Lite
[10/28/2008|03:06] C:\Program Files\<DIR> VBReFormer
[09/22/2008|02:03] C:\Program Files\<DIR> VersalSoft
[11/12/2007|05:20] C:\Program Files\<DIR> VideoLAN
[09/11/2007|02:42] C:\Program Files\<DIR> VideoReDoPlus
[02/03/2009|12:27] C:\Program Files\<DIR> Viewpoint
[01/04/2007|10:18] C:\Program Files\<DIR> wifi hacks
[09/04/2006|11:02] C:\Program Files\<DIR> WildTangent
[01/07/2007|10:55] C:\Program Files\<DIR> Windows Media Connect 2
[08/23/2008|01:20] C:\Program Files\<DIR> Windows Media Player
[08/23/2008|01:20] C:\Program Files\<DIR> Windows NT
[06/17/2006|03:36] C:\Program Files\<DIR> Windows Plus
[10/15/2007|08:30] C:\Program Files\<DIR> Windows X
[06/17/2006|03:39] C:\Program Files\<DIR> WindowsUpdate
[09/29/2006|03:55] C:\Program Files\<DIR> WinRAR
[06/17/2006|03:41] C:\Program Files\<DIR> xerox
[09/01/2008|05:52] C:\Program Files\<DIR> Xilisoft
[11/17/2008|10:04] C:\Program Files\<DIR> Yahoo!
[02/18/2008|07:25] C:\Program Files\<DIR> Yahoo! Games
[02/18/2008|06:56] C:\Program Files\<DIR> Your Company Name

--------------------\\ Listing Folders in C:\Program Files\Common Files

[09/06/2007|04:46] C:\Program Files\Common Files\<DIR> Adobe
[10/01/2006|08:45] C:\Program Files\Common Files\<DIR> Ahead
[12/23/2006|04:55] C:\Program Files\Common Files\<DIR> AOL
[12/05/2008|12:26] C:\Program Files\Common Files\<DIR> Apple
[11/10/2008|04:57] C:\Program Files\Common Files\<DIR> DESIGNER
[08/28/2008|11:47] C:\Program Files\Common Files\<DIR> Deterministic Networks
[10/10/2006|11:52] C:\Program Files\Common Files\<DIR> Hewlett-Packard
[09/04/2006|11:05] C:\Program Files\Common Files\<DIR> InstallShield
[09/04/2006|11:01] C:\Program Files\Common Files\<DIR> Java
[11/10/2008|04:58] C:\Program Files\Common Files\<DIR> Microsoft Shared
[06/17/2006|03:38] C:\Program Files\Common Files\<DIR> MSSoap
[06/19/2006|12:36] C:\Program Files\Common Files\<DIR> New Boundary
[10/23/2006|01:09] C:\Program Files\Common Files\<DIR> NSV
[09/04/2006|11:07] C:\Program Files\Common Files\<DIR> Nullsoft
[06/16/2006|08:31] C:\Program Files\Common Files\<DIR> ODBC
[09/04/2006|11:06] C:\Program Files\Common Files\<DIR> Real
[09/04/2006|11:05] C:\Program Files\Common Files\<DIR> Roxio Shared
[06/17/2006|03:38] C:\Program Files\Common Files\<DIR> Services
[12/20/2008|03:01] C:\Program Files\Common Files\<DIR> Skype
[06/16/2006|08:31] C:\Program Files\Common Files\<DIR> SpeechEngines
[08/23/2008|01:20] C:\Program Files\Common Files\<DIR> System
[05/20/2007|09:43] C:\Program Files\Common Files\<DIR> TI Shared
[11/17/2008|10:02] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 61 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 00:28:38
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Suspect ..

C:\WINDOWS\system32\TDSSdoly.dat

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\OWNER~1.MEG\Application Data\Azureus\torrents\iPodRip3.9.1___Crack.3522976.TPB.torrent
C:\DOCUME~1\OWNER~1.MEG\Desktop\ripped\Crack A Head.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\Patching KeyGenMe with OllyDbg.htm
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Apps\iPodRip3.9.1+Serial\iPodRip 3.9.1 + Crack.dmg
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Apps\Nero 7 Lite v7.5.1.1\keygen.exe
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Bob_and_Tom-Donkey_Show-2006-DH\204-bob_and_tom-sandy_crack_shack.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Lil Wayne\Juelz Santana & Lil Wayne - From 911 To Katrina [2006]\26_juelz_santana_-_crack.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Lil Wayne\Lil Wayne - Waynes World [2005]\lil_wayne-17-crack_the_bottle.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Pictures\IEFD Ep. 2 - Wireless Hacking - Cracking WEP.avi
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Videos\Jenna Haze - FastTimes at Deep Crack High #4 porn flatrix young teen hustler [bleep] playboy asian comedy preteen raped sister britney spears naked xxx [bleep] [bleep] .mpg
C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Bubble Golden Pack 3 Keygen.lnk
C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Clash N Slash Keygen.lnk
C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Digi Pool Keygen.lnk

[F:37][D:5]-> C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp
[F:12][D:0]-> C:\DOCUME~1\OWNER~1.MEG\Cookies
[F:56][D:4]-> C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Tue 02/03/2009| 0:29 - Option : [2]

--------------------\\ Scan completed at 0:29:25

#6 emeraldnzl

Group: GeekU Moderator
Posts: 14,630
Joined: 19-November 07

Posted 03 February 2009 - 01:37 AM

Cracks and Keygens inevitable lead to infection. If you persist in there use you will no longer receive help at this site.

Now

Please download the OTMoveIt3 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

:processes
explorer.exe

:files
C:\WINDOWS\system32\TDSSdoly.dat
C:\DOCUME~1\OWNER~1.MEG\Application Data\Azureus\torrents\iPodRip3.9.1___Crack.3522976.TPB.torrent
C:\DOCUME~1\OWNER~1.MEG\Desktop\ripped\Crack A Head.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\Patching KeyGenMe with OllyDbg.htm
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Apps\iPodRip3.9.1+Serial\iPodRip 3.9.1 + Crack.dmg
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Apps\Nero 7 Lite v7.5.1.1\keygen.exe
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Bob_and_Tom-Donkey_Show-2006-DH\204-bob_and_tom-sandy_crack_shack.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Lil Wayne\Juelz Santana & Lil Wayne - From 911 To Katrina [2006]\26_juelz_santana_-_crack.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Lil Wayne\Lil Wayne - Waynes World [2005]\lil_wayne-17-crack_the_bottle.mp3
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Pictures\IEFD Ep. 2 - Wireless Hacking - Cracking WEP.avi
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Videos\Jenna Haze - FastTimes at Deep Crack High #4 porn flatrix young teen hustler [bleep] playboy asian comedy preteen raped sister britney spears naked xxx [bleep] [bleep] .mpg
C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Bubble Golden Pack 3 Keygen.lnk
C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Clash N Slash Keygen.lnk
C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Digi Pool Keygen.lnk

:commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next

Please download ComboFix from one of these locations:

NOTE: If you are guest watching this topic. ComboFix is a very powerful tool. The disclaimer clearly states that you should not use it without supervision. There is good reason for this as ComboFix can, and sometimes does, run into conflict on a computer and render it unusable.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

#7 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 03 February 2009 - 01:49 AM

rocess explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\TDSSdoly.dat moved successfully.
C:\DOCUME~1\OWNER~1.MEG\Application Data\Azureus\torrents\iPodRip3.9.1___Crack.3522976.TPB.torrent moved successfully.
C:\DOCUME~1\OWNER~1.MEG\Desktop\ripped\Crack A Head.mp3 moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\Patching KeyGenMe with OllyDbg.htm moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Apps\iPodRip3.9.1+Serial\iPodRip 3.9.1 + Crack.dmg moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Apps\Nero 7 Lite v7.5.1.1\keygen.exe moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Bob_and_Tom-Donkey_Show-2006-DH\204-bob_and_tom-sandy_crack_shack.mp3 moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Lil Wayne\Juelz Santana & Lil Wayne - From 911 To Katrina [2006]\26_juelz_santana_-_crack.mp3 moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Music\downloadedmusic\Lil Wayne\Lil Wayne - Waynes World [2005]\lil_wayne-17-crack_the_bottle.mp3 moved successfully.
C:\DOCUME~1\OWNER~1.MEG\My Documents\My Pictures\IEFD Ep. 2 - Wireless Hacking - Cracking WEP.avi moved successfully.
File/Folder C:\DOCUME~1\OWNER~1.MEG\My Documents\My Videos\Jenna Haze - FastTimes at Deep Crack High #4 porn flatrix young teen hustler [bleep] playboy asian comedy preteen raped sister britney spears naked xxx [bleep] [bleep] .mpg not found.
File/Folder C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Bubble Golden Pack 3 Keygen.lnk not found.
File/Folder C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Clash N Slash Keygen.lnk not found.
File/Folder C:\DOCUME~1\OWNER~1.MEG\Start Menu\Programs\Ango's Game Collection\Digi Pool Keygen.lnk not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\etilqs_6ocTRtmYXf0IO4hR0BVh scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\Perflib_Perfdata_6d4.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\Perflib_Perfdata_c58.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\Perflib_Perfdata_fdc.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\~DFD9B3.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_a78.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_f6c.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02032009_014259

Files moved on Reboot...
File C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\etilqs_6ocTRtmYXf0IO4hR0BVh not found!
File C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\Perflib_Perfdata_6d4.dat not found!
File C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\Perflib_Perfdata_c58.dat not found!
File C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\Perflib_Perfdata_fdc.dat not found!
C:\DOCUME~1\OWNER~1.MEG\LOCALS~1\Temp\~DFD9B3.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_a78.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_f6c.dat not found!
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\XUL.mfl moved successfully.

#8 emeraldnzl

Group: GeekU Moderator
Posts: 14,630
Joined: 19-November 07

Posted 03 February 2009 - 01:52 AM

Looking good.

I guess the ComboFix one is on the way.

#9 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 03 February 2009 - 02:05 AM

ComboFix 09-02-02.04 - Owner 2009-02-03 1:54:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.382 [GMT -6:00]
Running from: c:\documents and settings\Owner.MEGA-Notebook\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.MEGA-Notebook\Application Data\inst.exe
c:\windows\system32\ckqyhb.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\giiyjops.dll
c:\windows\system32\jfbigvfu.dll
c:\windows\system32\Packet.dll
c:\windows\system32\rlwdrmgi.dll
c:\windows\system32\tojykw.dll
c:\windows\system32\vwqhqlvo.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wjnqhi.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xhohgp.dll
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 01:42 . 2009-02-03 01:42 <DIR> d-------- C:\_OTMoveIt
2009-02-03 00:26 . 2009-02-03 00:29 <DIR> d-------- C:\Lop SD
2009-02-03 00:24 . 2009-02-03 00:24 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-02 20:07 . 2009-02-02 20:07 <DIR> d-------- c:\program files\DVDFab Platinum 4
2009-01-25 16:21 . 2009-01-25 16:21 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 19:38 . 2009-01-24 19:38 <DIR> d-------- c:\program files\Avira
2009-01-24 19:38 . 2009-01-24 19:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-24 18:52 . 2009-01-24 18:53 <DIR> d-------- C:\IPhoneTemp
2009-01-20 11:14 . 2009-02-03 00:24 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-20 11:00 . 2009-01-20 11:00 <DIR> d-------- c:\program files\AskBarDis
2009-01-13 14:34 . 2009-01-13 14:34 127 --a------ c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 07:44 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\uTorrent
2009-02-03 06:27 --------- d-----w c:\program files\Viewpoint
2009-02-03 06:23 --------- d-----w c:\program files\Java
2009-02-03 02:08 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-03 02:08 47,360 ----a-w c:\documents and settings\Owner.MEGA-Notebook\Application Data\pcouffin.sys
2009-02-03 02:08 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Vso
2009-01-25 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-25 22:21 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\AVG7
2009-01-25 22:21 --------- d-----w c:\documents and settings\kenny G\Application Data\AVG7
2009-01-25 00:45 --------- d-----w c:\program files\PeerGuardian2
2009-01-25 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-24 23:37 --------- d-----w c:\program files\Total Seminars
2009-01-24 23:35 --------- d-----w c:\program files\AIM
2009-01-24 23:35 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Aim
2009-01-24 23:26 --------- d-----w c:\program files\CCleaner
2009-01-24 23:21 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\skypePM
2009-01-24 23:21 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Skype
2009-01-20 17:00 --------- d-----w c:\program files\LimeWire
2009-01-20 16:58 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\LimeWire
2008-12-24 05:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-24 05:51 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Malwarebytes
2008-12-24 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 08:31 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-20 09:01 --------- d-----w c:\program files\Skype
2008-12-20 09:01 --------- d-----w c:\program files\Common Files\Skype
2008-12-20 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-16 20:13 --------- d-----w c:\program files\Magic MP3 Tagger
2008-12-14 04:33 --------- d-----w c:\program files\MusicBrainz Picard
2008-12-13 15:07 --------- d-----w c:\program files\VB Decompiler Lite
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 03:46 --------- d-----w c:\program files\GameSpy Arcade
2008-12-05 18:27 --------- d-----w c:\program files\iTunes
2008-12-05 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 18:26 --------- d-----w c:\program files\iPod
2008-12-05 18:26 --------- d-----w c:\program files\Common Files\Apple
2008-12-05 18:24 --------- d-----w c:\program files\QuickTime
2008-12-05 18:08 --------- d-----w c:\program files\Safari
2008-12-04 01:58 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:58 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-08 04:36 39,880 ----a-w c:\documents and settings\Owner.MEGA-Notebook\Application Data\GDIPFONTCACHEV1.DAT
2006-10-16 01:13 81,920 ----a-w c:\documents and settings\Owner.MEGA-Notebook\Application Data\ezpinst.exe
2006-12-13 16:51 38,912 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2006-12-13 16:51 96,330 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-08-23 18:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-08 22:08 279944 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Google Update"="c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-11 1236992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 148888]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-09-04 2168360]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2006-09-04 729088]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-08-28 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-30 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\AutoRun.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3449ea-9434-11db-9ddd-0014a5e502c0}]
\Shell\AutoRun\command - f:\system\viewer\Viewer.exe
\Shell\View your videos\command - f:\system\viewer\Viewer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d83f74-99f4-11db-9dde-0014a5e502c0}]
\Shell\AutoRun\command - f:\system\viewer\Viewer.exe
\Shell\View your videos\command - f:\system\viewer\Viewer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4092056663-3362789689-998092790-1006.job
- c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-22 03:51]

2009-02-03 c:\windows\Tasks\ngqfiyjx.job
- c:\windows\system32\opnmMdDt.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{1394DA19-E970-43D5-A1E0-A85E6876867C} - c:\windows\system32\khfCuRhf.dll
BHO-{51A122C1-63EE-4547-9BDA-9CFAAB6898B9} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101676&l=dis
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.MEGA-Notebook\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 01:59:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-03 2:03:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 08:03:45

Pre-Run: 10,387,423,232 bytes free
Post-Run: 10,459,566,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

249 --- E O F --- 2009-01-13 20:36:13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:37 AM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101676&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8854 bytes

#10 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 03 February 2009 - 02:06 AM

#11 emeraldnzl

Group: GeekU Moderator
Posts: 14,630
Joined: 19-November 07

Posted 03 February 2009 - 11:36 AM

Hello Justin_G,

Firstly, please go to Start > Control Panel >Add or Remove Programs (Programs and Features if you are a Vista user) and uninstall the following if they exist:

Viewpoint, Viewpoint Manager, Viewpoint Media Player.:

Viewpoint Manager is considered to be foistware. You can go to the link below to read about it.

http://www.clickz.com/news/article.php/3561546

Step 2

Your Adobe Acrobat Reader is out of date. Older versions are vunerable to attack.

Please go to the link below to update.

http://www.adobe.com.../readstep2.html

Now

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101676&l=dis
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

Close all windows other than HiJackThis, then click Fix Checked.

Close HiJackThis.

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

KillAll::

File::
c:\windows\Tasks\ngqfiyjx.job
c:\windows\system32\khfCuRhf.dll
c:\documents and settings\Owner.MEGA-Notebook\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\
c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
c:\program files\AskBarDis\bar\bin\askBar.dll

Folder::
c:\program files\AskBarDis

Firefox::
FF - ProfilePath - c:\documents and settings\Owner.MEGA-Notebook\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require together with a new HijackThis log in your next reply.

#12 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 03 February 2009 - 04:31 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:25 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8389 bytes

ComboFix 09-02-02.04 - Owner 2009-02-03 16:20:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.468 [GMT -6:00]
Running from: c:\documents and settings\Owner.MEGA-Notebook\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.MEGA-Notebook\Desktop\cfscript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
AV: McAfee VirusScan Online *On-access scanning disabled* (Outdated)
* Created a new restore point

FILE ::
c:\documents and settings\Owner.MEGA-Notebook\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
c:\windows\system32\khfCuRhf.dll
c:\windows\Tasks\ngqfiyjx.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Cache\0014C707
c:\program files\AskBarDis\bar\Cache\0014CA44
c:\program files\AskBarDis\bar\Cache\0014CED7
c:\program files\AskBarDis\bar\Cache\0014D446
c:\program files\AskBarDis\bar\Cache\0014D8CA
c:\program files\AskBarDis\bar\Cache\0014E703
c:\program files\AskBarDis\bar\Cache\0014EDC9
c:\program files\AskBarDis\bar\Cache\0014EE75.bin
c:\program files\AskBarDis\bar\Cache\0014EF50.bin
c:\program files\AskBarDis\bar\Cache\0014F05A.bin
c:\program files\AskBarDis\bar\Cache\0014F0C7.bin
c:\program files\AskBarDis\bar\Cache\0014F134.bin
c:\program files\AskBarDis\bar\Cache\0014F192.bin
c:\program files\AskBarDis\bar\Cache\0014F1F0.bin
c:\program files\AskBarDis\bar\Cache\0014F26D.bin
c:\program files\AskBarDis\bar\Cache\0014F2CB.bin
c:\program files\AskBarDis\bar\Cache\0014F328.bin
c:\program files\AskBarDis\bar\Cache\0014F3E4.bin
c:\program files\AskBarDis\bar\Cache\0014F451.bin
c:\program files\AskBarDis\bar\Cache\0014F4AF.bin
c:\program files\AskBarDis\bar\Cache\0014F51C.bin
c:\program files\AskBarDis\bar\Cache\0014F57A.bin
c:\program files\AskBarDis\bar\Cache\0014F5D8.bin
c:\program files\AskBarDis\bar\Cache\0014F664.bin
c:\program files\AskBarDis\bar\Cache\0014F76E
c:\program files\AskBarDis\bar\Cache\files.ini
c:\program files\AskBarDis\bar\History\search
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\bar\Settings\prevcfg.htm
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe
c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
c:\windows\Tasks\ngqfiyjx.job

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 16:12 . 2009-02-03 16:12 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-02-03 16:10 . 2009-02-03 16:11 <DIR> d-------- c:\program files\Common Files\Adobe
2009-02-03 01:42 . 2009-02-03 01:42 <DIR> d-------- C:\_OTMoveIt
2009-02-03 00:26 . 2009-02-03 00:29 <DIR> d-------- C:\Lop SD
2009-02-03 00:24 . 2009-02-03 00:24 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-02 20:07 . 2009-02-02 20:07 <DIR> d-------- c:\program files\DVDFab Platinum 4
2009-01-25 16:21 . 2009-01-25 16:21 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 19:38 . 2009-01-24 19:38 <DIR> d-------- c:\program files\Avira
2009-01-24 19:38 . 2009-01-24 19:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2009-01-24 18:52 . 2009-01-24 18:53 <DIR> d-------- C:\IPhoneTemp
2009-01-20 11:14 . 2009-02-03 00:24 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-13 14:34 . 2009-01-13 14:34 127 --a------ c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 07:44 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\uTorrent
2009-02-03 06:27 --------- d-----w c:\program files\Viewpoint
2009-02-03 06:23 --------- d-----w c:\program files\Java
2009-02-03 02:08 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-03 02:08 47,360 ----a-w c:\documents and settings\Owner.MEGA-Notebook\Application Data\pcouffin.sys
2009-02-03 02:08 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Vso
2009-01-25 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-25 22:21 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\AVG7
2009-01-25 22:21 --------- d-----w c:\documents and settings\kenny G\Application Data\AVG7
2009-01-25 00:45 --------- d-----w c:\program files\PeerGuardian2
2009-01-25 00:36 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-24 23:37 --------- d-----w c:\program files\Total Seminars
2009-01-24 23:35 --------- d-----w c:\program files\AIM
2009-01-24 23:35 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Aim
2009-01-24 23:26 --------- d-----w c:\program files\CCleaner
2009-01-24 23:21 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\skypePM
2009-01-24 23:21 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Skype
2009-01-20 17:00 --------- d-----w c:\program files\LimeWire
2009-01-20 16:58 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\LimeWire
2008-12-24 05:51 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-24 05:51 --------- d-----w c:\documents and settings\Owner.MEGA-Notebook\Application Data\Malwarebytes
2008-12-24 05:51 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 08:31 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-12-20 09:01 --------- d-----w c:\program files\Skype
2008-12-20 09:01 --------- d-----w c:\program files\Common Files\Skype
2008-12-20 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2008-12-16 20:13 --------- d-----w c:\program files\Magic MP3 Tagger
2008-12-14 04:33 --------- d-----w c:\program files\MusicBrainz Picard
2008-12-13 15:07 --------- d-----w c:\program files\VB Decompiler Lite
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 03:46 --------- d-----w c:\program files\GameSpy Arcade
2008-12-05 18:27 --------- d-----w c:\program files\iTunes
2008-12-05 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-05 18:26 --------- d-----w c:\program files\iPod
2008-12-05 18:26 --------- d-----w c:\program files\Common Files\Apple
2008-12-05 18:24 --------- d-----w c:\program files\QuickTime
2008-12-05 18:08 --------- d-----w c:\program files\Safari
2008-12-04 01:58 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:58 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-08 04:36 39,880 ----a-w c:\documents and settings\Owner.MEGA-Notebook\Application Data\GDIPFONTCACHEV1.DAT
2006-10-16 01:13 81,920 ----a-w c:\documents and settings\Owner.MEGA-Notebook\Application Data\ezpinst.exe
2006-12-13 16:51 38,912 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2006-12-13 16:51 96,330 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-08-23 18:09 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082320080824\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-03_ 2.02.42.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 21:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2009-02-03 22:24:18 16,384 ----atw c:\windows\temp\Perflib_Perfdata_564.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Google Update"="c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-11-11 1236992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 148888]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SigmatelSysTrayApp"="stsystra.exe" [2005-12-27 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-09-04 2168360]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2006-09-04 729088]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-08-28 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.3IV2"= 3ivxVfWCodec_dec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-30 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\AUTORUN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\AutoRun.Exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3449ea-9434-11db-9ddd-0014a5e502c0}]
\Shell\AutoRun\command - f:\system\viewer\Viewer.exe
\Shell\View your videos\command - f:\system\viewer\Viewer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d83f74-99f4-11db-9dde-0014a5e502c0}]
\Shell\AutoRun\command - f:\system\viewer\Viewer.exe
\Shell\View your videos\command - f:\system\viewer\Viewer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4092056663-3362789689-998092790-1006.job
- c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-22 03:51]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.MEGA-Notebook\Application Data\Mozilla\Firefox\Profiles\fvpt7wjh.default\
FF - plugin: c:\documents and settings\Owner.MEGA-Notebook\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 16:24:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(984)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-03 16:29:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-03 22:29:38
ComboFix2.txt 2009-02-03 08:03:50

Pre-Run: 10,157,522,944 bytes free
Post-Run: 10,139,770,880 bytes free

260 --- E O F --- 2009-01-13 20:36:13

#13 emeraldnzl

Group: GeekU Moderator
Posts: 14,630
Joined: 19-November 07

Posted 03 February 2009 - 05:10 PM

Hello again Justin_G,

In this post I have included Viewpoint for removal. If you don't want it removed then don't run the ComboFix.txt and we will amend it for running with just the mountpoints key deletion next time.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

Close all windows other than HiJackThis, then click Fix Checked.

Close HiJackThis.

Now

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

KillAll::

Folder::
c:\program files\Viewpoint

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a3449ea-9434-11db-9ddd-0014a5e502c0}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53d83f74-99f4-11db-9dde-0014a5e502c0}]

Driver::
Viewpoint Manager Service

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no-longer have Malwarebytes please download from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Finally in this post

Kaspersky on line scanner is very thorough. It can take a long time and for periods may seem not to be working. Just be patient and let it do its job.

Kaspersky works with Internet Explorer and Firefox 3.

Go to Kaspersky website and perform an online antivirus scan.

Note: you will need to turn off your security programs to allow Kaspersky to do its job.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.

Copy and paste that information in your next post.

So when you return please post
ComboFix.txt
MBAM report
Kaspersky scan results
a new HijackThis log
and tell me how your computer is performing now

#14 Justin_G

Group: Member
Posts: 30
Joined: 26-November 05

Posted 04 February 2009 - 01:01 PM

should i let the kasperky keep going? its only at 41% and its been 19 hours.
and it has detected 2 things so far

#15 emeraldnzl

Group: GeekU Moderator
Posts: 14,630
Joined: 19-November 07

Posted 04 February 2009 - 01:14 PM

Wow that is a long time for it.

It does take a long time especially on the first run through but I don't recall one quite that long.

One thing that does slow it down a heck of a lot is if you have not disabled you anti-virus security programs.

Otherwise I guess it is up to you. I would be inclined to let it finish it's job. The aim is to make sure we get you machine clean so if Kaspersky is finding things then best let it do its job. Staying off you machine might help it work a bit better too.

Back to Virus, Spyware, Malware Removal

Share this topic:

2 Pages
1
2
→

Please log in to reply

Keep on getting trojans & Automatic Updates Turned off [Solved] - Geeks to Go Forums