
Virtumonde/vundo infection [Solved]


#1 codycjb (Member)
I have gone through the tutorials on the forums and done all the scans recommended, plus a few more. All the scans tell me they have removed the viruses, but the next day or so they keep coming back. Some help would be greatly appreciated. From looking at other posts with similar problems, I figured you would ask me to run ComboFix and post a HijackThis log, so here they are.

ComboFix 09-02-01.01 - Owner 2009-02-01 13:45:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.659 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\windows\system32\taskkill.exe
c:\windows\Tasks\txbbxgwj.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-31 18:25 . 2009-01-31 18:25 <DIR> d-------- c:\program files\CCleaner
2009-01-31 11:25 . 2009-01-31 11:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-01-31 11:24 . 2009-01-31 11:24 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2009-01-31 11:20 . 2009-01-31 11:21 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.4
2009-01-31 11:19 . 2009-01-31 11:19 <DIR> d-------- c:\program files\GIMP-2.0
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 11:53 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 11:53 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-27 20:00 . 2009-01-27 20:00 <DIR> d-------- C:\VundoFix Backups
2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-25 08:54 . 2009-01-25 08:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 08:18 . 2009-01-25 08:17 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 08:16 . 2009-01-25 08:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 08:15 . 2009-01-25 08:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-22 16:39 . 2009-01-24 18:15 <DIR> d-------- c:\program files\PSP Grader
2009-01-20 18:16 . 2007-12-05 15:36 32,768 --a------ c:\documents and settings\Owner\msinst.exe
2009-01-20 18:11 . 2007-08-17 11:22 32,768 --a------ c:\documents and settings\Owner\mspformat.exe
2009-01-20 18:01 . 2009-01-20 18:01 <DIR> d-------- c:\documents and settings\Owner\88v3 id
2009-01-14 18:00 . 2009-01-14 18:00 <DIR> d-------- c:\program files\danny_kay1710
2009-01-12 14:27 . 2009-01-12 14:38 <DIR> d-------- c:\documents and settings\Owner\dwhelper
2009-01-05 18:11 . 2009-01-05 18:11 <DIR> d-------- c:\program files\Plato DVD to PSP Converter
2009-01-05 18:11 . 2004-07-03 07:59 524,288 --a------ c:\windows\system32\xvidcore.dll
2009-01-05 18:11 . 2004-07-03 08:08 139,264 --a------ c:\windows\system32\xvidvfw.dll
2009-01-05 18:11 . 2004-09-06 03:06 53,248 --a------ c:\windows\system32\xvid.ax
2009-01-05 00:32 . 2009-01-05 00:32 120,948 --a------ c:\windows\system32\rn.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 18:50 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet
2009-02-01 18:49 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-02-01 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-25 13:15 --------- d-----w c:\program files\Lavasoft
2009-01-25 02:33 96,384 ----a-w c:\windows\system32\drivers\sptddrv1.sys
2009-01-25 01:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-22 20:59 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-20 00:22 --------- d-----w c:\program files\PeerGuardian2
2009-01-07 00:46 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2009-01-05 22:59 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-12-21 04:31 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2008-12-12 16:32 --------- d-----w c:\program files\Azureus
2008-12-12 15:21 --------- d-----w c:\program files\LimeWire
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 20:33 --------- d-----w c:\program files\LG Drivers
2008-12-08 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 20:16 --------- d-----w c:\program files\PC Drivers HeadQuarters
2008-12-08 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-06 22:44 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2005-09-07 15:04 476 -c-ha-w c:\documents and settings\Guest\hpothb07.dat
2005-09-07 15:03 497 -c-ha-w c:\documents and settings\Default User\hpothb07.dat
2004-09-20 21:52 56 -csh--r c:\windows\system32\F58A70CBD0.sys
2004-09-20 21:52 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-10-01 21:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bftnmx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"msacm.fraunhoferacm"= l3codecp.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-08-22 08:52 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-06 23:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
--a--c--- 2002-06-08 04:20 86016 c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-12-05 18:04 691200 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2007-07-19 08:02 2887680 c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-09-09 10:05 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2001-07-07 00:56 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-08-13 19:04 5562368 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2006-05-10 14:52 249856 c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 19:28 212992 c:\progra~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 19:39 81920 c:\hp\drivers\keyboard\PS2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 07:23 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 20:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 11:01 155648 c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-04 17:05 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-01-19 14:27 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-19 18:21 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosGbWatcher]
--a------ 2005-04-26 02:02 118837 c:\program files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
--------- 2006-03-07 00:52 36864 c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-01-30 13:11 3497984 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 20:24 28616 c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 09:59 224248 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2006-05-03 11:45 26112 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2002-10-01 02:39 548933 c:\windows\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-10-01 02:39 372736 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2007-05-27 164256]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-07-17 66048]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-02 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 942416]
S3 Msilool;Msilool; [x]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38336552-cf74-11dd-a5a0-0040ca428ff2}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 08:17]

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2004-09-02 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1086211637.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]

2009-01-31 c:\windows\Tasks\User_Feed_Synchronization-{6DAD760A-BCBE-44D8-A722-041CA4380D6A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{4A37A658-615A-4A25-AC07-54F796E8A13D} - (no file)
BHO-{91758094-6538-4A3A-8F8B-ED9ECFDAE0FA} - (no file)
Notify-cbXPjGxx - cbXPjGxx.dll
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-NBJ - c:\program files\Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
mSearch Bar = hxxp://srch-us7.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} - hxxp://www.keyboarding.emcp.com/Resources/Component/cads.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\imu1oltq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\imu1oltq.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 13:50:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Tablet.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-02-01 14:00:35 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-02-01 19:00:32

Pre-Run: 20,656,254,976 bytes free
Post-Run: 21,210,152,960 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

307 --- E O F --- 2009-01-14 11:32:35

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:43 PM, on 2/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboardi...ponent/cads.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\Software\..\Telephony: DomainName = jacob
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jacob
O20 - AppInit_DLLs: bftnmx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10953 bytes

Edited by codycjb, 01 February 2009 - 01:12 PM.

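A quick triage pass over HijackThis-style entries, as an added example that is not part of the original post and not code from HijackThis or ComboFix. It parses the `Oxx - ...` lines and flags the points a reviewer looks at first: an AppInit_DLLs entry (the log above carries one, bftnmx.dll), orphaned `(no file)` BHO/toolbar entries, O16 ActiveX controls fetched over plain HTTP, O17 domain entries to confirm against the home network, and services with no publisher. The sample input is constructed from entries of the same shape as the log (the DPF URL in it is a placeholder); the severity labels and the no-vowel "random name" heuristic are this script's own assumptions, not a verdict on any particular file.

```python
"""Triage pass over HijackThis-style log entries.

Added example for this thread, not part of HijackThis, ComboFix or the
posters' own tools. The checks encode standard review points; the severity
labels and the 'random looking name' heuristic are this script's own.
"""
import re
from dataclasses import dataclass

# Constructed sample, modeled on the shape of entries in the log above.
# The DPF URL is a placeholder, not the one from the log.
SAMPLE_LOG = """\
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (CADS) - http://download.example.invalid/cads.CAB
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: Domain = jacob
O20 - AppInit_DLLs: bftnmx.dll
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
"""

# "O20 - AppInit_DLLs: bftnmx.dll" -> code="O20", body="AppInit_DLLs: bftnmx.dll"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    severity: str
    code: str
    detail: str


def parse_entries(text):
    """Yield (section code, body) for every line that looks like an HJT entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def looks_random(filename):
    """Heuristic only: a short, all-letter stem with no vowels (e.g. 'bftnmx').
    Such names are common for dropped DLLs, but this proves nothing by itself."""
    stem = filename.lower().rsplit(".", 1)[0]
    return stem.isalpha() and 5 <= len(stem) <= 8 and not any(c in "aeiou" for c in stem)


def triage(text):
    """Return findings sorted high -> info. Each rule says why the entry matters."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # which is why it is a favoured persistence point; verify file and signer.
            for dll in filter(None, re.split(r"[,\s]+", body.split(":", 1)[1])):
                sev = "high" if looks_random(dll) else "medium"
                findings.append(Finding(sev, code, f"AppInit_DLLs loads {dll} into every user32 process; verify file and signer"))
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding("info", code, f"orphaned entry, file missing on disk: {body}"))
        elif code == "O16" and "http://" in body:
            findings.append(Finding("medium", code, f"ActiveX control fetched over plain HTTP: {body}"))
        elif code == "O17":
            findings.append(Finding("info", code, f"DNS domain/suffix setting, confirm it matches your network: {body}"))
        elif code == "O23" and "Unknown owner" in body:
            findings.append(Finding("info", code, f"service without publisher information: {body}"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:4} {f.detail}")
```

Run it against a saved hijackthis.txt by reading the file into `triage()`; the AppInit_DLLs finding sorts to the top, which is the entry to check on disk (file date, digital signature) before trusting any scanner's "removed" message, since a DLL reloaded into every process is exactly what makes an infection come back the next day.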



#2
andrewuk
    Trusted Helper
  • Malware Removal
  • 5,297 posts
Hello codycjb,

Welcome to Geeks to Go :) and sorry for the delay.

Two things:

1. Could you confirm what antivirus program you have on your machine? As far as I can tell you have Norton, but I am wondering if it is up to date and running properly.

2. Could you delete the current version of ComboFix you have and then visit this webpage for download links and instructions for running the tool? You will be downloading an updated version.

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review, along with a new HijackThis log.

andrewuk

#3
codycjb
    Member
  • Topic Starter
  • Member
  • 89 posts
I have avast! antivirus installed on my PC. I have not used Norton; I didn't know it was still on my machine.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:24 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboardi...ponent/cads.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\Software\..\Telephony: DomainName = jacob
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jacob
O20 - AppInit_DLLs: bftnmx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11577 bytes

ComboFix 09-02-05.01 - Owner 2009-02-05 17:34:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.539 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090205-1] *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-03 12:48 . 2009-02-03 12:48 <DIR> d-------- c:\program files\Alwil Software
2009-01-31 18:25 . 2009-01-31 18:25 <DIR> d-------- c:\program files\CCleaner
2009-01-31 11:25 . 2009-01-31 11:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-01-31 11:24 . 2009-01-31 11:24 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2009-01-31 11:20 . 2009-01-31 11:21 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.4
2009-01-31 11:19 . 2009-01-31 11:19 <DIR> d-------- c:\program files\GIMP-2.0
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 11:53 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 11:53 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-27 20:00 . 2009-01-27 20:00 <DIR> d-------- C:\VundoFix Backups
2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-25 08:54 . 2009-01-25 08:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 08:18 . 2009-01-25 08:17 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 08:16 . 2009-01-25 08:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 08:15 . 2009-01-25 08:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-22 16:39 . 2009-01-24 18:15 <DIR> d-------- c:\program files\PSP Grader
2009-01-20 18:16 . 2007-12-05 15:36 32,768 --a------ c:\documents and settings\Owner\msinst.exe
2009-01-20 18:11 . 2007-08-17 11:22 32,768 --a------ c:\documents and settings\Owner\mspformat.exe
2009-01-20 18:01 . 2009-01-20 18:01 <DIR> d-------- c:\documents and settings\Owner\88v3 id
2009-01-14 18:00 . 2009-01-14 18:00 <DIR> d-------- c:\program files\danny_kay1710
2009-01-12 14:27 . 2009-01-12 14:38 <DIR> d-------- c:\documents and settings\Owner\dwhelper
2009-01-05 18:11 . 2009-01-05 18:11 <DIR> d-------- c:\program files\Plato DVD to PSP Converter
2009-01-05 18:11 . 2004-07-03 07:59 524,288 --a------ c:\windows\system32\xvidcore.dll
2009-01-05 18:11 . 2004-07-03 08:08 139,264 --a------ c:\windows\system32\xvidvfw.dll
2009-01-05 18:11 . 2004-09-06 03:06 53,248 --a------ c:\windows\system32\xvid.ax
2009-01-05 00:32 . 2009-01-05 00:32 120,948 --a------ c:\windows\system32\rn.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 17:52 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet
2009-02-02 18:30 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2009-02-01 18:49 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-02-01 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-31 23:04 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-25 13:15 --------- d-----w c:\program files\Lavasoft
2009-01-25 02:33 96,384 ----a-w c:\windows\system32\drivers\sptddrv1.sys
2009-01-25 01:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-22 20:59 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-20 00:22 --------- d-----w c:\program files\PeerGuardian2
2009-01-07 00:46 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2009-01-05 22:59 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-12-12 16:32 --------- d-----w c:\program files\Azureus
2008-12-12 15:21 --------- d-----w c:\program files\LimeWire
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 20:33 --------- d-----w c:\program files\LG Drivers
2008-12-08 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 20:16 --------- d-----w c:\program files\PC Drivers HeadQuarters
2008-12-08 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-06 22:44 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2005-09-07 15:04 476 -c-ha-w c:\documents and settings\Guest\hpothb07.dat
2005-09-07 15:03 497 -c-ha-w c:\documents and settings\Default User\hpothb07.dat
2004-09-20 21:52 56 -csh--r c:\windows\system32\F58A70CBD0.sys
2004-09-20 21:52 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-10-01 21:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.59.04.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
- 2008-10-15 07:15:11 459,640 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 17:51:11 469,192 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 17:51:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bftnmx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"msacm.fraunhoferacm"= l3codecp.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-08-22 08:52 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-06 23:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
--a--c--- 2002-06-08 04:20 86016 c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-12-05 18:04 691200 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2007-07-19 08:02 2887680 c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-09-09 10:05 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2001-07-07 00:56 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-08-13 19:04 5562368 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2006-05-10 14:52 249856 c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 19:28 212992 c:\progra~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 19:39 81920 c:\hp\drivers\keyboard\PS2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 07:23 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 20:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 11:01 155648 c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-04 17:05 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-01-19 14:27 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-19 18:21 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosGbWatcher]
--a------ 2005-04-26 02:02 118837 c:\program files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
--------- 2006-03-07 00:52 36864 c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-01-30 13:11 3497984 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 20:24 28616 c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 09:59 224248 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2006-05-03 11:45 26112 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2002-10-01 02:39 548933 c:\windows\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-10-01 02:39 372736 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2007-05-27 164256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-03 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-03 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-07-17 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 942416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-02 24652]
S3 Msilool;Msilool; [x]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38336552-cf74-11dd-a5a0-0040ca428ff2}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 08:17]

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2004-09-02 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1086211637.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]

2009-02-05 c:\windows\Tasks\User_Feed_Synchronization-{6DAD760A-BCBE-44D8-A722-041CA4380D6A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
mSearch Bar = hxxp://srch-us7.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} - hxxp://www.keyboarding.emcp.com/Resources/Component/cads.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\imu1oltq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\imu1oltq.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 17:40:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 17:44:22
ComboFix-quarantined-files.txt 2009-02-05 22:43:26
ComboFix2.txt 2009-02-01 19:00:36

Pre-Run: 20,855,836,672 bytes free
Post-Run: 20,852,146,176 bytes free

306 --- E O F --- 2009-01-14 11:32:35
  • 0

#4 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
It seems you have remnants of Norton and AVG on your machine. We will remove the remnants of Norton and AVG now, along with the malware I can see.

First, some questions:

1. do you recognise this ActiveX component?
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll

2. do you recognise these DNS settings?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\Software\..\Telephony: DomainName = jacob
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jacob


3. do you recognise these folders?
2009-01-31 11:25 . 2009-01-31 11:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-01-31 11:24 . 2009-01-31 11:24 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2009-01-31 11:20 . 2009-01-31 11:21 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.4
2009-01-31 11:19 . 2009-01-31 11:19 <DIR> d-------- c:\program files\GIMP-2.0





And then:

====STEP 1====
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.



====STEP 2====
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\bftnmx.dll
c:\windows\bftnmx.dll
c:\windows\ALCXMNTR.EXE

Folder::
c:\documents and settings\All Users\Application Data\avg8

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38336552-cf74-11dd-a5a0-0040ca428ff2}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


====STEP 3====
Go HERE and choose the product that is installed and then download the removal tool.
Run it and reboot.
This should get rid of Norton.



In your next reply, could I see:
1. the answers to the above questions
2. the combofix log
3. a new hijackthis log

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0
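The procedure above targets four persistence points by hand: a search-URL hijack (R1), a BHO CLSID, the AppInit_DLLs value, and a MountPoints2 AutoRun entry. As an added example, not code from this thread, from ComboFix or from HijackThis, the following Python script reads log lines in the style quoted above, flags those persistence points, and emits a draft CFScript in the File::/Registry:: form ComboFix accepts (a leading "-" on a key deletes it, "Value"=- clears a value, exactly as in the helper's script). The sample log is constructed for the example; the O2 and O20 lines follow HijackThis's line format, the pairing of the BHO CLSID with bftnmx.dll is an assumption made for illustration, and looks_random() is a rough heuristic for Vundo-style names, not a signature. The output is a draft for a human to review before anyone drags it onto ComboFix.exe.

```python
import re

# Constructed sample log, modelled on the HijackThis and ComboFix lines quoted
# in this thread. The O2 (BHO) and O20 (AppInit_DLLs) lines use HijackThis's
# line format; tying the BHO CLSID to bftnmx.dll is an assumption made here.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\windows\system32\bftnmx.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O20 - AppInit_DLLs: c:\windows\system32\bftnmx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38336552-cf74-11dd-a5a0-0040ca428ff2}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>Domain|DomainName|NameServer) = (?P<value>.+)$")
MOUNT_RE = re.compile(r"^\[(?P<key>HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
                      r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?) = (?P<url>\S+)$")

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def looks_random(path):
    """Heuristic only: Vundo-style DLL names are short, all letters, nearly vowel-free."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    vowels = sum(c in "aeiou" for c in stem)
    return stem.isalpha() and 5 <= len(stem) <= 8 and vowels <= 1


def parse_findings(text):
    """Return one dict per persistence point worth removing or asking the user about."""
    findings, pending_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that maps user32.dll: always high.
            findings.append({"kind": "appinit", "severity": "high", "path": m["path"]})
        elif m := BHO_RE.match(line):
            sev = "high" if m["name"] == "(no name)" or looks_random(m["path"]) else "info"
            findings.append({"kind": "bho", "severity": sev, "clsid": m["clsid"], "path": m["path"]})
        elif m := O17_RE.match(line):
            # Domain/DNS overrides can be legitimate (a home workgroup); ask, do not delete blindly.
            findings.append({"kind": "o17", "severity": "review", "key": m["key"], "value": m["value"]})
        elif m := MOUNT_RE.match(line):
            pending_key = m["key"]  # the AutoRun command follows on the next line
        elif m := AUTORUN_RE.match(line):
            findings.append({"kind": "autorun", "severity": "medium", "key": pending_key, "cmd": m["cmd"]})
            pending_key = None
        elif m := R1_RE.match(line):
            findings.append({"kind": "searchurl", "severity": "low", "key": m["key"], "url": m["url"]})
    return findings


def build_cfscript(findings):
    """Emit File::/Registry:: sections in the form ComboFix reads from CFScript.txt."""
    files, registry = [], []
    for f in findings:
        if f["kind"] == "appinit":
            files.append(f["path"])
            registry += ["[%s]" % APPINIT_KEY, '"AppInit_DLLs"=-']  # clear the value
        elif f["kind"] == "bho" and f["severity"] == "high":
            files.append(f["path"])
            registry.append("[-%s\\%s]" % (BHO_ROOT, f["clsid"]))  # leading '-' deletes the key
        elif f["kind"] == "autorun" and f["key"]:
            registry.append("[-%s]" % f["key"])
    files = list(dict.fromkeys(files))  # the same DLL may be both BHO and AppInit: list it once
    registry = list(dict.fromkeys(registry))
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if registry:
        parts.append("Registry::\n" + "\n".join(registry))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for f in found:
        detail = f.get("path") or f.get("cmd") or f.get("value") or f.get("url")
        print("%-6s %-9s %s" % (f["severity"], f["kind"], detail))
    print()
    print(build_cfscript(found))
```

The O17 and R1 hits are deliberately left out of the generated script: the thread handles the search URLs through HijackThis and the Domain entries by asking the user, which is the right split, since a wrong guess there breaks name resolution rather than removing malware. Save the output as CFScript.txt next to ComboFix.exe only after reading every line of it.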

#5 codycjb (Topic Starter, Member, 89 posts)
1. do you recognise this ActiveX component?
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll

Well, my internet provider is Charter. That is the only connection I can think of for this one. Other than that, I have no idea what it could be.


2. do you recognise these DNS settings?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\Software\..\Telephony: DomainName = jacob
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jacob

Don't really know what this stuff is. The only thing I can think of is my friend that I got this computer from; his last name is Jacobson.



3. do you recognise these folders?
2009-01-31 11:25 . 2009-01-31 11:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-01-31 11:24 . 2009-01-31 11:24 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2009-01-31 11:20 . 2009-01-31 11:21 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.4
2009-01-31 11:19 . 2009-01-31 11:19 <DIR> d-------- c:\program files\GIMP-2.0

I know what all these are except the top one. If it's related to the other three, then it's just files from a program I use to make themes for my PSP.

  • 0

#6 codycjb (Topic Starter, Member, 89 posts)
ComboFix 09-02-05.01 - Owner 2009-02-05 20:44:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.525 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090205-1] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\ALCXMNTR.EXE
c:\windows\bftnmx.dll
c:\windows\system32\bftnmx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\avg8
c:\documents and settings\All Users\Application Data\avg8\AvgAm\avgam.lck
c:\documents and settings\All Users\Application Data\avg8\Cfg\krnl.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\mail.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\scan.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\sched.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\update.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\updateall.cfg
c:\documents and settings\All Users\Application Data\avg8\Cfg\updatecomps.cfg.old
c:\documents and settings\All Users\Application Data\avg8\Cfg\user.cfg
c:\documents and settings\All Users\Application Data\avg8\cfgall\changecfgreg.cfg
c:\documents and settings\All Users\Application Data\avg8\cfgall\fw.cfg
c:\documents and settings\All Users\Application Data\avg8\Log\adminclilog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\amlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\avgam.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgam.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgcfg.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgcore.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgfrw.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgfrw.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgfw8u.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgldr.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgldr.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avglng.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgns.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgns.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgns.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgns.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.10
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.8
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.9
c:\documents and settings\All Users\Application Data\avg8\Log\avgrs.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgscan.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\avgsched.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgsrm.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgui.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avguilog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgupd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\avgwd.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log
c:\documents and settings\All Users\Application Data\avg8\Log\avgwdsvc.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\avildr.log
c:\documents and settings\All Users\Application Data\avg8\Log\cfglog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.1
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.2
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.3
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.4
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.5
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.6
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.7
c:\documents and settings\All Users\Application Data\avg8\Log\commonpriv.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\commonpub.log
c:\documents and settings\All Users\Application Data\avg8\Log\commonpub.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\corelog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\fixcfg.log
c:\documents and settings\All Users\Application Data\avg8\Log\fixcfg.log.lock
c:\documents and settings\All Users\Application Data\avg8\Log\history.xml
c:\documents and settings\All Users\Application Data\avg8\Log\lnglog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\nslog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\privlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\publog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\rslog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\scanlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\schedlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\srmlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\systoolslog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\updlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\vaultlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\wdlog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\Log\wdsvclog.cfg.install_backup
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000001.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000005.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000006.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000007.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000008.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000009.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000010.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000011.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000012.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000013.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000014.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000015.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000016.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000017.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000018.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000019.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000020.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000021.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000022.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000023.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000024.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000025.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000026.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000027.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000028.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000029.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000030.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000031.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000032.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000033.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000034.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000035.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000036.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\I_00000037.log
c:\documents and settings\All Users\Application Data\avg8\scanlogs\srm.idx
c:\documents and settings\All Users\Application Data\avg8\update\backup\avg7api.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avg8us.lng
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgamnot.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgapix.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgatend.stp
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgatupd.stp
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgbat.bav
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcclix.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgex.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgclitx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcmgr.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcrlpx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcsrvx.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgdumpx.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgf8us.chm
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmvflx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgnsx.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgoff2k.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgpp.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsched.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgse.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssff.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssie.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avguilog.cfg
c:\documents and settings\All Users\Application Data\avg8\update\backup\avguires.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgvvx.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdsvc.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxpl.dll
c:\documents and settings\All Users\Application Data\avg8\update\backup\cfgexlog.cfg
c:\documents and settings\All Users\Application Data\avg8\update\backup\cfglog.cfg
c:\documents and settings\All Users\Application Data\avg8\update\backup\contacts_us.html
c:\documents and settings\All Users\Application Data\avg8\update\backup\corelog.cfg
c:\documents and settings\All Users\Application Data\avg8\update\backup\dfncfg.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\fixcfg.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\install.rdf
c:\documents and settings\All Users\Application Data\avg8\update\backup\ldrlog.cfg
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\update\backup\sb2.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\sc.dat.xcd
c:\documents and settings\All Users\Application Data\avg8\update\backup\searchshield.jar
c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.dat
c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
c:\documents and settings\All Users\Application Data\avg8\update\backup\setupus.lns
c:\documents and settings\All Users\Application Data\avg8\update\backup\srmlog.cfg
c:\windows\ALCXMNTR.EXE

.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-03 12:48 . 2009-02-03 12:48 <DIR> d-------- c:\program files\Alwil Software
2009-01-31 18:25 . 2009-01-31 18:25 <DIR> d-------- c:\program files\CCleaner
2009-01-31 11:25 . 2009-01-31 11:28 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
2009-01-31 11:24 . 2009-01-31 11:24 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
2009-01-31 11:20 . 2009-01-31 11:21 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.4
2009-01-31 11:19 . 2009-01-31 11:19 <DIR> d-------- c:\program files\GIMP-2.0
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-29 11:53 . 2009-01-29 11:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-29 11:53 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-29 11:53 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-27 20:00 . 2009-01-27 20:00 <DIR> d-------- C:\VundoFix Backups
2009-01-27 19:57 . 2009-01-27 19:57 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-01-25 08:54 . 2009-01-25 08:17 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-01-25 08:18 . 2009-01-25 08:17 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-01-25 08:16 . 2009-01-25 08:16 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-25 08:15 . 2009-01-25 08:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-22 16:39 . 2009-01-24 18:15 <DIR> d-------- c:\program files\PSP Grader
2009-01-20 18:16 . 2007-12-05 15:36 32,768 --a------ c:\documents and settings\Owner\msinst.exe
2009-01-20 18:11 . 2007-08-17 11:22 32,768 --a------ c:\documents and settings\Owner\mspformat.exe
2009-01-20 18:01 . 2009-01-20 18:01 <DIR> d-------- c:\documents and settings\Owner\88v3 id
2009-01-14 18:00 . 2009-01-14 18:00 <DIR> d-------- c:\program files\danny_kay1710
2009-01-12 14:27 . 2009-01-12 14:38 <DIR> d-------- c:\documents and settings\Owner\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 17:52 --------- d-----w c:\documents and settings\Owner\Application Data\WTablet
2009-02-02 18:30 --------- d--h--w c:\documents and settings\Owner\Application Data\Move Networks
2009-02-01 18:49 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2009-02-01 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-25 13:15 --------- d-----w c:\program files\Lavasoft
2009-01-25 02:33 96,384 ----a-w c:\windows\system32\drivers\sptddrv1.sys
2009-01-25 01:10 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-22 20:59 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-20 00:22 --------- d-----w c:\program files\PeerGuardian2
2009-01-07 00:46 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2009-01-05 23:11 --------- d-----w c:\program files\Plato DVD to PSP Converter
2009-01-05 22:59 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2009-01-05 05:32 120,948 ----a-w c:\windows\system32\rn.tmp
2008-12-12 16:32 --------- d-----w c:\program files\Azureus
2008-12-12 15:21 --------- d-----w c:\program files\LimeWire
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-08 20:33 --------- d-----w c:\program files\LG Drivers
2008-12-08 20:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-08 20:16 --------- d-----w c:\program files\PC Drivers HeadQuarters
2008-12-08 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-06 22:44 47,360 ----a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2005-09-07 15:04 476 -c-ha-w c:\documents and settings\Guest\hpothb07.dat
2005-09-07 15:03 497 -c-ha-w c:\documents and settings\Default User\hpothb07.dat
2004-09-20 21:52 56 -csh--r c:\windows\system32\F58A70CBD0.sys
2004-09-20 21:52 1,682 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-10-01 21:04 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100120081002\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.59.04.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 12:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 13:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
- 2008-10-15 07:15:11 459,640 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 17:51:11 469,192 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-02-03 17:51:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-25 507224]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-13 5562368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll
"msacm.fraunhoferacm"= l3codecp.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2007-04-27 16:17 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-08-22 08:52 94208 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-10-06 23:23 90112 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DDCActiveMenu]
--a--c--- 2002-06-08 04:20 86016 c:\program files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-12-05 18:04 691200 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2007-07-19 08:02 2887680 c:\program files\Electronic Arts\EA Link\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-09-09 10:05 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2001-07-07 00:56 61440 c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-08-13 19:04 5562368 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2006-05-10 14:52 249856 c:\progra~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 19:28 212992 c:\progra~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 2002-06-14 19:39 81920 c:\hp\drivers\keyboard\PS2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 07:23 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 00:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 20:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-06-18 11:01 155648 c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-10-04 17:05 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2006-01-19 14:27 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-19 18:21 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TosGbWatcher]
--a------ 2005-04-26 02:02 118837 c:\program files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
--------- 2006-03-07 00:52 36864 c:\program files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-01-30 13:11 3497984 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
--a------ 2005-03-28 20:24 28616 c:\program files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2007-06-08 09:59 224248 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2006-05-03 11:45 26112 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2002-10-01 02:39 548933 c:\windows\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-10-01 02:39 372736 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-25 64160]
R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2007-05-27 164256]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-02-03 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-02-03 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2008-07-17 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 942416]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-11-02 24652]
S3 Msilool;Msilool; [x]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-25 08:17]

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2004-09-02 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2100 series#1086211637.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 16:56]

2009-02-05 c:\windows\Tasks\User_Feed_Synchronization-{6DAD760A-BCBE-44D8-A722-041CA4380D6A}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 12:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} - hxxp://www.keyboarding.emcp.com/Resources/Component/cads.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\imu1oltq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\imu1oltq.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 20:47:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 20:51:21
ComboFix-quarantined-files.txt 2009-02-06 01:50:18
ComboFix2.txt 2009-02-05 22:44:24
ComboFix3.txt 2009-02-01 19:00:36

Pre-Run: 20,829,700,096 bytes free
Post-Run: 20,782,452,736 bytes free

533 --- E O F --- 2009-01-14 11:32:35
  • 0

#7 codycjb (Member, Topic Starter, 89 posts)
With the Norton removal thing, I'm not sure which version it is. I believe it was off this computer before I got it from my friend.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:10 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboardi...ponent/cads.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\Software\..\Telephony: DomainName = jacob
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jacob
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11171 bytes
  • 0
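As an added example (not code from the thread, from HijackThis or from the forum), a small Python triage script for HijackThis-style lines like the ones in the log above: it parses the section code and body of each line, then flags the orphaned "(no file)" entries, the O4 autoruns under the SYSTEM/Default user hives, the O17 domain settings and the O23 services with an unknown owner. The flagging rules are my own assumptions about what a helper reviews first, not HijackThis's own logic.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread (not code from the thread, HijackThis or
Geeks to Go): parses lines of the form "Oxx - ..." and flags the entries a
malware-removal helper usually checks first. The heuristics below are
assumptions about what gets reviewed first, not HijackThis's own logic.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis log posted above (nothing constructed).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

# Every HijackThis line starts with a section code (R0..R3, O1..O24), " - ", then the body.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return one Entry per recognisable HijackThis line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: list) -> list:
    """Attach review flags and return only the entries that got at least one."""
    for e in entries:
        body = e.body
        # O2/O3 entries whose file is gone are orphans: harmless, but worth removing.
        if body.endswith("(no file)"):
            e.flags.append("orphaned entry, referenced file is missing")
        # Run entries under the SYSTEM or Default User hive start before anyone logs on.
        if e.section == "O4" and re.search(r"\(User '(SYSTEM|Default user)'\)$", body):
            e.flags.append("autorun under a non-interactive hive")
        # O17 lines are TCP/IP domain/DNS settings; an unexpected name can be a hijack.
        if e.section == "O17":
            e.flags.append("domain/DNS override, confirm it matches the expected network")
        # O23 services with no vendor string need their binary identified by hand.
        if e.section == "O23" and " - Unknown owner - " in body:
            e.flags.append("service binary has no vendor information")
    return [e for e in entries if e.flags]


def flagged_sections(text: str) -> list:
    """Convenience wrapper: section codes of the flagged lines, in log order."""
    return [e.section for e in triage(parse_hjt(text))]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{e.section}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```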

#8 andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
In this post we will do some general scans to clear out the remnants and ensure nothing else sneaked onto your machine.

The scans will likely take 3 hours, quite possibly much longer. So just let them run.

We will also update your Java and clear your DNS Resolver.

====STEP 1====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


====STEP 2====
Please download SmitfraudFix (by S!Ri) to your Desktop.

You should print out these instructions in this step, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #5 - Search and Clean DNS Hijack by typing 5 and press "Enter" to clean your DNS Resolver.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt


====STEP 3====
We will update and re-run your Malwarebytes:

Double-click the Malwarebytes icon on your desktop to open the program
  • On the tabs at the top, select Update and then press the Check for Updates button on that page. If an update is found, it will download and install the latest version.
  • Once complete (a new version of Malwarebytes may download), select the Scanner tab.
  • Select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


====STEP 4====
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

====STEP 5====
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
====STEP 6====
Please do an online scan with Kaspersky WebScanner (this will identify any issues; we will clear them in the following post).

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
In your next reply could I see:
1. the smitfraudfix log (if there is one)
2. the malwarebytes log
3. the superantispyware log
4. the kaspersky log
5. a new hijackthis log
6. some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk
  • 0

#9
codycjb

codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
I am on step number 2. I followed the instructions, went into safe mode, opened SmitFraudFix and typed 5, then Enter.
But this is the message I get:

"Mode normal seulement - Normal mode only
Press any key to continue..."

Then I get taken back to the main menu of SmitFraudFix.
  • 0

#10
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
That is my fault - run SmitFraudFix in normal mode and select option 5 :)
  • 0

#11
codycjb

codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
SmitFraudFix v2.392

Scan done at 13:59:42.89, Fri 02/06/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.66.196
DNS Server Search Order: 68.87.64.196

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.66.196
DNS Server Search Order: 68.87.64.196

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CS2\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3FFEA2EE-EFE2-4F64-A23F-FD9CCE23FFD3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{F8EB0B90-2EB0-4305-B2A5-9CD5D491356C}: DhcpNameServer=68.87.66.196 68.87.64.196
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1




Malwarebytes' Anti-Malware 1.33
Database version: 1735
Windows 5.1.2600 Service Pack 3

2/6/2009 4:20:39 PM
mbam-log-2009-02-06 (16-20-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 258418
Time elapsed: 1 hour(s), 34 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#12
codycjb

codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/06/2009 at 05:38 PM

Application Version : 4.25.1012

Core Rules Database Version : 3745
Trace Rules Database Version: 1713

Scan type : Complete Scan
Total Scan Time : 01:12:37

Memory items scanned : 634
Memory threats detected : 0
Registry items scanned : 7305
Registry threats detected : 0
File items scanned : 34457
File threats detected : 2

Adware.IST/YourSiteBar
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf

Adware.FakeAlert-GetModule
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP8\A0000286.EXE





*KASPERSKY ONLINE SCANNER 7 REPORT*
Monday, February 9, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3
(build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 08, 2009 17:50:58
Records in database: 1769753

*Scan settings*
Scan using the following database extended
Scan archives yes
Scan mail databases yes
*Scan area* My Computer
A:\
C:\
D:\
E:\
F:\
*Scan statistics*
Files scanned 198348
Threat name 3
Infected objects 6
Suspicious objects 0
Duration of the scan 04:45:40


*File name* *Threat name* *Threats count*
C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\00AF0468.class Infected: Trojan.Java.ClassLoader.c 1
C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\130E7427.class Infected:
Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\203A4B46.class Infected: Exploit.Java.ByteVerify 1
C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\47D3360E.class Infected:
Trojan-Downloader.Java.OpenConnection.v 1
C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\58AC3EC6.class Infected: Trojan.Java.ClassLoader.c 1
C:\Program Files\Norton SystemWorks\Norton
Antivirus\Quarantine\7BDD3518.class Infected: Exploit.Java.ByteVerify 1
* The selected area was scanned.*
  • 0

#13
codycjb

codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:47:56, on 2/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.char...in/ssctlsma.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboardi...ponent/cads.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\Software\..\Telephony: DomainName = jacob
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jacob
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jacob
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11426 bytes




So far my computer has been running well the last few days. Hopefully we are almost clean.
  • 0
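Helpers read a HijackThis log like the one above by section prefix (O2, O3, O4, O17, O23) and look for entries that merit a second look. The following is an added example, not part of the thread or of HijackThis itself: a small parser and triage pass over a constructed subset of the posted log; the heuristics and their wording are assumptions for illustration.

```python
import re

# Constructed sample in HijackThis v2.0.2 format: a subset of the entry lines
# posted in this thread, kept as raw strings so the backslashes survive.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jacob",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
])

# Every HijackThis entry line starts with a section tag (R0, R1, F2, O2 ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Yield (section, body) pairs for each entry line; other lines
    (process list, header, footer) are ignored."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(text):
    """Return (section, reason, body) for entries worth checking by hand.

    These are heuristics, not verdicts: an orphaned BHO is usually just
    leftover registry data, and a 'Domain' entry may simply be the home
    workgroup, as it is in this thread. Each hit is a lead to verify."""
    findings = []
    for section, body in parse_entries(text):
        if section in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append((section, "orphaned entry, referenced file is missing", body))
        elif section == "O4" and "(User 'SYSTEM')" in body:
            findings.append((section, "user-level program set to run from the SYSTEM hive", body))
        elif section == "O17" and "Domain" in body:
            findings.append((section, "DNS domain suffix set; compare with expected network", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service without a publisher name", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```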

#14
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
All looks good, except you still have the Norton remnants on your machine, which will take up system resources.

Did you run the Norton removal tool before (instructions are below again)?

Go HERE and choose the product that is installed and then download the removal tool.
Run it and reboot.
This should get rid of Norton.

andrewuk
  • 0

#15
codycjb

codycjb

    Member

  • Topic Starter
  • Member
  • PipPip
  • 89 posts
Thank you very much for all your help. It is greatly appreciated. Just one more question though. What combination of antivirus and spyware protection should I be running? Right now I have avast on-access scanner, TeaTimer, and Ad-Aware Ad-Watch Live running.

Edited by codycjb, 09 February 2009 - 12:55 PM.

  • 0
