
Google/Yahoo Redirect Virus


#1
paltan
Member, 50 posts
Hello Geeks to Go. My Dell Dimension 8400 picked up a redirect virus and I just can't get rid of it. I have tried the following fixes: AVG, Hitman Pro, Kaspersky, Malwarebytes, ComboFix, and Hijackthis. These programs found all kinds of stuff, but I still have the virus. Here is the latest Hijackthis log, and thanks in advance for any help. This virus is a pain.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:26:09 AM, on 8/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\OpenVPN\bin\openvpnserv.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Nichesoft\TanTrack\TanTrack.exe
C:\Program Files\PCCW\pccw.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?r998=1239739352
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\system32\dxdllreg.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab34120.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1263315487656
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.h...tDetection2.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.h...nosticsxp2k.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/...ol.cab36107.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/...xy.cab35645.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://myspace.obero...sh.1.0.0.80.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://myspace.obero...ploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: EPSON ESC/POS Status Service (EPSON ESCPOS Status Service) - SEIKO EPSON Corp. - C:\WINDOWS\SYSTEM32\EpStsSrv.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)

--
End of file - 9410 bytes
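The O4 and O23 lines in a HijackThis log are what a reviewer reads first: autostart entries, services with no publisher string, and binaries that no longer exist on disk. As an added example (not code from this thread or from HijackThis), the parser below turns such lines into records and flags those cases; it assumes the line layout shown in the log above and covers only the entry types that appear there, with sample lines copied from that log.

```python
"""Parse HijackThis log entries into structured records and flag the ones a
log reviewer looks at first. Added example for this thread; the sample lines
are copied from the HijackThis log posted above."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlparse

# "O23 - Service: ..." -> kind "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O4 Run-key entries: 'HKLM\..\Run: [ValueName] "path" args'
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
# O4 startup-folder entries: 'Global Startup: name.lnk = path'
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<rest>.*)$")
MISSING = " (file missing)"


@dataclass
class Entry:
    kind: str                     # R0, R1, O2, O4, O9, O16, O18, O23, ...
    name: str                     # display name or registry value name
    path: str                     # file path or URL the entry points at
    clsid: Optional[str] = None   # COM class id, when the line carries one
    args: str = ""                # command-line arguments (O4 only)
    flags: List[str] = field(default_factory=list)


def _split_path_args(rest: str) -> Tuple[str, str]:
    """'"C:\\a b\\x.exe" -logon' -> ('C:\\a b\\x.exe', '-logon'); unquoted text is all path."""
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end > 0:
            return rest[1:end], rest[end + 1:].strip()
    return rest.strip(), ""


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for an R/O line, or None for any other log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    flags: List[str] = []
    if body.endswith(MISSING):          # HJT marks services whose binary is gone
        body = body[: -len(MISSING)]
        flags.append("file missing")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None

    if kind.startswith("R"):            # R0/R1: 'hive\key,ValueName = url'
        key, _, value = body.partition(" = ")
        return Entry(kind, key.rsplit(",", 1)[-1], value, clsid, "", flags)
    if kind == "O4":                    # autostart entries
        rm = RUN_RE.match(body) or STARTUP_RE.match(body)
        if rm is None:
            return Entry(kind, body, "", clsid, "", flags)
        path, args = _split_path_args(rm.group("rest"))
        return Entry(kind, rm.group("name"), path, clsid, args, flags)
    # O2/O9/O16/O18/O23: 'Prefix: name - {clsid or company} - path'
    head, _, path = body.rpartition(" - ")
    if kind == "O23" and head.endswith(" - Unknown owner"):
        flags.append("unknown owner")   # no publisher string: verify the binary by hand
    name = head.split(": ", 1)[-1].split(" - ", 1)[0]
    return Entry(kind, name, path, clsid, "", flags)


def review(lines: Iterable[str]) -> dict:
    """Summarise a log: counts per entry type, browser start/search hosts, flagged entries."""
    entries = [e for e in (parse_entry(l) for l in lines) if e is not None]
    counts: dict = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    hosts = {urlparse(e.path).hostname or "" for e in entries if e.kind in ("R0", "R1")}
    return {
        "count_by_kind": counts,
        "browser_hosts": sorted(h for h in hosts if h),
        "flagged": [(e.kind, e.name, e.path, list(e.flags)) for e in entries if e.flags],
    }


# Sample input: lines copied from the HijackThis log in post #1.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?r998=1239739352",
    r"O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll",
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r'O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon',
    r"O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab",
    r"O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    r"O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe (file missing)",
]

if __name__ == "__main__":
    for kind, name, path, flags in review(SAMPLE_LOG)["flagged"]:
        print(f"{kind} {name}: {path} [{', '.join(flags)}]")
```

The flagged list is a starting point for the reviewer, not a verdict: a missing file or an empty publisher field needs a look at the binary and its install history before anything is removed.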

#2
SweetTech
Sir SpamAlot, Retired Staff, 7,671 posts
Hello,

My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days;
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 3 days) and you need an explanation. If that's the case, just send a message to me on here. :)
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

Please post the ComboFix log for me.

Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Look for ComboFix.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When the file opens, Copy/Paste the text here.

#3
paltan
Topic Starter, Member, 50 posts

Thank you for the help. I will try to follow instructions to the letter because I have no clue when it comes to this stuff.

ComboFix 10-08-08.03 - Palladium Tan 08/09/2010 11:22:36.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2001 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log
.
---- Previous Run -------
.
c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-09 15:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 16:19 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-05 13:43 . 2008-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-08-04 14:01 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-11 18:46 . 2007-12-29 15:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 18:20 . 2010-06-11 18:20 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\ElevatedDiagnostics
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2005-01-08 03:10 . 2004-08-25 18:52 339968 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2004-05-28 02:05 . 2005-10-14 04:26 69632 c:\program files\Common Files\Dell\EUSW\bak\Support.exe

2004-01-07 07:01 . 2004-01-07 07:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\program files\Grisoft\AVG7\bak\avgemc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2005-01-08 03:10 . 2004-06-29 17:23 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2007-07-22 14:30 . 2007-07-12 09:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2002-08-14 20:21 . 2002-08-14 20:21 94208 c:\program files\Symantec\Norton Ghost 2003\bak\GhostStartTrayApp.exe

2004-06-21 02:45 . 2005-08-07 01:45 974848 c:\program files\UltraVNC\bak\WinVNC.exe

2004-08-04 11:00 . 2004-08-04 11:00 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2004-08-04 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2005-02-27 23:49 . 2004-08-03 22:06 188416 c:\windows\SYSTEM32\bak\ESDUSBMon.exe

2005-01-08 03:13 . 2004-08-13 07:05 122939 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"DXDllRegExe"="c:\windows\system32\dxdllreg.exe" [N/A]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-06 6289216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\fxssvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-09 11:32:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 16:32
ComboFix2.txt 2010-08-07 02:10
ComboFix3.txt 2010-08-07 00:56
ComboFix4.txt 2010-08-05 23:14

Pre-Run: 57,212,403,712 bytes free
Post-Run: 57,249,284,096 bytes free

- - End Of File - - 11B65E136948F60757738BD92A1EF86A

#4
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Hello,

Locating ComboFix Log
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Click on Qoobox in the left-hand window pane
  • Look for ComboFix2.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad

When the file opens, copy/paste the text here.

Repeat the above process for locating ComboFix2.txt, ComboFix3.txt, and ComboFix4.txt logs, and attach them in your next reply.

NEXT:

Add/Remove Programs
I would also like to see a list of installed programs, so please do this:
Click Start > Run, then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Post the contents of that file in your next reply.

#5
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad.

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty Notepad file.

Copy all the text inside of the code box: press Ctrl+C (or right click on the highlighted section and choose 'copy').

KillAll::
Folder::
c:\program files\Grisoft\AVG7
DirLook::
c:\temp\FixEngine

AWF::
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
c:\program files\Common Files\Dell\EUSW\bak\Support.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe
c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
c:\program files\Symantec\Norton Ghost 2003\bak\GhostStartTrayApp.exe
c:\program files\UltraVNC\bak\WinVNC.exe
c:\windows\SYSTEM32\bak\ctfmon.exe
c:\windows\SYSTEM32\bak\ESDUSBMon.exe
c:\windows\SYSTEM32\dla\bak\tfswctrl.exe


Now paste the copied text into the open Notepad: press CTRL+V (or right click and choose 'paste').

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

#6
paltan
    Member
  • Topic Starter
  • Member
  • 50 posts

ComboFix 10-08-08.03 - Palladium Tan 08/09/2010 11:22:36.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2001 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log
.
---- Previous Run -------
.
c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-09 15:00 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 16:19 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-05 13:43 . 2008-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-08-04 14:01 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-11 18:46 . 2007-12-29 15:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 18:20 . 2010-06-11 18:20 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\ElevatedDiagnostics
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2005-01-08 03:10 . 2004-08-25 18:52 339968 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2004-05-28 02:05 . 2005-10-14 04:26 69632 c:\program files\Common Files\Dell\EUSW\bak\Support.exe

2004-01-07 07:01 . 2004-01-07 07:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\program files\Grisoft\AVG7\bak\avgemc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2005-01-08 03:10 . 2004-06-29 17:23 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2007-07-22 14:30 . 2007-07-12 09:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2002-08-14 20:21 . 2002-08-14 20:21 94208 c:\program files\Symantec\Norton Ghost 2003\bak\GhostStartTrayApp.exe

2004-06-21 02:45 . 2005-08-07 01:45 974848 c:\program files\UltraVNC\bak\WinVNC.exe

2004-08-04 11:00 . 2004-08-04 11:00 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2004-08-04 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2005-02-27 23:49 . 2004-08-03 22:06 188416 c:\windows\SYSTEM32\bak\ESDUSBMon.exe

2005-01-08 03:13 . 2004-08-13 07:05 122939 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"DXDllRegExe"="c:\windows\system32\dxdllreg.exe" [N/A]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-06 6289216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3344)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\fxssvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-09 11:32:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 16:32
ComboFix2.txt 2010-08-07 02:10
ComboFix3.txt 2010-08-07 00:56
ComboFix4.txt 2010-08-05 23:14

Pre-Run: 57,212,403,712 bytes free
Post-Run: 57,249,284,096 bytes free

- - End Of File - - 11B65E136948F60757738BD92A1EF86A
ComboFix 10-08-06.01 - Palladium Tan 08/06/2010 21:00:26.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2032 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-07 00:17 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ----a-r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ----a-r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 01:59 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-05 13:43 . 2008-06-11 13:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-08-04 14:01 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-11 18:46 . 2007-12-29 15:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 18:20 . 2010-06-11 18:20 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\ElevatedDiagnostics
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2005-01-08 03:10 . 2004-08-25 18:52 339968 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2004-05-28 02:05 . 2005-10-14 04:26 69632 c:\program files\Common Files\Dell\EUSW\bak\Support.exe

2004-01-07 07:01 . 2004-01-07 07:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\program files\Grisoft\AVG7\bak\avgemc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2005-01-08 03:10 . 2004-06-29 17:23 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2007-07-22 14:30 . 2007-07-12 09:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2002-08-14 20:21 . 2002-08-14 20:21 94208 c:\program files\Symantec\Norton Ghost 2003\bak\GhostStartTrayApp.exe

2004-06-21 02:45 . 2005-08-07 01:45 974848 c:\program files\UltraVNC\bak\WinVNC.exe

2004-08-04 11:00 . 2004-08-04 11:00 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2004-08-04 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2005-02-27 23:49 . 2004-08-03 22:06 188416 c:\windows\SYSTEM32\bak\ESDUSBMon.exe

2005-01-08 03:13 . 2004-08-13 07:05 122939 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"DXDllRegExe"="c:\windows\system32\dxdllreg.exe" [N/A]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-06 6289216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 21:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\fxssvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-06 21:10:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 02:10
ComboFix2.txt 2010-08-07 00:56
ComboFix3.txt 2010-08-05 23:14

Pre-Run: 57,444,413,440 bytes free
Post-Run: 57,457,930,240 bytes free

- - End Of File - - EFD475ECCDE6FD378884086400679808
ComboFix 10-08-06.01 - Palladium Tan 08/06/2010 19:46:00.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2033 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-06 22:27 . 2010-08-07 00:17 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ----a-r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ----a-w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ----a-r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 00:37 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-05 13:43 . 2008-06-11 13:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-08-04 14:01 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-11 18:46 . 2007-12-29 15:39 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-11 18:20 . 2010-06-11 18:20 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\ElevatedDiagnostics
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2005-01-08 03:10 . 2004-08-25 18:52 339968 c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2004-05-28 02:05 . 2005-10-14 04:26 69632 c:\program files\Common Files\Dell\EUSW\bak\Support.exe

2004-01-07 07:01 . 2004-01-07 07:01 110592 c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\program files\Grisoft\AVG7\bak\avgemc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2005-01-08 03:10 . 2004-06-29 17:23 135168 c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe

2007-07-22 14:30 . 2007-07-12 09:00 132496 c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe

2002-08-14 20:21 . 2002-08-14 20:21 94208 c:\program files\Symantec\Norton Ghost 2003\bak\GhostStartTrayApp.exe

2004-06-21 02:45 . 2005-08-07 01:45 974848 c:\program files\UltraVNC\bak\WinVNC.exe

2004-08-04 11:00 . 2004-08-04 11:00 15360 c:\windows\SYSTEM32\bak\ctfmon.exe
2004-08-04 11:00 . 2008-04-14 00:12 15360 c:\windows\SYSTEM32\ctfmon.exe

2005-02-27 23:49 . 2004-08-03 22:06 188416 c:\windows\SYSTEM32\bak\ESDUSBMon.exe

2005-01-08 03:13 . 2004-08-13 07:05 122939 c:\windows\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"DXDllRegExe"="c:\windows\system32\dxdllreg.exe" [N/A]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-06 6289216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 19:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(1036)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\netdde.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\windows\system32\fxssvc.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-06 19:56:27 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-07 00:56
ComboFix2.txt 2010-08-05 23:14

Pre-Run: 57,376,219,136 bytes free
Post-Run: 57,397,305,344 bytes free

- - End Of File - - 0418D29E1A29B43F5EAB84618C4848CA
5500
5500_Help
5500Tour
5500Trb
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
AiO_Scan
AiOSoftware
ATI Control Panel
ATI Display Driver
AVG Free 9.0
Banctec Service Agreement
Broadcom Advanced Control Suite 2
Broadcom Gigabit Integrated Controller
BufferChm
CCleaner
Citrix ICA Web Client
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Dell Driver Download Manager
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
Dell Networking Guide
Dell Support
Dell Support 5.0.0 (766)
Dell System Restore
Destinations
Director
DocProc
DocumentViewer
DynDNS Updater 3.0
EPSON Advanced Printer Driver 3
Fax
FormViewer
GCalc 3 Beta
GdiplusUpgrade
GoToMyPC
HiJackThis
Hitman Pro 3.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Diagnostic Assistant
HP Driver Diagnostics
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
HPODiscovery
HPSystemDiagnostics
InstantShare
Intel Application Accelerator
Intellisync® for Yahoo!
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_06
Java Auto Updater
Java™ 6 Update 21
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Plus! Digital Media Edition Installer
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Tools for Office Runtime
Move Networks Player for Internet Explorer
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Need2Find Bar
NETGEAR ProSafe Firewall Router
Norton Ghost
OGA Notifier 2.0.0048.0
OpenVPN 2.0.7
overland
PCCharge Pro
PhotoGallery
PokerStars
PrintScreen
ProductContext
QFolder
QuickProjects
Readme
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SkinsHP1
SkinsHP2
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
SupportSoft Assisted Service
TrayApp
UltraVNC v1.0.1
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Browser Services
Yahoo! Toolbar
Yontoo Layers Client for Internet Explorer 1.02.04

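An added triage check (editor's example; not part of the original post and not a ComboFix feature). The two ComboFix runs pasted above print the Windows Firewall policy straight from the registry, and they differ in exactly one line: the run that started at 19:46 shows "EnableFirewall"= 0 (0x0) under the standard profile, while the run that finished at 21:10 does not, and ComboFix's own note says that default entries are not shown. Both runs list 3389/TCP, 5900/TCP, 1723/TCP, 1701/UDP and 500/UDP as globally open, ftp.exe and the GoToMyPC service in the program exception list, and inbound router requests allowed. The script below pulls that block out of a pasted log and flags those items so the reviewer does not have to eyeball it. The sample log is constructed to match the shape of the lines above, and the watch-lists of ports and executables are the reviewer's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from a live system): the firewall-policy block in the
# shape ComboFix prints it, trimmed to the lines that matter for triage.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [216400]
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')

# Reviewer's watch-lists (assumptions, not anything ComboFix knows about): services a
# home desktop should not normally accept from every network, and program exceptions
# that mean remote control or inbound file transfer.
OPEN_PORT_WATCHLIST = {
    '3389:TCP': 'Remote Desktop',
    '5900:TCP': 'VNC',
    '1723:TCP': 'PPTP VPN',
    '1701:UDP': 'L2TP',
    '500:UDP': 'IKE (IPsec)',
    '21:TCP': 'FTP server',
}
APP_WATCHLIST = {
    'ftp.exe': 'command-line FTP client allowed inbound',
    'g2svc.exe': 'GoToMyPC remote-control service',
    'winvnc.exe': 'VNC server',
}


def parse_firewall_policy(log_text: str) -> Dict[str, Dict[str, str]]:
    """Collect "name"= value lines under each [...firewallpolicy...] header; other sections are ignored."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            key = header.group('key').lower()
            current = key if 'firewallpolicy' in key else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None:
            continue
        entry = VALUE_RE.match(line)
        if entry:
            sections[current][entry.group('name')] = entry.group('value').strip()
    return sections


def triage(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Turn the parsed policy into (severity, message) findings."""
    findings: List[Tuple[str, str]] = []
    for key, values in sections.items():
        if key.endswith('\\standardprofile'):
            # ComboFix omits default values, so this line only appears when the firewall is off
            if values.get('EnableFirewall', '').startswith('0'):
                findings.append(('HIGH', 'Windows Firewall disabled (EnableFirewall=0)'))
            if values.get('DisableNotifications', '').startswith('1'):
                findings.append(('LOW', 'Block notifications suppressed (DisableNotifications=1)'))
        elif key.endswith('\\globallyopenports\\list'):
            for name, value in values.items():
                service = OPEN_PORT_WATCHLIST.get(name.upper())
                if service:
                    # value is "port:proto:label"; the label is free text or an @dll,-id resource
                    label = value.split(':', 2)[2] if value.count(':') >= 2 else value
                    findings.append(('MEDIUM', f'Inbound {name} open to all networks: {service} (rule label {label})'))
        elif key.endswith('\\authorizedapplications\\list'):
            for name in values:
                # the log doubles backslashes in paths; collapse them and keep the file name
                exe = name.replace('\\\\', '\\').rsplit('\\', 1)[-1].lower()
                if exe in APP_WATCHLIST:
                    findings.append(('MEDIUM', f'Program exception {exe}: {APP_WATCHLIST[exe]}'))
        elif key.endswith('\\icmpsettings'):
            for name, value in values.items():
                if value.startswith('1'):
                    findings.append(('LOW', f'ICMP exception enabled: {name}'))
    return findings


if __name__ == '__main__':
    for severity, message in triage(parse_firewall_policy(SAMPLE_LOG)):
        print(f'[{severity}] {message}')
```

To use it on a real log, read the whole ComboFix.txt into `parse_firewall_policy`; the parser skips everything outside the `firewallpolicy` sections, so drivers, scheduled tasks and file lists do not get in the way. A HIGH finding is a question to ask, not proof of infection: a value an administrator set by hand looks identical in the log to one that malware set, and the log alone cannot tell them apart.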
#7 paltan (Topic Starter)
I hope I got it correct for you. As I said, I have no clue... I'm just learning how to navigate this forum too. Thanks again for the help.
#8 paltan (Topic Starter)
Need2Find Bar
NETGEAR ProSafe Firewall Router
Norton Ghost
OGA Notifier 2.0.0048.0
OpenVPN 2.0.7
overland
PCCharge Pro
PhotoGallery
PokerStars
PrintScreen
ProductContext
QFolder
QuickProjects
Readme
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SkinsHP1
SkinsHP2
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
SupportSoft Assisted Service
TrayApp
UltraVNC v1.0.1
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual Studio 2005 Tools for Office Second Edition Runtime
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Service Pack 3
WordPerfect Office 12
Yahoo! Browser Services
Yahoo! Toolbar
Yontoo Layers Client for Internet Explorer 1.02.04

#9
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Have you had a chance to run the instructions in this post here: http://www.geekstogo...ost__p__1884284 ?

#10
paltan
    Member
  • Topic Starter
  • 50 posts

Hello,

ComboFix Script

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad and click OK.
This will open an empty Notepad file:

Copy all the text inside the code box: press Ctrl+C (or right-click the highlighted section and choose 'Copy').

KillAll::
Folder::
c:\program files\Grisoft\AVG7
DirLook::
c:\temp\FixEngine

AWF::
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
c:\program files\Common Files\Dell\EUSW\bak\Support.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
c:\program files\Intel\Intel Application Accelerator\bak\iaanotif.exe
c:\program files\Java\jre1.6.0_02\bin\bak\jusched.exe
c:\program files\Symantec\Norton Ghost 2003\bak\GhostStartTrayApp.exe
c:\program files\UltraVNC\bak\WinVNC.exe
c:\windows\SYSTEM32\bak\ctfmon.exe
c:\windows\SYSTEM32\bak\ESDUSBMon.exe
c:\windows\SYSTEM32\dla\bak\tfswctrl.exe


Now paste the copied text into the open Notepad file: press Ctrl+V (or right-click and choose 'Paste').

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

ComboFix 10-08-10.06 - Palladium Tan 08/11/2010 9:06.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1861 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Palladium Tan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-10 15:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 14:02 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-10 17:54 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-08-10 16:45 . 2005-02-07 15:44 -------- d-----w- c:\program files\UltraVNC
2010-08-05 13:43 . 2008-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\temp\FixEngine ----

2010-07-28 16:44 . 2010-07-28 16:44 182 ----a-w- c:\temp\FixEngine\{927E0FA8-14AF-4CDB-89F0-6BEEAD671095}\gc_w01_ENU_NB.fbs
2010-07-28 16:23 . 2010-07-28 16:44 359953472 ----a-w- c:\temp\FixEngine\{927E0FA8-14AF-4CDB-89F0-6BEEAD671095}\gc_w01_ENU_NB.exe


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgcc.exe.vir

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgemc.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"DXDllRegExe"="c:\windows\system32\dxdllreg.exe" [N/A]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-06 6289216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(2756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\netdde.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\windows\system32\ESDUSBMon.EXE
c:\program files\UltraVNC\WinVNC.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\fxssvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-11 09:15:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-11 14:15
ComboFix2.txt 2010-08-10 16:50
ComboFix3.txt 2010-08-09 16:32
ComboFix4.txt 2010-08-07 02:10
ComboFix5.txt 2010-08-11 14:05

Pre-Run: 56,306,245,632 bytes free
Post-Run: 56,344,145,920 bytes free

- - End Of File - - FAC09B79D47407D00C29FD1991111E0A

#11
SweetTech
    Sir SpamAlot
  • Retired Staff
  • 7,671 posts
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad and click OK.
This will open an empty Notepad file:

Copy all the text inside the code box: press Ctrl+C (or right-click the highlighted section and choose 'Copy').

KillAll::
AWF::
c:\program files\Analog Devices\Core\bak\smax4pnp.exe
c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DXDllRegExe"=-

Now paste the copied text into the open Notepad file: press Ctrl+V (or right-click and choose 'Paste').

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT:

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT:

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

NEXT:

Kaspersky Online Scanner
Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

    Posted Image

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt. Save the file to your desktop so that you may post it in your next reply.


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


#12
paltan

    Member

  • Topic Starter
  • Member
  • 50 posts

Hello,


Hello and thanks again. Here are the results:

ComboFix 10-08-10.06 - Palladium Tan 08/11/2010 9:49.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1888 [GMT -5:00]
Running from: c:\documents and settings\Palladium Tan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Palladium Tan\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gotomon.log

.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-07 01:34 . 2010-08-07 01:34 -------- d-----w- c:\program files\CCleaner
2010-08-06 22:27 . 2010-08-10 15:40 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-08-06 22:26 . 2010-08-07 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-08-06 22:26 . 2010-08-06 22:26 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-06 20:26 . 2010-08-06 21:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-06 20:26 . 2010-08-06 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-06 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-06 16:51 . 2010-08-06 16:51 388096 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-05 23:43 . 2010-08-05 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\FrontLine Registry Cleaner
2010-08-05 23:42 . 2010-08-06 15:44 -------- d-----w- c:\program files\Frontline Registry Cleaner
2010-08-05 14:30 . 2010-08-05 14:30 -------- d-----w- c:\program files\Trend Micro
2010-08-05 02:40 . 2010-08-05 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-08-05 02:35 . 2010-08-05 02:39 -------- d-----w- c:\documents and settings\Palladium Tan\Application Data\GetRightToGo
2010-08-05 01:23 . 2010-08-05 01:23 503808 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcp71.dll
2010-08-05 01:23 . 2010-08-05 01:23 499712 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\jmc.dll
2010-08-05 01:23 . 2010-08-05 01:23 348160 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-56bf27ec-n\msvcr71.dll
2010-08-05 01:23 . 2010-08-05 01:23 61440 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-sse.dll
2010-08-05 01:23 . 2010-08-05 01:23 12800 ------w- c:\documents and settings\Palladium Tan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3fc3e528-n\decora-d3d.dll
2010-08-05 01:23 . 2010-07-17 10:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 16:53 . 2010-07-28 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-07-28 16:46 . 2010-07-28 17:34 104247 ----a-w- c:\windows\hpoins04.dat
2010-07-28 16:46 . 2004-06-22 15:04 17176 ------w- c:\windows\hpomdl04.dat
2010-07-28 16:45 . 2004-06-22 15:05 90112 ----a-w- c:\windows\system32\hpovst08.dll
2010-07-28 16:45 . 2004-06-22 15:05 581632 ----a-w- c:\windows\system32\hpotscl.dll
2010-07-28 16:23 . 2010-07-28 16:23 -------- d-----w- c:\temp\FixEngine
2010-07-28 16:23 . 2010-07-28 16:23 10134 ------r- c:\documents and settings\Palladium Tan\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
2010-07-28 16:10 . 2010-07-28 16:10 -------- d-----w- c:\program files\Common Files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 14:44 . 2005-02-27 23:58 -------- d-----w- c:\program files\PCCW
2010-08-10 17:54 . 2006-11-17 20:04 -------- d-----w- c:\program files\PokerStars
2010-08-10 16:45 . 2005-02-07 15:44 -------- d-----w- c:\program files\UltraVNC
2010-08-05 13:43 . 2008-06-11 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Common Files\Java
2010-08-05 01:23 . 2005-01-08 03:09 -------- d-----w- c:\program files\Java
2010-07-28 16:53 . 2005-01-22 03:54 -------- d-----w- c:\program files\HP
2010-07-07 19:38 . 2010-07-07 19:38 137216 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll
2010-07-07 19:38 . 2010-07-07 19:38 339968 ------w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll
2010-07-07 19:38 . 2010-07-07 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner
2010-07-01 02:59 . 2009-10-27 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 14:38 . 2009-05-08 16:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 14:38 . 2010-06-22 14:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 14:37 . 2009-05-08 16:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-31 14:49 . 2008-05-25 15:09 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
1998-05-15 05:00 . 2005-02-27 23:58 73184 -c--a-w- c:\program files\Common Files\dao2535.tlb
1998-04-27 05:00 . 2005-02-27 23:58 570128 ----a-w- c:\program files\Common Files\Dao350.dll
2002-08-01 00:55 . 2009-10-16 20:39 108 -csh--w- c:\windows\WSYS049.SYS
2005-04-10 17:36 . 2005-02-01 02:30 848 -csha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-08-11_14.11.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 14:53 . 2010-08-11 14:53 16384 c:\windows\temp\Perflib_Perfdata_50c.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-03-24 22:05 . 2004-10-14 19:42 1404928 c:\program files\Analog Devices\Core\bak\smax4pnp.exe
2007-03-24 22:05 . 2004-10-14 20:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

2007-01-30 21:57 . 2007-01-12 23:45 249904 c:\program files\Citrix\GoToMyPC\bak\g2svc.exe
2008-04-09 12:43 . 2007-06-20 16:09 258856 c:\program files\Citrix\GoToMyPC\g2svc.exe

2007-05-08 21:24 . 2007-05-08 21:24 54840 c:\program files\HP\HP Software Update\bak\HPWuSchd2.exe
2004-02-12 18:38 . 2004-02-12 18:38 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

2006-03-08 17:23 . 2007-12-20 04:06 579072 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgcc.exe.vir

2005-12-05 17:23 . 2007-12-20 04:06 406528 c:\qoobox\Quarantine\C\Program Files\Grisoft\AVG7\bak\avgemc.exe.vir

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-08-06 6289216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2007-06-20 16:09 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\PCCW\\Pccw.exe"=
"c:\\WINDOWS\\SYSTEM32\\FTP.EXE"=
"c:\\Program Files\\Nichesoft\\TanTrack\\TanTrack.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:VNC
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 1 (0x1)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/8/2009 11:00 AM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [5/8/2009 11:00 AM 243024]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [8/14/2002 3:11 PM 5632]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 9:37 AM 921952]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 9:38 AM 308136]
R2 EPSON ESCPOS Status Service;EPSON ESC/POS Status Service;EpStsSrv.exe --> EpStsSrv.exe [?]
R2 Esdpdx01;Esdpdx01;c:\windows\SYSTEM32\DRIVERS\ESDPDX01.SYS [12/25/2003 1:00 PM 95485]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\SYSTEM32\DRIVERS\tap0801.sys [4/12/2006 4:36 AM 23552]
R3 TMUSB;EPSON USB Device Driver for TM/BA/EU Printers;c:\windows\SYSTEM32\DRIVERS\TMUSBXP.SYS [12/27/2003 1:00 AM 40320]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 MagEpNt;MagEpNt;c:\windows\SYSTEM32\DRIVERS\magepnt.sys [2/27/2005 6:58 PM 26304]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-08-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?r998=1239739352
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://myspace.oberon-media.com/gameshell/games/channel--110343720/lc--en/room--fd864c10-f423-45bb-8447-230cc71ef3c3/online/diner_dash/en/DinerDash.1.0.0.80.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\system32\netdde.exe
c:\windows\system32\EpStsSrv.exe
c:\program files\Symantec\Norton Ghost 2003\GhostStartService.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\OpenVPN\bin\openvpnserv.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\OpenVPN\bin\openvpn.exe
c:\windows\system32\ESDUSBMon.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\UltraVNC\WinVNC.exe
c:\windows\system32\fxssvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-11 09:57:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-11 14:57
ComboFix2.txt 2010-08-11 14:15
ComboFix3.txt 2010-08-10 16:50
ComboFix4.txt 2010-08-09 16:32
ComboFix5.txt 2010-08-11 14:48

Pre-Run: 56,311,193,600 bytes free
Post-Run: 56,335,986,688 bytes free

- - End Of File - - 7D135A8D46B89C391BB8A6CD536964CF


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4419

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/11/2010 10:07:12 AM
mbam-log-2010-08-11 (10-07-12).txt

Scan type: Quick scan
Objects scanned: 155364
Time elapsed: 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Aug 11 10:24:08 2010

Found and removed: C:\Program Files\Java\j2re1.4.2_06

Found and removed: C:\Program Files\Java\jre1.6.0_02

Found and removed: C:\Documents and Settings\Palladium Tan\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\Palladium Tan\Application Data\Sun\Java\jre1.6.0_12

Found and removed: C:\Documents and Settings\Palladium Tan\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Documents and Settings\Palladium Tan\Application Data\Sun\Java\jre1.6.0_15

Found and removed: C:\Documents and Settings\Palladium Tan\Application Data\Sun\Java\jre1.6.0_17

Found and removed: C:\Documents and Settings\Palladium Tan\Application Data\Sun\Java\jre1.6.0_20

Found and removed: C:\WINDOWS\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142060}

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: Software\JavaSoft\Java2D\1.5.0_04

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: Software\JavaSoft\Java2D\1.5.0_08

Found and removed: Software\JavaSoft\Java2D\1.5.0_10

Found and removed: SOFTWARE\Classes\JavaPlugin.150_04

Found and removed: SOFTWARE\Classes\JavaPlugin.150_06

Found and removed: SOFTWARE\Classes\JavaPlugin.150_08

Found and removed: SOFTWARE\Classes\JavaPlugin.150_10

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142060}

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410206

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410206

Found and removed: SOFTWARE\Classes\JavaPlugin.142_06

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_06

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_06

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_06

Found and removed: Software\Classes\JavaPlugin.142_06

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_02\bin\

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB9B14518A96D117A58000B0D410206

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Aug 11 10:25:16 2010

------------------------------------

Finished reporting.



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 11, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 11, 2010 12:42:51
Records in database: 4128448
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Objects scanned: 77791
Threats found: 2
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 02:36:05


File name / Threat / Threats count
C:\Program Files\UltraVNC\WinVNC.exe/C:\Program Files\UltraVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1
C:\Program Files\UltraVNC\vnchooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.c 1
C:\Program Files\UltraVNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.e 1

Selected area has been scanned.


Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 9.0
NETGEAR ProSafe Firewall Router
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 21
Adobe Flash Player
Adobe Reader 9.3.3
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
  • 0

#13
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
How are things running?
  • 0

#14
paltan

paltan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 50 posts

How are things running?


Hello, it's still redirecting when I click on a site. It works fine if I [Ctrl + click]. What a pain! Thanks for helping, SweetTech.
  • 0

#15
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Let's see if this helps with the redirects:

Router Reset
  • Please read this: Malware Silently Alters Wireless Router Settings

  • Consult this link to find out what the default username and password of your router are and note them down: Router Passwords

  • Then reset your router to its factory default settings:

    "If your machine has been infected by one of these Zlob/DNSchanger Trojans, and your router settings have been altered, I would strongly recommend that you reset the router to its default configuration. Usually, this can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds)"


  • This is the difficult part.
    First get to the router's server. To do that, type http://192.168.1.1 in the address bar and click Enter. You get the log in window.
    Fill in the password you have already found and you will get the configuration page.
    Configure the router to allow you to connect to your ISP server. In some routers it is done by a setup wizard. But you have to fill in the log in password your ISP has initially given to you.
    You can also call your ISP if you don't have your initial password.
    Don't forget to change the router's default password and set a strong password. Note down the password and keep it somewhere for future reference.

  • Please make sure of the following settings:
    • Go to Start -> Control Panel -> Double click on Network Connections.
    • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
    • Select the General tab.
    • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
    • Click OK twice to save the settings.
    • Reboot if you had to change any setting.

NEXT:



Flush the DNS cache
  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following
ipconfig /flushdns
  • then hit enter
  • Exit the command window.

After that, Reboot
  • 0
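As an added example (not from the thread and not SweetTech's), here is a Python script that checks the TCP/IP settings the post above asks for by parsing `ipconfig /all` output: it flags adapters that are not on DHCP or whose DNS servers lie outside the local subnet, which is what a DNSChanger-style infection leaves behind. The sample output is constructed; the adapter names, addresses and the XP field wording are assumptions.

```python
import ipaddress
import re
# Constructed `ipconfig /all` output (XP wording), not from the thread: adapter 1 has static DNS outside the LAN, adapter 2 is the wanted state.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.7
                                            203.0.113.8
Ethernet adapter Local Area Connection 2:
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")                # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][^:.]*?)[ .]*:\s?(.*)$")  # "Key . . . : value"

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; unlabelled indented lines extend the last field."""
    adapters, fields, last = {}, None, None
    for line in text.splitlines():
        if m := ADAPTER_RE.match(line):
            fields = adapters.setdefault(m.group(1), {})
        elif fields is None or not line.strip():
            continue
        elif m := FIELD_RE.match(line):
            last = m.group(1).strip().lower()   # lower-case so "Dhcp"/"DHCP" both match
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif last:
            fields[last].append(line.strip())
    return adapters

def audit_dns(adapters):
    """Flag adapters not on DHCP or using DNS servers outside the LAN; {adapter: [findings]}."""
    report = {}
    for name, f in adapters.items():
        findings, first = [], (lambda key: (f.get(key) or [""])[0])
        if f.get("dhcp enabled") != ["Yes"]:
            findings.append("IP address is not obtained automatically (DHCP disabled)")
        lan = ipaddress.ip_network(f"{first('ip address')}/{first('subnet mask')}", strict=False)
        for server in f.get("dns servers", []):
            if ipaddress.ip_address(server) not in lan:
                findings.append(f"DNS server {server} is outside {lan}; expected the router {first('default gateway')}")
        report[name] = findings
    return report
```

On the affected machine, save `ipconfig /all > ipconfig.txt` and pass the file's text to `parse_ipconfig`; an empty findings list for every adapter matches the settings in the list above.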
