AntivirusGT infection


#16 Bulldog04 (Member, Topic Starter, 42 posts)
Sorry it took so long to get back to you. Our internet provider was down last night.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 115):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xB9EA1000 hwgxf.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9E82000 ftdisk.sys
0xBA330000 PartMgr.sys
0xBA338000 pavboot.sys
0xBA0C8000 VolSnap.sys
0xB9E6A000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9E4A000 fltmgr.sys
0xB9E38000 sr.sys
0xBA0F8000 PxHelp20.sys
0xB9E21000 KSecDD.sys
0xB9E0E000 WudfPf.sys
0xB9D81000 Ntfs.sys
0xB9D54000 NDIS.sys
0xB9D3A000 Mup.sys
0xBA268000 \SystemRoot\system32\DRIVERS\processr.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9213000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3F0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB91DF000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xB91BC000 \SystemRoot\system32\DRIVERS\ks.sys
0xB90BD000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xB9016000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA3F8000 \SystemRoot\System32\Drivers\Modem.SYS
0xB8FEE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA278000 \SystemRoot\system32\drivers\nvnetbus.sys
0xB8F15000 \SystemRoot\system32\drivers\NVNRM.SYS
0xBA288000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA298000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8895000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB8881000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA679000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA598000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB886A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA400000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8859000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA408000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA410000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA418000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5E4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB87FB000 \SystemRoot\system32\DRIVERS\update.sys
0xB9D0E000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA308000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA318000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5E8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA128000 \SystemRoot\system32\drivers\NVENETFD.sys
0xB5CA3000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB5C7F000 \SystemRoot\system32\drivers\portcls.sys
0xBA148000 \SystemRoot\system32\drivers\drmk.sys
0xB9CF2000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xBA544000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xBA54C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA168000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA430000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA448000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xBA5EC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA76D000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5EE000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA458000 \SystemRoot\System32\drivers\vga.sys
0xBA5F0000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5F2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA460000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA468000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA554000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB5C24000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB5BCB000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB5BB2000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB5B8A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB5B68000 \SystemRoot\System32\drivers\afd.sys
0xBA188000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB5B3D000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB5AA5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1A8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB5A7F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA1B8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA578000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA470000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB5A06000 \SystemRoot\System32\Drivers\avgldx86.sys
0xBA1E8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB59EE000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA600000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB5C63000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA4A0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA77D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xB5279000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB5028000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB5125000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB4EB9000 \SystemRoot\system32\DRIVERS\srv.sys
0xB497C000 \SystemRoot\system32\drivers\wdmaud.sys
0xB4E59000 \SystemRoot\system32\drivers\sysaudio.sys
0xB4373000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 50):
0 System Idle Process
4 System
572 C:\WINDOWS\system32\smss.exe
636 csrss.exe
660 C:\WINDOWS\system32\winlogon.exe
704 C:\WINDOWS\system32\services.exe
716 C:\WINDOWS\system32\lsass.exe
872 C:\WINDOWS\system32\svchost.exe
932 svchost.exe
1068 C:\WINDOWS\system32\svchost.exe
1128 C:\WINDOWS\system32\svchost.exe
1312 svchost.exe
1416 svchost.exe
1552 C:\WINDOWS\system32\spoolsv.exe
1640 svchost.exe
1672 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
1684 C:\Program Files\Bonjour\mDNSResponder.exe
1732 C:\Program Files\Canon\IJPLM\ijplmsvc.exe
1768 C:\Program Files\Java\jre6\bin\jqs.exe
1820 C:\WINDOWS\system32\nvsvc32.exe
1868 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
204 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
256 C:\WINDOWS\system32\svchost.exe
300 C:\Program Files\AVG\AVG8\avgrsx.exe
308 C:\PROGRA~1\AVG\AVG8\avgnsx.exe
496 C:\Program Files\AVG\AVG8\avgcsrvx.exe
404 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
784 C:\PROGRA~1\AVG\AVG8\avgemc.exe
844 C:\WINDOWS\system32\wuauclt.exe
1884 C:\Program Files\AVG\AVG8\avgcsrvx.exe
1944 C:\WINDOWS\system32\svchost.exe
2400 C:\WINDOWS\explorer.exe
3828 alg.exe
2368 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
1064 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
1152 C:\Program Files\QuickTime\QTTask.exe
2320 C:\Program Files\Common Files\AOL\1208701829\EE\AOLHostManager.exe
2920 C:\PROGRA~1\COMMON~1\AOL\120870~1\EE\AOLServiceHost.exe
2360 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
2976 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
768 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
3388 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3452 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3460 C:\Program Files\AVG\AVG8\avgtray.exe
3620 C:\Documents and Settings\Dana\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2516 C:\WINDOWS\system32\ctfmon.exe
1908 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
2488 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
3724 C:\WINDOWS\system32\notepad.exe
892 C:\Documents and Settings\Dana\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: ST3160815AS, Rev: 4.ADA

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!





Combofix Log:

ComboFix 10-09-03.01 - Dana 2010-09-05 15:07:49.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1505 [GMT -5:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-08-05 to 2010-09-05 )))))))))))))))))))))))))))))))
.

2010-09-05 19:11 . 2009-11-25 18:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-09-03 14:23 . 2010-09-03 14:24 -------- d-----w- c:\program files\ERUNT
2010-09-02 15:35 . 2010-09-02 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-02 14:24 . 2010-09-02 14:27 -------- d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Trend Micro
2010-09-02 00:04 . 2010-09-02 00:04 -------- d-----w- c:\documents and settings\Dana\Local Settings\Application Data\AVG Security Toolbar
2010-09-01 02:38 . 2010-07-09 14:26 475136 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-31 04:25 . 2010-09-05 18:26 -------- d-----w- c:\windows\system32\drivers\Avg
2010-08-31 02:57 . 2010-09-01 04:50 -------- d-----w- c:\documents and settings\Dana\Application Data\AVGTOOLBAR
2010-08-31 01:36 . 2010-08-31 01:36 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-08-31 01:36 . 2010-08-31 01:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2010-08-31 01:36 . 2010-08-31 01:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-08-31 01:35 . 2010-08-31 01:35 120 ----a-w- c:\windows\Mhenu.dat
2010-08-31 01:35 . 2010-08-31 01:35 0 ----a-w- c:\windows\Awutawevanuzafa.bin
2010-08-31 01:33 . 2010-09-05 20:13 786432 ----a-w- c:\windows\system32\drivers\hwgxf.sys
2010-08-31 01:33 . 2010-09-01 09:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\snkfdqgjp
2010-08-26 12:44 . 2010-09-02 14:22 -------- d-----r- c:\program files\Skype
2010-08-18 22:38 . 2010-08-18 22:38 -------- d-----w- c:\program files\Common Files\Java
2010-08-07 11:45 . 2010-08-07 11:45 503808 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7f180116-n\msvcp71.dll
2010-08-07 11:45 . 2010-08-07 11:45 499712 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7f180116-n\jmc.dll
2010-08-07 11:45 . 2010-08-07 11:45 348160 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7f180116-n\msvcr71.dll
2010-08-07 11:44 . 2010-08-07 11:44 12800 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-725f55e7-n\decora-d3d.dll
2010-08-07 11:44 . 2010-08-07 11:44 61440 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-725f55e7-n\decora-sse.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 19:11 . 2010-09-01 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-09-04 17:30 . 2010-04-17 13:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-04 13:52 . 2008-04-20 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 13:04 . 2008-08-19 18:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-03 13:03 . 2008-12-21 08:45 -------- d-----w- c:\program files\LimeWire
2010-09-03 12:36 . 2008-12-21 08:46 -------- d-----w- c:\documents and settings\Dana\Application Data\LimeWire
2010-09-02 14:28 . 2008-12-24 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-09-02 14:27 . 2008-11-15 23:08 -------- d-----w- c:\program files\Trend Micro
2010-08-31 05:26 . 2010-08-31 04:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-31 04:30 . 2010-08-31 04:30 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2010-08-31 04:30 . 2010-08-31 04:30 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2010-08-31 04:30 . 2010-08-31 04:30 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2010-08-31 04:30 . 2010-08-31 04:30 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2010-08-31 04:25 . 2010-08-31 05:26 76040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
2010-08-31 04:25 . 2010-08-31 05:26 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2010-08-31 04:25 . 2010-08-31 05:26 97928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2010-08-31 04:25 . 2010-08-31 05:26 26824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2010-08-31 04:25 . 2010-08-31 05:26 287000 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2010-08-31 04:25 . 2010-09-01 23:38 2075416 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2010-08-31 01:34 . 2009-10-30 21:04 -------- d-----w- c:\documents and settings\Dana\Application Data\Efviuk
2010-08-30 20:35 . 2008-05-02 18:07 -------- d-----w- c:\documents and settings\Dana\Application Data\skypePM
2010-08-29 23:24 . 2009-03-25 07:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-26 12:44 . 2008-05-02 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-18 22:38 . 2008-04-20 14:20 -------- d-----w- c:\program files\Java
2010-08-16 14:09 . 2008-08-04 21:51 144 ----a-w- c:\documents and settings\Dana\Application Data\wklnhst.dat
2010-08-12 08:03 . 2008-04-20 14:26 -------- d-----w- c:\program files\Microsoft Works
2010-08-03 10:10 . 2010-08-03 10:10 503808 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e68102a-n\msvcp71.dll
2010-08-03 10:10 . 2010-08-03 10:10 499712 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e68102a-n\jmc.dll
2010-08-03 10:10 . 2010-08-03 10:10 348160 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e68102a-n\msvcr71.dll
2010-08-03 10:10 . 2010-08-03 10:10 61440 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-23dab621-n\decora-sse.dll
2010-08-03 10:10 . 2010-08-03 10:10 12800 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-23dab621-n\decora-d3d.dll
2010-07-19 13:45 . 2008-12-25 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-07-17 10:00 . 2010-07-02 14:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-05 06:10 . 2010-07-05 06:10 503808 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-155ab09f-n\msvcp71.dll
2010-07-05 06:10 . 2010-07-05 06:10 499712 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-155ab09f-n\jmc.dll
2010-07-05 06:10 . 2010-07-05 06:10 348160 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-155ab09f-n\msvcr71.dll
2010-07-05 06:10 . 2010-07-05 06:10 61440 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4c996ae9-n\decora-sse.dll
2010-07-05 06:10 . 2010-07-05 06:10 12800 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4c996ae9-n\decora-d3d.dll
2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 07:25 . 2010-06-24 07:25 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-24 07:25 . 2010-06-24 07:25 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-24 07:25 . 2010-06-24 07:25 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-24 07:25 . 2010-06-24 07:25 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-24 07:25 . 2010-06-24 07:25 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-24 07:24 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-23 13:44 . 2004-08-10 17:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 17:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 17:51 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-11-28 06:40 . 2009-11-28 06:40 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-09-04_14.35.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-05 18:20 . 2010-09-05 18:20 16384 c:\windows\temp\Perflib_Perfdata_98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SansaDispatch"="c:\documents and settings\Dana\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-05 79872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-08 39408]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"HostManager"="c:\program files\Common Files\AOL\1208701829\EE\AOLHostManager.exe" [2004-11-03 125528]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-24 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-09-01 2048352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-09-29 9347072]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-31 05:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1208701829\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-19 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-08-30 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-08-30 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2010-08-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-08-31 297752]
S2 TabQuery Service;TabQuery Service;c:\documents and settings\All Users\Application Data\TabQuery\tabquery131.exe [2010-05-20 61696]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]
S3 nenum13E;nenum13E;\??\c:\docume~1\Logan\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\Logan\LOCALS~1\Temp\nenum13E.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - hwgxf

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-09-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3721676869-1185760579-3692694581-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3721676869-1185760579-3692694581-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3721676869-1185760579-3692694581-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3721676869-1185760579-3692694581-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3721676869-1185760579-3692694581-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3721676869-1185760579-3692694581-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Dana\Application Data\Mozilla\Firefox\Profiles\fdp9zge9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-05 15:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Dana\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hwgxf]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(904)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

- - - - - - - > 'explorer.exe'(216)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-09-05 15:14:48
ComboFix-quarantined-files.txt 2010-09-05 20:14
ComboFix2.txt 2010-09-04 14:38
ComboFix3.txt 2010-09-03 19:57

Pre-Run: 107,995,844,608 bytes free
Post-Run: 108,018,106,368 bytes free

- - End Of File - - FEEEE404D43B8FAE350C649219B1CCFE
  • 0


#17
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

Sorry it took so long to get back to you. Our internet provider was down last night.

That's OK. Happens now and then.

Step 1.
CFScript:

Open notepad and copy/paste the text in the codebox below into it:

http://www.geekstogo.com/forum/topic/285748-antivirusgt-infection/

Collect::
c:\windows\Mhenu.dat
c:\windows\Awutawevanuzafa.bin
c:\windows\system32\drivers\hwgxf.sys
c:\documents and settings\NetworkService\Local Settings\Application Data\snkfdqgjp
Driver::
nenum13E

Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Step 2.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • Information on how your computer is running after those steps

  • 0

#18
Bulldog04

Bulldog04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
It seems to be running normally now.


ComboFix 10-09-03.01 - Dana 2010-09-06 9:37.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1345 [GMT -5:00]
Running from: c:\documents and settings\Dana\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dana\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

file zipped: c:\windows\Awutawevanuzafa.bin
file zipped: c:\windows\Mhenu.dat
file zipped: c:\windows\system32\drivers\hwgxf.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Awutawevanuzafa.bin
c:\windows\Mhenu.dat
c:\windows\system32\drivers\hwgxf.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NENUM13E
-------\Service_nenum13E
-------\Legacy_hwgxf
-------\Service_hwgxf


((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))
.

2010-09-05 19:11 . 2009-11-25 18:01 1230080 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-09-03 14:23 . 2010-09-03 14:24 -------- d-----w- c:\program files\ERUNT
2010-09-02 15:35 . 2010-09-02 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-02 14:24 . 2010-09-02 14:27 -------- d-----w- c:\documents and settings\Dana\Local Settings\Application Data\Trend Micro
2010-09-02 00:04 . 2010-09-02 00:04 -------- d-----w- c:\documents and settings\Dana\Local Settings\Application Data\AVG Security Toolbar
2010-09-01 02:38 . 2010-07-09 14:26 475136 ------w- c:\documents and settings\All Users\Application Data\Dell\RMC\RMCCreationInfo.exe
2010-09-01 02:38 . 2010-07-02 14:25 60416 ----a-w- c:\documents and settings\All Users\Application Data\Dell\RMC\ZLib1.dll
2010-09-01 02:37 . 2010-08-17 18:10 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-31 04:25 . 2010-09-05 21:35 -------- d-----w- c:\windows\system32\drivers\Avg
2010-08-31 02:57 . 2010-09-01 04:50 -------- d-----w- c:\documents and settings\Dana\Application Data\AVGTOOLBAR
2010-08-31 01:36 . 2010-08-31 01:36 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-08-31 01:36 . 2010-08-31 01:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2010-08-31 01:36 . 2010-08-31 01:36 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
2010-08-31 01:33 . 2010-09-01 09:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\snkfdqgjp
2010-08-26 12:44 . 2010-09-02 14:22 -------- d-----r- c:\program files\Skype
2010-08-18 22:38 . 2010-08-18 22:38 -------- d-----w- c:\program files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-05 19:11 . 2010-09-01 23:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-09-04 17:30 . 2010-04-17 13:06 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-04 13:52 . 2008-04-20 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-03 13:04 . 2008-08-19 18:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-03 13:03 . 2008-12-21 08:45 -------- d-----w- c:\program files\LimeWire
2010-09-03 12:36 . 2008-12-21 08:46 -------- d-----w- c:\documents and settings\Dana\Application Data\LimeWire
2010-09-02 14:28 . 2008-12-24 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-09-02 14:27 . 2008-11-15 23:08 -------- d-----w- c:\program files\Trend Micro
2010-08-31 05:26 . 2010-08-31 04:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-31 04:30 . 2010-08-31 04:30 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2010-08-31 04:30 . 2010-08-31 04:30 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2010-08-31 04:30 . 2010-08-31 04:30 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2010-08-31 04:30 . 2010-08-31 04:30 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2010-08-31 04:25 . 2010-08-31 05:26 76040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys
2010-08-31 04:25 . 2010-08-31 05:26 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2010-08-31 04:25 . 2010-08-31 05:26 97928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2010-08-31 04:25 . 2010-08-31 05:26 26824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys
2010-08-31 04:25 . 2010-08-31 05:26 287000 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2010-08-31 04:25 . 2010-09-01 23:38 2075416 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2010-08-31 01:34 . 2009-10-30 21:04 -------- d-----w- c:\documents and settings\Dana\Application Data\Efviuk
2010-08-30 20:35 . 2008-05-02 18:07 -------- d-----w- c:\documents and settings\Dana\Application Data\skypePM
2010-08-29 23:24 . 2009-03-25 07:09 -------- d-----w- c:\program files\Windows Live Safety Center
2010-08-26 12:44 . 2008-05-02 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-18 22:38 . 2008-04-20 14:20 -------- d-----w- c:\program files\Java
2010-08-16 14:09 . 2008-08-04 21:51 144 ----a-w- c:\documents and settings\Dana\Application Data\wklnhst.dat
2010-08-12 08:03 . 2008-04-20 14:26 -------- d-----w- c:\program files\Microsoft Works
2010-08-07 11:45 . 2010-08-07 11:45 503808 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7f180116-n\msvcp71.dll
2010-08-07 11:45 . 2010-08-07 11:45 499712 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7f180116-n\jmc.dll
2010-08-07 11:45 . 2010-08-07 11:45 348160 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7f180116-n\msvcr71.dll
2010-08-07 11:44 . 2010-08-07 11:44 12800 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-725f55e7-n\decora-d3d.dll
2010-08-07 11:44 . 2010-08-07 11:44 61440 ----a-w- c:\documents and settings\Dana\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-725f55e7-n\decora-sse.dll
2010-08-03 10:10 . 2010-08-03 10:10 503808 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e68102a-n\msvcp71.dll
2010-08-03 10:10 . 2010-08-03 10:10 499712 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e68102a-n\jmc.dll
2010-08-03 10:10 . 2010-08-03 10:10 348160 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e68102a-n\msvcr71.dll
2010-08-03 10:10 . 2010-08-03 10:10 61440 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-23dab621-n\decora-sse.dll
2010-08-03 10:10 . 2010-08-03 10:10 12800 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-23dab621-n\decora-d3d.dll
2010-07-19 13:45 . 2008-12-25 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-07-17 10:00 . 2010-07-02 14:21 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-05 06:10 . 2010-07-05 06:10 503808 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-155ab09f-n\msvcp71.dll
2010-07-05 06:10 . 2010-07-05 06:10 499712 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-155ab09f-n\jmc.dll
2010-07-05 06:10 . 2010-07-05 06:10 348160 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-155ab09f-n\msvcr71.dll
2010-07-05 06:10 . 2010-07-05 06:10 61440 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4c996ae9-n\decora-sse.dll
2010-07-05 06:10 . 2010-07-05 06:10 12800 ----a-w- c:\documents and settings\Logan\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4c996ae9-n\decora-d3d.dll
2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 07:25 . 2010-06-24 07:25 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-06-24 07:25 . 2010-06-24 07:25 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-06-24 07:25 . 2010-06-24 07:25 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-06-24 07:25 . 2010-06-24 07:25 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-06-24 07:25 . 2010-06-24 07:25 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-06-24 07:25 . 2010-06-24 07:25 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-06-24 07:24 . 2003-08-13 01:17 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-23 13:44 . 2004-08-10 17:51 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 17:51 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 17:51 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-10 18:02 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 17:51 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-11-28 06:40 . 2009-11-28 06:40 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-09-04_14.35.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-06 14:45 . 2010-09-06 14:45 16384 c:\windows\temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"SansaDispatch"="c:\documents and settings\Dana\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-05 79872]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-08 39408]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"HostManager"="c:\program files\Common Files\AOL\1208701829\EE\AOLHostManager.exe" [2004-11-03 125528]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-24 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-09-01 2048352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-04-07 8466432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-09-29 9347072]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-08-31 05:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1208701829\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-19 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-08-30 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-08-30 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2010-08-31 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-08-31 297752]
S2 TabQuery Service;TabQuery Service;c:\documents and settings\All Users\Application Data\TabQuery\tabquery131.exe [2010-05-20 61696]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" --> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HTTPFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-09-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3721676869-1185760579-3692694581-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3721676869-1185760579-3692694581-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3721676869-1185760579-3692694581-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3721676869-1185760579-3692694581-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3721676869-1185760579-3692694581-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3721676869-1185760579-3692694581-1009.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Dana\Application Data\Mozilla\Firefox\Profiles\fdp9zge9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-06 09:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\Dana\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\progra~1\COMMON~1\AOL\120870~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\120870~1\EE\AOLServiceHost.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-06 09:49:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-06 14:49
ComboFix2.txt 2010-09-05 20:14
ComboFix3.txt 2010-09-04 14:38
ComboFix4.txt 2010-09-03 19:57

Pre-Run: 107,946,954,752 bytes free
Post-Run: 107,958,042,624 bytes free

- - End Of File - - BCBC7484CD7B8AC001E4535A32BED5A3
  • 0

#19
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


Were the files submitted?
  • 0

#20
Bulldog04

Bulldog04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
How can I tell?
  • 0

#21
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
If it failed there should have been a dialog box with the message that the upload failed.

Posted Image

And it looks as if it has. Let's upload it manually.

Go to Start -> Run... and copy and paste in the following:

C:\CF-Submit.htm



Click on OK.
  • 0

#22
Bulldog04

Bulldog04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
I did not get that error message.

When I pasted "C:\CF-Submit.htm" after Run it said Windows could not find the file.

Edited by Bulldog04, 07 September 2010 - 04:00 PM.

  • 0

#23
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Please post the content of

C:\Qoobox\ComboFix-quarantined-files.txt
  • 0

#24
Bulldog04

Bulldog04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
2010-09-06 14:42:44 . 2010-09-06 14:42:44 781,893 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\_hwgxf_.sys.zip
2010-09-06 14:42:42 . 2010-09-06 14:42:42 74 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_hwgxf.reg.dat
2010-09-06 14:42:42 . 2010-09-06 14:42:42 1,234 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_hwgxf.reg.dat
2010-09-06 14:42:13 . 2010-09-06 14:42:13 2,660 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_nenum13E.reg.dat
2010-09-06 14:42:13 . 2010-09-06 14:42:13 1,334 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_NENUM13E.reg.dat
2010-09-06 14:37:12 . 2010-09-06 14:37:13 782,823 ----a-w- C:\Qoobox\Quarantine\[4]-Submit_2010-09-06_09.37.08.zip
2010-09-03 19:55:14 . 2010-09-03 19:55:14 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{196C3A46-4758-433D-A600-802C804AF39C}.reg.dat
2010-09-03 19:55:13 . 2010-09-03 19:55:13 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat
2010-09-03 19:44:32 . 2010-09-06 14:42:08 4,984 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-09-03 19:20:33 . 2010-09-06 14:42:45 528 ----a-w- C:\Qoobox\Quarantine\catchme.log
2010-08-31 01:35:26 . 2010-08-31 01:35:26 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Awutawevanuzafa.bin.vir
2010-08-31 01:35:26 . 2010-08-31 01:35:26 120 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Mhenu.dat.vir
2010-08-31 01:35:20 . 2010-08-31 01:35:20 5,954 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Local Settings\Application Data\{7FEEF892-33FC-424D-9A8A-7F2252BBEA45}\chrome\content\overlay.xul.vir
2010-08-31 01:35:20 . 2010-08-31 01:35:20 2,124 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Local Settings\Application Data\{7FEEF892-33FC-424D-9A8A-7F2252BBEA45}\chrome\content\_cfg.js.vir
2010-08-31 01:35:20 . 2010-08-31 01:35:20 764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Local Settings\Application Data\{7FEEF892-33FC-424D-9A8A-7F2252BBEA45}\install.rdf.vir
2010-08-31 01:35:20 . 2010-08-31 01:35:20 122 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Local Settings\Application Data\{7FEEF892-33FC-424D-9A8A-7F2252BBEA45}\chrome.manifest.vir
2010-08-31 01:33:57 . 2010-09-06 14:44:06 786,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\hwgxf.sys.vir
2009-06-27 18:36:17 . 2009-12-04 21:58:15 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Application Data\inst.exe.vir
2008-11-15 15:20:12 . 2008-11-21 17:17:30 331 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Application Data\0200000087c083b9502O.manifest.vir
2008-11-15 15:20:12 . 2008-11-21 17:17:30 11 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Application Data\0200000087c083b9502S.manifest.vir
2008-11-15 15:20:12 . 2008-11-21 17:17:30 738 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Application Data\0200000087c083b9502C.manifest.vir
2008-11-15 15:20:12 . 2008-11-21 17:35:25 1,135 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Dana\Application Data\0200000087c083b9502P.manifest.vir
2007-09-07 20:16:28 . 2007-09-07 20:16:28 136,512 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir
2007-04-24 18:11:14 . 2007-04-24 18:11:14 365 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf.vir
2005-04-18 18:45:34 . 2005-04-18 18:45:34 242 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.inf.vir
  • 0

#25
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Please visit this site and follow the instructions for uploading the C:\Qoobox\Quarantine\[4]-Submit_2010-09-06_09.37.08.zip file.

Remember to give the link to this topic!
  • 0


#26
Bulldog04

Bulldog04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
I uploaded the file over there this morning.

Should I monitor that site for directions?
  • 0

#27
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

Should I monitor that site for directions?

No that's not needed.

We'll continue here. Late here though, time for some sleep. I'll be back tomorrow.
  • 0

#28
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Step 1.
Clean temp locations:

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    c:\documents and settings\NetworkService\Local Settings\Application Data\snkfdqgjp
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog


Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step 3.
Scan with Kaspersky Online Scanner:

Please do an online scan with Kaspersky Online Scanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 20.
  • Click the JDK 6 Update 20 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")
Step 4.
Things I would like to see in your reply:

  • The content of the fixlog from OTL from Step 1.
  • The content of the report from MBAM from Step 2.
  • The content of the report from Kaspersky Online Scanner from Step 3.
  • Information on how your computer is running now.

  • 0

#29
Bulldog04

Bulldog04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 42 posts
The computer seems to be acting normally again.


All processes killed
========== FILES ==========
c:\documents and settings\NetworkService\Local Settings\Application Data\snkfdqgjp folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Dana
->Temp folder emptied: 145806 bytes
->Temporary Internet Files folder emptied: 225447748 bytes
->Java cache emptied: 3492073 bytes
->FireFox cache emptied: 87613795 bytes
->Flash cache emptied: 16300 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Halla

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Logan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 299319 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 640 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 10812 bytes

User: Vincent

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1382964 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1544 bytes

Total Files Cleaned = 304.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Dana
->Flash cache emptied: 0 bytes

User: Default User

User: Halla

User: LocalService

User: Logan
->Flash cache emptied: 0 bytes

User: NetworkService
->Flash cache emptied: 0 bytes

User: Vincent

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.11.0 log created on 09132010_031106

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_820.dat moved successfully.

Registry entries deleted on Reboot...




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4610

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-09-13 04:09:32
mbam-log-2010-09-13 (04-09-32).txt

Scan type: Quick scan
Objects scanned: 165425
Time elapsed: 40 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Kaspersky Scanner said no infection found. Log was empty.

Edited by Bulldog04, 13 September 2010 - 07:13 PM.

  • 0
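As an added example (not part of the thread, and not OTL's own tooling), a small parser for the OTL fix log format posted above: it totals the bytes emptied per user profile, maps each path listed under :Files in the Step 1 fix to whether OTL reports moving it, and sanity-checks the whole-MiB total OTL prints against the per-line byte counts. The embedded log is a constructed, abbreviated excerpt of the posted one, with its total line adjusted to match the subset.

```python
import re
from collections import defaultdict

# Constructed, abbreviated excerpt in the shape of the OTL fix log posted above
# (only two user sections; the total line is adjusted to match this subset).
SAMPLE_FIXLOG = r"""
c:\documents and settings\NetworkService\Local Settings\Application Data\snkfdqgjp folder moved successfully.
[EMPTYTEMP]
User: Dana
->Temp folder emptied: 145806 bytes
->Temporary Internet Files folder emptied: 225447748 bytes
->Java cache emptied: 3492073 bytes
->FireFox cache emptied: 87613795 bytes
->Flash cache emptied: 16300 bytes
User: Logan
->Flash cache emptied: 640 bytes
Windows Temp folder emptied: 1382964 bytes
RecycleBin emptied: 1544 bytes
Total Files Cleaned = 303.00 mb
C:\WINDOWS\temp\Perflib_Perfdata_820.dat moved successfully.
"""

USER_RE = re.compile(r"^User: (.+)$")
ITEM_RE = re.compile(r"^(->)?(.+?)(?: folder)? (?:emptied|removed): (\d+) bytes$")
MOVED_RE = re.compile(r"^(.+?)(?: folder)? moved successfully\.$")
TOTAL_RE = re.compile(r"^Total Files Cleaned = ([\d.]+) mb$")

def parse_fixlog(text):
    """Return (bytes emptied per profile, paths moved, MiB total reported by OTL)."""
    per_user, moved, reported_mb, current = defaultdict(int), [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            current = m.group(1)
        elif m := MOVED_RE.match(line):
            moved.append(m.group(1))
        elif m := TOTAL_RE.match(line):
            reported_mb = float(m.group(1))
        elif m := ITEM_RE.match(line):
            # "->" lines belong to the current profile; bare lines are system-wide
            per_user[current if m.group(1) else "(system)"] += int(m.group(3))
    return dict(per_user), moved, reported_mb

def targets_removed(text, targets):
    # Map each :Files target to whether the log reports it moved (paths compared case-insensitively)
    moved = {p.lower() for p in parse_fixlog(text)[1]}
    return {t: t.lower() in moved for t in targets}

def total_consistent(text):
    """OTL prints a whole-MiB total; accept the summed byte counts within 1 MiB of it."""
    per_user, _, reported_mb = parse_fixlog(text)
    return reported_mb is not None and abs(sum(per_user.values()) / 2**20 - reported_mb) <= 1
```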

#30
heir

heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Hey there, Bulldog04 !

OK! Well done, your log is clean again! :)

Time for some housekeeping.

Step 1.
Clean up:

What we need to do is remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Second:

Double-click OTL.exe to run it.
Click the Clean Up button
Click Yes to the reboot.

Now delete any tools/logs that are left over after you ran OTL Clean Up.


Third:
Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again.


Step 2.
Prevention:

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.


Second:
Now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Third:
Next let's look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls
Fourth:
On to personal Anti Virus programs.
There is a new version of AVG Free.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
Fifth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!
  • 0
