slow computer (In Progress)
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
05-Jul-2009, 12:19 AM #31
slow computer
Hi Flavallee,
I DID it. I am on dialup. Signal from the station doesn't reach me (down the hill, no problem).
aroha.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:14 PM, on 7/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\FixCamera.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunServices: [Microsoft Lsass Center] Issass.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1201850888652
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201850854243
O17 - HKLM\System\CCS\Services\Tcpip\..\{C75B8FCE-0BF2-477D-B502-A066479831C8}: NameServer = 203.8.183.1 192.189.54.33
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/MYBITS~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

--
End of file - 6010 bytes
flavallee's Avatar
Trusted Advisor with 23,237 posts.
 
Join Date: May 2002
Location: Hillsborough county, Florida
Experience: Advanced
05-Jul-2009, 09:54 AM #32
aroha:

This log entry shows an infection. I've included a link below it so you can see what it is.

O4 - HKLM\..\RunServices: [Microsoft Lsass Center] Issass.exe

http://www.sysinfo.org/startuplist.p...t+Lsass+Center

I've reported your thread to the "Malware Removal & HijackThis Logs" section for assistance by a malware expert.

Don't make any changes in your computer until you're contacted and given instructions.

---------------------------------------------------------------
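The entry flavallee singled out is a textbook impersonation: an unqualified `Issass.exe` (capital I standing in for the lowercase l of `lsass.exe`) loaded from the RunServices key. The following is an added example, not code from the thread or from HijackThis, that parses O4 registry autostart lines in the format shown above and flags this pattern: image names within one edit of a core Windows process name, use of the RunServices key, and commands without a full path. The sample log lines are constructed to mirror the log above.

```python
import re

# Constructed sample in the shape of the HijackThis O4 section above; the
# RunServices line is the one flavallee flagged in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [Microsoft Lsass Center] Issass.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
"""

# Core Windows processes that autostart malware likes to impersonate.
SYSTEM_NAMES = ("lsass", "csrss", "svchost", "winlogon", "services", "smss", "explorer")

# O4 registry autostart line: hive, key, [label], command.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so 'lssass' vs 'lsass' scores 1 (one extra letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_name(cmd: str) -> str:
    """Bare executable name from the command, ignoring quotes, directories and arguments."""
    m = re.search(r'([^\\/"]+?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def analyze_o4(log_text: str) -> list:
    """Return one finding per suspicious O4 registry entry, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue  # Global Startup / .lnk entries are not handled here
        exe = image_name(m["cmd"])
        # In most fonts a capital I passes for a lowercase l; fold it before comparing.
        stem = re.sub(r"\.exe$", "", exe, flags=re.IGNORECASE).replace("I", "l").lower()
        reasons, impersonation = [], False
        for sysname in SYSTEM_NAMES:
            d = levenshtein(stem, sysname)
            if d <= 1:  # an exact system name in a Run key is as wrong as a near miss
                impersonation = True
                reasons.append(f"image name matches or imitates {sysname}.exe (edit distance {d})")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is a Windows 9x-era key; legitimate XP software rarely uses it")
        if not re.match(r'^"?([A-Za-z]:\\|%)', m["cmd"]):
            reasons.append("no full path: image is resolved via the search path")
        if reasons:
            # A bare path on its own is only a weak signal (AGRSMMSG.exe is a legitimate modem agent).
            severity = "high" if impersonation else "low"
            findings.append({"line": line, "exe": exe, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['exe']}")
        for r in f["reasons"]:
            print("   -", r)
```

Running it on the sample prints `Issass.exe` as high severity with all three reasons, and `AGRSMMSG.exe` as low severity for its bare path only.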
Cookiegal's Avatar
Administrator with 63,387 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
05-Jul-2009, 10:25 AM #33
As this is a malware issue, I don't recommend that you do any tweaks to the system until we see where you stand once the machine is clean. Note that this doesn't exclude the recommendations of our Trusted Advisor, flavallee, as we often work together and you can follow his instructions as well.

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
__________________
Microsoft MVP - Consumer Security
flavallee's Avatar
Trusted Advisor with 23,237 posts.
 
Join Date: May 2002
Location: Hillsborough county, Florida
Experience: Advanced
05-Jul-2009, 10:59 AM #34
aroha:

Follow Cookiegal's instructions from this point on.

We work together a lot, so you're in good hands.

-----------------------------------------------------------------
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
05-Jul-2009, 09:06 PM #35
slow computer
Dear Flavallee,
Will do.
Thanks heaps for everything. I feel I am losing a friend.
Aroha.
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
05-Jul-2009, 09:53 PM #36
slow computer
Hi Cookiegal,
I cannot find where to click on 'ComboFix' in "Bleepingcomputer.com/ComboFix".
Sorry about that.
aroha.
Cookiegal's Avatar
Administrator with 63,387 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
05-Jul-2009, 10:14 PM #37
If you scroll down in the section called "Using ComboFix" you will see three places you can download it from. They are listed as follows and are clickable links.

BleepingComputer.com
ForoSpyware.com
GeeksTogo.com
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
06-Jul-2009, 12:46 AM #38
slow computer
Hi Cookiegal,
I did it. Thanks heaps.

ComboFix 09-07-05.01 - My bits and pieces 07/06/2009 14:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.232 [GMT 10:00]
Running from: c:\documents and settings\My bits and pieces\My Documents\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1390067357-1682526488-854245398-500
c:\windows\system32\ddpgdpqy.ini
c:\windows\system32\dfefe.bak2
c:\windows\system32\dfefe.ini
c:\windows\system32\gacfcjrn.ini
c:\windows\system32\i
c:\windows\system32\ncbgiiim.ini
c:\windows\system32\oqrqr.bak1
c:\windows\system32\oqrqr.bak2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DLLHOST32
-------\Legacy_MSHOST


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-05 11:16 . 2009-07-05 11:16 -------- d-----w- c:\program files\Executive Software
2009-07-01 09:45 . 2009-06-17 01:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 09:45 . 2009-07-01 09:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 09:45 . 2009-06-17 01:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 04:44 . 2009-07-06 04:22 117760 ----a-w- c:\documents and settings\My bits and pieces\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 04:26 . 2009-06-23 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-23 04:25 . 2009-07-02 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 04:25 . 2009-06-23 04:25 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\SUPERAntiSpyware.com
2009-06-23 04:25 . 2009-06-23 04:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 02:26 . 2009-06-23 03:03 -------- d-----w- c:\documents and settings\All Users\AVP 2009
2009-06-21 01:57 . 2009-06-21 01:57 -------- d-----w- c:\program files\Registry Clean Expert
2009-06-21 01:50 . 2009-06-21 01:50 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\Auslogics
2009-06-21 01:47 . 2009-06-21 01:47 -------- d-----w- c:\program files\Auslogics
2009-06-21 01:26 . 2009-06-22 23:41 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\wsInspector
2009-06-21 00:09 . 2009-06-21 01:51 -------- d-----w- c:\program files\Startup Inspector for Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 03:13 . 2008-03-29 05:51 169936 -c--a-w- c:\documents and settings\My bits and pieces\Application Data\Mozilla\Firefox\Profiles\kqmqm7gf.default\FlashGot.exe
2009-07-05 11:09 . 2007-09-20 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-23 01:17 . 2007-03-24 03:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-23 01:14 . 2006-12-24 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 09:48 . 2008-02-09 20:17 -------- d-----w- c:\program files\Bonjour
2009-06-22 09:20 . 2008-03-29 08:45 -------- d-----w- c:\program files\CyberLink
2009-06-22 09:20 . 2004-04-10 07:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 02:20 . 2009-03-30 03:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-28 02:20 . 2009-03-30 03:39 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-28 02:20 . 2009-03-30 03:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-28 02:20 . 2009-03-30 03:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-27 01:58 . 2007-04-20 09:32 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\Canon
2009-05-07 15:32 . 2004-04-10 06:43 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-06-23 00:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-04-10 06:44 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-12 04:53 . 2005-01-05 23:57 54824 -c--a-w- c:\documents and settings\My bits and pieces\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-12-27 10:58 . 2006-12-27 10:58 5971432 -c--a-w- c:\program files\Firefox Setup 2.0.0.1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-26 118843]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-02 172032]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-03 40960]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-28 1947928]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]

c:\documents and settings\My bits and pieces\Start Menu\Programs\Startup\
Diskeeper 9 Home Edition Registration.lnk - c:\program files\Executive Software\Diskeeper\ESIRegister.exe [2005-1-4 3674112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-4-10 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 05:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-28 02:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/30/2009 1:39 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/30/2009 1:39 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [4/10/2004 5:27 PM 5760]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/28/2009 12:20 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/28/2009 12:20 PM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [4/10/2004 9:50 AM 46108]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [6/22/2007 8:54 AM 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [12/13/2006 5:31 PM 87040]
S3 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [4/10/2004 5:27 PM 126976]
.
Contents of the 'Scheduled Tasks' folder

2009-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-30 08:12]

2009-05-28 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-07-06 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {C75B8FCE-0BF2-477D-B502-A066479831C8} = 203.8.183.1 192.189.54.33
FF - ProfilePath - c:\documents and settings\My bits and pieces\Application Data\Mozilla\Firefox\Profiles\kqmqm7gf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Merriam-Webster Dictionary
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 14:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3092170582-3944574435-1440423449-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{847682DE-AF1A-58B6-B17F-B3D4CB77C9AC}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iapnhmbnppocdnclbg"=hex:6a,61,6f,65,6e,70,68,6c,66,61,65,64,69,65,6b,65,70,6a,
67,62,00,00
"hajofpciefkiklig"=hex:6a,61,6f,65,6e,70,68,6c,66,61,65,64,69,65,6b,65,70,6a,
67,62,00,00
"eabmfcbmpj"=hex:61,61,00,00
"eahohccphk"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):96,d4,fa,15,19,7b,78,2f,e0,1d,2f,bf,c7,a0,52,85,3f,c5,90,10,d2,
31,b4,5a,c7,0b,a4,ce,ab,96,be,fb,b4,87,e2,06,a3,5c,4f,fd,00,00,00,00,00,00, \

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9aa176f6-b962-4b61-bafa-eb76cdd8dbc5}]
@Denied: (Full) (Everyone)
"Model"=dword:00000150
"Therad"=dword:0000002d
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,70,ec,af,dd,17,24,ae,9d,52,d5,15,19,51,ce,05,db,10,49,5f,7c,66,80, \
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZCfgSvc.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\vssvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2009-07-06 14:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-06 04:25

Pre-Run: 44,104,019,968 bytes free
Post-Run: 44,045,221,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:40 PM, on 7/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint2K\Apoint.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [LtMoh] "C:\Program Files\ltmoh\Ltmoh.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Diskeeper 9 Home Edition Registration.lnk = C:\Program Files\Executive Software\Diskeeper\ESIRegister.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1201850888652
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201850854243
O17 - HKLM\System\CCS\Services\Tcpip\..\{C75B8FCE-0BF2-477D-B502-A066479831C8}: NameServer = 203.8.183.1 192.189.54.33
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/MYBITS~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif

--
End of file - 6680 bytes



219 --- E O F --- 2009-06-26 09:35

Thanks, aroha
Cookiegal's Avatar
Administrator with 63,387 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
06-Jul-2009, 04:12 PM #39
Open Notepad and copy and paste the text in the code box below into it:

Code:
Folder::
c:\documents and settings\All Users\AVP 2009

RegNull::
[HKEY_USERS\S-1-5-21-3092170582-3944574435-1440423449-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{847682DE-AF1A-58B6-B17F-B3D4CB77C9AC}*]
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9aa176f6-b962-4b61-bafa-eb76cdd8dbc5}]
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.




This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
__________________
Microsoft MVP - Consumer Security
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
06-Jul-2009, 09:52 PM #40
slow computer
Hi Cookiegal,
I did everything you told me to do. When I ran ComboFix, during its scanning or thereabouts, a message dropped down saying that AVG was running, etc. I ended up having to uninstall AVG. ComboFix continued. Next, Notepad appeared, but there were no icons or taskbar, etc. I couldn't copy and paste, so I clicked File in Notepad and then Save As. Then I manually closed the internet. When I restarted it, my saved message was nowhere to be found.
aroha
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
07-Jul-2009, 12:44 AM #41
slow computer
Hi Cookiegal,
I think the problem is me.
I used the uninstaller that came with AVG. I was about to install it again, but decided to check Add & Remove. AVG was still there.
I don't know what to do when they say that AVG is still running. I removed it from the startup taskbar.
-------------------------------------------------------------
How do I make Mozilla & Thunderbird my default page?
Aroha
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
07-Jul-2009, 07:51 PM #42
slow computer
Hi cookiegal,
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
07-Jul-2009, 07:55 PM #43
slow computer
Hi Cookiegal
My email and webpage are fine now. I was wondering if I could uninstall AVG, then do what you asked me to do, then reinstall AVG?
aroha
Cookiegal's Avatar
Administrator with 63,387 posts.
 
Join Date: Aug 2003
Location: Quebec, Canada
07-Jul-2009, 08:02 PM #44
Did you follow the instructions at the following link to disable AVG?

http://www.bleepingcomputer.com/forums/topic114351.html

Please run it again and then post the log.
aroha's Avatar
Member with 65 posts.
 
Join Date: Jan 2008
08-Jul-2009, 05:25 AM #45
slow computer
Hi Cookiegal,
Finally.
aroha

ComboFix 09-07-07.A4 - My bits and pieces 07/08/2009 18:59.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.495.148 [GMT 10:00]
Running from: c:\documents and settings\My bits and pieces\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\My bits and pieces\Desktop\CFScript.tex.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-05 11:16 . 2009-07-05 11:16 -------- d-----w- c:\program files\Executive Software
2009-07-01 09:45 . 2009-06-17 01:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-01 09:45 . 2009-07-01 09:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 09:45 . 2009-06-17 01:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-23 04:44 . 2009-07-07 22:30 117760 ----a-w- c:\documents and settings\My bits and pieces\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 04:26 . 2009-06-23 04:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-23 04:25 . 2009-07-02 05:44 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 04:25 . 2009-06-23 04:25 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\SUPERAntiSpyware.com
2009-06-23 04:25 . 2009-06-23 04:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-21 01:57 . 2009-06-21 01:57 -------- d-----w- c:\program files\Registry Clean Expert
2009-06-21 01:50 . 2009-06-21 01:50 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\Auslogics
2009-06-21 01:47 . 2009-06-21 01:47 -------- d-----w- c:\program files\Auslogics
2009-06-21 01:26 . 2009-06-22 23:41 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\wsInspector
2009-06-21 00:09 . 2009-06-21 01:51 -------- d-----w- c:\program files\Startup Inspector for Windows

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 08:33 . 2008-05-15 03:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-08 00:06 . 2007-09-20 09:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-07 08:45 . 2008-03-29 05:51 169936 -c--a-w- c:\documents and settings\My bits and pieces\Application Data\Mozilla\Firefox\Profiles\kqmqm7gf.default\FlashGot.exe
2009-06-23 01:17 . 2007-03-24 03:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-23 01:14 . 2006-12-24 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-22 09:48 . 2008-02-09 20:17 -------- d-----w- c:\program files\Bonjour
2009-06-22 09:20 . 2008-03-29 08:45 -------- d-----w- c:\program files\CyberLink
2009-06-22 09:20 . 2004-04-10 07:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-28 02:20 . 2009-03-30 03:39 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-28 02:20 . 2009-03-30 03:39 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-28 02:20 . 2009-03-30 03:39 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-28 02:20 . 2009-03-30 03:39 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-27 01:58 . 2007-04-20 09:32 -------- d-----w- c:\documents and settings\My bits and pieces\Application Data\Canon
2009-05-07 15:32 . 2004-04-10 06:43 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2006-06-23 00:33 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-04-10 06:44 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-12 04:53 . 2005-01-05 23:57 54824 -c--a-w- c:\documents and settings\My bits and pieces\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2006-12-27 10:58 . 2006-12-27 10:58 5971432 -c--a-w- c:\program files\Firefox Setup 2.0.0.1.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-07-06_04.22.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-07 22:29 . 2009-07-07 22:29 16384 c:\windows\Temp\Perflib_Perfdata_6a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-30 192512]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-26 118843]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2003-01-02 172032]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-07-03 40960]
"FixCamera"="c:\windows\FixCamera.exe" [2007-07-11 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-28 1947928]
"DiskeeperSystray"="c:\program files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 184408]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]

c:\documents and settings\My bits and pieces\Start Menu\Programs\Startup\
Diskeeper 9 Home Edition Registration.lnk - c:\program files\Executive Software\Diskeeper\ESIRegister.exe [2005-1-4 3674112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2004-4-10 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 02:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2003-12-16 05:49 110592 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-28 02:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/30/2009 1:39 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/30/2009 1:39 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [4/10/2004 5:27 PM 5760]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/28/2009 12:20 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/28/2009 12:20 PM 298776]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [4/10/2004 9:50 AM 46108]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [6/22/2007 8:54 AM 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [12/13/2006 5:31 PM 87040]
S3 Tmesrv;Tmesrv3;c:\program files\Toshiba\TME3\TMESRV31.exe [4/10/2004 5:27 PM 126976]
.
Contents of the 'Scheduled Tasks' folder

2009-07-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-30 08:12]

2009-05-28 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

2009-07-07 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 07:04]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
TCP: {C75B8FCE-0BF2-477D-B502-A066479831C8} = 203.8.183.1 192.189.54.33
FF - ProfilePath - c:\documents and settings\My bits and pieces\Application Data\Mozilla\Firefox\Profiles\kqmqm7gf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Merriam-Webster Dictionary
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPJPI150_01.dll
FF - plugin: c:\program files\Java\jre1.5.0_01\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 19:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\System32\LgNotify.dll

- - - - - - - > 'explorer.exe'(4080)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-08 19:11
ComboFix-quarantined-files.txt 2009-07-08 09:11
ComboFix2.txt 2009-07-07 01:09
ComboFix3.txt 2009-07-06 04:25

Pre-Run: 44,233,621,504 bytes free
Post-Run: 44,215,201,792 bytes free

165 --- E O F --- 2009-06-26 09:35
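When reading logs like the HijackThis O23/O24 lines and the ComboFix "Reg Loading Points" and driver/service lines above, the first thing a helper checks is where each autostart item actually lives: entries that load from Temp, Local Settings or Application Data deserve a closer look than ones under Windows or Program Files. The small triage script below is an added example, not part of this thread and not code from HijackThis or ComboFix. It parses the four line shapes that appear in this thread, resolves the on-disk path (using the "- resolved path" form ComboFix prints for bare names such as AGRSMMSG.exe), and flags entries outside a set of trusted roots. The sample lines are copied from this thread plus one constructed entry for the test; the trusted-root and user-writable markers are assumptions of this example, not a rule from either tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: real lines copied from the thread's HijackThis and
# ComboFix logs, plus one constructed "updater" entry in a Temp folder.
SAMPLE_LOG = r"""
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/MYBITS~1/LOCALS~1/Temp/msoclip1/01/clip_image002.gif
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2003-04-18 88363]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/30/2009 1:39 PM 325896]
"updater"="c:\documents and settings\user\Local Settings\Temp\upd.exe" [2009-07-01 45056]
"""

# Assumed heuristic: anything under these roots is "expected"; anything
# containing a user-writable marker is worth a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\docume~1\\")

# One regex per line shape seen in the thread.
PATTERNS = {
    # O23 - Service: <name> - <vendor> - <path>
    "hjt_o23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>.+)$"),
    # O24 - Desktop Component N: (no name) - file:///<path>
    "hjt_o24": re.compile(r"^O24 - (?P<name>[^:]+): .*? - (?P<path>file:///.+)$"),
    # "<name>"="<path>" [date size]   or   "<name>"="<bare>" - <resolved> [date size]
    "cf_run": re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: - (?P<resolved>.+?))? \[\S+ \d+\]$'),
    # R1 <name>;<description>;<path> [timestamp size]
    "cf_driver": re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[.*\]$"),
}


@dataclass
class AutorunEntry:
    kind: str   # which pattern matched
    name: str
    path: str   # normalised, lower-case Windows path


def normalise_path(raw: str) -> str:
    """Strip a file:/// prefix, unify separators and lower-case the path."""
    p = raw.strip()
    if p.lower().startswith("file:///"):
        p = p[len("file:///"):]
    return p.replace("/", "\\").lower()


def is_suspicious_location(path: str) -> bool:
    """True when the path is user-writable or outside the trusted roots."""
    p = normalise_path(path)
    if any(marker in p for marker in USER_WRITABLE):
        return True
    return not p.startswith(TRUSTED_ROOTS)


def parse_entry(line: str) -> Optional[AutorunEntry]:
    """Parse one log line into an AutorunEntry, or None if it is not an autostart line."""
    line = line.strip()
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            groups = m.groupdict()
            # Prefer the resolved path ComboFix prints after a bare file name.
            path = groups.get("resolved") or groups["path"]
            return AutorunEntry(kind, groups["name"], normalise_path(path))
    return None


def parse_log(text: str) -> List[AutorunEntry]:
    """Collect every recognised autostart entry from a log excerpt."""
    entries = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            entries.append(entry)
    return entries


def triage(text: str) -> List[AutorunEntry]:
    """Return only the entries whose on-disk location looks out of place."""
    return [e for e in parse_log(text) if is_suspicious_location(e.path)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"[{entry.kind}] {entry.name}: {entry.path}")
```

Against the sample, the two flagged items are the O24 desktop component loading a GIF out of the user's Temp folder and the constructed "updater" Run entry; the Intel service, the AVG driver and the Program Files / Windows entries pass. A flag is a prompt to look at the file, not a verdict: legitimate software does sometimes run from Application Data, which is why the helper reports rather than deletes.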