Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Suspect Vundo Infection - Please Help! (In Progress)
verero
Junior Member with 12 posts.
 
Join Date: Oct 2009
Experience: Intermediate
22-Oct-2009, 10:34 PM #1
Suspect Vundo Infection - Please Help!
Hi,

I have been having some trouble with my browser and email program and Spybot S&D detected Virtumonde Trojan. I selected the 'Fix it' option, but there is still something wrong:

  • Google Searches on Firefox are re-directed to ad sites
  • IE sometimes won't open, saying it needed to shut down unexpectedly
  • Thunderbird won't open ('Missing Shortcut'). Firefox and Thunderbird are my programs of choice for Internet and Email
  • Ad-Aware shuts down while running
  • I tried Vundofix, but it found no infected files
Thank you so much for taking the time to look at this. I truly appreciate it. Here is the HijackThis log I did after running Spybot:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:48 PM, on 10/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O20 - Winlogon Notify: e81390d7687 - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Google Update Service (gupdate1c9ef8d198317fe) (gupdate1c9ef8d198317fe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 8301 bytes
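As an added example that is not part of this thread and not a tool either poster used, here is a small triage script for the HijackThis v2 line format shown above. It picks out the two structural red flags a reviewer looks for first in a log like this one: an O20 Winlogon Notify entry whose target is a bare directory rather than a DLL, and an O16 DPF entry with no name and no download URL. It also applies a name heuristic (few vowels, long consonant run, or hex-like digit/letter mix) to file-name stems, which catches names such as the ahxyktnzpdffzm.dll reported later in the thread. The sample log is constructed (two of its lines reproduce entries from the log above, the rest are benign entries of the same shape), and the heuristic is a triage aid with false positives, which is why it is applied to file names only and not to service names like Google Update's per-install identifier.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 line format. The O16 and O20 lines
# reproduce entries from the log posted above; the rest are benign entries of
# the same shape. This is an excerpt, not a full log.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O20 - Winlogon Notify: e81390d7687 - C:\WINDOWS\
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def looks_random(name: str) -> bool:
    """Heuristic: does a file-name stem look machine-generated?

    Flags long hex-like tokens that mix digits and letters (e81390d7687) and
    long letter strings with almost no vowels or a long consonant run
    (ahxyktnzpdffzm). Short names are never flagged. Triage aid, not a verdict.
    """
    s = name.lower()
    if len(s) < 8:
        return False
    if re.fullmatch(r"[0-9a-f]+", s) and any(c.isdigit() for c in s) and any(c.isalpha() for c in s):
        return True
    letters = [c for c in s if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(s)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def extract_path(rest: str) -> str:
    """Return the Windows path in an entry: a quoted path if present, else the
    first drive-letter path running to end of line (HJT puts the path last)."""
    m = re.search(r'"([A-Za-z]:\\[^"]*)"', rest)
    if m:
        return m.group(1)
    m = re.search(r"[A-Za-z]:\\.*$", rest)
    return m.group(0).strip() if m else ""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Walk the 'Oxx - ...' lines of an HJT log and collect structural red flags."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Z]\d+) - (.*)$", line)
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        path = extract_path(rest)

        if section == "O20":
            nm = re.match(r"Winlogon Notify: (\S+) - ", rest)
            name = nm.group(1) if nm else ""
            if not path or path.endswith("\\"):
                findings.append(Finding(section, f"Winlogon Notify '{name}' points at a directory, not a DLL", line))
            elif looks_random(name):
                findings.append(Finding(section, f"Winlogon Notify name '{name}' looks machine-generated", line))
        elif section == "O16" and re.fullmatch(r"DPF: \{[0-9A-Fa-f-]+\} -", rest):
            findings.append(Finding(section, "DPF entry with no name and no download URL", line))

        # Name heuristic on the file-name stem only (service names are skipped on purpose).
        if path:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(Finding(section, f"file name '{stem}' looks machine-generated", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run on the sample it reports exactly the O16 and O20 entries; everything else in the excerpt is a normal vendor path and passes. A finding is a reason to look closer (file dates, signer, quarantine log), not a removal instruction by itself.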
sjpritch25
Moderator with 8,661 posts.
 
Join Date: Sep 2005
Location: Florida
Experience: Advanced
25-Oct-2009, 06:34 PM #2
Welcome to TSG

Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
Microsoft Valuable Professional Consumer--Security 2007-2009
verero
Junior Member with 12 posts.
 
Join Date: Oct 2009
Experience: Intermediate
25-Oct-2009, 08:02 PM #3
Combofix and HijackThis logs
sj,

Followed your instructions and here are the requested logs. At this time I am pretty worried about the missing Thunderbird as that would be where all my emails/addresses are and I don't know what's the best way to recover that info.

Thank you so very much!

V

ComboFix 09-10-25.01 - Verena 10/25/2009 19:31.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.523 [GMT -4:00]
Running from: c:\documents and settings\Verena\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Benjamin\Application Data\020000006f0b6fcd687C.manifest
c:\documents and settings\Benjamin\Application Data\020000006f0b6fcd687O.manifest
c:\documents and settings\Benjamin\Application Data\020000006f0b6fcd687P.manifest
c:\documents and settings\Benjamin\Application Data\020000006f0b6fcd687S.manifest
c:\documents and settings\Benjamin\My Documents\ZbThumbnail.info
c:\documents and settings\Christine\Application Data\020000006f0b6fcd687C.manifest
c:\documents and settings\Christine\Application Data\020000006f0b6fcd687O.manifest
c:\documents and settings\Christine\Application Data\020000006f0b6fcd687P.manifest
c:\documents and settings\Christine\Application Data\020000006f0b6fcd687S.manifest
c:\documents and settings\Verena\Application Data\020000006f0b6fcd687C.manifest
c:\documents and settings\Verena\Application Data\020000006f0b6fcd687O.manifest
c:\documents and settings\Verena\Application Data\020000006f0b6fcd687P.manifest
c:\documents and settings\Verena\Application Data\020000006f0b6fcd687S.manifest
c:\documents and settings\Verena\My Documents\ZbThumbnail.info
c:\program files\INSTALL.LOG
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 20:50 . 2009-10-25 20:54 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-16 02:22 . 2009-10-16 11:05 -------- d-----w- c:\windows\BDOSCAN8
2009-10-16 00:20 . 2009-10-16 00:20 -------- d-----w- c:\documents and settings\Verena\Application Data\Malwarebytes
2009-10-16 00:20 . 2009-10-16 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 23:13 . 2009-10-15 23:13 -------- d-----w- C:\VundoFix Backups
2009-10-15 02:04 . 2009-10-15 10:48 -------- d-----w- c:\program files\McAfee
2009-10-15 02:04 . 2009-10-15 10:48 -------- d-----w- c:\program files\Common Files\Network Associates
2009-10-15 02:04 . 2009-10-15 02:04 -------- d-----w- c:\program files\McAfee VirusScan Home Edition 7.02 Demo 30
2009-10-15 01:37 . 2009-10-15 01:37 -------- dc-h--w- c:\windows\ie8
2009-10-14 23:51 . 2009-10-14 23:51 -------- d-----w- c:\program files\Trend Micro
2009-10-14 22:56 . 2009-10-14 22:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-06 23:47 . 2009-10-13 22:22 -------- d-----w- c:\documents and settings\Benjamin\Application Data\LimeWire
2009-10-06 23:04 . 2009-10-06 23:04 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Titanium Gears
2009-10-06 23:03 . 2009-10-06 23:03 -------- d-----w- c:\program files\Music Oasis
2009-10-06 22:33 . 2009-10-06 22:33 -------- d-----w- c:\program files\ezlyrics
2009-10-06 22:32 . 2009-10-13 22:40 -------- d-----w- c:\documents and settings\Benjamin\.jajuk
2009-10-06 22:14 . 2009-10-15 10:44 -------- d-----w- c:\program files\Jajuk
2009-10-06 22:13 . 2009-10-06 22:31 -------- d-----w- c:\documents and settings\Benjamin\Local Settings\Application Data\Mixxx
2009-10-06 22:12 . 2009-10-06 22:13 -------- d-----w- c:\program files\Digital DJ Pro
2009-10-05 08:59 . 2009-10-05 08:59 465920 ------w- c:\windows\system32\ahxyktnzpdffzm.dll
2009-10-02 03:33 . 2009-10-02 03:33 -------- d-----w- c:\documents and settings\Verena\Application Data\OverDrive
2009-10-02 03:29 . 2009-10-02 03:29 -------- d-----w- c:\program files\OverDrive Media Console
2009-10-01 02:41 . 2009-10-01 02:41 -------- d-----w- C:\My Music
2009-09-30 21:40 . 2009-09-30 21:40 45904 ------w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:22 . 2009-10-14 02:23 -------- d-----w- c:\documents and settings\Verena\Local Settings\Application Data\Temp
2009-09-30 00:02 . 2009-09-30 00:02 -------- d-----w- c:\documents and settings\Verena\Local Settings\Application Data\Real
2009-09-30 00:01 . 2009-09-30 00:01 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-29 11:22 . 2009-09-29 11:29 -------- d-----w- c:\documents and settings\Christine\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 23:42 . 2009-06-09 22:53 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-25 23:42 . 2009-06-09 22:53 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-25 22:28 . 2005-04-17 18:17 -------- d-----w- c:\documents and settings\Verena\Application Data\Skype
2009-10-25 19:41 . 2007-05-03 14:01 -------- d-----w- c:\program files\ABC Amber PDF2Image Converter
2009-10-24 02:40 . 2005-02-21 13:34 -------- d-----w- c:\program files\Java
2009-10-20 00:15 . 2005-02-21 02:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-19 03:08 . 2005-02-21 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-14 11:02 . 2009-01-08 18:35 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-10-14 10:46 . 2007-12-26 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 00:17 . 2005-02-21 02:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 22:30 . 2009-03-16 18:12 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Skype
2009-10-10 03:26 . 2005-04-17 15:50 -------- d-----w- c:\program files\OpenOffice.org1.1.4
2009-10-08 00:35 . 2009-02-06 00:52 664 ------w- c:\windows\system32\d3d9caps.dat
2009-10-07 11:08 . 2005-06-12 21:40 -------- d-----w- c:\program files\LimeWire
2009-10-07 00:17 . 2008-04-02 23:47 -------- d-----w- c:\program files\TheWeatherNetwork
2009-10-03 19:00 . 2007-01-02 02:32 1100 ------w- c:\windows\system32\d3d8caps.dat
2009-10-03 18:07 . 2009-09-22 11:21 -------- d-----w- c:\documents and settings\Benjamin\Application Data\flightgear.org
2009-10-03 17:54 . 2009-09-21 22:18 413696 ------w- c:\windows\system32\wrap_oal.dll
2009-10-03 17:54 . 2009-09-21 22:18 110592 ------w- c:\windows\system32\OpenAL32.dll
2009-09-30 00:01 . 2005-03-09 06:19 -------- d-----w- c:\program files\Common Files\Real
2009-09-30 00:00 . 2006-03-18 17:46 -------- d-----w- c:\program files\Google
2009-09-23 12:55 . 2009-03-23 16:51 64288 ------w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 11:22 . 2009-09-22 11:22 -------- d-----w- c:\documents and settings\Benjamin\Application Data\fltk.org
2009-09-21 22:35 . 2009-09-21 22:14 -------- d-----w- c:\documents and settings\Verena\Application Data\flightgear.org
2009-09-21 22:18 . 2009-09-21 22:18 -------- d-----w- c:\program files\OpenAL
2009-09-11 14:18 . 2003-03-31 12:00 136192 ------w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ------w- c:\windows\system32\msasn1.dll
2009-09-01 17:11 . 2005-05-25 11:55 45904 -c----w- c:\documents and settings\Benjamin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 12:06 . 2009-04-06 12:57 45904 ------w- c:\documents and settings\Christine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 14:58 . 2009-08-30 14:58 -------- d-----w- c:\documents and settings\Verena\Application Data\SanDisk
2009-08-29 08:08 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2005-04-10 16:00 327896 ------w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-04-10 16:00 209632 ------w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ------w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-04-10 16:00 35552 ------w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-02-19 22:27 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2003-03-31 12:00 96480 ------w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2005-04-10 16:00 575704 ------w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-03-19 14:13 274288 ------w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-03-19 14:13 215920 ------w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2005-02-19 22:27 1929952 ------w- c:\windows\system32\wuaueng.dll
2009-08-06 23:09 . 2005-02-19 22:54 45904 -c----w- c:\documents and settings\Verena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-02-19 22:52 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 19:23 . 2008-11-02 18:02 411368 ------w- c:\windows\system32\deploytk.dll
2004-03-11 18:27 . 2005-02-19 23:11 40960 ------w- c:\program files\Uninstall_CDS.exe
2009-10-05 08:59 . 2009-10-05 08:59 362496 ------w- c:\program files\mozilla firefox\components\ahxyktnzpdffzm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-08-30 79872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-04-06 1298542]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-07-12 176128]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-17 781656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-30 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Cobian Backup 9 interface"="c:\program files\Cobian Backup 9\cbInterface.exe" [2009-01-22 2749952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-2-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=Digi32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Benjamin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Benjamin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Benjamin\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2009 12:51 PM 64288]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 11:49 AM 77312]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2/21/2005 1:06 AM 6656]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [10/25/2009 4:50 PM 583168]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/14/2009 8:31 PM 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1170768]
S2 gupdate1c9ef8d198317fe;Google Update Service (gupdate1c9ef8d198317fe);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 4:49 PM 133104]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2/21/2005 1:06 AM 28672]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 23:20]

2009-08-03 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2003-03-31 00:12]

2009-07-08 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-03-31 00:12]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 20:49]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 20:49]

2009-10-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1604221776-725345543-1005Core.job
- c:\documents and settings\Benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-23 23:46]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1604221776-725345543-1005UA.job
- c:\documents and settings\Benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-23 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Verena\Application Data\Mozilla\Firefox\Profiles\umg9o2t7.Default User\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\components\ahxyktnzpdffzm.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
Notify-e81390d7687 - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 19:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(492)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Digidesign\Drivers\MMERefresh.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\wdfmgr.exe
c:\combofix\CF4218.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Netropa\Onscreen Display\OSD.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\uWDF.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 23:49

Pre-Run: 50,727,895,040 bytes free
Post-Run: 54,092,152,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1B0503D57FA12FD01244C1E5999F8EFA




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:45 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cobian Backup 9\cbService.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Cobian Backup 9\cbInterface.exe
C:\Documents and Settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Cobian Backup 9 interface] "C:\Program Files\Cobian Backup 9\cbInterface.exe" -service
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/...fslauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartphotocentre.ca/activex/PCAXSetup.cab?
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Cobian Backup 9 service (CobianBackupAmanita) - Luis Cobian - C:\Program Files\Cobian Backup 9\cbService.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Google Update Service (gupdate1c9ef8d198317fe) (gupdate1c9ef8d198317fe) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 8830 bytes
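A log like the one above is what the helper reads by eye, line by line. As an added example (not a tool from this thread, the forum or Trend Micro), the Python script below parses the R/O entries of a HijackThis log and flags two review signals: random-looking module names, the shape of the ahxyktnzpdffzm.dll that ComboFix removes later in the thread, and autostart entries launched from a user profile directory. The sample log is constructed from lines in this thread plus one constructed O2 entry with a placeholder CLSID; both heuristics and their thresholds are assumptions of this example, not HijackThis rules.

```python
"""Triage helper for HijackThis v2 logs.

Added example for this thread, not a tool from the thread, the forum or
Trend Micro. It parses the R/O entries of a HijackThis log and flags two
things a malware helper looks for first:
  1. modules with random-looking basenames (long, nearly vowel-free), the
     shape of the ahxyktnzpdffzm.dll that ComboFix removed in this thread;
  2. autostart entries whose target lives inside a user profile directory.
Both are review heuristics (assumptions of this example), not HJT rules.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Section code ("R0", "O4", "O23"), a dash, then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2})\s+-\s+(?P<body>.+)$")
# First Windows path to a loadable module; stops at the first known extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|ocx))', re.I)
# Paths under a user profile (XP "Documents and Settings" or Vista+ "Users").
PROFILE_RE = re.compile(r"\\(?:documents and settings|users)\\[^\\]+\\", re.I)
# HJT sections that describe code loaded automatically.
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}


@dataclass
class Entry:
    section: str
    body: str
    path: str = ""
    flags: List[str] = field(default_factory=list)


def looks_random(basename: str) -> bool:
    """Heuristic: a stem of 10+ letters that is under 20% vowels or carries a
    consonant run of 6+ letters. Short names such as msmsgs.exe stay unflagged."""
    stem = basename.rsplit(".", 1)[0].lower()
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 10:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    runs = re.findall(r"[^aeiou]+", letters)
    longest_run = max((len(r) for r in runs), default=0)
    return vowels / len(letters) < 0.2 or longest_run >= 6


def parse_log(text: str) -> List[Entry]:
    """Keep only the R/F/O entries; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(m["sec"], m["body"])
        p = PATH_RE.search(entry.body)
        if p:
            entry.path = p.group(1)
        entries.append(entry)
    return entries


def triage(text: str) -> List[Entry]:
    """Return the entries that earned at least one review flag, in log order."""
    flagged = []
    for entry in parse_log(text):
        if not entry.path:
            continue
        basename = entry.path.rsplit("\\", 1)[-1]
        if looks_random(basename):
            entry.flags.append("random-looking module name")
        if entry.section in AUTOSTART_SECTIONS and PROFILE_RE.search(entry.path):
            entry.flags.append("autostart from user profile directory")
        if entry.flags:
            flagged.append(entry)
    return flagged


# Constructed sample: lines from this thread's HijackThis log plus one constructed
# O2 entry (placeholder CLSID) carrying the DLL name that ComboFix removed.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\ahxyktnzpdffzm.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.section:<4} {entry.path}  <- {'; '.join(entry.flags)}")
```

Flagged entries are candidates for a second look (submission to a scanner, vendor lookup), not verdicts; a legitimate updater running from Application Data will show up next to the real find.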
sjpritch25 (Moderator, 8,661 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
25-Oct-2009, 09:00 PM #4
Open notepad and copy/paste the text in the codebox below into it:
Code:
@echo off
rem Add each suspect file to Files_for_submission.zip (needs zip.exe on the PATH or beside this batch file)
for %%g in (
"c:\program files\mozilla firefox\components\ahxyktnzpdffzm.dll"
"c:\windows\system32\ahxyktnzpdffzm.dll"
) do zip Files_for_submission %%g
rem Delete this batch file once the archive has been built
del %0
Save this as grab.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:
Double click on grab.bat & allow it to run

A file, Files_for_submission.zip will be created on your desktop.

Please upload that file here --> http://www.bleepingcomputer.com/subm...php?channel=70
__________________
Microsoft Valuable Professional Consumer--Security 2007-2009
Please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
verero (Junior Member, 12 posts; Join Date: Oct 2009; Experience: Intermediate)
25-Oct-2009, 09:38 PM #5
.zip file uploaded
Requested .zip file uploaded successfully.
sjpritch25 (Moderator, 8,661 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
25-Oct-2009, 09:54 PM #6
Give me a sec to check that file out.
sjpritch25 (Moderator, 8,661 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
25-Oct-2009, 10:01 PM #7
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\ahxyktnzpdffzm.dll
c:\program files\mozilla firefox\components\ahxyktnzpdffzm.dll
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
verero (Junior Member, 12 posts; Join Date: Oct 2009; Experience: Intermediate)
25-Oct-2009, 10:20 PM #8
combofix.txt
Sorry, it took a while to run combofix. Here's the log:

ComboFix 09-10-25.01 - Verena 10/25/2009 22:08.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.520 [GMT -4:00]
Running from: c:\documents and settings\Verena\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Verena\Desktop\CFScript.txt
FILE ::
"c:\program files\mozilla firefox\components\ahxyktnzpdffzm.dll"
"c:\windows\system32\ahxyktnzpdffzm.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\mozilla firefox\components\ahxyktnzpdffzm.dll
c:\windows\system32\ahxyktnzpdffzm.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.
2009-10-25 23:49 . 2009-10-25 23:49 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-25 20:50 . 2009-10-25 20:54 -------- d-----w- c:\program files\Cobian Backup 9
2009-10-16 02:22 . 2009-10-16 11:05 -------- d-----w- c:\windows\BDOSCAN8
2009-10-16 00:20 . 2009-10-16 00:20 -------- d-----w- c:\documents and settings\Verena\Application Data\Malwarebytes
2009-10-16 00:20 . 2009-10-16 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-15 23:13 . 2009-10-15 23:13 -------- d-----w- C:\VundoFix Backups
2009-10-15 02:04 . 2009-10-15 10:48 -------- d-----w- c:\program files\McAfee
2009-10-15 02:04 . 2009-10-15 10:48 -------- d-----w- c:\program files\Common Files\Network Associates
2009-10-15 02:04 . 2009-10-15 02:04 -------- d-----w- c:\program files\McAfee VirusScan Home Edition 7.02 Demo 30
2009-10-15 01:37 . 2009-10-15 01:37 -------- dc-h--w- c:\windows\ie8
2009-10-14 23:51 . 2009-10-14 23:51 -------- d-----w- c:\program files\Trend Micro
2009-10-14 22:56 . 2009-10-14 22:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-06 23:47 . 2009-10-13 22:22 -------- d-----w- c:\documents and settings\Benjamin\Application Data\LimeWire
2009-10-06 23:04 . 2009-10-06 23:04 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Titanium Gears
2009-10-06 23:03 . 2009-10-06 23:03 -------- d-----w- c:\program files\Music Oasis
2009-10-06 22:33 . 2009-10-06 22:33 -------- d-----w- c:\program files\ezlyrics
2009-10-06 22:32 . 2009-10-13 22:40 -------- d-----w- c:\documents and settings\Benjamin\.jajuk
2009-10-06 22:14 . 2009-10-15 10:44 -------- d-----w- c:\program files\Jajuk
2009-10-06 22:13 . 2009-10-06 22:31 -------- d-----w- c:\documents and settings\Benjamin\Local Settings\Application Data\Mixxx
2009-10-06 22:12 . 2009-10-06 22:13 -------- d-----w- c:\program files\Digital DJ Pro
2009-10-02 03:33 . 2009-10-02 03:33 -------- d-----w- c:\documents and settings\Verena\Application Data\OverDrive
2009-10-02 03:29 . 2009-10-02 03:29 -------- d-----w- c:\program files\OverDrive Media Console
2009-10-01 02:41 . 2009-10-01 02:41 -------- d-----w- C:\My Music
2009-09-30 21:40 . 2009-09-30 21:40 45904 ------w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 11:22 . 2009-10-14 02:23 -------- d-----w- c:\documents and settings\Verena\Local Settings\Application Data\Temp
2009-09-30 00:02 . 2009-09-30 00:02 -------- d-----w- c:\documents and settings\Verena\Local Settings\Application Data\Real
2009-09-30 00:01 . 2009-09-30 00:01 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-29 11:22 . 2009-09-29 11:29 -------- d-----w- c:\documents and settings\Christine\Local Settings\Application Data\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 23:42 . 2009-06-09 22:53 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-25 23:42 . 2009-06-09 22:53 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-25 22:28 . 2005-04-17 18:17 -------- d-----w- c:\documents and settings\Verena\Application Data\Skype
2009-10-25 19:41 . 2007-05-03 14:01 -------- d-----w- c:\program files\ABC Amber PDF2Image Converter
2009-10-24 02:40 . 2005-02-21 13:34 -------- d-----w- c:\program files\Java
2009-10-20 00:15 . 2005-02-21 02:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-19 03:08 . 2005-02-21 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-14 11:02 . 2009-01-08 18:35 -------- d-----w- c:\program files\PC Tools AntiVirus
2009-10-14 10:46 . 2007-12-26 01:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 00:17 . 2005-02-21 02:03 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-13 22:30 . 2009-03-16 18:12 -------- d-----w- c:\documents and settings\Benjamin\Application Data\Skype
2009-10-10 03:26 . 2005-04-17 15:50 -------- d-----w- c:\program files\OpenOffice.org1.1.4
2009-10-08 00:35 . 2009-02-06 00:52 664 ------w- c:\windows\system32\d3d9caps.dat
2009-10-07 11:08 . 2005-06-12 21:40 -------- d-----w- c:\program files\LimeWire
2009-10-07 00:17 . 2008-04-02 23:47 -------- d-----w- c:\program files\TheWeatherNetwork
2009-10-03 19:00 . 2007-01-02 02:32 1100 ------w- c:\windows\system32\d3d8caps.dat
2009-10-03 18:07 . 2009-09-22 11:21 -------- d-----w- c:\documents and settings\Benjamin\Application Data\flightgear.org
2009-10-03 17:54 . 2009-09-21 22:18 413696 ------w- c:\windows\system32\wrap_oal.dll
2009-10-03 17:54 . 2009-09-21 22:18 110592 ------w- c:\windows\system32\OpenAL32.dll
2009-09-30 00:01 . 2005-03-09 06:19 -------- d-----w- c:\program files\Common Files\Real
2009-09-30 00:00 . 2006-03-18 17:46 -------- d-----w- c:\program files\Google
2009-09-23 12:55 . 2009-03-23 16:51 64288 ------w- c:\windows\system32\drivers\Lbd.sys
2009-09-22 11:22 . 2009-09-22 11:22 -------- d-----w- c:\documents and settings\Benjamin\Application Data\fltk.org
2009-09-21 22:35 . 2009-09-21 22:14 -------- d-----w- c:\documents and settings\Verena\Application Data\flightgear.org
2009-09-21 22:18 . 2009-09-21 22:18 -------- d-----w- c:\program files\OpenAL
2009-09-11 14:18 . 2003-03-31 12:00 136192 ------w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2003-03-31 12:00 58880 ------w- c:\windows\system32\msasn1.dll
2009-09-01 17:11 . 2005-05-25 11:55 45904 -c----w- c:\documents and settings\Benjamin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-01 12:06 . 2009-04-06 12:57 45904 ------w- c:\documents and settings\Christine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-30 14:58 . 2009-08-30 14:58 -------- d-----w- c:\documents and settings\Verena\Application Data\SanDisk
2009-08-29 08:08 . 2003-03-31 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2005-04-10 16:00 327896 ------w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2005-04-10 16:00 209632 ------w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ------w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2005-04-10 16:00 35552 ------w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2005-02-19 22:27 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2003-03-31 12:00 96480 ------w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2005-04-10 16:00 575704 ------w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-03-19 14:13 274288 ------w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-03-19 14:13 215920 ------w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2005-02-19 22:27 1929952 ------w- c:\windows\system32\wuaueng.dll
2009-08-06 23:09 . 2005-02-19 22:54 45904 -c----w- c:\documents and settings\Verena\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:01 . 2005-02-19 22:52 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2003-03-31 12:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2002-08-29 01:04 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-31 19:23 . 2008-11-02 18:02 411368 ------w- c:\windows\system32\deploytk.dll
2004-03-11 18:27 . 2005-02-19 23:11 40960 ------w- c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-25_23.43.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-02-19 22:32 . 2009-10-25 23:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-02-19 22:32 . 2009-02-18 13:34 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-02-19 22:32 . 2009-10-25 23:49 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-02-19 22:32 . 2009-02-18 13:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-25 23:49 . 2009-10-25 23:49 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Verena\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-08-30 79872]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-04-06 1298542]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-07-12 176128]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-17 781656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-30 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"Cobian Backup 9 interface"="c:\program files\Cobian Backup 9\cbInterface.exe" [2009-01-22 2749952]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-2-20 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=Digi32.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Benjamin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Benjamin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Benjamin\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/23/2009 12:51 PM 64288]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 11:49 AM 77312]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2/21/2005 1:06 AM 6656]
R2 CobianBackupAmanita;Cobian Backup 9 service;c:\program files\Cobian Backup 9\cbService.exe [10/25/2009 4:50 PM 583168]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [6/14/2009 8:31 PM 55152]
S2 gupdate1c9ef8d198317fe;Google Update Service (gupdate1c9ef8d198317fe);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 4:49 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 7:17 AM 1170768]
S2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2/21/2005 1:06 AM 28672]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
2009-10-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 23:20]
2009-08-03 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2003-03-31 00:12]
2009-07-08 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-03-31 00:12]
2009-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 20:49]
2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 20:49]
2009-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1604221776-725345543-1005Core.job
- c:\documents and settings\Benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-23 23:46]
2009-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-329068152-1604221776-725345543-1005UA.job
- c:\documents and settings\Benjamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-23 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
FF - ProfilePath - c:\documents and settings\Verena\Application Data\Mozilla\Firefox\Profiles\umg9o2t7.Default User\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMySrWB.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 22:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-10-26 22:17
ComboFix-quarantined-files.txt 2009-10-26 02:16
ComboFix2.txt 2009-10-25 23:50
Pre-Run: 54,094,725,120 bytes free
Post-Run: 54,083,051,520 bytes free
- - End Of File - - 042BE304699B67181ED57D0911F2A21B
sjpritch25 (Moderator, 8,661 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
26-Oct-2009, 05:01 PM #9
How is everything running???
verero (Junior Member, 12 posts; Join Date: Oct 2009; Experience: Intermediate)
26-Oct-2009, 06:38 PM #10
Well -

IE is running normal, so is Outlook Express.
Mozilla Thunderbird is still missing altogether and Google searches in Firefox are still being re-directed. Just got home from work and am running Ad-Aware to see if it still shuts down half way through.
verero (Junior Member, 12 posts; Join Date: Oct 2009; Experience: Intermediate)
26-Oct-2009, 07:07 PM #11
Ad-Aware is running normal again as well!
sjpritch25 (Moderator, 8,661 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
26-Oct-2009, 08:36 PM #12
Download GMER Antirootkit Here, and save to your Desktop
  • Disconnect from the internet and disable all active protection so your security program drivers will not conflict with gmer's driver
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the "Rootkit" Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | Run | type cmd and hit Enter)
    • Type or paste the following to unload the gmer driver:
    • net stop gmer
    • Hit Enter
    • Exit the command prompt.
  • Re-enable all active protection.
verero (Junior Member, 12 posts; Join Date: Oct 2009; Experience: Intermediate)
27-Oct-2009, 12:12 AM #13
gmer log
Ran Gmer. When entering the command line to unload the driver I got a notice that it does not exist as an installed service. Security is back on. Firefox and Thunderbird still present the same problems as before. Here's the log. Oh, and thanks again!!!

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-26 23:53:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Verena\LOCALS~1\Temp\awloypow.sys

---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF756087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7560BFE]
Code \??\C:\ComboFix\catchme.sys pIofCallDriver
---- Kernel code sections - GMER 1.0.15 ----
? Combo-Fix.sys The system cannot find the file specified. !
? C:\DOCUME~1\Verena\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Ahead Software AG)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
sjpritch25 (Moderator, 8,661 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced)
28-Oct-2009, 04:13 PM #14
Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.
verero (Junior Member, 12 posts; Join Date: Oct 2009; Experience: Intermediate)
28-Oct-2009, 05:56 PM #15
Downloaded/saved Goored.exe, but the only option was to run it. No #1 or #2. I ran it and this is the log (Note: it did fix the Google Redirect, it seems!):

Do you think we can restore my Thunderbird?

GooredFix by jpshortstuff (24.09.09.1)
Log created at 17:50 on 28/10/2009 (Verena)
Firefox version 3.0.14 (en-US)
========== GooredScan ==========

========== GooredLog ==========
C:\Program Files\Mozilla Firefox\extensions\
{800b5000-a755-47e1-992b-48a1c1357f07} [00:30 12/05/2009]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [01:32 21/02/2005]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [13:07 12/04/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [12:15 10/09/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [15:08 03/12/2007]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [13:26 10/03/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [18:02 02/11/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [13:45 02/03/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [11:53 13/05/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [01:53 29/09/2009]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [02:40 24/10/2009]
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [22:54 06/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [18:02 02/11/2008]
-=E.O.F=-
Tags
virtumonde, vundo
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.