
avast found win32:dracur_c, win32:trojan-gen,win32:alureon-hd, win32crypt-gwl

Discussion in 'Virus & Other Malware Removal' started by cookiemonsternbr, Jul 17, 2010.

  1. cookiemonsternbr (Thread Starter) - Joined: Aug 6, 2006 - Messages: 117
    So, this is a newer netbook, almost 8 months old. I don't know how I got these because I have had anti-virus running from day one.

    Anyway, it all started when I was on Facebook: it just went to a different page and I never clicked on anything. Then "MS Security Center" popped up saying everything was infected, and kept telling me that I didn't have an antivirus program and I couldn't do anything but keep going to this ad to buy one... which was odd because Avast was running. I opened Avast and did a quick check and found the first one, Dracur_c, but when I tried to do the action to move it to the chest it was telling me that there was not enough room on the disc... and my disc is NOT FULL, odd. So I deleted it and it worked. I can not copy and paste the results (if I can, I don't know how), but I will tell you it was in C:/system volume information/_restore{ number letters}.dll and .EXE, and it was also in C:/windows/system32/fwcfg32.dll, listed TWICE.

    I then restarted the computer in safe mode and did a full scan, and it then found it again in system volume information/restore{letter numbers}.DLL twice, and then in Windows/system32/75.tmp.

    This morning it was still acting weird when I started IE: redirecting me when I would use Google, and when I would send an error log to MS the page never loaded and then I would get a popup ad. So I ran another Avast scan and got the win32:trojan-gen, win32:alureon-hd, win32crypt-gwl that came up... This time it was found in my TEMP folder as an EXE and one in my system restore as A0032258.EXE... again it wasn't able to move it to the chest because my disc is full (but really is not), so I deleted them.

    My computer is running slow and IE is sometimes never loading pages and Google is redirecting to adverts; also MS pages for sending logs NEVER load, and I have gotten 4 popups from Avast saying that something is trying to hijack me but it is able to block it... ? Here is my HJT LOG:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:16:25 PM, on 7/17/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Richa\Desktop\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph12094255l0304wu75w8722311r
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
    O2 - BHO: (no name) - {0d15e393-WWWW99af-WWWWb41e-WWWWWWb6WWWWWWd3-WWWWWWbfWWWWWW22WWWWWWb1WWWWWW4bWWWWWW5cWWWWWW8W} - (no file)
    O2 - BHO: (no name) - {0ea648e2-WWWW91c2-WWWWc25W-WWWWWWd2WWWWWW21-WWWWWWa6WWWWWWecWWWWWWW8WWWWWWa1WWWWWWfdWWWWWWa4} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {1bfc2d8a-WWWW81Wb-WWWWd1cW-WWWWWW22WWWWWWcd-WWWWWW63WWWWWW8fWWWWWW34WWWWWWf8WWWWWWW5WWWWWW85} - (no file)
    O2 - BHO: (no name) - {3W7fcW7f-WWWWd3W1-WWWW59bc-WWWWWW26WWWWWWbd-WWWWWW2fWWWWWWa7WWWWWW86WWWWWWWaWWWWWW48WWWWWW9f} - (no file)
    O2 - BHO: (no name) - {567af8cc-WWWWcb49-WWWWaW67-WWWWWW7fWWWWWW34-WWWWWW4eWWWWWWc1WWWWWWdWWWWWWW5aWWWWWWcaWWWWWWbf} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {5W71a76c-WWWW9bed-WWWWfc71-WWWWWW29WWWWWW6b-WWWWWWb7WWWWWW4aWWWWWW1dWWWWWW2dWWWWWWcfWWWWWW27} - (no file)
    O2 - BHO: (no name) - {5Wcc323e-WWWWb9bd-WWWWfe6f-WWWWWW2eWWWWWW34-WWWWWWcfWWWWWWa8WWWWWWWcWWWWWW48WWWWWWcdWWWWWW42} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: (no name) - {8da9a7ee-WWWW15d4-WWWW4f45-WWWWWWWeWWWWWW26-WWWWWW11WWWWWW2bWWWWWWW1WWWWWWffWWWWWWb3WWWWWWfb} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {9f6fd7b5-WWWWd555-WWWWcb2W-WWWWWW54WWWWWW8d-WWWWWW18WWWWWWc4WWWWWWW9WWWWWWcbWWWWWW82WWWWWW55} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: (no name) - {acae14cb-WWWW18be-WWWW1d4b-WWWWWWdaWWWWWWb5-WWWWWWdeWWWWWW64WWWWWW3cWWWWWW25WWWWWWW9WWWWWWb4} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O2 - BHO: (no name) - {d932e25d-WWWW119W-WWWW3a91-WWWWWW3WWWWWWW2c-WWWWWW8bWWWWWWaaWWWWWWW9WWWWWW64WWWWWWeWWWWWWWf5} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [emkrwdrt] C:\Documents and Settings\Richa\Local Settings\Application Data\avfbjlodn\ygelgcttssd.exe
    O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Richa\Application Data\SystemProc\lsass.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 11670 bytes


    In the meantime I will do a Panda scan ONLINE and post the log. THANKS for all your past help. My other computer is acting funny as well, so I will be needing to do that one after this. THANKS
     
  2. cookiemonsternbr (Thread Starter) - Joined: Aug 6, 2006 - Messages: 117
    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2010-07-18 00:34:15
    PROTECTIONS: 1
    MALWARE: 10
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! Antivirus 5.0.83886674 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][1].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][1].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][1].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\networkservice\cookies\[email protected][2].txt
    06566027 Generic Trojan Virus/Trojan No 0 Yes No c:\windows\system32\syswow32\wu110902772v2[patch.exe]
    06581653 W32/Lopown.B Virus No 0 No No c:\windows\system32\syswow32\wu110902772v1[patch.exe]
    06584385 W32/Lopown.B Virus No 0 No No c:\windows\system32\syswow32\wu110902772v3[patch.exe]
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  3. muppy03 (Malware Specialist) - Joined: Jun 19, 2006 - Messages: 1,880
    Hello and welcome to TSG

    IMPORTANT

    Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
    To make cleaning this machine easier:-
    • Continue to respond to this thread until I give you the All Clean!
    • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
    • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
    • Please follow all instructions in the order posted.
    • If you have any questions or do not understand instructions, please ask before continuing.
    • Please reply to this thread. Do not start a new topic.
    • Topics not replied to within 3 days will be removed from my Subscribed Threads List.

    Your log is very hard to read. Please go into Notepad and make sure Word Wrap is unchecked.

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

    Please post this log on your next reply.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

    Please reply with:-
    • Uninstall list
    • RSIT logs ( info.txt and log.txt)
     
  4. cookiemonsternbr (Thread Starter) - Joined: Aug 6, 2006 - Messages: 117
    I have just spent the last hour trying everything to get back online... Somehow, whatever bug this is, it changes all my network settings and also has done something with my USB ports. Sigh.

    Here are the logs, attached:
     

  5. muppy03 (Malware Specialist) - Joined: Jun 19, 2006 - Messages: 1,880
    What we do next should fix the internet connection.

    Open HijackThis and select Do a System Scan Only, then place a check next to the lines below if they are still present:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
    O2 - BHO: (no name) - {0d15e393-WWWW99af-WWWWb41e-WWWWWWb6WWWWWWd3-WWWWWWbfWWWWWW22WWWWWWb1WWWWWW4bWWWWWW5cWWWWWW8W} - (no file)
    O2 - BHO: (no name) - {0ea648e2-WWWW91c2-WWWWc25W-WWWWWWd2WWWWWW21-WWWWWWa6WWWWWWecWWWWWWW8WWWWWWa1WWWWWWfdWWWWWWa4} - (no file)
    O2 - BHO: (no name) - {1bfc2d8a-WWWW81Wb-WWWWd1cW-WWWWWW22WWWWWWcd-WWWWWW63WWWWWW8fWWWWWW34WWWWWWf8WWWWWWW5WWWWWW85} - (no file)
    O2 - BHO: (no name) - {3W7fcW7f-WWWWd3W1-WWWW59bc-WWWWWW26WWWWWWbd-WWWWWW2fWWWWWWa7WWWWWW86WWWWWWWaWWWWWW48WWWWWW9f} - (no file)
    O2 - BHO: (no name) - {567af8cc-WWWWcb49-WWWWaW67-WWWWWW7fWWWWWW34-WWWWWW4eWWWWWWc1WWWWWWdWWWWWWW5aWWWWWWcaWWWWWWbf} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {5W71a76c-WWWW9bed-WWWWfc71-WWWWWW29WWWWWW6b-WWWWWWb7WWWWWW4aWWWWWW1dWWWWWW2dWWWWWWcfWWWWWW27} - (no file)
    O2 - BHO: (no name) - {5Wcc323e-WWWWb9bd-WWWWfe6f-WWWWWW2eWWWWWW34-WWWWWWcfWWWWWWa8WWWWWWWcWWWWWW48WWWWWWcdWWWWWW42} - (no file)
    O2 - BHO: (no name) - {8da9a7ee-WWWW15d4-WWWW4f45-WWWWWWWeWWWWWW26-WWWWWW11WWWWWW2bWWWWWWW1WWWWWWffWWWWWWb3WWWWWWfb} - (no file)
    O2 - BHO: (no name) - {9f6fd7b5-WWWWd555-WWWWcb2W-WWWWWW54WWWWWW8d-WWWWWW18WWWWWWc4WWWWWWW9WWWWWWcbWWWWWW82WWWWWW55} - (no file)
    O2 - BHO: (no name) - {acae14cb-WWWW18be-WWWW1d4b-WWWWWWdaWWWWWWb5-WWWWWWdeWWWWWW64WWWWWW3cWWWWWW25WWWWWWW9WWWWWWb4} - (no file)
    O2 - BHO: (no name) - {d932e25d-WWWW119W-WWWW3a91-WWWWWW3WWWWWWW2c-WWWWWW8bWWWWWWaaWWWWWWW9WWWWWW64WWWWWWeWWWWWWWf5} - (no file)
    O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Richa\Application Data\SystemProc\lsass.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O24 - Desktop Component 0: (no name) - (no file)

    Once selected, close all windows except HJT and click on Fix Checked.

    I would like you to restore your Proxy settings as they have been modified by malware and that's the reason why you can't connect.
    To do this:
    In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".
    In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

    REBOOT COMPUTER


    Download and run Combofix
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • If you need help to disable your protection programs see here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    If you need help, see this link:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please reply with:-
    • Combofix log
    • New HJT log
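    A small triage script, added here as an example and not part of the thread or of HijackThis, that applies the same checks muppy03 applied by hand to the log above: a browser proxy pointing at 127.0.0.1, entries whose target file is missing, and autostarts running from a user profile directory, including a system process name such as lsass.exe outside system32. The sample lines are copied from the posted log, plus two benign entries for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the HijackThis log in post #1 above,
# plus the avast5 and Google Toolbar lines as benign controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [emkrwdrt] C:\Documents and Settings\Richa\Local Settings\Application Data\avfbjlodn\ygelgcttssd.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\Richa\Application Data\SystemProc\lsass.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O24 - Desktop Component 0: (no name) - (no file)
"""

# Core Windows process names that legitimately live only under %SystemRoot%\system32.
# The same name starting from a profile directory is a masquerade, as in the
# RTHDBPL entry above.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "services.exe",
                        "winlogon.exe", "svchost.exe"}

# Per-user writable locations an autostart should not normally run from (XP layout).
PROFILE_DIR = re.compile(r"\\(application data|local settings)\\", re.IGNORECASE)
# A ProxyServer value that sends browser traffic to a listener on this machine.
LOCAL_PROXY = re.compile(r"proxyserver\s*=.*?(127\.0\.0\.1|localhost)", re.IGNORECASE)
ENTRY = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def autostart_target(command: str) -> str:
    """Return the executable path from an O4 command, quotes and arguments stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def triage_line(raw: str):
    """Apply the triage rules to one HijackThis line; None when nothing is suspicious."""
    m = ENTRY.match(raw.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("orphaned entry: registered component has no file on disk")
    if section.startswith("R") and LOCAL_PROXY.search(body):
        reasons.append("browser proxy points at a listener on this machine; "
                       "traffic is relayed through a local process")
    if section == "O4":
        command = body.split("]", 1)[1] if "]" in body else body
        target = autostart_target(command)
        if PROFILE_DIR.search(target):
            reasons.append("autostart runs from a user profile directory")
        name = target.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_PROCESS_NAMES and "\\system32\\" not in target.lower():
            reasons.append(f"{name} outside %SystemRoot%\\system32 (name masquerade)")
    return Finding(section, raw.strip(), reasons) if reasons else None


def triage(log_text: str):
    """Return a Finding for every suspicious line in a HijackThis log."""
    return [f for f in (triage_line(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

    Run on a real log it only shortlists entries for a human to review; a legitimate program installed into a profile directory will also be listed.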
     
  6. cookiemonsternbr (Thread Starter) - Joined: Aug 6, 2006 - Messages: 117
    Quick question while ComboFix is running on my laptop... I'm a bit confused on how I got these viruses when I have a protection program running? BTW I had to restart during the scan because of a rootkit. STAGE 3 NOW

    Thanks

    (im on my other computer)
     
  7. cookiemonsternbr (Thread Starter) - Joined: Aug 6, 2006 - Messages: 117
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:43:02 AM, on 7/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Richa\Desktop\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph12094255l0304wu75w8722311r
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 9324 bytes

    ComboFix 10-07-16.02 - Richa 07/18/2010 3:22.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.683 [GMT -7:00]
    Running from: c:\documents and settings\Richa\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Richa\Application Data\.#
    c:\documents and settings\Richa\Application Data\.#\[email protected]@3841A0.###
    c:\documents and settings\Richa\Application Data\.#\[email protected]@3841D0.###
    c:\documents and settings\Richa\Application Data\.#\[email protected]@384200.###
    c:\documents and settings\Richa\Application Data\020000009f81d85e950C.manifest
    c:\documents and settings\Richa\Application Data\020000009f81d85e950O.manifest
    c:\documents and settings\Richa\Application Data\020000009f81d85e950P.manifest
    c:\documents and settings\Richa\Application Data\020000009f81d85e950S.manifest
    c:\documents and settings\Richa\Application Data\SystemProc
    c:\documents and settings\Richa\Application Data\SystemProc\upd.exe
    C:\sysmon
    c:\windows\GnuHashes.ini
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\_000007_.tmp.dll
    c:\windows\system32\_000008_.tmp.dll
    c:\windows\system32\_000009_.tmp.dll
    c:\windows\system32\_000023_.tmp.dll
    c:\windows\system32\_000024_.tmp.dll
    c:\windows\system32\_000025_.tmp.dll
    c:\windows\system32\_000026_.tmp.dll
    c:\windows\system32\1861484745
    c:\windows\system32\SysWoW32
    c:\windows\system32\SysWoW32\mu110902772v4
    c:\windows\system32\SysWoW32\mu110902772v4.kwd
    c:\windows\system32\SysWoW32\mu110902772v5
    c:\windows\system32\SysWoW32\mu110902772v5.kwd
    c:\windows\system32\SysWoW32\mu110902772v6
    c:\windows\system32\SysWoW32\mu110902772v6.kwd
    c:\windows\system32\SysWoW32\mu110902772v7
    c:\windows\system32\SysWoW32\mu110902772v7.kwd
    c:\windows\system32\SysWoW32\wu110902772v0
    c:\windows\system32\SysWoW32\wu110902772v0.kwd
    c:\windows\system32\SysWoW32\wu110902772v1
    c:\windows\system32\SysWoW32\wu110902772v1.kwd
    c:\windows\system32\SysWoW32\wu110902772v2
    c:\windows\system32\SysWoW32\wu110902772v2.kwd
    c:\windows\system32\SysWoW32\wu110902772v3
    c:\windows\system32\SysWoW32\wu110902772v3.kwd
    c:\windows\system32\unrar.exe

    ----- BITS: Possible infected sites -----

    hxxp://ads1.msads.net
    Infected copy of c:\windows\system32\drivers\dpti2o.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
    .

    2010-07-18 08:07 . 2010-07-18 08:07 -------- d-----w- c:\program files\trend micro
    2010-07-18 08:07 . 2010-07-18 08:07 -------- d-----w- C:\rsit
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\documents and settings\Richa\Application Data\Yahoo!
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\program files\Yahoo!
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\program files\CCleaner
    2010-07-17 20:55 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-07-17 20:54 . 2010-07-17 20:54 -------- d-----w- c:\program files\Panda Security
    2010-07-17 20:09 . 2010-07-17 20:09 388096 ----a-r- c:\documents and settings\Richa\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-07-16 11:31 . 2010-07-16 11:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-16 10:05 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-16 08:55 . 2010-07-16 11:48 -------- d-----w- c:\documents and settings\Richa\Local Settings\Application Data\avfbjlodn
    2010-06-27 18:19 . 2010-06-27 18:19 -------- d-----w- c:\documents and settings\Owner
    2010-06-19 17:07 . 2010-06-19 17:07 -------- d-----w- c:\documents and settings\homo\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-18 10:15 . 2010-01-13 08:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-06 17:43 . 2010-03-07 12:05 -------- d-----w- c:\documents and settings\Richa\Application Data\FrostWire
    2010-07-05 07:13 . 2010-04-24 13:00 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-06-28 20:57 . 2010-06-05 18:35 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-06-05 18:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-06-05 18:36 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-06-05 18:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-06-05 18:36 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-06-05 18:36 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-06-05 18:36 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-06-05 18:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-17 03:24 . 2010-06-17 03:21 -------- d-----w- c:\program files\iTunes
    2010-06-17 03:21 . 2010-06-17 03:21 -------- d-----w- c:\program files\iPod
    2010-06-17 03:21 . 2010-01-17 01:14 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-17 02:49 . 2010-06-17 02:49 -------- d-----w- c:\program files\Bonjour
    2010-06-17 02:34 . 2010-06-17 02:34 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-15 16:49 . 2009-12-12 21:20 61744 ----a-w- c:\documents and settings\Richa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-14 14:31 . 2009-08-01 06:53 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-11 10:21 . 2009-08-01 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-05 22:40 . 2010-06-05 22:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-06-05 22:39 . 2010-06-05 22:39 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-05 22:39 . 2009-08-01 09:31 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-05 22:24 . 2009-08-01 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-06-05 21:50 . 2010-06-05 20:02 1139864748 ----a-w- c:\program files\PhotoshopElements_8_MUL.7z
    2010-06-05 21:50 . 2010-06-05 20:01 -------- d-----w- c:\documents and settings\Richa\Application Data\Download Manager
    2010-06-05 20:02 . 2010-06-05 20:02 1228312 ----a-w- c:\program files\PhotoshopElements_8_MUL.exe
    2010-06-05 18:35 . 2010-06-05 18:35 -------- d-----w- c:\program files\Alwil Software
    2010-06-05 18:35 . 2010-06-05 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-06-05 18:13 . 2010-03-07 18:20 4506256 ----a-w- c:\documents and settings\Richa\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
    2010-06-05 13:31 . 2009-08-01 09:01 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-03 02:45 . 2010-01-17 01:24 -------- d-----w- c:\documents and settings\Richa\Application Data\Apple Computer
    2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
    2010-06-03 02:35 . 2010-01-17 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-05-29 17:36 . 2010-05-29 17:36 -------- d-----w- c:\program files\AnalogX
    2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-06 10:41 . 2009-08-01 07:34 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2009-08-01 07:34 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-22 14:45 . 2009-08-01 06:54 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-04-20 05:30 . 2009-08-01 07:34 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-20 03:47 . 2010-05-06 02:39 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-04-20 03:47 . 2010-05-06 02:39 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Acer\\Acer Crystal Eye webcam\\CrystalEye.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/17/2010 1:55 PM 28552]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/5/2010 11:36 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/5/2010 11:36 AM 17744]
    R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 2:35 AM 237568]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 12:35 AM 38912]
    R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [9/26/2009 9:51 PM 145152]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 5:30 PM 135664]
    S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [10/9/2009 5:45 AM 169312]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 1:48 AM 1684736]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 1:50 AM 30192]
    S4 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
    S4 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 00:29]

    2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 00:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph12094255l0304wu75w8722311r
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-18 03:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3596)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\btncopy.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Windows Media Player\WMPNetwk.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-07-18 03:40:16 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-07-18 10:40

    Pre-Run: 108,197,969,920 bytes free
    Post-Run: 108,707,205,120 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 0A42A360D6EA235D23F5F24EB47180ED


    I see that some of the things I fix in HJT are back after reboot......
     
  8. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Please give me an update on how the computer is running after doing the following.

    Unfortunately there is no one program that will protect you from all that is out there.

    Using P2P programs is just about a guarantee to get infected somewhere along the line and I see that you have FrostWire installed.

    Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present


    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643

    Once selected close all windows except HJT and click on Fix Checked

    COMBOFIX-Script
    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      c:\documents and settings\Richa\Local Settings\Application Data\avfbjlodn
       
      Folder::
      c:\documents and settings\All Users\Application Data\McAfee
      
      DDS::
      uInternet Settings,ProxyServer = http=127.0.0.1:5643
      
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • If you need help to disable your protection programs see here.
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Please reply with:-
    • Combofix log
    • New HJT log
    • Update on computer's performance
     
  9. cookiemonsternbr

    cookiemonsternbr Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    117
    ComboFix 10-07-16.02 - Richa 07/18/2010 4:16.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.603 [GMT -7:00]
    Running from: c:\documents and settings\Richa\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Richa\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\documents and settings\Richa\Local Settings\Application Data\avfbjlodn"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\McAfee
    c:\documents and settings\All Users\Application Data\McAfee\dspwrp\SmartMessaging.db
    c:\documents and settings\All Users\Application Data\McAfee\MSC\Cache\McSubDB.Bak
    c:\documents and settings\All Users\Application Data\McAfee\MSC\mcini.ini
    c:\documents and settings\All Users\Application Data\McAfee\MSC\McSubDB.Dat

    .
    ((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
    .

    2010-07-18 08:07 . 2010-07-18 08:07 -------- d-----w- c:\program files\trend micro
    2010-07-18 08:07 . 2010-07-18 08:07 -------- d-----w- C:\rsit
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\documents and settings\Richa\Application Data\Yahoo!
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\program files\Yahoo!
    2010-07-17 21:37 . 2010-07-17 21:37 -------- d-----w- c:\program files\CCleaner
    2010-07-17 20:55 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
    2010-07-17 20:54 . 2010-07-17 20:54 -------- d-----w- c:\program files\Panda Security
    2010-07-17 20:09 . 2010-07-17 20:09 388096 ----a-r- c:\documents and settings\Richa\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-07-16 11:31 . 2010-07-16 11:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-07-16 10:05 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-16 08:55 . 2010-07-16 11:48 -------- d-----w- c:\documents and settings\Richa\Local Settings\Application Data\avfbjlodn
    2010-06-27 18:19 . 2010-06-27 18:19 -------- d-----w- c:\documents and settings\Owner
    2010-06-19 17:07 . 2010-06-19 17:07 -------- d-----w- c:\documents and settings\homo\Application Data\Apple Computer

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-18 10:15 . 2010-01-13 08:17 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-06 17:43 . 2010-03-07 12:05 -------- d-----w- c:\documents and settings\Richa\Application Data\FrostWire
    2010-07-05 07:13 . 2010-04-24 13:00 -------- d-----w- c:\program files\Windows Live Safety Center
    2010-06-28 20:57 . 2010-06-05 18:35 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-06-28 20:37 . 2010-06-05 18:36 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-06-28 20:37 . 2010-06-05 18:36 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-06-28 20:33 . 2010-06-05 18:36 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-06-28 20:32 . 2010-06-05 18:36 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-06-28 20:32 . 2010-06-05 18:36 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-06-28 20:32 . 2010-06-05 18:36 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-06-28 20:32 . 2010-06-05 18:36 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-06-17 03:24 . 2010-06-17 03:21 -------- d-----w- c:\program files\iTunes
    2010-06-17 03:21 . 2010-06-17 03:21 -------- d-----w- c:\program files\iPod
    2010-06-17 03:21 . 2010-01-17 01:14 -------- d-----w- c:\program files\Common Files\Apple
    2010-06-17 02:49 . 2010-06-17 02:49 -------- d-----w- c:\program files\Bonjour
    2010-06-17 02:34 . 2010-06-17 02:34 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-06-15 16:49 . 2009-12-12 21:20 61744 ----a-w- c:\documents and settings\Richa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-06-14 14:31 . 2009-08-01 06:53 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    2010-06-11 10:21 . 2009-08-01 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-06-05 22:40 . 2010-06-05 22:40 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-06-05 22:39 . 2010-06-05 22:39 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-05 22:39 . 2009-08-01 09:31 -------- d-----w- c:\program files\Common Files\Adobe
    2010-06-05 21:50 . 2010-06-05 20:02 1139864748 ----a-w- c:\program files\PhotoshopElements_8_MUL.7z
    2010-06-05 21:50 . 2010-06-05 20:01 -------- d-----w- c:\documents and settings\Richa\Application Data\Download Manager
    2010-06-05 20:02 . 2010-06-05 20:02 1228312 ----a-w- c:\program files\PhotoshopElements_8_MUL.exe
    2010-06-05 18:35 . 2010-06-05 18:35 -------- d-----w- c:\program files\Alwil Software
    2010-06-05 18:35 . 2010-06-05 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-06-05 18:13 . 2010-03-07 18:20 4506256 ----a-w- c:\documents and settings\Richa\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
    2010-06-05 13:31 . 2009-08-01 09:01 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-03 02:45 . 2010-01-17 01:24 -------- d-----w- c:\documents and settings\Richa\Application Data\Apple Computer
    2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
    2010-06-03 02:35 . 2010-01-17 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2010-05-29 17:36 . 2010-05-29 17:36 -------- d-----w- c:\program files\AnalogX
    2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-05-06 10:41 . 2009-08-01 07:34 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-05-02 05:22 . 2009-08-01 07:34 1851264 ----a-w- c:\windows\system32\win32k.sys
    2010-04-22 14:45 . 2009-08-01 06:54 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2010-04-20 05:30 . 2009-08-01 07:34 285696 ----a-w- c:\windows\system32\atmfd.dll
    2010-04-20 03:47 . 2010-05-06 02:39 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-04-20 03:47 . 2010-05-06 02:39 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-07-18_10.35.27 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-01 07:34 . 2010-07-18 10:39 68386 c:\windows\system32\perfc009.dat
    - 2009-08-01 07:34 . 2010-07-18 10:25 68386 c:\windows\system32\perfc009.dat
    + 2009-08-01 07:34 . 2010-07-18 10:39 434266 c:\windows\system32\perfh009.dat
    - 2009-08-01 07:34 . 2010-07-18 10:25 434266 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-02-24 17529856]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-02-06 1430824]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 23:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
    2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
    2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Acer\\Acer Crystal Eye webcam\\CrystalEye.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:mad:xpsp2res.dll,-22009

    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/17/2010 1:55 PM 28552]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/5/2010 11:36 AM 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/5/2010 11:36 AM 17744]
    R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [8/1/2009 2:35 AM 237568]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/1/2009 12:35 AM 38912]
    R3 M3000Srv;WebCam Driver;c:\windows\system32\drivers\M3000KNT.sys [9/26/2009 9:51 PM 145152]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/1/2010 5:30 PM 135664]
    S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [10/9/2009 5:45 AM 169312]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/1/2009 1:48 AM 1684736]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/1/2009 1:50 AM 30192]
    S4 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
    S4 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

    2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 00:29]

    2010-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-02 00:29]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/
    mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph12094255l0304wu75w8722311r
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-18 04:24
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-07-18 04:26:03
    ComboFix-quarantined-files.txt 2010-07-18 11:25
    ComboFix2.txt 2010-07-18 10:40

    Pre-Run: 108,709,408,768 bytes free
    Post-Run: 108,695,642,112 bytes free

    - - End Of File - - A0053397F9ED9DFC52DC2BC49B4436D5


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:27:13 AM, on 7/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Richa\Desktop\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph12094255l0304wu75w8722311r
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 8901 bytes

    What is the highlighted network thing???

    It seems to be running better so far... Right before the internet went down I got an error for win32... I would like to see how she runs for a few hours, like maybe 24, before I'm sure... Also, when I plugged my iTouch into the USB port to charge it says unknown device, and will not charge anywhere... Could that mean I bugged the iTouch??? From what was on this computer??
     
  10. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    They are legit files, so leave them alone.

    Let's finish the cleaning first.

    Open HijackThis, select Do a System Scan Only, and place a check next to the lines below if they are still present.


    • O24 - Desktop Component 0: (no name) - (no file)

    Once selected, close all windows except HJT and click on Fix Checked.

    Next

    • Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab.
      Uncheck and Delete everything you find in there. (Except for "My Current Home Page.")

    Download and Run OTM.exe

    Download OTM.exe by Old Timer and save it to your Desktop.
    • Double-click OTM.exe. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
    • Copy the lines in the codebox below.
    Code:
    :Files
    c:\documents and settings\Richa\Local Settings\Application Data\avfbjlodn
    
    :Commands
    
    [EmptyTemp] 
    [Reboot]
    
    
    • Return to OTM.exe, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTM.exe

    Update Java Runtime

    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 21.
    • Go to Java Site
    • Scroll down to where it says "JDK 6 Update 21 (JDK or JRE)"
    • Click the orange Download JRE button to the right
    • Select the Windows platform from the dropdown menu
    • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
    • Click on the link to download Windows Offline Installation & save the file to your desktop
    • Close any programs you may have running - especially your web browser
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs
    • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE) listed below in the code box.
      Code:
      J2SE Runtime Environment 5.0 Update 17
      Java(TM) 6 Update 17
       
    • Reboot your computer once all Java components are removed
    • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version
    • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
      • On the General tab, under Temporary Internet Files, click the Settings button
      • Next, click on the Delete Files button
      • There are two options in the window to clear the cache - Leave BOTH Checked
        • Applications and Applets
          Trace and Log Files
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel


    Please reply with:-
    • OTM log
    • New HJT log
     
  11. cookiemonsternbr

    cookiemonsternbr Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    117
    Sorry, I need to take a few days away for personal reasons. Please don't close this out. Thanks for all your help.
     
  12. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Thanks for letting me know.
     
  13. cookiemonsternbr

    cookiemonsternbr Thread Starter

    Joined:
    Aug 6, 2006
    Messages:
    117
    Sorry I have been gone so long, there was a death in my family...

    I followed the steps, but when I did the OTM it rebooted and I was not able to get any log???

    Here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:04:30 PM, on 8/6/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Acer\Acer VCM\RS_Service.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Documents and Settings\Richa\Desktop\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_one&r=0xph12094255l0304wu75w8722311r
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
    O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://kiw.imgag.com/imgag/cp/install/crusher-kiwen.cab
    O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Acer\Acer VCM\Skype4COM.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 9452 bytes

    That thing still will not fix
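The helper read the two HijackThis logs above by hand to spot the orphaned O24 entry (HJT's "Fix checked" cannot delete a target that no longer exists, which is why it has to be cleaned up through the Display Properties Web tab). The script below is an added example written for this thread; it is not code from HijackThis, ComboFix or OTM. It parses HJT 2.x entry lines and makes the same first pass mechanically: orphan "(no file)" entries, services with no vendor string, autostarts living in user-writable temp/app-data directories, and downloaded ActiveX controls (O16) with the host they came from. The suspect-directory list and the other heuristics are this script's own assumptions, a starting point for review rather than a verdict. The sample log is constructed: its first five lines are copied from the log posted above, while the `avfbjlodn` Run entry and the `winhlpsvc` service are invented test lines that never appeared in this thread (the folder name is the one the OTM script above moves).

```python
"""Triage a HijackThis 2.x log: parse the entry lines and flag the ones a
malware-removal helper looks at first.

Added example for this thread, not code from HijackThis, ComboFix or OTM.
The heuristics (suspect directories, vendor string, orphan entries) are this
script's own assumptions about what deserves a second look, not HJT's rules."""

import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample. The first five lines are copied from the HJT log posted
# in the thread; the last two are made up to exercise the checks and are NOT
# in that log (the avfbjlodn folder name comes from the OTM script above).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O23 - Service: Raw Socket Service (RS_Service) - Acer Incorporated - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O24 - Desktop Component 0: (no name) - (no file)
O4 - HKCU\..\Run: [avfbjlodn] C:\Documents and Settings\Richa\Local Settings\Application Data\avfbjlodn\avfbjlodn.exe
O23 - Service: Windows Helper (winhlpsvc) - Unknown owner - C:\WINDOWS\Temp\svc.exe
"""

# An HJT entry line: section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>O\d+|R[0-3]) - (?P<body>.+)$")
# First Windows path ending in an executable extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|sys|cpl|ocx)\b', re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Assumption: XP-era autostarts that point into user-writable scratch space
# are far more often droppers than legitimate software. Lower-cased substrings.
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
)


@dataclass
class Finding:
    code: str
    line: str
    reasons: list = field(default_factory=list)


def parse(log_text: str) -> list:
    """Return (code, body) for every HJT entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text: str) -> list:
    """Apply the heuristics to each entry and return the ones worth a look."""
    findings = []
    for code, body in parse(log_text):
        reasons = []
        if "(no file)" in body:
            reasons.append("orphan entry: target file is gone, so HJT 'Fix checked' "
                           "has nothing to delete; remove the registry entry by hand")
        if code == "O23" and "Unknown owner" in body:
            reasons.append("service with no vendor string")
        path = PATH_RE.search(body)
        if path and code in ("O4", "O23"):
            low = path.group(0).lower()
            if any(d in low for d in SUSPECT_DIRS):
                reasons.append("autostart from user-writable temp/app-data directory")
        if code == "O16":
            url = URL_RE.search(body)
            host = urlparse(url.group(0)).hostname if url else "?"
            reasons.append(f"downloaded ActiveX control from {host}; confirm the vendor")
        if reasons:
            findings.append(Finding(code, f"{code} - {body}", reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run it as-is to see the four flagged entries from the constructed sample, or replace `SAMPLE_LOG` with the text of a saved HJT log. Entries under Program Files with a vendor string, such as the avast, Messenger and Acer lines, produce no finding; that is the point of the heuristics, not proof that such an entry is clean.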
     
Short URL to this thread: https://techguy.org/936395