
Hijacked search engines

Discussion in 'Virus & Other Malware Removal' started by rideswithchrist, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    I work for a company that does internet rating. I often open 5 pages at a time in different tabs, so I have no idea which was the malicious site. I had AVG and SuperAntiSpyware. AVG seemed to freeze up and there were pop-ups that I knew were fake virus removals. I don't think I clicked 'yes' on any of them, but there were pop-ups from AVG and from them, and Firefox warnings. I ran SuperAntiSpyware and it removed some infections, mainly trojans. I then downloaded and ran Malwarebytes in safe mode and it removed more. I then downloaded avast! and it removed more as well.

    When I reboot, I get a dll error and
    AVG does not seem to block any sites any longer either. Now, I have a hijacked browser that I can not get rid of. I downloaded a fix on another forum which replaced a Google plug-in (Google Antimalware fix by Chase), but all the search engines are hijacked, leading me to believe it is the browser itself. I am using Firefox.

    If I copy and paste a link in the address bar, there is no redirect, but if I use a search engine and click a link, it takes me to: monstormarketplace . com from Yahoo.
    pleasewaitfind TO samantasay. com TO //us.answerfinders.info/findx/fin from Bing
    pleasewaitfind TO samantasay TO //www.mylocalhero. com/s for Google

    Firefox closed with no warning twice today, and when it does, my computer will not open any programs, restart or shutdown. I have to hold the off button.
    Even after running a virus program a day, today Malwarebytes removed 23 infected files.
    Here is my log from HijackThis, which was run after Malwarebytes and working for 2 hours (which means about 100 more sites visited).

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:19:14 PM, on 08/03/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: (no name) - {B2E527E5-8237-40EC-9641-414E341718EB} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [HotSync] C:\Program Files\Palm\Hotsync.exe -AllUsers
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [sta] rundll32 "ttlgp.dll",,Run
    O4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\gtlgp.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Jdenajuhiq] rundll32.exe "C:\WINDOWS\oyalozugecava.dll",Startup
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
    O4 - HKCU\..\Run: [GetModule33] C:\Program Files\GetModule\GetModule33.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [{56967481-3F7A-5692-7F1F-B6B78BBDFC5C}] "C:\Documents and Settings\Owner\Application Data\Emig\akhyy.exe"
    O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\DOCUME~1\Owner\LOCALS~1\Temp\rxaswcemon.tmp
    O4 - HKLM\..\Policies\Explorer\Run: [jgyo0w] C:\DOCUME~1\Owner\LOCALS~1\Temp\19aqp.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} (WNICheck2 Class) - http://www.convergysworkathome.com/AppHardT.CAB
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: vmwvqo.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
    O23 - Service: Google Update Service (gupdate1c9ac0bbc01d828) (gupdate1c9ac0bbc01d828) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe

    --
    End of file - 8517 bytes

    I am not super tech savvy so I can't tell which is a normal file and which is not!
    I am so ready for a MAC and to toss this PC out the window!
    :mad:
    Please let me know what I can do next.
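The HijackThis log above is triaged by eye in the thread; as an added example (not from the thread or from HijackThis itself), the Python script below runs a small set of defender-side heuristics over lines of exactly that format. The sample input is constructed from entries in the posted log plus a few plainly benign ones; the rule set, the `triage_line`/`triage` functions and the `USER_WRITABLE` marker list are my own assumptions, and each rule flags a pattern rather than proving an infection.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the HijackThis log posted in the thread,
# plus a few benign ones, so the triage runs offline on realistic input.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5643
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {B2E527E5-8237-40EC-9641-414E341718EB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sta] rundll32 "ttlgp.dll",,Run
O4 - HKLM\..\Run: [MChk] C:\WINDOWS\system32\gtlgp.exe
O4 - HKLM\..\Run: [Jdenajuhiq] rundll32.exe "C:\WINDOWS\oyalozugecava.dll",Startup
O4 - HKCU\..\Run: [{56967481-3F7A-5692-7F1F-B6B78BBDFC5C}] "C:\Documents and Settings\Owner\Application Data\Emig\akhyy.exe"
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\DOCUME~1\Owner\LOCALS~1\Temp\rxaswcemon.tmp
O20 - AppInit_DLLs: vmwvqo.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Every HijackThis entry starts with a section code (R0, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")

# Locations a legitimate autostart rarely points at (assumed marker list).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\locals~1\\")

# rundll32 given only a file name: the DLL is found via the search path, not a full path.
BARE_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\\\s,]+\.dll)"?', re.I)

# A DLL placed directly in the Windows directory rather than a system or program folder.
WINDIR_DLL_RE = re.compile(r'\\windows\\[^\\"]+\.dll', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the entry matches a hijack indicator, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    if kind == "R1" and "proxyserver" in low and "127.0.0.1" in low:
        return "loopback proxy set: browser traffic is routed through a local listener"
    if kind == "O2" and low.endswith("(no file)"):
        return "orphaned BHO registration (DLL missing from disk)"
    if kind == "O20" and low.startswith("appinit_dlls:") and low.split(":", 1)[1].strip():
        return "AppInit_DLLs populated: DLL loaded into every process that uses user32"
    if kind == "O4":
        if "policies\\explorer\\run" in low:
            return "Policies\\Explorer\\Run autostart (rarely used by legitimate software)"
        if any(marker in low for marker in USER_WRITABLE):
            return "autostart from a temp or per-user data directory"
        if BARE_DLL_RE.search(body):
            return "rundll32 loads a DLL by bare name (resolved via the DLL search path)"
        if WINDIR_DLL_RE.search(body):
            return "rundll32 loads a DLL sitting directly in the Windows directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and collect the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append(Finding(line=line.strip(), reason=reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample the script flags seven entries: the 127.0.0.1:5643 proxy (which is enough on its own to explain search results being redirected), the file-less BHO, the AppInit_DLLs value, and the four Run entries pointing at bare DLLs, the Windows root, Application Data and Temp. The [MChk] entry passes every rule, which is the point of the usage: heuristics narrow the list, they do not clear what they leave behind, so the remaining entries still have to be checked against known-good references as the specialist in the thread does. A Run entry that still names a DLL a scanner has already deleted is also a common source of the "dll error" reported at boot.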
     
  2. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

    • If an infected file is detected, the default action will be Cure, click on Continue.

    • If a suspicious file is detected, the default action will be Skip, click on Continue.

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
     
  3. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    Thank you!
    I did the steps above, 1 item cured. Here is the log:


    2010/08/06 10:34:08.0343 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
    2010/08/06 10:34:08.0343 ================================================================================
    2010/08/06 10:34:08.0343 SystemInfo:
    2010/08/06 10:34:08.0343
    2010/08/06 10:34:08.0343 OS Version: 5.1.2600 ServicePack: 2.0
    2010/08/06 10:34:08.0343 Product type: Workstation
    2010/08/06 10:34:08.0343 ComputerName: DAVIDSON-N9O45L
    2010/08/06 10:34:08.0343 UserName: Owner
    2010/08/06 10:34:08.0343 Windows directory: C:\WINDOWS
    2010/08/06 10:34:08.0343 System windows directory: C:\WINDOWS
    2010/08/06 10:34:08.0343 Processor architecture: Intel x86
    2010/08/06 10:34:08.0343 Number of processors: 1
    2010/08/06 10:34:08.0343 Page size: 0x1000
    2010/08/06 10:34:08.0343 Boot type: Normal boot
    2010/08/06 10:34:08.0343 ================================================================================
    2010/08/06 10:34:14.0765 Initialize success
    2010/08/06 10:34:21.0953 ================================================================================
    2010/08/06 10:34:21.0953 Scan started
    2010/08/06 10:34:21.0953 Mode: Manual;
    2010/08/06 10:34:21.0953 ================================================================================
    2010/08/06 10:34:24.0265 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2010/08/06 10:34:24.0843 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/08/06 10:34:25.0062 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/08/06 10:34:25.0328 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2010/08/06 10:34:25.0437 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2010/08/06 10:34:26.0390 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
    2010/08/06 10:34:26.0500 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2010/08/06 10:34:26.0781 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
    2010/08/06 10:34:26.0890 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
    2010/08/06 10:34:27.0031 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
    2010/08/06 10:34:27.0359 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
    2010/08/06 10:34:27.0687 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/08/06 10:34:27.0968 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/08/06 10:34:28.0093 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/08/06 10:34:28.0312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/08/06 10:34:28.0593 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
    2010/08/06 10:34:28.0921 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
    2010/08/06 10:34:29.0171 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
    2010/08/06 10:34:29.0390 bcm4sbxp (e727776a56a51b7e6b7c87c02ea8b405) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
    2010/08/06 10:34:29.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/08/06 10:34:30.0281 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/08/06 10:34:30.0765 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/08/06 10:34:31.0046 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/08/06 10:34:31.0281 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/08/06 10:34:31.0500 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/08/06 10:34:32.0046 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/08/06 10:34:32.0375 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/08/06 10:34:32.0593 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2010/08/06 10:34:32.0984 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/08/06 10:34:33.0359 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/08/06 10:34:33.0609 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/08/06 10:34:33.0734 FA312 (aa855fb8a866281aacb393c1feab91ae) C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
    2010/08/06 10:34:34.0296 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/08/06 10:34:35.0171 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/08/06 10:34:35.0390 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2010/08/06 10:34:36.0156 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/08/06 10:34:36.0406 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/08/06 10:34:36.0750 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/08/06 10:34:36.0968 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/08/06 10:34:37.0265 FVNETusb (199062d35b8789238a11e9980479336b) C:\WINDOWS\system32\DRIVERS\vnet58lx.sys
    2010/08/06 10:34:37.0500 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/08/06 10:34:37.0812 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/08/06 10:34:38.0187 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2010/08/06 10:34:38.0390 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2010/08/06 10:34:38.0640 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2010/08/06 10:34:38.0906 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/08/06 10:34:39.0125 i8042prt (bb3b0666abb5d20d0fc7b2a2122391c9) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/08/06 10:34:39.0125 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: bb3b0666abb5d20d0fc7b2a2122391c9, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
    2010/08/06 10:34:39.0125 i8042prt - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/08/06 10:34:39.0281 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/08/06 10:34:39.0625 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/08/06 10:34:39.0937 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/08/06 10:34:40.0156 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/08/06 10:34:40.0390 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/08/06 10:34:40.0656 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/08/06 10:34:40.0890 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/08/06 10:34:41.0187 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/08/06 10:34:41.0453 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/08/06 10:34:41.0656 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/08/06 10:34:41.0921 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/08/06 10:34:42.0156 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/08/06 10:34:42.0250 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/08/06 10:34:42.0656 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/08/06 10:34:42.0906 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2010/08/06 10:34:43.0000 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/08/06 10:34:43.0187 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/08/06 10:34:43.0390 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/08/06 10:34:43.0640 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/08/06 10:34:43.0812 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/08/06 10:34:44.0437 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/08/06 10:34:44.0640 MSHUSBVideo (066f26efe273125b352e35405d258e85) C:\WINDOWS\system32\Drivers\nx6000.sys
    2010/08/06 10:34:44.0984 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/08/06 10:34:45.0203 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/08/06 10:34:45.0390 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/08/06 10:34:45.0578 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/08/06 10:34:45.0703 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/08/06 10:34:45.0968 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/08/06 10:34:46.0328 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/08/06 10:34:46.0546 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/08/06 10:34:46.0812 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/08/06 10:34:47.0031 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/08/06 10:34:47.0328 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/08/06 10:34:47.0515 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/08/06 10:34:47.0765 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/08/06 10:34:48.0000 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/08/06 10:34:48.0218 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/08/06 10:34:48.0531 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/08/06 10:34:48.0734 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/08/06 10:34:49.0312 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/08/06 10:34:49.0765 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/08/06 10:34:50.0109 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/08/06 10:34:50.0406 PalmUSBD (dc450992eba6f914080c1f7fbeeed72c) C:\WINDOWS\system32\drivers\PalmUSBD.sys
    2010/08/06 10:34:50.0812 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/08/06 10:34:51.0203 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/08/06 10:34:51.0609 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/08/06 10:34:51.0843 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/08/06 10:34:52.0171 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/08/06 10:34:52.0406 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/08/06 10:34:53.0281 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/08/06 10:34:53.0515 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/08/06 10:34:53.0750 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/08/06 10:34:54.0281 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/08/06 10:34:54.0500 Ptserlp (ace8fe0e920cb8fba057c024ead33f84) C:\WINDOWS\system32\DRIVERS\ptserlp.sys
    2010/08/06 10:34:55.0031 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/08/06 10:34:55.0437 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/08/06 10:34:55.0656 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/08/06 10:34:55.0859 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/08/06 10:34:56.0062 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/08/06 10:34:56.0296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/08/06 10:34:56.0515 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/08/06 10:35:00.0593 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/08/06 10:35:01.0125 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/08/06 10:35:01.0359 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2010/08/06 10:35:01.0609 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2010/08/06 10:35:01.0781 Secdrv (890cada2ab7acf53a5f9cce7515522a2) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/08/06 10:35:01.0968 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    2010/08/06 10:35:02.0421 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/08/06 10:35:02.0640 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/08/06 10:35:02.0921 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/08/06 10:35:03.0250 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/08/06 10:35:03.0734 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/08/06 10:35:04.0125 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/08/06 10:35:04.0265 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/08/06 10:35:04.0468 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/08/06 10:35:04.0640 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/08/06 10:35:05.0296 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/08/06 10:35:06.0109 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/08/06 10:35:07.0250 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/08/06 10:35:07.0937 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/08/06 10:35:08.0718 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/08/06 10:35:09.0609 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/08/06 10:35:10.0187 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/08/06 10:35:10.0656 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/08/06 10:35:11.0375 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/08/06 10:35:12.0218 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2010/08/06 10:35:12.0890 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/08/06 10:35:13.0500 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/08/06 10:35:13.0953 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/08/06 10:35:14.0453 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/08/06 10:35:14.0765 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/08/06 10:35:15.0062 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/08/06 10:35:15.0328 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/08/06 10:35:15.0812 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2010/08/06 10:35:16.0140 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2010/08/06 10:35:16.0562 Vmodem (b289d19df6103352d3c4b13c0ed79331) C:\WINDOWS\system32\DRIVERS\vmodem.sys
    2010/08/06 10:35:16.0921 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/08/06 10:35:17.0203 Vpctcom (4a4448332075c5a909df123c21616b2a) C:\WINDOWS\system32\DRIVERS\vpctcom.sys
    2010/08/06 10:35:17.0500 Vvoice (120e61aac05f00c867a32de493dab9b4) C:\WINDOWS\system32\DRIVERS\vvoice.sys
    2010/08/06 10:35:17.0750 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/08/06 10:35:18.0046 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/08/06 10:35:18.0296 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    2010/08/06 10:35:18.0531 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/08/06 10:35:18.0796 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/08/06 10:35:19.0078 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/08/06 10:35:19.0343 ================================================================================
    2010/08/06 10:35:19.0343 Scan finished
    2010/08/06 10:35:19.0343 ================================================================================
    2010/08/06 10:35:19.0421 Detected object count: 1
    2010/08/06 10:35:36.0312 i8042prt (bb3b0666abb5d20d0fc7b2a2122391c9) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/08/06 10:35:36.0312 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: bb3b0666abb5d20d0fc7b2a2122391c9, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
    2010/08/06 10:35:42.0093 Backup copy found, using it..
    2010/08/06 10:35:42.0187 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
    2010/08/06 10:35:42.0187 Rootkit.Win32.TDSS.tdl3(i8042prt) - User select action: Cure
    2010/08/06 10:35:55.0328 Deinitialize success
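The interesting lines in the TDSSKiller log above are the two "Suspicious file (Forged)" entries: the tool hashes the driver two ways and reports it as forged when the hashes disagree, which is what you expect when something between the disk and the file API is serving altered content for that file. As an added example (not from the thread or from Kaspersky's tool), the Python parser below pulls the detections out of a log in this format and ties the forged-file line, the detection name and the chosen action to the driver's service name. The sample input is constructed from lines of the posted log; the `parse_tdsskiller` function, the `Detection`/`ScanResult` classes and the regular expressions are my own assumptions about the format as it appears on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample: lines copied from the TDSSKiller log posted in the thread
# (one clean driver listing included so the parser has something to ignore).
SAMPLE_TDSS_LOG = r"""
2010/08/06 10:34:39.0125 i8042prt (bb3b0666abb5d20d0fc7b2a2122391c9) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/06 10:34:39.0125 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: bb3b0666abb5d20d0fc7b2a2122391c9, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
2010/08/06 10:34:39.0125 i8042prt - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 10:34:39.0281 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/08/06 10:35:19.0421 Detected object count: 1
2010/08/06 10:35:42.0187 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
2010/08/06 10:35:42.0187 Rootkit.Win32.TDSS.tdl3(i8042prt) - User select action: Cure
"""

# Every line carries a timestamp; the message is what follows it.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} (?P<msg>.*)$")
# Ordinary driver listing: "<service> (<md5>) <path>". Used to map a path back to its service.
LISTING_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})"
)
DETECTED_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<name>\S+)")
ACTION_RE = re.compile(r"^(?P<name>[^\s(]+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)")


@dataclass
class Detection:
    service: str
    path: str = ""
    real_md5: str = ""
    fake_md5: str = ""
    name: str = ""
    action: str = ""

    def hashes_differ(self) -> bool:
        """True when the two hashes TDSSKiller computed for the file disagree."""
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


@dataclass
class ScanResult:
    detected_count: int
    detections: Dict[str, Detection]


def parse_tdsskiller(text: str) -> ScanResult:
    """Collect per-service detections from a TDSSKiller log."""
    path_to_service: Dict[str, str] = {}
    detections: Dict[str, Detection] = {}
    count = 0

    def entry(svc: str) -> Detection:
        return detections.setdefault(svc, Detection(service=svc))

    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (lm := LISTING_RE.match(msg)):
            path_to_service[lm.group("path").lower()] = lm.group("svc")
        elif (fm := FORGED_RE.search(msg)):
            # The forged line names only the path; the listing just before it names the service.
            svc = path_to_service.get(fm.group("path").lower(), fm.group("path"))
            d = entry(svc)
            d.path, d.real_md5, d.fake_md5 = fm.group("path"), fm.group("real"), fm.group("fake")
        elif (dm := DETECTED_RE.match(msg)):
            entry(dm.group("svc")).name = dm.group("name")
        elif (am := ACTION_RE.match(msg)):
            d = entry(am.group("svc"))
            d.name = d.name or am.group("name")
            d.action = am.group("action")
        elif (cm := COUNT_RE.match(msg)):
            count = int(cm.group("n"))
    return ScanResult(detected_count=count, detections=detections)


if __name__ == "__main__":
    result = parse_tdsskiller(SAMPLE_TDSS_LOG)
    for d in result.detections.values():
        print(f"{d.service}: {d.name} action={d.action} forged={d.hashes_differ()}\n    {d.path}")
```

Resolving the service name through the preceding listing line matters because the service name and the file name do not always match (the same log lists FVNETusb as vnet58lx.sys). For the sample the parser yields a single detection, i8042prt, with both hashes, the detection name and the Cure action attached, which is the record a responder would want to keep next to the reboot note that follows in the thread.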
     
  4. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download ComboFix here :

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

      Click me

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [screenshot: the ComboFix message shown after the Recovery Console is installed]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
     
  5. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    I downloaded ComboFix after I disabled AVG and avast and SUPERAntiSpyware. ComboFix gave a warning that AVG was not disabled. The Resident Shield was still counting up as if activated, even though it was unchecked. I attempted to uninstall AVG 9 and got a rundll32.exe error message with
    szAppName : rundll32.exe szAppVer : 5.1.2600.2180 szModName : hungapp
    szModVer : 0.0.0.0 offset : 00000000

    Could AVG 9 be infected? I can't run Combosheild until it is disabled or deleted. What do I do now?
    Thanks
     
  6. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Run ComboFix anyway.
     
  7. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    Deleted AVG, ran ComboFix:

    ComboFix 10-08-06.01 - Owner 08/07/2010 0:00.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.215 [GMT -5:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Emig\akhyy.exe
    c:\documents and settings\Owner\g2mdlhlpx.exe
    c:\documents and settings\Owner\Local Settings\Application Data\{8415D36C-6A9F-4EC8-9521-C61765E718B4}
    c:\documents and settings\Owner\Local Settings\Application Data\{8415D36C-6A9F-4EC8-9521-C61765E718B4}\chrome.manifest
    c:\documents and settings\Owner\Local Settings\Application Data\{8415D36C-6A9F-4EC8-9521-C61765E718B4}\chrome\content\_cfg.js
    c:\documents and settings\Owner\Local Settings\Application Data\{8415D36C-6A9F-4EC8-9521-C61765E718B4}\chrome\content\overlay.xul
    c:\documents and settings\Owner\Local Settings\Application Data\{8415D36C-6A9F-4EC8-9521-C61765E718B4}\install.rdf
    c:\program files\Internet Explorer\msimg32.dll
    c:\windows\system32\atjfrpbj.ini
    c:\windows\system32\bucpkpdd.ini
    c:\windows\system32\pAbehkkj.ini
    c:\windows\system32\pAbehkkj.ini2
    c:\windows\system32\pixhyafb.ini
    c:\windows\system32\rtDffMoq.ini
    c:\windows\system32\rtDffMoq.ini2
    c:\windows\system32\sgkahroh.ini
    c:\windows\system32\ukvuvmol.ini
    c:\windows\system32\vrcvhbli.ini
    c:\windows\system32\whfiomjp.ini
    c:\windows\system32\yftjchle.ini
    c:\windows\Tasks\dxxdjppy.job
    c:\windows\wiaserviv.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Service_6to4


    ((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
    .

    2010-08-06 16:35 . 2010-08-06 16:35 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG9
    2010-08-03 22:18 . 2010-08-03 22:18 -------- d-----w- c:\program files\Trend Micro
    2010-07-27 20:00 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-27 20:00 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-27 20:00 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-27 20:00 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-27 20:00 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-27 20:00 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-27 20:00 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-27 19:58 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-27 19:58 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-27 19:57 . 2010-07-27 19:57 -------- d-----w- c:\program files\Alwil Software
    2010-07-27 19:57 . 2010-07-27 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-07-27 02:47 . 2010-07-30 04:17 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-07-26 18:15 . 2010-07-26 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-07-26 18:14 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-26 18:14 . 2010-07-26 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-26 18:14 . 2010-07-26 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-26 18:14 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-26 16:06 . 2010-07-27 19:55 0 ----a-w- c:\windows\Wxokejupecejox.bin
    2010-07-26 16:06 . 2010-07-27 19:55 120 ----a-w- c:\windows\Jjuhezorijegoz.dat
    2010-07-26 16:04 . 2010-07-26 16:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ayxtkkxbq
    2010-07-26 16:04 . 2010-07-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-07-26 16:04 . 2010-07-26 16:06 -------- d-----w- c:\documents and settings\Owner\Application Data\DA05CBC7E6DD861713F3A89DFF40C5AF
    2010-07-20 18:29 . 2010-07-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-07-17 18:58 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-15 22:08 . 2006-10-06 14:35 90112 ----a-w- c:\windows\system32\lfjbg13n.dll
    2010-07-15 22:08 . 2006-10-06 14:35 246272 ----a-w- c:\windows\system32\lfj2k13n.dll
    2010-07-15 22:08 . 2010-07-15 22:08 -------- d-----w- c:\program files\MFInstall
    2010-07-14 15:52 . 2010-07-14 15:52 -------- d-----w- c:\program files\Citrix

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-07 05:15 . 2009-10-10 20:35 -------- d-----w- c:\program files\Common Files\Akamai
    2010-08-07 05:15 . 2008-10-02 01:18 -------- d-----w- c:\program files\DNA
    2010-08-07 05:15 . 2008-10-02 01:18 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
    2010-08-07 04:29 . 2010-02-22 18:11 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
    2010-08-06 15:55 . 2010-02-26 05:10 0 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    2010-08-06 15:37 . 2001-08-18 12:00 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2010-08-06 14:55 . 2009-03-23 23:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-08-02 18:25 . 2009-06-04 22:34 -------- d-----w- c:\program files\Palm
    2010-07-27 00:54 . 2009-02-15 01:25 -------- d-----w- c:\program files\Creative
    2010-07-26 22:44 . 2008-10-02 01:18 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
    2010-07-26 21:48 . 2009-04-04 22:55 -------- d-----w- c:\program files\Windows Live
    2010-07-26 21:40 . 2008-10-02 02:01 -------- d-----w- c:\program files\Image-Line
    2010-07-26 18:47 . 2009-01-19 00:26 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-20 18:32 . 2009-01-09 20:11 -------- d-----w- c:\program files\QuickTime
    2010-07-02 16:43 . 2010-01-22 15:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Emig
    2010-06-29 18:08 . 2007-12-08 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Ivtiy
    2010-06-29 14:50 . 2010-01-15 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-06-10 14:29 . 2010-03-25 00:55 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-06-09 13:34 . 2009-12-28 02:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
    2010-06-09 13:31 . 2009-12-28 02:27 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
    2010-05-22 16:09 . 2007-02-10 22:37 77560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-20 23:23 . 2009-03-20 23:23 279888 -c--a-w- c:\program files\npmusicn.dll
    2009-01-10 20:05 . 2009-01-10 20:05 54157776 -c--a-w- c:\program files\avg_free_stf_en_8_176a1400.exe
    2008-10-27 17:18 . 2008-10-27 17:06 27663880 -c--a-w- c:\program files\NN_drv_rub_w01_ENU.exe
    2008-10-06 18:02 . 2008-10-06 18:02 18657813 -c--a-w- c:\program files\PalmDesktopWin414EN.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-23 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
    "HotSync"="c:\program files\Palm\Hotsync.exe" [2008-01-03 1392640]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
    PowerReg Scheduler.exe [2008-10-20 251392]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-05-14 15:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1034:TCP"= 1034:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [07/27/2010 3:00 PM 165456]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 67656]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [08/18/2001 7:00 AM 14336]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07/27/2010 3:00 PM 17744]
    R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/27/2009 8:04 PM 30560]
    S2 gupdate1c9ac0bbc01d828;Google Update Service (gupdate1c9ac0bbc01d828);c:\program files\Google\Update\GoogleUpdate.exe [03/23/2009 6:04 PM 133104]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2010-08-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 23:00]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-23 23:03]

    2010-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-23 23:03]

    2010-08-07 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-02-11 15:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride = <local>
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\o4d46jqv.default\
    FF - prefs.js: browser.search.selectedEngine - Google Anti-Malware Fix by Chase
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/rating/task-edit?task=169832967|https://onlineserv.austincc.edu/Web...326011&CONSTITUENCY=WBST&TYPE=M&PID=CORE-WBST
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\o4d46jqv.default\extensions\[email protected]\plugins\npImgCtl.dll
    FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjpi160_15.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{B2E527E5-8237-40EC-9641-414E341718EB} - (no file)
    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    HKCU-Run-Rainlendar2 - c:\program files\Rainlendar2\Rainlendar2.exe
    HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
    HKCU-Run-{56967481-3F7A-5692-7F1F-B6B78BBDFC5C} - c:\documents and settings\Owner\Application Data\Emig\akhyy.exe
    HKLM-Run-NWEReboot - (no file)
    HKLM-Run-Jdenajuhiq - c:\windows\oyalozugecava.dll
    Notify-avgrsstarter - avgrsstx.dll
    SafeBoot-klmdb.sys
    MSConfigStartUp-GhostStartTrayApp - c:\program files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    MSConfigStartUp-SoundMAXPnP - c:\program files\Analog Devices\Core\smax4pnp.exe
    AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-07 00:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(628)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3796)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\windows\system32\msls31.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Flip Video\FlipShare\FlipShareService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\windows\system32\pctspk.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\System32\wbem\unsecapp.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-07 00:33:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-07 05:33

    Pre-Run: 21,143,232,512 bytes free
    Post-Run: 21,342,646,272 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

    - - End Of File - - E3972F4846EDF9AE772E98E743E46214


    The background image reappeared after the scan.
     
  8. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
     
  9. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    ComboFix 10-08-06.01 - Owner 08/08/2010 19:30:35.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.365 [GMT -5:00]
    Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat"
    "c:\windows\Jjuhezorijegoz.dat"
    "c:\windows\Wxokejupecejox.bin"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\avg9
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\04675bdb-36c2-43d1-9a05-dfb012987545
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\057530cd-b826-41ee-9973-42f0c6194f0f
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\1e9e4ce4-a386-4a43-9b9b-738ccf111bb8
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\20b10236-904e-4328-bb90-175e6185827e
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\23cb08e1-1bce-4c53-9ff5-33e5fbe68f8a
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\4a124636-2e9f-42f3-b31c-d0198618c5c4
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\5402c834-2850-4cfa-ad82-a9f636aa9f00
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\6ef35703-672d-4872-a595-d8c7c0b4acf9
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\7b2bf729-3db5-4676-8b71-bf81a6ab2f15
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\80701829-8a9a-4173-9966-b35d5d52c3f7
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\876610ae-b105-41f7-a7ee-3e53b88a4105
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\8b2fbb1e-8f60-4fee-9b8d-bb4fe718ca52
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\9079e45b-3f6b-428b-893f-fa66b9aa0d6e
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\94315e3c-1df7-47d2-8bdf-d4d4e95a29c8
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\avgcchff.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\avgcchfi.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\avgcchmf.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\avgcchmi.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\b31e3848-b19d-44eb-a3ee-25e527ccce62
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\c4cdd877-c8f6-4979-8ffe-d166ec36b842
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\ce88195c-23cc-4722-9854-b9ec9d627b22
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\d5de61ef-301a-453c-a477-cd8d34f5458f
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\dfccaa4e-1c32-40af-a7c2-5c002e064b41
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\e2aafeab-9825-44d3-8200-14a2875acf54
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\f1aca6e3-9e47-4f7e-a75b-e3d16c988715
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\f420e71c-8df6-4ae6-a979-f33705ba6e4a
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\f9ddf513-7c25-4818-93b0-9c3e187ee0a9
    c:\documents and settings\All Users\Application Data\avg9\Chjw\1ec02b6fc02b4c79\ffb9d93f-a9ca-4a9f-8021-225fd713e39a
    c:\documents and settings\All Users\Application Data\avg9\Chjw\2264f55d64f5345f\21b193e8-eb0d-44ec-8d5f-bb622bc9719f
    c:\documents and settings\All Users\Application Data\avg9\Chjw\2264f55d64f5345f\92731220-1fdb-427c-9d6c-9e98ed53641a
    c:\documents and settings\All Users\Application Data\avg9\Chjw\2264f55d64f5345f\avgcchff.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\2264f55d64f5345f\avgcchfi.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\2264f55d64f5345f\avgcchmf.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\2264f55d64f5345f\avgcchmi.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\e98f07498f05c21\avgcchff.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\e98f07498f05c21\avgcchfi.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\e98f07498f05c21\avgcchmf.dat
    c:\documents and settings\All Users\Application Data\avg9\Chjw\e98f07498f05c21\avgcchmi.dat
    c:\documents and settings\All Users\Application Data\avg9\update\prepare\temp\cty.cty
    c:\documents and settings\Owner\Application Data\AVG9
    c:\documents and settings\Owner\Application Data\AVG9\cfgall\usergui.cfg
    c:\documents and settings\Owner\Local Settings\Application Data\ayxtkkxbq
    c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
    c:\windows\Jjuhezorijegoz.dat
    c:\windows\Wxokejupecejox.bin

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
    .

    2010-08-03 22:18 . 2010-08-03 22:18 -------- d-----w- c:\program files\Trend Micro
    2010-07-27 20:00 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-07-27 20:00 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-07-27 20:00 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-07-27 20:00 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-07-27 20:00 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-07-27 20:00 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-07-27 20:00 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-07-27 19:58 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
    2010-07-27 19:58 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
    2010-07-27 19:57 . 2010-07-27 19:57 -------- d-----w- c:\program files\Alwil Software
    2010-07-27 19:57 . 2010-07-27 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
    2010-07-27 02:47 . 2010-07-30 04:17 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-07-26 18:15 . 2010-07-26 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2010-07-26 18:14 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-07-26 18:14 . 2010-07-26 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-07-26 18:14 . 2010-07-26 18:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-26 18:14 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-07-26 16:04 . 2010-07-26 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-07-26 16:04 . 2010-07-26 16:06 -------- d-----w- c:\documents and settings\Owner\Application Data\DA05CBC7E6DD861713F3A89DFF40C5AF
    2010-07-20 18:29 . 2010-07-20 18:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2010-07-17 18:58 . 2010-06-14 14:30 743936 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2010-07-16 14:41 . 2009-01-07 18:46 200704 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\o4d46jqv.default\extensions\[email protected]\plugins\npImgCtl.dll
    2010-07-15 22:08 . 2006-10-06 14:35 90112 ----a-w- c:\windows\system32\lfjbg13n.dll
    2010-07-15 22:08 . 2006-10-06 14:35 246272 ----a-w- c:\windows\system32\lfj2k13n.dll
    2010-07-15 22:08 . 2010-07-15 22:08 -------- d-----w- c:\program files\MFInstall
    2010-07-14 15:52 . 2010-07-14 15:52 -------- d-----w- c:\program files\Citrix

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-09 00:41 . 2009-10-10 20:35 -------- d-----w- c:\program files\Common Files\Akamai
    2010-08-09 00:33 . 2008-10-02 01:18 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
    2010-08-09 00:13 . 2008-10-02 01:18 -------- d-----w- c:\program files\DNA
    2010-08-09 00:03 . 2009-03-23 23:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-08-06 15:37 . 2001-08-18 12:00 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2010-08-02 18:25 . 2009-06-04 22:34 -------- d-----w- c:\program files\Palm
    2010-07-27 00:54 . 2009-02-15 01:25 -------- d-----w- c:\program files\Creative
    2010-07-26 22:44 . 2008-10-02 01:18 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
    2010-07-26 21:48 . 2009-04-04 22:55 -------- d-----w- c:\program files\Windows Live
    2010-07-26 21:40 . 2008-10-02 02:01 -------- d-----w- c:\program files\Image-Line
    2010-07-26 18:47 . 2009-01-19 00:26 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-07-20 18:32 . 2009-01-09 20:11 -------- d-----w- c:\program files\QuickTime
    2010-07-02 16:43 . 2010-01-22 15:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Emig
    2010-06-29 18:08 . 2007-12-08 03:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Ivtiy
    2010-06-29 14:50 . 2010-01-15 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-06-14 14:30 . 2007-02-10 21:37 743936 ----a-w- c:\windows\PCHEALTH\HELPCTR\Binaries\helpsvc.exe
    2010-06-10 14:29 . 2010-03-25 00:55 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-05-25 21:17 . 2010-05-25 21:17 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-77efcc32-n\msvcr71.dll
    2010-05-25 21:17 . 2010-05-25 21:17 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-77efcc32-n\msvcp71.dll
    2010-05-25 21:17 . 2010-05-25 21:17 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-77efcc32-n\jmc.dll
    2010-05-22 16:09 . 2007-02-10 22:37 77560 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-05-15 22:00 . 2010-05-15 22:00 1956808 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
    2009-03-20 23:23 . 2009-03-20 23:23 279888 -c--a-w- c:\program files\npmusicn.dll
    2009-01-10 20:05 . 2009-01-10 20:05 54157776 -c--a-w- c:\program files\avg_free_stf_en_8_176a1400.exe
    2008-10-27 17:18 . 2008-10-27 17:06 27663880 -c--a-w- c:\program files\NN_drv_rub_w01_ENU.exe
    2008-10-06 18:02 . 2008-10-06 18:02 18657813 -c--a-w- c:\program files\PalmDesktopWin414EN.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-23 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
    "HotSync"="c:\program files\Palm\Hotsync.exe" [2008-01-03 1392640]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
    PowerReg Scheduler.exe [2008-10-20 251392]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2010-05-14 15:12 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1342:TCP"= 1342:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [07/27/2010 3:00 PM 165456]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 67656]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [08/18/2001 7:00 AM 14336]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07/27/2010 3:00 PM 17744]
    R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/27/2009 8:04 PM 30560]
    S2 gupdate1c9ac0bbc01d828;Google Update Service (gupdate1c9ac0bbc01d828);c:\program files\Google\Update\GoogleUpdate.exe [03/23/2009 6:04 PM 133104]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 12872]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

    2010-08-09 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 23:00]

    2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-23 23:03]

    2010-08-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-23 23:03]

    2010-08-09 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-02-11 15:04]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    uInternet Settings,ProxyOverride = <local>
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\o4d46jqv.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/evaluation/search/rating/task-edit?task=169832967|https://onlineserv.austincc.edu/Web...326011&CONSTITUENCY=WBST&TYPE=M&PID=CORE-WBST
    FF - prefs.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071701000002.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\o4d46jqv.default\extensions\[email protected]\plugins\npImgCtl.dll
    FF - plugin: c:\progra~1\Palm\PACKAG~1\NPInstal.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Java\jre6\bin\npdeploytk.dll
    FF - plugin: c:\program files\Java\jre6\bin\npjpi160_15.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101045100&s=);user_pref(general.useragent.extra.zencast, c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-08 19:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    @DACL=(02 0000)
    "Installed"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    @DACL=(02 0000)
    "Installed"="1"
    "NoChange"="1"
    @=""

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    @DACL=(02 0000)
    "Installed"="1"
    @=""
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(624)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-08-08 19:45:22
    ComboFix-quarantined-files.txt 2010-08-09 00:45
    ComboFix2.txt 2010-08-07 05:33

    Pre-Run: 21,222,862,848 bytes free
    Post-Run: 21,205,487,616 bytes free

    - - End Of File - - 74C9CE3ECA8AE8D0F71992A363731039
     
  10. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




    Please download Malwarebytes' Anti-Malware from Here

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






    Go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
     
  11. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4411

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    08/09/2010 11:02:53 AM
    mbam-log-2010-08-09 (11-02-53).txt

    Scan type: Quick scan
    Objects scanned: 139355
    Time elapsed: 10 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  12. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    I have tried to run Kaspersky 3 times and it goes for about 45 minutes and 21%, finds 1 threat and 1 infected file but then stops and does not give me a log. There may not be enough memory for me to run it.
     
  13. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    do this

    • Go here to run an online scanner from ESET.
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Check the next options: Remove found threats and Scan unwanted applications.
    • Click Scan
    • Wait for the scan to finish
    • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
    • Copy and paste that log as a reply to this topic
     
  14. rideswithchrist

    rideswithchrist Thread Starter

    Joined:
    Aug 3, 2010
    Messages:
    16
    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=ddaf587a6b9e7c4e9f1f5ee55e7f84fd
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-08-11 06:40:33
    # local_time=2010-08-11 01:40:33 (-0600, Central Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 588799 588799 0 0
    # compatibility_mode=768 16777215 100 0 1202061 1202061 0 0
    # compatibility_mode=1026 16777214 0 2 13768720 13768720 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=59562
    # found=22
    # cleaned=22
    # scan_time=2920
    C:\Qoobox\Quarantine\C\WINDOWS\system32\atjfrpbj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\bucpkpdd.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\pAbehkkj.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\pAbehkkj.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\pixhyafb.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rtDffMoq.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\rtDffMoq.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\sgkahroh.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\ukvuvmol.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\vrcvhbli.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\whfiomjp.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\WINDOWS\system32\yftjchle.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129700.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129701.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129702.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129703.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129704.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129705.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129706.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129707.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129708.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\System Volume Information\_restore{A429694C-5392-4167-B10B-BEFF58AFC555}\RP951\A0129709.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
     
  15. Rorschach112

    Rorschach112 Malware Specialist

    Joined:
    Oct 12, 2008
    Messages:
    2,392
    Your logs are clean


    Follow these steps to uninstall Combofix and tools used in the removal of malware

    Uninstall ComboFix

    Remove Combofix now that we're done with it.
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.


    • Download OTC to your desktop and run it
    • Click Yes to begin the Cleanup process and remove these components, including this application.
    • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.



    • Please read my guide on how to prevent malware and about safe computing here
    Thank you for your patience, and performing all of the procedures requested.
     
Short URL to this thread: https://techguy.org/940501