1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Protection System virus. help please! HJT log included

Discussion in 'Virus & Other Malware Removal' started by elle21, Aug 20, 2009.

Thread Status:
Not open for further replies.
Advertisement
  1. elle21

    elle21 Thread Starter

    Joined:
    Aug 29, 2007
    Messages:
    14
    i have a fake anti-virus called 'protection system' on my computer. I have run malware btyes and AVG software. I tried running ad-aware but it didn't to find anything. *when i downloaded malwarebytes and HJT i had to change both the file names before i could install them* Please help!!!

    ***did a scan this morning, new logs are at bottom of post***
    here is the log from malwarebytes

    Malwarebytes' Anti-Malware 1.40
    Database version: 2551
    Windows 5.1.2600 Service Pack 3

    8/20/2009 12:42:45 AM
    mbam-log-2009-08-20 (00-42-45).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 146971
    Time elapsed: 31 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    \\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    \\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

    and here is the HJT log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:39:51 AM, on 8/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscsvc32.exe
    C:\Program Files\Malwarebytes' Anti-Malware\click me.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\net1.exe
    C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Protection System\psystem.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\net1.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
    C:\Documents and Settings\Owner\Desktop\HJTInstall.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bcctoday.sunybroome.edu/cp/home/loginf
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\click me.exe" /runcleanupscript
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8231 bytes


    thank you in advance for any help!



    ************NEW LOGS***************

    Malwarebytes' Anti-Malware 1.40
    Database version: 2551
    Windows 5.1.2600 Service Pack 3

    8/20/2009 10:44:35 AM
    mbam-log-2009-08-20 (10-44-35).txt

    Scan type: Quick Scan
    Objects scanned: 97055
    Time elapsed: 5 minute(s), 18 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 14

    Memory Processes Infected:
    C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Unloaded process successfully.

    Memory Modules Infected:
    \\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

    Files Infected:
    \\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Program Files\Protection System\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Program Files\Protection System\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
    C:\Documents and Settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> Quarantined and deleted successfully.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:45:23 AM, on 8/20/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\Iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\net.exe
    C:\WINDOWS\system32\net1.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Malwarebytes' Anti-Malware\click me.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bcctoday.sunybroome.edu/cp/home/loginf
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\click me.exe" /runcleanupscript
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7774 bytes
     
  2. elle21

    elle21 Thread Starter

    Joined:
    Aug 29, 2007
    Messages:
    14
    * the 'protection system' virus has tried to uninstall AVG multiple times now. It also has pop ups every few mintues, either telling me that my computer is infected with a new virus, to buy a full version, that i need to scan, etc etc etc
     
  3. elle21

    elle21 Thread Starter

    Joined:
    Aug 29, 2007
    Messages:
    14
    i read in other posts to download rootrepeal.
    here is the log from that.
    please help!


    ==================================================
    Scan Start Time: 2009/08/20 15:06
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP Media Center Edition SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_iaStor.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
    Address: 0x96F59000 Size: 819200 File Visible: No Signed: -
    Status: -

    Name: icidpxsc.sys
    Image Path: C:\WINDOWS\system32\drivers\icidpxsc.sys
    Address: 0xA5E67000 Size: 61440 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0x95A92000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\WINDOWS\system32\uacinit.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACivssvtewux.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACixdqjbpjru.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACmosoxtbqlm.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACndtfwbuabm.dat
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\UACuybigieisx.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UAC421.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac5089.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac50ec.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac555c.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac584a.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac5b95.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac601a.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac63da.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac65c7.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UAC6740.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac6a1d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac6cdc.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac6ff9.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac747d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac8448.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac88e9.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacae60.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacb16e.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacb371.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UACb584.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacb5c3.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacb8e0.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacbede.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uaccdd4.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UACd11b.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd19d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd256.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd2bf.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd3fe.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd498.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd5f2.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UACd5fd.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd825.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd8a0.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacd965.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacdb22.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uace1c7.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uace3ca.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\UACf740.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacf758.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uac184f.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\uacce9d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\UACehrlovmpxi.sys
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\UACab2b.tmp
    Status: Invisible to the Windows API!

    Path: c:\documents and settings\owner\local settings\temp\fla19.tmp
    Status: Size mismatch (API: 21990841, Raw: 21401017)

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: UACixdqjbpjru.dll]
    Process: svchost.exe (PID: 1172) Address: 0x10000000 Size: 65536

    Object: Hidden Module [Name: UACivssvtewux.dll]
    Process: Explorer.EXE (PID: 2772) Address: 0x10000000 Size: 49152

    Hidden Services
    -------------------
    Service Name: UACd.sys
    Image Path: C:\WINDOWS\system32\drivers\UACehrlovmpxi.sys

    ==EOF==
     
  4. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Hello and welcome to TSG

    IMPORTANT

    Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
    To make cleaning this machine easier:-
    • Continue to respond to this thread until I give you the All Clean!
    • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
    • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
    • Please follow all instructions in the order posted.
    • If you have any questions or do not understand instructions, please ask before continuing.
    • Please reply to this thread. Do not start a new topic.

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

    NEXT Download and run Combofix
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Please download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop Please rename when saving to combo-fix (include the hyphen)

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • If you need help to disable your protection programs see here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    [​IMG]
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]
    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    If you need help, see this link:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please reply with:-
    • Combofix log
    • New HJT log
    • Uninstall list
     
  5. elle21

    elle21 Thread Starter

    Joined:
    Aug 29, 2007
    Messages:
    14
    ComboFix 09-08-22.06 - Owner 08/23/2009 22:42.1.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1607 [GMT -4:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\IEToolbar
    c:\windows\jnnmp1381.exe
    c:\windows\kqph00568.exe
    c:\windows\system32\drivers\UACehrlovmpxi.sys
    c:\windows\system32\images
    c:\windows\system32\images\i1.gif
    c:\windows\system32\images\i2.gif
    c:\windows\system32\images\i3.gif
    c:\windows\system32\images\j1.gif
    c:\windows\system32\images\j2.gif
    c:\windows\system32\images\j3.gif
    c:\windows\system32\images\jj1.gif
    c:\windows\system32\images\jj2.gif
    c:\windows\system32\images\jj3.gif
    c:\windows\system32\images\l1.gif
    c:\windows\system32\images\l2.gif
    c:\windows\system32\images\l3.gif
    c:\windows\system32\images\pix.gif
    c:\windows\system32\images\t1.gif
    c:\windows\system32\images\t2.gif
    c:\windows\system32\images\up1.gif
    c:\windows\system32\images\up2.gif
    c:\windows\system32\images\w1.gif
    c:\windows\system32\images\w11.gif
    c:\windows\system32\images\w2.gif
    c:\windows\system32\images\w3.gif
    c:\windows\system32\images\w3.jpg
    c:\windows\system32\images\wt1.gif
    c:\windows\system32\images\wt2.gif
    c:\windows\system32\images\wt3.gif
    c:\windows\system32\resdll.dll
    c:\windows\system32\UACivssvtewux.dll
    c:\windows\system32\UACixdqjbpjru.dll
    c:\windows\system32\UACmosoxtbqlm.dll
    c:\windows\system32\UACndtfwbuabm.dat
    c:\windows\system32\UACuybigieisx.dll
    c:\windows\system32\wscsvc32.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_UACd.sys
    -------\Legacy_UACd.sys


    ((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
    .

    2009-08-21 08:30 . 2009-08-24 02:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-08-21 08:29 . 2009-08-24 02:41 -------- d-----w- c:\program files\Spyware Doctor
    2009-08-20 19:04 . 2009-08-20 19:04 0 ----a-w- c:\documents and settings\Owner\settings.dat
    2009-08-20 05:39 . 2009-08-20 05:39 -------- d-----w- c:\program files\Trend Micro
    2009-08-20 05:12 . 2009-08-24 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-08-20 03:43 . 2009-08-20 03:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
    2009-08-20 03:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-20 03:22 . 2009-08-20 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-20 03:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-20 03:22 . 2009-08-20 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-20 02:45 . 2009-08-20 02:45 -------- d-----w- C:\_OTM
    2009-08-20 01:26 . 2009-08-20 01:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
    2009-08-12 17:10 . 2009-08-12 17:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-08-12 12:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
    2009-08-06 13:57 . 2009-08-06 13:57 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore
    2009-08-06 13:57 . 2009-08-06 13:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL OCP
    2009-08-06 13:57 . 2009-08-06 13:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
    2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\program files\Viewpoint
    2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
    2009-08-06 13:56 . 2009-08-06 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
    2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\program files\Common Files\AOL
    2009-08-06 13:55 . 2009-08-06 13:57 -------- d-----w- c:\program files\AIM6
    2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\system32\scripting
    2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\l2schemas
    2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\system32\en
    2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\system32\bits
    2009-08-06 06:46 . 2009-08-06 07:35 -------- d-----w- c:\windows\system32\NtmsData
    2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
    2009-08-04 04:40 . 2009-08-04 04:40 -------- d-----w- c:\windows\ServicePackFiles
    2009-08-04 04:35 . 2008-04-14 00:09 811064 -c----w- c:\windows\system32\dllcache\imjp81k.dll
    2009-08-04 01:23 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-08-04 01:23 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2009-08-04 01:23 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2009-08-04 01:23 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2009-08-04 01:23 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
    2009-08-04 01:23 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
    2009-08-04 01:23 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
    2009-08-04 01:23 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
    2009-08-01 20:44 . 2009-08-01 20:45 1962544 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
    2009-08-01 20:44 . 2009-08-03 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2009-08-01 20:44 . 2009-08-02 21:24 -------- d-----w- c:\program files\NOS
    2009-07-29 15:13 . 2009-08-21 08:51 -------- d-----w- c:\program files\Snood 4
    2009-07-28 15:03 . 2009-07-28 15:03 -------- d-----w- c:\program files\iPod
    2009-07-28 15:03 . 2009-07-28 15:03 -------- d-----w- c:\program files\iTunes
    2009-07-28 14:55 . 2009-07-28 14:55 75040 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
    2009-07-27 13:24 . 2006-10-26 23:56 32592 ------w- c:\windows\system32\msonpmon.dll
    2009-07-27 13:23 . 2009-07-27 13:23 -------- d-----w- c:\program files\Microsoft Works
    2009-07-27 13:23 . 2009-07-27 13:23 -------- d-----w- c:\program files\MSBuild
    2009-07-27 13:18 . 2009-07-27 13:22 -------- d-----w- c:\windows\SHELLNEW
    2009-07-27 13:18 . 2009-07-27 13:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help
    2009-07-27 13:18 . 2009-08-13 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-07-27 13:17 . 2009-07-27 13:17 -------- d--h--r- C:\MSOCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-21 08:45 . 2009-07-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-08-19 18:15 . 2009-07-06 18:14 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
    2009-08-10 18:30 . 2009-07-06 18:03 -------- d-----w- c:\program files\LimeWire
    2009-08-10 06:24 . 2009-07-02 00:55 74184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-06 07:48 . 2009-05-21 18:40 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
    2009-08-05 20:25 . 2009-07-02 14:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
    2009-08-05 20:24 . 2009-07-02 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
    2009-08-05 09:01 . 2009-08-04 04:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll
    2009-08-02 00:20 . 2009-07-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-08-01 13:18 . 2009-07-07 21:12 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-28 15:03 . 2009-07-02 14:08 -------- d-----w- c:\program files\Common Files\Apple
    2009-07-27 13:14 . 2009-07-15 19:42 -------- d-----w- c:\program files\OpenOffice.org 2.4
    2009-07-27 13:14 . 2009-07-15 20:16 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
    2009-07-23 21:13 . 2009-07-15 20:17 1 ------w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
    2009-07-17 19:01 . 2009-08-04 04:35 58880 ----a-w- c:\windows\system32\atl.dll
    2009-07-16 03:43 . 2009-07-16 03:43 -------- d-----w- c:\program files\Alarm Clock
    2009-07-13 14:08 . 2006-03-15 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
    2009-07-10 00:08 . 2009-07-02 20:37 335752 ------w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-07 16:33 . 2009-07-07 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
    2009-07-07 02:44 . 2009-07-07 20:55 937984 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\libs\PicLensHelper.exe
    2009-07-07 02:44 . 2009-07-07 20:55 65536 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\components\coolirisstub.dll
    2009-07-07 02:44 . 2009-07-07 20:55 106496 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
    2009-07-07 02:44 . 2009-07-07 20:55 103424 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\libs\pixomatic.dll
    2009-07-07 02:44 . 2009-07-07 20:55 4722688 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\libs\cooliris19.dll
    2009-07-07 02:44 . 2009-07-07 20:55 344064 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\libs\LaunchCooliris.exe
    2009-07-06 18:04 . 2009-07-06 18:04 410984 ------w- c:\windows\system32\deploytk.dll
    2009-07-06 18:04 . 2009-07-06 18:04 -------- d-----w- c:\program files\Java
    2009-07-06 18:04 . 2009-07-06 18:04 152576 ------w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
    2009-07-06 18:03 . 2009-07-06 18:03 -------- d-----w- c:\program files\Common Files\Adobe
    2009-07-04 07:26 . 2009-07-04 07:26 -------- d-----w- c:\documents and settings\Owner\Application Data\InterVideo
    2009-07-02 20:37 . 2009-07-02 20:37 11952 ------w- c:\windows\system32\avgrsstx.dll
    2009-07-02 20:37 . 2009-07-02 20:37 108552 ------w- c:\windows\system32\drivers\avgtdix.sys
    2009-07-02 20:37 . 2009-07-02 20:37 27784 ------w- c:\windows\system32\drivers\avgmfx86.sys
    2009-07-02 20:37 . 2009-07-02 20:37 -------- d-----w- c:\program files\AVG
    2009-07-02 15:43 . 2009-07-02 15:43 -------- d-----w- c:\program files\Stardock
    2009-07-02 15:43 . 2009-07-02 15:43 -------- d-----w- c:\program files\Common Files\Stardock
    2009-07-02 14:09 . 2009-07-02 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\program files\Bonjour
    2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\program files\QuickTime
    2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
    2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\program files\Apple Software Update
    2009-07-02 05:31 . 2009-07-02 05:31 0 ------w- c:\windows\nsreg.dat
    2009-07-01 02:19 . 2009-07-02 05:36 106496 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Plugins\npcoolirisplugin.dll
    2009-07-01 02:19 . 2009-07-02 05:36 65536 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\components\coolirisstub.dll
    2009-07-01 02:19 . 2009-07-02 05:36 4734976 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\libs\cooliris19.dll
    2009-06-29 16:12 . 2006-03-15 11:00 827392 ----a-w- c:\windows\system32\wininet.dll
    2009-06-29 16:12 . 2006-03-15 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-06-29 16:12 . 2006-03-15 11:00 17408 ------w- c:\windows\system32\corpol.dll
    2009-06-16 14:36 . 2009-08-04 04:35 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2009-08-04 04:35 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-14 20:07 . 2009-07-06 17:54 1004800 ------w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
    2009-06-12 12:31 . 2009-08-04 04:36 80896 ----a-w- c:\windows\system32\tlntsess.exe
    2009-06-12 12:31 . 2009-08-04 04:35 76288 ----a-w- c:\windows\system32\telnet.exe
    2009-06-10 14:13 . 2009-08-04 04:35 84992 ----a-w- c:\windows\system32\avifil32.dll
    2009-06-10 13:19 . 2009-08-04 04:36 2066432 ----a-w- c:\windows\system32\mstscax.dll
    2009-06-10 06:14 . 2009-08-04 04:35 132096 ----a-w- c:\windows\system32\wkssvc.dll
    2009-06-05 18:42 . 2009-07-02 14:08 39424 ------w- c:\windows\system32\drivers\usbaapl.sys
    2009-06-05 18:42 . 2009-07-02 14:08 2060288 ------w- c:\windows\system32\usbaaplrc.dll
    2009-06-03 19:09 . 2009-08-04 04:35 1291264 ------w- c:\windows\system32\quartz.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-06-26 14:36 1008896 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-06 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-06 114688]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-06 94208]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 136600]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
    "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-7-2 3450608]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-02 20:37 11952 ------w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2009 4:37 PM 335752]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/2/2009 4:37 PM 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2009 4:37 PM 907032]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2009 4:37 PM 298776]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/6/2009 9:56 AM 24652]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://bcctoday.sunybroome.edu/cp/home/loginf
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - facebook.com
    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\components\coolirisstub.dll
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\[email protected]\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npcoolirisplugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-23 22:46
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2009-08-24 22:48
    ComboFix-quarantined-files.txt 2009-08-24 02:48

    Pre-Run: 91,521,671,168 bytes free
    Post-Run: 92,464,025,600 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    345 --- E O F --- 2009-08-13 13:41
     
  6. elle21

    elle21 Thread Starter

    Joined:
    Aug 29, 2007
    Messages:
    14
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:52:27 PM, on 8/23/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bcctoday.sunybroome.edu/cp/home/loginf
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 6721 bytes
     
  7. elle21

    elle21 Thread Starter

    Joined:
    Aug 29, 2007
    Messages:
    14
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    AIM 6
    Alarm Clock v1.0
    Apple Mobile Device Support
    Apple Software Update
    AVG Free 8.5
    Bonjour
    Broadcom 802.11 Wireless LAN Adapter
    Conexant HD Audio
    HDAUDIO Soft Data Fax Modem with SmartCP
    HijackThis 2.0.2
    Hotfix for Windows XP (KB952287)
    HP Product Detection
    HP Quick Launch Buttons 6.30 J1
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections Drivers
    InterVideo WinDVD
    iTunes
    Java(TM) 6 Update 11
    LimeWire 5.2.13
    Malwarebytes' Anti-Malware
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.5.2)
    ObjectDock
    QuickTime
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Outlook 2007 Junk Email Filter (kb972691)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Media Player Firefox Plugin
    Windows XP Service Pack 3
     
  8. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,880
    Hi, How is the computer running now?


    Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present


    • R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    Once selected close all windows except HJT an click on Fix Checked


    Update Java Runtime

    You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.
    • Go to Java Site
    • Click to Download Java SE Runtime Environment (JRE) 6 Update 16
    • In Platform box choose Windows.
    • Check the box to Accept License Agreement and click Continue.
    • Click on Windows Offline Installation, click on the link under it which says "jre-6u16-windows-i586.exe" and save the downloaded file to your desktop.
    • Go to Start => Control Panel => Add or Remove Programs
    • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
    • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
    • Reboot your computer


    Kaspersky Online Scan
    Do an online scan with >Kaspersky Online Scanner<
    • Read through the requirements and privacy statement and click on Accept button
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
    • When the downloads have finished, click on Settings
    • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
        Archives
        Mail databases
    • Click on My Computer under Scan
    • Once the scan is complete, it will display the results. Click on View Scan Report
    • You will see a list of infected items there. Click on Save Report As...
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
    • Please post this log in your next reply

    Please reply with:-
    • Kaspersky report
    • New HJT log
    • Update on how things are going
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/853888

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice