PDA

View Full Version : It is antivirus2009 and spysweeper. Please help. Thanks


tiffanyle2000
2009-03-05, 23:18
It has a lot of popup windows, always start up with antivirus2009 and Spy Sweeper. It won't let me in this site (www.safer-networking.org) or trensecure site to download hijack....
Please help me. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:45 PM, on 3/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\U_C\Desktop\HJTInstall.exe
C:\Documents and Settings\U_C\Desktop\HJTInstall.exe
\Jqddjqdd\shareddocs\antivirus2009\HiJackThis.exe
C:\Documents and Settings\U_C\Desktop\HJTInstall.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {5e483ab6-da0c-285b-0434-7a4514f3d354} - {453d3f41-54a7-4340-b582-c0ad6ba384e5} - C:\WINDOWS\system32\mzjezf.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {fc7bfae2-c34a-4321-aa42-31760b97964b} - C:\WINDOWS\system32\yohilite.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [CPMd729a208] Rundll32.exe "c:\windows\system32\tojowebo.dll",a
O4 - HKLM\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [11285347122748501505870628541194] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\explorer32.exe"
O4 - HKUS\S-1-5-19\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wigegabiwi] Rundll32.exe "C:\WINDOWS\system32\pozimadu.dll",s (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: windows\system32\tojowebo.dll,c:\windows\system32\tojowebo.dll,C:\WINDOWS\system32\gebojele.dll,mzjezf.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tojowebo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tojowebo.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

--
End of file - 5488 bytes
peku006
2009-03-06, 17:46
Hello and Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
tiffanyle2000
2009-03-06, 21:00
I have to download the combofix program from another computer and copy to the infected computer. Placed the Combofix icon on the desktop. Double click the combofix icon, it tell me to run the program. Then I hit the Run button, it has no action. The first combofix window not showed.
This is same thing when I do the hijack download too (I down load the third link download hijacthis executable. So I can run the hijack using the executable hijack).
What can I do now?
The infected computer won't let me go in the bleepingcomputer website (when I type www.bleepingcomputer.com the ie show me the "The page cannot be display). This is same problem with your website www.safer-networking.org and trendsecure.com.
peku006
2009-03-06, 21:30
Hi
Let´s try this....
If you have a previous version of Combofix.exe, delete it

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
tiffanyle2000
2009-03-07, 01:01
ComboFix 09-03-04.01 - U_C 2009-03-06 14:48:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.735 [GMT -8:00]
Running from: c:\documents and settings\U_C\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\U_C\LOCALS~1\Temp\tmp1.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\U_C\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
c:\windows\IE4 Error Log.txt
c:\windows\system32\bohotute.dll
c:\windows\system32\butazaji.dll
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\ekahaluh.ini
c:\windows\system32\elepaleg.ini
c:\windows\system32\gebojele.dll
c:\windows\system32\hejitavo.dll
c:\windows\system32\holiwaga.dll
c:\windows\system32\ivahalak.ini
c:\windows\system32\kalahavi.dll
c:\windows\system32\kobitaka.dll
c:\windows\system32\lewiyidi.dll
c:\windows\system32\mesekaho.dll
c:\windows\system32\milokira.dll
c:\windows\system32\mzjezf.dll
c:\windows\system32\namogizu.dll
c:\windows\system32\nezovefo.dll
c:\windows\system32\nojalite.dll
c:\windows\system32\nonabefa.dll
c:\windows\system32\odisinad.ini
c:\windows\system32\ogayotez.ini
c:\windows\system32\opikumon.ini
c:\windows\system32\ovatijeh.ini
c:\windows\system32\pozimadu.dll
c:\windows\system32\sirifiwi.dll
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\tojowebo.dll
c:\windows\system32\umeyanol.ini
c:\windows\system32\unojitef.ini
c:\windows\system32\usajuhig.ini
c:\windows\system32\vomuganu.dll
c:\windows\system32\weluyiki.dll
c:\windows\system32\wumoyuvo.dll
c:\windows\system32\yohilite.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys
-------\Legacy_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-05 18:44 . 2009-03-06 12:05 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-05 18:25 . 2009-03-05 18:25 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-05 18:25 . 2009-03-05 18:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-05 18:25 . 2009-03-05 18:25 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-05 18:25 . 2009-03-05 18:25 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-05 14:01 . 2009-03-05 21:14 1,406 --a------ c:\windows\SysMech6.INI
2009-03-05 13:18 . 2009-03-05 13:18 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2009-03-05 13:07 . 2005-10-24 17:07 41,472 --a------ c:\windows\system32\iolobtdfg.exe
2009-03-05 13:07 . 2005-09-12 20:20 25,264 --a------ c:\windows\system32\smrgdf.exe
2009-03-05 13:06 . 2009-03-05 13:06 <DIR> d-------- c:\program files\iolo
2009-03-05 13:06 . 2006-02-02 18:42 1,211,904 --a------ c:\windows\system32\Incinerator.dll
2009-03-05 10:52 . 2009-03-05 10:52 <DIR> d-------- c:\program files\AVG
2009-03-05 10:52 . 2009-03-05 10:57 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_2
2009-03-05 10:52 . 2009-03-05 10:52 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_1
2009-03-05 10:35 . 2009-03-05 10:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\rimuwuka.dll
2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\mibevilo.dll
2009-03-04 21:40 . 2009-03-04 21:40 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup
2009-03-04 20:28 . 2009-03-04 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Prism
2009-03-04 20:27 . 2009-03-04 20:42 <DIR> d-------- c:\program files\Dell Wireless
2009-03-04 20:27 . 2004-08-31 11:53 1,364,036 -ra------ c:\windows\system32\PRISME5.dll
2009-03-04 20:27 . 2004-10-04 14:05 405,593 --a------ c:\windows\system32\PRISMAPI.dll
2009-03-04 20:27 . 2004-10-04 14:10 327,769 --a------ c:\windows\system32\PRISMSVR.exe
2009-03-04 20:27 . 2004-10-04 14:12 57,344 --a------ c:\windows\system32\PRISMSVC.exe
2009-03-04 20:27 . 2004-09-01 14:39 16,979 --a------ c:\windows\system32\drivers\AEGISP.sys
2009-03-04 19:52 . 2004-09-26 19:42 345,184 --a------ c:\windows\system32\drivers\PRISMA02.sys
2009-03-04 19:52 . 2004-08-18 11:01 49,152 --a------ c:\windows\system32\CoPrism.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 04:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-06 17:29 87,605 ------w c:\windows\system32\lonayemu.dll
2008-09-06 17:29 63,029 --sha-w c:\windows\system32\hupabubi.dll
2008-09-06 17:29 11,264 --sha-w c:\windows\system32\suhahebu.dll
2008-09-06 17:29 63,029 --sha-w c:\windows\system32\tesifoti.dll
2008-09-06 17:29 63,029 --sha-w c:\windows\system32\tukejavi.dll
2008-11-19 20:52 608 --sha-w c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-02-02 578048]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2008-01-10 53248]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-08-31 36864]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 4865600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-05 1261336]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]

c:\documents and settings\U_C\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-03-04 917611]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\HP\\hp laserjet m1522\\Fax Config utility1.exe"=
"c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Combo-Fix\\NirCmd.cfexe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-05 231704]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2008-11-19 20504]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2008-11-13 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2008-11-13 73856]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2009-03-04 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c78e50d-b1d9-11dd-afd0-0013204ee5da}]
\Shell\AutoRun\command - i:\win\setup.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{453d3f41-54a7-4340-b582-c0ad6ba384e5} - c:\windows\system32\mzjezf.dll
BHO-{fc7bfae2-c34a-4321-aa42-31760b97964b} - c:\windows\system32\yohilite.dll
WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
HKLM-Run-d41a9194 - c:\windows\system32\zetoyago.dll
SharedTaskScheduler-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sirifiwi.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - c:\program files\ClickClean\ClickClean.exe
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 14:53:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\WRLogonNTF.dll
c:\windows\system32\PRISMAPI.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PRISMSVR.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-06 14:54:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-06 22:54:32

Pre-Run: 203,207,286,784 bytes free
Post-Run: 203,121,442,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

207


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:15 PM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ToolBoxFX] "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

--
End of file - 4907 bytes
peku006
2009-03-07, 10:16
Hi tiffanyle2000

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:



File::
c:\windows\system32\rimuwuka.dll
c:\windows\system32\lonayemu.dll
c:\windows\system32\hupabubi.dll
c:\windows\system32\suhahebu.dll
c:\windows\system32\tesifoti.dll
c:\windows\system32\tukejavi.dll



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the Malwarebytes' Anti-Malware Log
3. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006
tiffanyle2000
2009-03-07, 23:02
ComboFix 09-03-04.01 - U_C 2009-03-07 12:18:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.568 [GMT -8:00]
Running from: c:\documents and settings\U_C\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\U_C\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\hupabubi.dll
c:\windows\system32\lonayemu.dll
c:\windows\system32\rimuwuka.dll
c:\windows\system32\suhahebu.dll
c:\windows\system32\tesifoti.dll
c:\windows\system32\tukejavi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\rimuwuka.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-06 20:46 . 2009-03-06 20:46 <DIR> d-------- c:\program files\Windows Installer Clean Up
2009-03-06 20:45 . 2009-03-06 20:47 <DIR> d-------- c:\program files\MSECACHE
2009-03-06 19:43 . 2009-03-06 19:43 <DIR> d-------- c:\program files\CONEXANT
2009-03-06 19:39 . 2009-03-06 19:39 <DIR> d-------- c:\windows\Downloaded Installations
2009-03-06 19:39 . 2009-03-06 19:39 <DIR> d-------- c:\program files\eMachines Bay Reader
2009-03-06 17:35 . 2009-03-06 17:35 <DIR> d-------- c:\program files\Western Digital Technologies
2009-03-06 16:36 . 2009-03-06 16:36 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-06 16:15 . 2009-03-06 17:05 <DIR> d-------- c:\windows\system32\NtmsData
2009-03-06 16:03 . 2009-03-06 16:24 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-06 15:57 . 2009-03-06 15:57 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-06 15:56 . 2008-08-14 02:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-06 15:56 . 2008-08-14 01:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-06 15:56 . 2008-08-14 01:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-06 15:56 . 2008-08-14 01:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-06 15:44 . 2009-03-06 16:45 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-06 15:39 . 2008-10-24 03:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-06 14:59 . 2009-03-06 14:59 <DIR> d-------- c:\program files\Trend Micro
2009-03-05 18:44 . 2009-03-07 12:18 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-05 18:25 . 2009-03-06 15:11 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-05 18:25 . 2009-03-06 16:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-05 18:25 . 2009-03-06 16:36 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-05 14:01 . 2009-03-06 19:10 1,696 --a------ c:\windows\SysMech6.INI
2009-03-05 13:18 . 2009-03-05 13:18 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2009-03-05 13:07 . 2005-10-24 17:07 41,472 --a------ c:\windows\system32\iolobtdfg.exe
2009-03-05 13:07 . 2005-09-12 20:20 25,264 --a------ c:\windows\system32\smrgdf.exe
2009-03-05 13:06 . 2009-03-05 13:06 <DIR> d-------- c:\program files\iolo
2009-03-05 13:06 . 2006-02-02 18:42 1,211,904 --a------ c:\windows\system32\Incinerator.dll
2009-03-05 10:52 . 2009-03-05 10:52 <DIR> d-------- c:\program files\AVG
2009-03-05 10:52 . 2009-03-05 10:57 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_2
2009-03-05 10:52 . 2009-03-05 10:52 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup_1
2009-03-05 10:35 . 2009-03-05 10:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-03-05 10:30 . 2009-03-05 10:30 2,098 ---hs---- c:\windows\system32\mibevilo.dll
2009-03-04 21:40 . 2009-03-04 21:40 10,520 --------- c:\windows\system32\avgrsstx.dll.install_backup
2009-03-04 20:28 . 2009-03-04 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Prism
2009-03-04 20:27 . 2009-03-04 20:42 <DIR> d-------- c:\program files\Dell Wireless
2009-03-04 20:27 . 2004-08-31 11:53 1,364,036 -ra------ c:\windows\system32\PRISME5.dll
2009-03-04 20:27 . 2004-10-04 14:05 405,593 --a------ c:\windows\system32\PRISMAPI.dll
2009-03-04 20:27 . 2004-10-04 14:10 327,769 --a------ c:\windows\system32\PRISMSVR.exe
2009-03-04 20:27 . 2004-10-04 14:12 57,344 --a------ c:\windows\system32\PRISMSVC.exe
2009-03-04 20:27 . 2004-09-01 14:39 16,979 --a------ c:\windows\system32\drivers\AEGISP.sys
2009-03-04 19:52 . 2004-09-26 19:42 345,184 --a------ c:\windows\system32\drivers\PRISMA02.sys
2009-03-04 19:52 . 2004-08-18 11:01 49,152 --a------ c:\windows\system32\CoPrism.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 03:39 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-07 00:13 --------- d-----w c:\program files\HP
2009-03-05 04:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-19 20:52 608 --sha-w c:\windows\system32\winzvprt5.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-06_14.54.02.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-19 20:53:38 10,752 ------w c:\windows\assembly\temp\N14NSZ39TT\interop.hpqusg.dll
+ 2008-06-13 13:10:50 272,128 ------w c:\windows\Driver Cache\i386\bthport.sys
+ 2008-10-24 11:10:42 453,632 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-08-14 09:58:27 2,136,064 ------w c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-08-14 09:22:13 2,057,728 ------w c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-08-14 09:22:14 2,015,744 ------w c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-08-14 10:00:45 2,180,352 ------w c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-03-07 03:39:12 25,214 ----a-r c:\windows\Installer\{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}\ARPPRODUCTICON.exe
+ 2009-03-06 23:57:41 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2004-08-03 22:56:42 100,352 ----a-w c:\windows\system32\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 ----a-w c:\windows\system32\6to4svc.dll
- 2004-08-03 22:56:42 1,016,832 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 ----a-w c:\windows\system32\browseui.dll
- 2004-08-03 22:56:42 150,528 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:37:02 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2004-08-03 22:56:42 1,053,696 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:37:02 1,054,208 ----a-w c:\windows\system32\danim.dll
+ 2003-12-24 21:45:30 221,184 ----a-w c:\windows\system32\diconxp.dll
- 2004-08-03 22:56:42 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
+ 2006-08-16 11:58:05 100,352 -c--a-w c:\windows\system32\dllcache\6to4svc.dll
- 2004-08-03 21:14:16 138,496 -c--a-w c:\windows\system32\dllcache\afd.sys
+ 2008-08-14 09:51:43 138,368 -c--a-w c:\windows\system32\dllcache\afd.sys
- 2004-08-03 22:56:42 1,016,832 -c--a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:37:04 1,023,488 -c--a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-06-13 13:10:50 272,128 -c----w c:\windows\system32\dllcache\bthport.sys
- 2004-08-03 22:56:42 150,528 -c--a-w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:37:02 151,040 -c--a-w c:\windows\system32\dllcache\cdfview.dll
- 2004-08-03 22:56:42 1,053,696 -c--a-w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:37:02 1,054,208 -c--a-w c:\windows\system32\dllcache\danim.dll
- 2004-08-03 22:56:44 148,480 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
+ 2008-06-21 07:11:12 148,992 -c--a-w c:\windows\system32\dllcache\dnsapi.dll
- 2004-08-03 22:56:44 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-03 22:56:44 201,728 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-03 22:56:44 243,200 -c--a-w c:\windows\system32\dllcache\es.dll
+ 2008-07-07 20:32:22 253,952 -c--a-w c:\windows\system32\dllcache\es.dll
- 2004-08-03 22:56:44 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:37:02 55,808 -c--a-w c:\windows\system32\dllcache\extmgr.dll
- 2004-08-03 22:56:44 278,016 -c--a-w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 -c--a-w c:\windows\system32\dllcache\gdi32.dll
- 2004-08-03 22:56:52 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 09:45:01 18,432 -c--a-w c:\windows\system32\dllcache\iedw.exe
- 2004-08-03 22:56:44 249,344 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:37:02 251,392 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2004-08-03 22:56:44 678,400 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 -c--a-w c:\windows\system32\dllcache\inetcomm.dll
- 2004-08-03 22:56:44 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:37:02 96,256 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2004-08-03 22:56:44 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
+ 2007-12-18 14:40:58 450,560 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2004-08-03 22:56:44 15,872 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-03 22:56:52 103,936 -c--a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-10 09:31:06 103,936 -c--a-w c:\windows\system32\dllcache\logagent.exe
- 2004-08-03 22:56:44 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
+ 2008-05-01 14:30:33 331,776 -c--a-w c:\windows\system32\dllcache\msadce.dll
- 2004-08-03 22:56:44 73,728 -c--a-w c:\windows\system32\dllcache\mscms.dll
+ 2008-06-24 16:23:05 74,240 -c--a-w c:\windows\system32\dllcache\mscms.dll
- 2004-08-03 22:56:44 3,003,392 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2004-08-03 22:56:44 448,512 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-03 22:56:44 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:37:02 146,432 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2004-08-03 22:56:44 530,432 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:37:02 532,480 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2004-08-03 22:56:46 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w c:\windows\system32\dllcache\mswsock.dll
- 2004-08-03 22:56:46 1,236,480 -c--a-w c:\windows\system32\dllcache\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 -c--a-w c:\windows\system32\dllcache\msxml3.dll
- 2004-08-03 22:56:46 332,288 -c--a-w c:\windows\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 -c--a-w c:\windows\system32\dllcache\netapi32.dll
- 2004-08-03 22:56:46 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2004-08-03 22:56:46 1,287,680 -c--a-w c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 -c--a-w c:\windows\system32\dllcache\quartz.dll
- 2001-08-23 12:00:00 200,064 -c--a-w c:\windows\system32\dllcache\rmcast.sys
+ 2008-05-08 12:28:49 202,752 -c--a-w c:\windows\system32\dllcache\rmcast.sys
- 2004-08-03 22:56:46 1,483,264 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 -c--a-w c:\windows\system32\dllcache\shdocvw.dll
- 2004-08-03 22:56:46 8,384,000 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 -c--a-w c:\windows\system32\dllcache\shell32.dll
- 2004-08-03 22:56:46 473,600 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 -c--a-w c:\windows\system32\dllcache\shlwapi.dll
- 2004-08-03 21:14:46 336,256 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2004-08-03 22:56:46 246,302 -c--a-w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 -c--a-w c:\windows\system32\dllcache\strmdll.dll
- 2004-08-03 21:14:42 359,040 -c--a-w c:\windows\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w c:\windows\system32\dllcache\tcpip.sys
- 2004-08-03 21:07:46 223,616 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
+ 2008-06-20 23:22:08 225,920 -c--a-w c:\windows\system32\dllcache\tcpip6.sys
- 2004-08-03 22:56:48 601,088 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:37:04 615,936 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2004-08-03 22:56:48 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
+ 2007-12-18 14:40:58 417,792 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2004-08-03 21:17:42 1,835,904 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2004-08-03 22:56:48 656,384 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:37:03 659,456 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2004-08-03 22:56:48 1,050,624 -c--a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-11 02:18:18 1,053,696 -c--a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2004-08-03 22:57:04 2,105,344 -c--a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-11-08 02:32:20 2,109,440 -c--a-w c:\windows\system32\dllcache\WMVCore.dll
- 2004-08-03 22:56:44 148,480 ----a-w c:\windows\system32\dnsapi.dll
+ 2008-06-21 07:11:12 148,992 ----a-w c:\windows\system32\dnsapi.dll
- 2004-08-03 21:14:16 138,496 ----a-w c:\windows\system32\drivers\afd.sys
+ 2008-08-14 09:51:43 138,368 ----a-w c:\windows\system32\drivers\afd.sys
- 2009-03-06 02:25:44 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2009-03-07 00:36:48 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2008-06-13 13:10:50 272,128 ------w c:\windows\system32\drivers\bthport.sys
+ 2005-07-22 19:01:00 717,952 ----a-w c:\windows\system32\drivers\HSF_CNXT.sys
+ 2005-07-22 19:02:12 1,035,008 ----a-w c:\windows\system32\drivers\HSF_DPV.sys
+ 2005-07-22 19:01:10 231,168 ----a-w c:\windows\system32\drivers\HSFHWBS2.sys
+ 2005-10-05 23:57:08 12,544 ----a-w c:\windows\system32\drivers\mdmxsdk.sys
- 2004-08-03 21:15:18 451,456 ----a-w c:\windows\system32\drivers\mrxsmb.sys
+ 2008-10-24 11:10:42 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
- 2001-08-23 12:00:00 200,064 ----a-w c:\windows\system32\drivers\RMCast.sys
+ 2008-05-08 12:28:49 202,752 ----a-w c:\windows\system32\drivers\rmcast.sys
- 2004-08-03 21:14:46 336,256 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys
+ 2004-03-22 19:01:38 40,564 ----a-w c:\windows\system32\drivers\Sunkfilt.sys
+ 2004-03-22 19:27:20 42,936 ----a-w c:\windows\system32\drivers\Sunkfilt39.sys
- 2004-08-03 21:14:42 359,040 ----a-w c:\windows\system32\drivers\tcpip.sys
+ 2008-06-20 10:45:13 360,320 ----a-w c:\windows\system32\drivers\tcpip.sys
- 2004-08-03 21:07:46 223,616 ----a-w c:\windows\system32\drivers\tcpip6.sys
+ 2008-06-20 23:22:08 225,920 ----a-w c:\windows\system32\drivers\tcpip6.sys
- 2004-08-03 22:56:44 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:37:02 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2004-08-03 22:56:44 201,728 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:37:02 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2004-08-03 22:56:44 243,200 ----a-w c:\windows\system32\es.dll
+ 2008-07-07 20:32:22 253,952 ----a-w c:\windows\system32\es.dll
- 2004-08-03 22:56:44 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:37:02 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-11-19 20:54:58 321,136 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-07 00:01:06 321,136 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2004-08-03 22:56:44 278,016 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
+ 2003-12-25 00:10:08 139,264 ----a-w c:\windows\system32\hpicon.dll
- 2004-08-03 22:56:44 249,344 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:37:02 251,392 ----a-w c:\windows\system32\iepeers.dll
- 2004-08-03 22:56:44 678,400 ----a-w c:\windows\system32\inetcomm.dll
+ 2008-04-11 18:50:43 683,520 ----a-w c:\windows\system32\inetcomm.dll
- 2004-08-03 22:56:44 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:37:02 96,256 ----a-w c:\windows\system32\inseng.dll
- 2004-08-03 22:56:44 450,560 ----a-w c:\windows\system32\jscript.dll
+ 2007-12-18 14:40:58 450,560 ----a-w c:\windows\system32\jscript.dll
- 2004-08-03 22:56:44 15,872 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:37:03 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2003-12-03 22:51:28 61,440 ----a-w c:\windows\system32\ldamfilt.dll
+ 2004-01-18 04:31:04 49,152 ----a-w c:\windows\system32\ldamfilt39.dll
- 2004-08-03 22:56:52 103,936 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-10 09:31:06 103,936 ----a-w c:\windows\system32\logagent.exe
+ 2005-10-05 23:56:44 86,016 ----a-w c:\windows\system32\mdmxsdk.dll
- 2004-08-03 22:56:44 73,728 ----a-w c:\windows\system32\mscms.dll
+ 2008-06-24 16:23:05 74,240 ----a-w c:\windows\system32\mscms.dll
- 2004-08-03 22:56:44 3,003,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:33:23 3,060,224 ----a-w c:\windows\system32\mshtml.dll
- 2004-08-03 22:56:44 448,512 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:37:03 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2004-08-03 22:56:44 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:37:02 146,432 ----a-w c:\windows\system32\msrating.dll
- 2004-08-03 22:56:44 530,432 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:37:02 532,480 ----a-w c:\windows\system32\mstime.dll
- 2004-08-03 22:56:46 245,248 ----a-w c:\windows\system32\mswsock.dll
+ 2008-06-20 17:41:10 245,248 ----a-w c:\windows\system32\mswsock.dll
- 2005-01-25 16:33:00 1,049,088 ----a-w c:\windows\system32\msxml3.dll
+ 2008-09-04 16:42:02 1,106,944 ----a-w c:\windows\system32\msxml3.dll
- 2008-01-29 19:32:44 1,230,336 ----a-w c:\windows\system32\msxml4.dll
+ 2008-10-01 00:43:34 1,286,152 ----a-w c:\windows\system32\msxml4.dll
- 2004-08-03 22:56:46 332,288 ----a-w c:\windows\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w c:\windows\system32\netapi32.dll
- 2004-08-03 23:05:44 2,015,232 ----a-w c:\windows\system32\ntkrnlpa.exe
+ 2008-08-14 09:22:14 2,015,744 ----a-w c:\windows\system32\ntkrnlpa.exe
- 2004-08-03 21:18:32 2,148,352 ----a-w c:\windows\system32\ntoskrnl.exe
+ 2008-08-14 09:58:27 2,136,064 ----a-w c:\windows\system32\ntoskrnl.exe
- 2009-03-05 04:40:16 58,596 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-07 04:40:56 58,596 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-05 04:40:16 392,296 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-07 04:40:56 392,296 ----a-w c:\windows\system32\perfh009.dat
- 2004-08-03 22:56:46 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:37:02 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2004-08-03 22:56:46 1,287,680 ----a-w c:\windows\system32\quartz.dll
+ 2008-05-07 05:18:48 1,287,680 ----a-w c:\windows\system32\quartz.dll
- 2004-08-03 22:56:46 1,483,264 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:37:03 1,494,528 ----a-w c:\windows\system32\shdocvw.dll
- 2004-08-03 22:56:46 8,384,000 ----a-w c:\windows\system32\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 ----a-w c:\windows\system32\shell32.dll
- 2004-08-03 22:56:46 473,600 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:37:03 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2005-05-04 22:45:26 13,536 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2004-11-18 18:42:52 22,752 ----a-w c:\windows\system32\spupdsvc.exe
+ 2005-02-25 03:35:05 22,752 ----a-w c:\windows\system32\spupdsvc.exe
- 2004-08-03 22:56:46 246,302 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-22 09:47:07 62,976 ------w c:\windows\system32\tzchange.exe
+ 2005-11-16 23:41:26 114,688 ----a-w c:\windows\system32\uci32103.dll
- 2004-08-03 22:56:48 601,088 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:37:04 615,936 ----a-w c:\windows\system32\urlmon.dll
- 2004-08-03 22:56:48 417,792 ----a-w c:\windows\system32\vbscript.dll
+ 2007-12-18 14:40:58 417,792 ----a-w c:\windows\system32\vbscript.dll
- 2004-08-03 21:17:42 1,835,904 ----a-w c:\windows\system32\win32k.sys
+ 2008-09-15 11:57:41 1,846,016 ----a-w c:\windows\system32\win32k.sys
- 2004-08-03 22:56:48 656,384 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:37:03 659,456 ----a-w c:\windows\system32\wininet.dll
- 2004-08-03 22:56:48 1,050,624 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-11 02:18:18 1,053,696 ----a-w c:\windows\system32\WMNetmgr.dll
- 2004-08-03 22:57:04 2,105,344 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-11-08 02:32:20 2,109,440 ----a-w c:\windows\system32\WMVCore.dll
+ 2008-10-15 14:00:41 351,744 ------w c:\windows\system32\xpsp3res.dll
+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
+ 2008-04-15 17:54:19 1,724,416 ----a-w c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.3352_x-ww_81af8e88\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"SMSystemAnalyzer"="c:\program files\iolo\System Mechanic 6\SMSystemAnalyzer.exe" [2006-02-02 578048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-06 1601304]
"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-11 135168]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]

c:\documents and settings\U_C\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless USB 2.0 WLAN Card Utility.lnk - c:\program files\Dell Wireless\PRISMCFG.exe [2009-03-04 917611]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-06 16:36 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 6

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ cli

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell Wireless\\PRISMCFG.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Combo-Fix\\NirCmd.cfexe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-05 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-06 298264]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2008-11-19 20504]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\drivers\swnc8u56.sys [2008-11-13 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\drivers\swumx56.sys [2008-11-13 73856]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2009-03-04 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c78e50d-b1d9-11dd-afd0-0013204ee5da}]
\Shell\AutoRun\command - i:\win\setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - c:\program files\ClickClean\ClickClean.exe
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 12:21:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\PRISMAPI.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\PRISMSVR.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-07 12:23:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-07 20:22:59
ComboFix2.txt 2009-03-06 22:54:36

Pre-Run: 201,641,529,344 bytes free
Post-Run: 201,618,440,192 bytes free

375 --- E O F --- 2009-03-07 00:45:58

--------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/7/2009 12:56:16 PM
mbam-log-2009-03-07 (12-56-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 87591
Time elapsed: 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\mibevilo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

-------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:22 PM, on 3/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

--
End of file - 4653 bytes
tiffanyle2000
2009-03-07, 23:33
After previous fix, my computer look very good. However, while I browsing internet, my computer is infected again with antivirus XP pro. There is a icon on the bottom right notification area. The icon is red base round with a white X in the middle. When I click it, it show me the website of antivirus XP Pro. My screen turn black with the following notes in the center of the screen:
Dangerous Spyware
Many viruses were found on your computer such as: Trojan horse, PassCapture, ect.
Your personal information can fall in the "third hands".
Please check up the computer with a special software.
Thanks"

This is the latest hijackthis log after infected by antivirus XP Pro.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:32 PM, on 3/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

--
End of file - 4822 bytes
peku006
2009-03-08, 12:21
Hi tiffanyle2000

1 - Run Malwarebytes' Anti-Malware


Open Malwarebytes' Anti-Malware
Select the Update tab
Click Check for Updates
After the update have been completed, Select the Scanner tab.


Make sure the "Perform full scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
The log can also be found here:

C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - download and run RSIT

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt<- (will be maximized) and info.txt<- (will be minimized)

3 - Status Check
Please reply with

1.the logs from RSIT (log.txt ,info.txt)
2. the Malwarebytes' Anti-Malware Log

Thanks peku006
tiffanyle2000
2009-03-08, 21:25
Logfile of random's system information tool 1.05 (written by random/random)
Run by U_C at 2009-03-08 12:19:18
Microsoft Windows XP Professional Service Pack 2
System drive C: has 192 GB (96%) free of 200 GB
Total RAM: 1014 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:24 PM, on 3/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\U_C\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\U_C.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

--
End of file - 4569 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-03-06 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"=C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-07-25 90112]
"AlcWzrd"=C:\WINDOWS\ALCWZRD.EXE [2005-07-25 2806272]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-03-06 1601304]
"SunKistEM"=C:\Program Files\eMachines Bay Reader\shwiconem.exe [2004-03-11 135168]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]
"SMSystemAnalyzer"=C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe [2006-02-02 578048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless USB 2.0 WLAN Card Utility.lnk - C:\Program Files\Dell Wireless\PRISMCFG.exe

C:\Documents and Settings\U_C\Start Menu\Programs\Startup
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-03-06 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=cli

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Dell Wireless\PRISMCFG.exe"="C:\Program Files\Dell Wireless\PRISMCFG.exe:*:Enabled:PRISMCFG"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Combo-Fix\NirCmd.cfexe"="C:\Combo-Fix\NirCmd.cfexe:*:Enabled:NirCmd"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c78e50d-b1d9-11dd-afd0-0013204ee5da}]
shell\AutoRun\command - I:\WIN\setup.exe


======File associations======

.js - open - NOTEPAD.EXE %1
.vbs - open - NOTEPAD.EXE %1

======List of files/folders created in the last 1 months======

2009-03-08 12:19:18 ----D---- C:\rsit
2009-03-07 16:36:00 ----D---- C:\Program Files\SpywareDetector
2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\ztvunrar36.dll
2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\ztvunace26.dll
2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\ztvcabinet.dll
2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\unrar3.dll
2009-03-07 15:46:10 ----A---- C:\WINDOWS\system32\unacev2.dll
2009-03-07 15:46:08 ----D---- C:\Documents and Settings\U_C\Application Data\Simply Super Software
2009-03-07 15:46:08 ----D---- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2009-03-07 15:37:53 ----D---- C:\WINDOWS\Minidump
2009-03-07 14:21:01 ----SHD---- C:\RECYCLER
2009-03-07 13:32:28 ----D---- C:\Documents and Settings\U_C\Application Data\Malwarebytes
2009-03-07 13:32:24 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-07 13:32:24 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-07 13:23:04 ----D---- C:\WINDOWS\temp
2009-03-07 13:23:03 ----A---- C:\ComboFix.txt
2009-03-06 21:46:16 ----D---- C:\Program Files\Windows Installer Clean Up
2009-03-06 21:45:57 ----D---- C:\Program Files\MSECACHE
2009-03-06 20:43:54 ----D---- C:\Program Files\CONEXANT
2009-03-06 20:39:12 ----D---- C:\Program Files\eMachines Bay Reader
2009-03-06 20:39:03 ----D---- C:\WINDOWS\Downloaded Installations
2009-03-06 18:35:25 ----D---- C:\Program Files\Western Digital Technologies
2009-03-06 17:45:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2009-03-06 17:45:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2009-03-06 17:45:44 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2009-03-06 17:45:37 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2009-03-06 17:45:32 ----HDC---- C:\WINDOWS\$NtUninstallKB935448$
2009-03-06 17:45:24 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2009-03-06 17:45:09 ----HDC---- C:\WINDOWS\$NtUninstallKB958215$
2009-03-06 17:44:56 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2009-03-06 17:44:49 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2009-03-06 17:44:41 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-03-06 17:44:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2009-03-06 17:44:24 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2009-03-06 17:36:48 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-03-06 17:15:13 ----D---- C:\WINDOWS\system32\NtmsData
2009-03-06 17:03:48 ----D---- C:\WINDOWS\system32\CatRoot_bak
2009-03-06 16:59:16 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2009-03-06 16:59:08 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2009-03-06 16:58:56 ----HDC---- C:\WINDOWS\$NtUninstallKB960714$
2009-03-06 16:58:49 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2009-03-06 16:58:44 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2009-03-06 16:58:38 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2009-03-06 16:58:33 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-03-06 16:58:28 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-03-06 16:58:23 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2009-03-06 16:58:18 ----N---- C:\WINDOWS\system32\xpsp3res.dll
2009-03-06 16:58:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2009-03-06 16:58:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2009-03-06 16:58:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2009-03-06 16:57:59 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2009-03-06 16:57:55 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2009-03-06 16:57:50 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2009-03-06 16:57:43 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2009-03-06 16:57:39 ----D---- C:\Program Files\MSXML 4.0
2009-03-06 16:44:14 ----D---- C:\WINDOWS\system32\PreInstall
2009-03-06 16:44:12 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$
2009-03-06 16:44:12 ----HD---- C:\WINDOWS\$hf_mig$
2009-03-06 15:59:06 ----D---- C:\Program Files\Trend Micro
2009-03-06 15:46:09 ----RASHD---- C:\cmdcons
2009-03-06 15:43:57 ----A---- C:\WINDOWS\zip.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\VFIND.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\SWSC.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\SWREG.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\sed.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\NIRCMD.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\grep.exe
2009-03-06 15:43:57 ----A---- C:\WINDOWS\fdsv.exe
2009-03-06 15:43:49 ----D---- C:\WINDOWS\ERDNT
2009-03-06 15:43:45 ----D---- C:\Qoobox
2009-03-05 19:44:24 ----HD---- C:\$AVG8.VAULT$
2009-03-05 19:26:53 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2009-03-05 19:25:38 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-05 15:01:45 ----A---- C:\WINDOWS\SysMech6.INI
2009-03-05 14:07:00 ----A---- C:\WINDOWS\system32\smrgdf.exe
2009-03-05 14:07:00 ----A---- C:\WINDOWS\system32\iolobtdfg.exe
2009-03-05 14:06:59 ----A---- C:\WINDOWS\system32\Incinerator.dll
2009-03-05 14:06:56 ----D---- C:\Program Files\iolo
2009-03-05 11:52:15 ----N---- C:\WINDOWS\system32\avgrsstx.dll.install_backup_2
2009-03-05 11:52:15 ----N---- C:\WINDOWS\system32\avgrsstx.dll.install_backup_1
2009-03-05 11:52:03 ----D---- C:\Program Files\AVG
2009-03-05 11:35:00 ----D---- C:\Documents and Settings\All Users\Application Data\AT&T
2009-03-04 22:40:24 ----N---- C:\WINDOWS\system32\avgrsstx.dll.install_backup
2009-03-04 21:41:21 ----D---- C:\WINDOWS\system32\appmgmt
2009-03-04 21:28:04 ----D---- C:\Documents and Settings\All Users\Application Data\Prism
2009-03-04 21:27:49 ----A---- C:\WINDOWS\system32\PRISMSVR.exe
2009-03-04 21:27:49 ----A---- C:\WINDOWS\system32\PRISMSVC.exe
2009-03-04 21:27:48 ----A---- C:\WINDOWS\system32\PRISMAPI.dll
2009-03-04 21:27:47 ----D---- C:\Program Files\Dell Wireless
2009-03-04 21:27:44 ----RA---- C:\WINDOWS\system32\PRISME5.dll
2009-03-04 20:52:10 ----A---- C:\WINDOWS\system32\CoPrism.dll

======List of files/folders modified in the last 1 months======

2009-03-08 12:17:13 ----D---- C:\WINDOWS\system32\drivers
2009-03-08 12:17:13 ----D---- C:\WINDOWS
2009-03-08 12:16:40 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-08 12:15:44 ----D---- C:\WINDOWS\system32
2009-03-08 11:33:36 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-07 16:37:31 ----D---- C:\WINDOWS\Prefetch
2009-03-07 16:36:06 ----D---- C:\WINDOWS\system
2009-03-07 16:36:00 ----RD---- C:\Program Files
2009-03-07 16:17:40 ----D---- C:\WINDOWS\system32\config
2009-03-07 13:22:19 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-07 13:21:36 ----A---- C:\WINDOWS\system.ini
2009-03-07 13:19:14 ----D---- C:\WINDOWS\AppPatch
2009-03-07 13:19:10 ----D---- C:\Program Files\Common Files
2009-03-06 21:49:11 ----SHD---- C:\WINDOWS\Installer
2009-03-06 21:46:16 ----HD---- C:\Config.Msi
2009-03-06 20:44:10 ----HD---- C:\WINDOWS\inf
2009-03-06 20:40:56 ----D---- C:\cabs
2009-03-06 20:39:02 ----D---- C:\Program Files\Common Files\InstallShield
2009-03-06 18:35:26 ----SD---- C:\Documents and Settings\U_C\Application Data\Microsoft
2009-03-06 17:45:57 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-06 17:45:45 ----D---- C:\Program Files\Messenger
2009-03-06 17:45:14 ----D---- C:\Program Files\Internet Explorer
2009-03-06 17:24:20 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-06 17:16:03 ----D---- C:\WINDOWS\WinSxS
2009-03-06 17:15:31 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-06 17:13:26 ----D---- C:\WINDOWS\twain_32
2009-03-06 17:13:02 ----RSD---- C:\WINDOWS\assembly
2009-03-06 17:13:02 ----D---- C:\Program Files\HP
2009-03-06 17:03:48 ----D---- C:\WINDOWS\Debug
2009-03-06 16:13:09 ----D---- C:\Documents and Settings
2009-03-06 15:46:11 ----RASH---- C:\boot.ini
2009-03-05 19:27:00 ----D---- C:\WINDOWS\SoftwareDistribution
2009-03-05 19:26:59 ----D---- C:\WINDOWS\Help
2009-03-05 15:51:17 ----RD---- C:\WINDOWS\Offline Web Pages
2009-03-05 15:51:16 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-05 11:55:32 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-03-05 11:33:57 ----A---- C:\WINDOWS\smartkeydiagnostics.txt
2009-03-04 22:40:10 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-03-04 21:39:10 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2009-03-04 21:27:44 ----HD---- C:\Program Files\InstallShield Installation Information

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-03-06 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-03-06 27656]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.1.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2004-09-01 16979]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-05 12544]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 DELL_A02;Dell TrueMobile 1300 USB2.0 WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\PRISMA02.sys [2004-09-26 345184]
R3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-02-10 154112]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2005-07-22 1035008]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2005-07-22 231168]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-07-25 3851264]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter; C:\WINDOWS\System32\Drivers\sskbfd.sys [2007-01-25 21056]
R3 SunkFilt;Alcor Micro Corp - 9360; \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2005-07-22 717952]
S1 SDManager;SDManager; \??\C:\Program Files\SpywareDetector\SDManager.sys []
S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 HPFXBULK;HPFXBULK; C:\WINDOWS\system32\drivers\hpfxbulk.sys [2007-07-16 17432]
S3 HPFXFAX;HPFXFAX; C:\WINDOWS\system32\drivers\hpfxfax.sys [2007-07-16 20504]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PCASp50;PCASp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\PCASp50.sys [2008-03-06 27072]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCTINDIS5.SYS []
S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
S3 sermouse;Serial Mouse Driver; C:\WINDOWS\system32\DRIVERS\sermouse.sys [2001-08-23 17664]
S3 SunkFilt39;Alcor Micro Corp - 3239; \??\C:\WINDOWS\System32\Drivers\sunkfilt39.sys []
S3 Sunkfiltp;HP && Alcor Micro Corp for Phison; \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys []
S3 swmsflt;swmsflt; C:\WINDOWS\System32\drivers\swmsflt.sys [2008-11-13 26504]
S3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56); C:\WINDOWS\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
S3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56); C:\WINDOWS\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-03-06 298264]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 PRISMSVC;PRISMSVC; C:\WINDOWS\system32\PRISMSVC.EXE [2004-10-04 57344]

-----------------EOF-----------------

info.txt logfile of random's system information tool 1.05 2009-03-08 12:19:25

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
AVG Free 8.0-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Driver Installer-->MsiExec.exe /X{753D852A-D86D-42C9-9978-40AE66FB8985}
eMachines Bay Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Intel(R) PRO Network Adapters and Drivers-->Prounstl.exe
iolo technologies' System Mechanic 6-->"C:\Program Files\iolo\System Mechanic 6\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Motorola Driver Installation-->MsiExec.exe /I{9579E862-5FC7-4337-B1CC-5E37451524C5}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nokia Connectivity Adapter Cable DKU-5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F1BA3CD5-89DC-4273-8603-A75F33E9B335}\Setup.exe" -l0x9
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IPDRSLSM5K.inf
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
USB 2.0 Wireless LAN Card Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\setup.exe" -l0x9 -removeonly
WD Diagnostics-->MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Installer Clean Up-->MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}

======Security center information======

AV: AVG Anti-Virus Free

System event log

Computer Name: UNITED-CARGO
Event Code: 7035
Message: The Fast User Switching Compatibility service was successfully sent a start control.

Record Number: 1061
Source Name: Service Control Manager
Time Written: 20081130095225.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: UNITED-CARGO
Event Code: 7036
Message: The Fast User Switching Compatibility service entered the running state.

Record Number: 1060
Source Name: Service Control Manager
Time Written: 20081130095225.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 7036
Message: The Terminal Services service entered the running state.

Record Number: 1059
Source Name: Service Control Manager
Time Written: 20081130095225.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 6005
Message: The Event log service was started.

Record Number: 1058
Source Name: EventLog
Time Written: 20081130095159.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Multiprocessor Free.

Record Number: 1057
Source Name: EventLog
Time Written: 20081130095159.000000-480
Event Type: information
User:

Application event log

Computer Name: UNITED-CARGO
Event Code: 1000
Message: Performance counters for the MSDTC (MSDTC) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 5
Source Name: LoadPerf
Time Written: 20081112091139.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 1000
Message: Performance counters for the TermService (Terminal Services) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 4
Source Name: LoadPerf
Time Written: 20081112091136.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 1000
Message: Performance counters for the RemoteAccess (Routing and Remote Access) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 3
Source Name: LoadPerf
Time Written: 20081112090917.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 1000
Message: Performance counters for the PSched (PSched) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 2
Source Name: LoadPerf
Time Written: 20081112090855.000000-480
Event Type: information
User:

Computer Name: UNITED-CARGO
Event Code: 1000
Message: Performance counters for the RSVP (QoS RSVP) service were loaded successfully.
The Record Data contains the new index values assigned
to this service.

Record Number: 1
Source Name: LoadPerf
Time Written: 20081112090854.000000-480
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 3, GenuineIntel
"PROCESSOR_REVISION"=0403
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/8/2009 12:15:45 PM
mbam-log-2009-03-08 (12-15-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 88124
Time elapsed: 16 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
peku006
2009-03-08, 21:54
Hi tiffanyle2000

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - F-Secure Online Scan

Please go to F-Secure website (http://support.f-secure.com/ols3beta/start.html) to perform an online scan. Click on Start scanning at the bottom of the page.
You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
Click on Accept to accept the License Agreement.
Click on Custom Scan. Under Virus Scan Options, select the Scan whole system option.
Under Other Scan Options, select these options: Scan all files
Scan whole system for rootkits
Scan whole system for spyware
Scan inside archives
Use advanced heuristics Click Start.
It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
Click on I want decide item by item.
Under Actions, select None for all infections found.
Click Next.
Click on Show Report.
Please copy and paste this report in your next reply.
Click Finish.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the F-Secure online scanner report
2. a fresh HijackThis log
How's the computer running now? Any problems?

Thanks peku006
tiffanyle2000
2009-03-09, 08:50
Scanning Report
Sunday, March 08, 2009 21:59:44 - 23:27:07
Computer name: UNITED-CARGO
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 11 malware found
Vundo.DZC (virus)
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSfxmp.dll.vir (Submitted)
Vundo.FBW (virus)
C:\Qoobox\Quarantine\C\WINDOWS\system32\ekahaluh.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\elepaleg.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\ivahalak.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\odisinad.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\ogayotez.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\opikumon.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovatijeh.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\umeyanol.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\unojitef.ini.vir (Submitted)
C:\Qoobox\Quarantine\C\WINDOWS\system32\usajuhig.ini.vir (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 68240
System: 2751
Not scanned: 37
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 11
Submitted: 11
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\radar.BMP
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\icons.bmp
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\Startup.xml
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\MultiMode.zip
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\startup.sgn
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\{8F1035CB-C632-45A9-B75E-F85484ACF039}.skx\MultiMode.sgn
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\radar.BMP
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\icons.bmp
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\Startup.xml
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\MultiMode.zip
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\startup.sgn
C:\Program Files\iolo\System Mechanic 6\Undo\Manual\{81901D13-1307-41A3-8A97-1C9220A87C5C}\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\{B54166A6-E03A-4438-AE2E-CFDB2151E27A}.skx\MultiMode.sgn
C:\DOCUMENTS AND SETTINGS\U_C\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\U_C\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\U_C\LOCAL SETTINGS\TEMP\~DFA27F.TMP
C:\DOCUMENTS AND SETTINGS\U_C\LOCAL SETTINGS\TEMP\~DFA2CA.TMP
C:\DOCUMENTS AND SETTINGS\U_C\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\U_C\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT.LOG
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT.LOG

-----------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:40 PM, on 3/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Cleaner - {CCF00E14-7C5E-4420-9BF3-AA4809CFAA13} - C:\Program Files\ClickClean\ClickClean.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O24 - Desktop Component 0: (no name) - http://l.yimg.com/a/i/ww/thm/1/grd-1px_1.4.gif

--
End of file - 4653 bytes
peku006
2009-03-09, 11:23
Hi tiffanyle2000
Things are looking good. Do you still notice any problems with your computer?

it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install COMODO Antivirus (Recommended)"!, "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
tiffanyle2000
2009-03-13, 04:49
After testing my computer for 3 days, it looks very good to me. Only one time it was freezed and the mouse dead. Have to restart the computer. After that, everything working fine.
Thanks.
peku006
2009-03-14, 12:41
Hi tiffanyle2000

The scans are fine and it looks like your machine is clean :yahoo:

Next we remove all used tools.
Delete RSIT from your desktop, also delete this folder C:\rsit.

uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

Install SpyWare Blaster 4.0
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find here the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
Here you can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

Install FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

Install MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) how to prevent Malware.


Happy safe surfing! :bigthumb:
peku006
2009-03-18, 14:30
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.