help needed about mshta.exe



hmburg52
2009-03-09, 23:52
I am running XP Pro, SP2, all updates OK. I have run Spybot and Malwarebytes' but keep getting a warning about mshta.exe. Here is my HijackThis log; I'd be very grateful if anyone has any ideas what I need to do next!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:26, on 09/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\howie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [realtecks] "C:\Documents and Settings\howie\Application Data\Google\wcwdu16814728.exe" 2
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\eyJMUpHx.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\eyJMUpHx.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\eyJMUpHx.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnConvert] c:\eyJMUpHx.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnMessendger] c:\eyJMUpHx.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\e4fW5KdT.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [MsnMessendger] c:\e4fW5KdT.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [Msn] c:\e4fW5KdT.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: F1U201.401.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZRxdm719YYGB
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - D:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://vpn.mmass.co.uk:5410/SysCamInst.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.hoppy.com/sacramento/cams/vatdec.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1232130346990
O16 - DPF: {62415890-4985-0825-2508-23487C2A845F} (IPCamera Class) - http://ycam3.dtdns.net:8151/en/cab/ipcamera.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186243458140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208728099062
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://doncesar.com/activex/AMC.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://activex.microsoft.com/controls/iexplorer/x86/iemenu.cab
O16 - DPF: {856ACB65-7B1F-4085-94D9-72824D6266CF} (VilarClient Control) - http://87.102.127.65:100/eng/activex/activex.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=26688
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://photoweb-radissonaruba.remotemanager.co.uk/common/activex/MJPEGRender.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.dlink.com/products/livedemo/plugin/h263ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} (TSBnwCam Control) - http://68.15.12.110:8012/user/TSBnwCam.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer = 212.159.13.49,212.159.13.50
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c99dbc4dfdf512) (gupdate1c99dbc4dfdf512) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 14178 bytes

pskelley
2009-03-11, 15:07
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Pinned (sticky) to the top of this forum, and posted above, are the directions; make sure you have read and followed them.
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
If you have the scan results from Malwarebytes (MBAM), please post them.

C:\WINDOWS\System32\mshta.exe <<< that's a valid Windows file, see this information:
http://www.liutilities.com/products/wintaskspro/processlibrary/mshta/

Do you have any idea why this item is in your hosts file?
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O1 - Hosts: 127.255.255.255 www.headlightinc.com
http://whois.domaintools.com/127.255.255.255 <<< see this

http://whois.domaintools.com/212.159.13.49 <<< is this your ISP?

I need to collect additional information like this.

1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post the C:\rapport.txt

3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Thanks
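
The checks pskelley runs by eye on the HijackThis log above (how many copies of one process are running, which O4 autorun entries point outside the normal program directories, where the O1 hosts lines and the O17 name servers point) can be scripted for triage. The following Python script is an added example, not part of the thread and not code from HijackThis, SmitfraudFix or ComboFix. Its "trusted directory" prefixes are an assumption used as a heuristic, and its sample input is constructed from lines in the log above plus one constructed hosts line (10.0.0.5 www.example.test) to show a mapping that points somewhere other than the local machine.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: a cut-down HijackThis log built from lines in the thread,
# plus one constructed hosts line (10.0.0.5 www.example.test).
HJT_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\iTunes\iTunesHelper.exe

O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 10.0.0.5 www.example.test
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [realtecks] "C:\Documents and Settings\howie\Application Data\Google\wcwdu16814728.exe" 2
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\eyJMUpHx.exe
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [Msn] c:\e4fW5KdT.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer = 212.159.13.49,212.159.13.50
"""

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Registry Run / Policies\Explorer\Run entries: "<hive>: [<name>] <command>".
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed "normal" install locations; anything else is worth a second look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Split a HijackThis log into the process list and (code, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the "Running processes:" block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def repeated_processes(processes, threshold=3):
    """Image paths running at least `threshold` times (case-insensitive)."""
    counts = Counter(p.lower() for p in processes)
    return {p: n for p, n in counts.items() if n >= threshold}


def executable_of(cmd):
    """First token of a Run command: a quoted path, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def classify_target(path):
    """Rough location class of an autorun target (heuristic, see TRUSTED_PREFIXES)."""
    p = path.lower()
    if "\\" not in p:
        return "unqualified"  # bare file name, found via the PATH search at logon
    if p.startswith(TRUSTED_PREFIXES):
        return "trusted-dir"
    if "\\application data\\" in p or "\\local settings\\" in p:
        return "user-profile"
    if re.match(r"^[a-z]:\\[^\\]+$", p):
        return "drive-root"
    return "other"


def suspicious_run_entries(entries):
    """O4 Run entries whose target sits outside the assumed trusted directories."""
    out = []
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        kind = classify_target(exe)
        if kind != "trusted-dir":
            out.append((m.group("hive"), m.group("name"), exe, kind))
    return out


def hosts_entries(entries):
    """O1 hosts lines as (host, ip, verdict): loopback/0.0.0.0 blocks, anything else redirects."""
    out = []
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) < 2:
            continue
        ip, host = parts[0], parts[1]
        try:
            local = ip == "0.0.0.0" or ipaddress.ip_address(ip).is_loopback
        except ValueError:
            local = False
        out.append((host, ip, "blocked-locally" if local else "redirected-elsewhere"))
    return out


def name_servers(entries):
    """DNS servers from O17 NameServer entries, for the owner to confirm against their ISP."""
    ips = []
    for code, body in entries:
        m = re.search(r"NameServer = (.+)$", body) if code == "O17" else None
        if m:
            ips.extend(x.strip() for x in m.group(1).split(","))
    return ips


def triage(text):
    procs, entries = parse_hjt(text)
    return {
        "repeated_processes": repeated_processes(procs),
        "suspicious_run_entries": suspicious_run_entries(entries),
        "hosts_entries": hosts_entries(entries),
        "name_servers": name_servers(entries),
    }


if __name__ == "__main__":
    for section, items in triage(HJT_SAMPLE).items():
        print(section, items)
```

On the sample this reports mshta.exe running three times, the two `c:\<random>.exe` Policies\Explorer\Run entries and the one under Application Data, the hosts line that points away from the local machine, and the two name servers. As pskelley says, mshta.exe in System32 is the legitimate Windows binary, so a high instance count is a prompt to look at what is launching it (the autorun entries and scheduled tasks), not a reason to remove the file; the script only sorts the log into things to check and makes no verdict.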

hmburg52
2009-03-12, 23:58
Thanks for getting back to me. 212.159.13.49 is my ISP; I don't recognise the other numbers at all.
The rapport.txt is:
SmitFraudFix v2.403

Scan done at 21:50:58.78, 12/03/2009
Run from C:\Documents and Settings\howie\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\howie


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\howie\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\howie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\howie\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) 82566DC Gigabit Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 212.159.13.50
DNS Server Search Order: 212.159.13.49

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer=212.159.13.50,212.159.13.49
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer=212.159.13.49,212.159.13.50
HKLM\SYSTEM\CS2\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer=212.159.13.50,212.159.13.49
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer=212.159.13.50,212.159.13.49


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

The uninstall list is:
µTorrent
2x1/4x1 USB Peripheral Switch
ABBYY FineReader 5.0 Sprint Plus
ABBYY FineReader 6.0
Ad-Aware
Adobe Acrobat 8.1.2 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 3.0
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Center 1.0
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe Media Player
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 7.0.9
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
allTunes
AnyDVD
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
AVI/MPEG/ASF/WMV Splitter 2.21
AVS DVDMenu Editor 1.2.1.19
AVS Video Editor 3.5
AVS Video Tools 5.6
AXIS Media Control
BBC iPlayer Download Manager
Belarc Advisor 7.2
Boilsoft ASF Converter 2.68
Broadband Choices Speed Tester
CloneCD
CloneDVD2
Compatibility Pack for the 2007 Office system
CorelDRAW Graphics Suite 12
Critical Update for Windows Media Player 11 (KB959772)
CuteFTP 6 Professional
CutePDF Writer 2.7
CyberTweak Version 1.3 Final
Dan Elwell's Broadband Speed Test
dBpowerAMP
dBpowerAMP FLAC Codec
dBpowerAMP Monkeys Audio Codec
DivX Codec
Easy GIF Animator 3.0
Easy Video Joiner 5.21
EndItAll 2.0
EPSON CardMonitor
EPSON Copy Utility
EPSON Photo Print
EPSON PhotoStarter3.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EZ Save Flash
FLV Player 1.3.3
Free Video Flip and Rotate version 1.4
GDR 3077 for SQL Server Database Services 2005 ENU (KB960089)
GDR 3077 for SQL Server Tools and Workstation Components 2005 ENU (KB960089)
GetRight Pro
Google Earth
Google Update Helper
Hide Folders XP 1.5 for Windows 2000/XP
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
IBM Lotus Organizer 6 - English
IncrediMail Xe
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 2
LogMeIn
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' Anti-Malware
Mozilla Firefox (3.0.7)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Multi Meter Bridge
Music Library
Nero 6
NetMeter 1.1.3
NVIDIA Drivers
O&O Defrag Professional Edition
Organizer Conversion Utility
Oz Insight All-In-One Newsreader
Paint Shop Pro 7
Panda ActiveScan
Panda ActiveScan 2.0
PDF Settings
PDFCreator
PowerDVD
PowerISO
PowerQuest PartitionMagic 8.0
Protected Music Converter 1.0.0.3
QuickTime
RealPlayer
RealProducer Basic 11
ScanToWeb
Second Copy (7.0)
SigmaTel Audio
SoulSeek Client 156c
SoundTap
Spark Audio Converter (Remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Tesseract (remove only)
TextPad 4.7
Tracks Eraser Pro v5.6
Tweak UI
Uninstall 1.0.0.1
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinPcap 4.0
WinRAR archiver
WinZip
WM Recorder 11.3
WM Recorder 12.0


Thanks again for your help.

pskelley
2009-03-13, 00:19
1) Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out-of-date programs to infect folks more and more.
Here is a small, free tool that lets you know when something needs an update, if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

µTorrent <<< p2p program, uninstall
http://forums.spybot.info/showthread.php?t=282

If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.

Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 Plugin
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html

Adobe Reader 7.0.9 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php

Java(TM) 6 Update 11 <<< valid but an update is available
Java(TM) 6 Update 2 <<< out of date and unsafe:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php

Spybot - Search & Destroy 1.5.2.20 <<< uninstall this old version:
Please be sure Spybot S&D is up to date and fully immunized.
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
http://www.safer-networking.org/en/faq/index.html
http://www.safer-networking.org/en/tutorial/index.html


2) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.

3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from here:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

hmburg52
2009-03-13, 18:46
Hi, really appreciate your help with this!
The combofix.txt log is:
ComboFix 09-03-12.01 - howie 2009-03-13 16:32:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1488 [GMT 0:00]
Running from: c:\documents and settings\howie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 15:58 . 2009-03-13 15:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 12:27 . 2009-03-12 17:25 <DIR> d-a------ C:\music library database
2009-03-12 12:00 . 2009-03-12 12:00 <DIR> d-------- c:\program files\WenSoftware
2009-03-12 10:25 . 2009-03-12 10:25 <DIR> d-------- C:\music library
2009-03-05 18:00 . 2009-03-05 18:01 <DIR> d-------- c:\program files\Google
2009-03-02 17:37 . 2009-03-02 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-28 19:15 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-02-28 18:41 . 2009-02-28 18:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-27 22:13 . 2009-02-27 22:13 <DIR> d-------- c:\documents and settings\howie\dwhelper
2009-02-13 09:57 . 2009-02-13 09:57 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-13 09:54 . 2009-02-13 09:54 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 16:33 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-03-13 15:58 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-13 15:58 --------- d-----w c:\program files\Java
2009-03-13 15:37 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-13 10:59 --------- d-----w c:\program files\GetRight
2009-03-10 15:01 --------- d-----w c:\program files\allTunes
2009-03-08 09:51 --------- d-----w c:\documents and settings\howie\Application Data\uTorrent
2009-03-07 15:05 --------- d-----w c:\program files\Dell
2009-03-06 22:09 --------- d-----w c:\program files\WMR11
2009-03-05 10:49 --------- d-----w c:\documents and settings\howie\Application Data\Smart Panel
2009-03-03 17:24 --------- d-----w c:\program files\Dan Elwell's Broadband Speed Test
2009-03-02 17:23 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 16:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-13 09:57 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-01 17:17 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-01 17:17 --------- d-----w c:\program files\Adobe Media Player
2009-01-31 08:02 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-31 08:02 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-31 08:02 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-31 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-29 23:02 103,488 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2009-01-29 22:57 23,976 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
2009-01-29 21:54 89,256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-01-27 04:00 8,098 ----a-w C:\UrWhv.bat
2009-01-27 04:00 214 ----a-w C:\nX0mYB.bat
2009-01-27 03:45 8,098 ----a-w C:\sR7a.bat
2009-01-27 03:45 188 ----a-w C:\rjYVV.bat
2009-01-27 03:15 8,098 ----a-w C:\yftX.bat
2009-01-27 03:15 213 ----a-w C:\pDo9wLv.bat
2009-01-27 01:31 8,098 ----a-w C:\ncVs8tQ5.bat
2009-01-27 01:31 213 ----a-w C:\CuyImU.bat
2009-01-27 01:16 8,098 ----a-w C:\H9r35.bat
2009-01-27 01:16 205 ----a-w C:\mcp.bat
2009-01-27 01:00 8,098 ----a-w C:\XAjUQk.bat
2009-01-27 01:00 190 ----a-w C:\uNuoW.bat
2009-01-27 00:30 8,098 ----a-w C:\Zgiwq6C.bat
2009-01-27 00:30 191 ----a-w C:\WGKdIVw.bat
2009-01-26 23:30 8,098 ----a-w C:\uYreO3C.bat
2009-01-26 23:30 200 ----a-w C:\MhQC0.bat
2009-01-26 22:45 8,098 ----a-w C:\ib8hi.bat
2009-01-26 22:45 187 ----a-w C:\RWIWs.bat
2009-01-26 22:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-26 22:15 8,098 ----a-w C:\yhNAZ.bat
2009-01-26 22:15 195 ----a-w C:\EX3kwzZ.bat
2009-01-26 20:00 8,098 ----a-w C:\Wbj.bat
2009-01-26 20:00 186 ----a-w C:\o0Az.bat
2009-01-26 19:30 8,098 ----a-w C:\a7llev3b.bat
2009-01-26 19:30 191 ----a-w C:\IOLzb.bat
2009-01-26 18:00 8,098 ----a-w C:\tWtf4SE.bat
2009-01-26 18:00 192 ----a-w C:\xSUe0s8.bat
2009-01-26 17:31 8,098 ----a-w C:\S87yc.bat
2009-01-26 17:31 191 ----a-w C:\hGq.bat
2009-01-26 17:15 8,098 ----a-w C:\yp0L1.bat
2009-01-26 17:15 204 ----a-w C:\B6mhw183.bat
2009-01-26 15:15 8,098 ----a-w C:\SR0.bat
2009-01-26 15:15 212 ----a-w C:\bXA2A.bat
2009-01-26 15:12 8,098 ----a-w C:\jp8e.bat
2009-01-26 15:12 211 ----a-w C:\Qb3oIpHS.bat
2009-01-25 18:12 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-17 15:52 --------- d-----w c:\program files\Axis Communications
2009-01-14 16:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-13 17:34 --------- d-----w c:\documents and settings\howie\Application Data\Malwarebytes
2009-01-13 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-13 15:29 --------- d-----w c:\program files\Lavasoft
2009-01-13 15:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2006-03-20 14:37 5,689,344 ----a-w c:\program files\mplayerc.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-13_16.23.44.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-13 16:21:28 223,927 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-13 16:27:56 223,936 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-13 16:27:32 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2009-03-13 16:27:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2007-07-19 208946]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\howie\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2007-08-05 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 08:02 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-03-12 14:05 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedTester.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedTester.lnk
backup=c:\windows\pss\SpeedTester.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^howie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\howie\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-04-17 13:03 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AnonMgmtSvc"=2 (0x2)
"AnonAswSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20001:UDP"= 20001:UDP:MicroSAN
"80:TCP"= 80:TCP:Web

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-28 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-27 107272]
R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [2004-01-11 19732]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-04-17 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-09-11 46112]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\Drivers\OCDE.sys --> c:\windows\system32\Drivers\OCDE.sys [?]
S2 gupdate1c99dbc4dfdf512;Google Update Service (gupdate1c99dbc4dfdf512);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 18:00]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZRxdm719YYGB
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
IE: {{5699BDDB-A771-4E54-ACBB-BE86921D7892} - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - c:\progra~1\EZSAVE~1\EZSAVE~1.DLL
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - d:\lotus\org6\organize\bandobjs.dll
TCP: {DD96E4B6-6F7D-4FCF-A914-1D4964157FDA} = 212.159.13.50,212.159.13.49
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://vpn.mmass.co.uk:5410/SysCamInst.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://www.hoppy.com/sacramento/cams/vatdec.cab
DPF: {62415890-4985-0825-2508-23487C2A845F} - hxxp://ycam3.dtdns.net:8151/en/cab/ipcamera.cab
DPF: {856ACB65-7B1F-4085-94D9-72824D6266CF} - hxxp://87.102.127.65:100/eng/activex/activex.CAB
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://photoweb-radissonaruba.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://68.15.12.110:8012/user/TSBnwCam.CAB
FF - ProfilePath - c:\documents and settings\howie\Application Data\Mozilla\Firefox\Profiles\nf0orq0p.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 16:34:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG06.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-03-13 16:35:35
ComboFix-quarantined-files.txt 2009-03-13 16:35:33
ComboFix2.txt 2009-03-13 16:24:28

Pre-Run: 27,398,017,024 bytes free
Post-Run: 27,381,428,224 bytes free

246 --- E O F --- 2009-03-11 11:43:41

The latest HJT log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:54, on 13/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\F1U201.401\usbshare.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\howie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: F1U201.401.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZRxdm719YYGB
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - C:\PROGRA~1\EZSAVE~1\EZSAVE~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - D:\lotus\org6\organize\bandobjs.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} (Panasonic Network Camera) - http://vpn.mmass.co.uk:5410/SysCamInst.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://www.hoppy.com/sacramento/cams/vatdec.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1232130346990
O16 - DPF: {62415890-4985-0825-2508-23487C2A845F} (IPCamera Class) - http://ycam3.dtdns.net:8151/en/cab/ipcamera.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186243458140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208728099062
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://doncesar.com/activex/AMC.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - http://activex.microsoft.com/controls/iexplorer/x86/iemenu.cab
O16 - DPF: {856ACB65-7B1F-4085-94D9-72824D6266CF} (VilarClient Control) - http://87.102.127.65:100/eng/activex/activex.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=27986
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://146.176.65.10/activex/AxisCamControl.cab
O16 - DPF: {96816368-C1E3-414D-A193-63C3CC921990} (MJPEGRender Control) - http://photoweb-radissonaruba.remotemanager.co.uk/common/activex/MJPEGRender.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} (VaPgCtrl Class) - http://www.dlink.com/products/livedemo/plugin/h263ctrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} (TSBnwCam Control) - http://68.15.12.110:8012/user/TSBnwCam.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD96E4B6-6F7D-4FCF-A914-1D4964157FDA}: NameServer = 212.159.13.50,212.159.13.49
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c99dbc4dfdf512) (gupdate1c99dbc4dfdf512) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 11742 bytes

Thanks again,
Mark

pskelley
2009-03-13, 20:51
You have a lot of .bat files on your C:\ that are all the same size (8,098). Do you know what those are? Take a look, and if you don't know them, follow these directions. They all showed 2009-01-27 & 26.

1) Look in Scheduled Tasks: Start > Control Panel > Scheduled Tasks. If these items are there or any other Tasks you did not schedule, follow the directions to delete them.
C:\WINDOWS\Tasks\At?.job
C:\WINDOWS\Tasks\At??.job

Right-click the task you want to delete, and select delete from the displayed context menu. Click Yes to confirm the deletion. Be aware that you can't delete tasks you've created with the Task Scheduler Wizard from the command line using the AT command.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\UrWhv.bat
C:\nX0mYB.bat
C:\sR7a.bat
C:\rjYVV.bat
C:\yftX.bat
C:\pDo9wLv.bat
C:\ncVs8tQ5.bat
C:\CuyImU.bat
C:\H9r35.bat
C:\mcp.bat
C:\XAjUQk.bat
C:\uNuoW.bat
C:\Zgiwq6C.bat
C:\WGKdIVw.bat
C:\uYreO3C.bat
C:\MhQC0.bat
C:\ib8hi.bat
C:\RWIWs.bat
C:\yhNAZ.bat
C:\EX3kwzZ.bat
C:\Wbj.bat
C:\o0Az.bat
C:\a7llev3b.bat
C:\IOLzb.bat
C:\tWtf4SE.bat
C:\xSUe0s8.bat
C:\S87yc.bat
C:\hGq.bat
C:\yp0L1.bat
C:\B6mhw183.bat
C:\SR0.bat
C:\bXA2A.bat
C:\jp8e.bat
C:\Qb3oIpHS.bat

Folder::
c:\documents and settings\howie\Application Data\uTorrent

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

(If you still have MBAM no need to download, but make sure you update (Database version: 1845) and run as instructed)

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript and the log from MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html

Please tell me how the computer is running now.

Thanks
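A triage helper for the pattern flagged above (many same-size .bat files in the drive root, written minutes apart), as an added example that is not from this thread, from ComboFix or from pskelley: it parses Find3M-style report lines, clusters drive-root .bat files by size, pairs each with the file written in the same minute (the small launcher beside each 8,098-byte copy), and emits the File:: block of a CFScript from the result. The sample lines below are constructed to match the format shown in the log above; the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of ComboFix's Find3M report:
# "<date> <time> <size> <attrs> <path>"; directories show dashes as size.
SAMPLE_FIND3M = r"""
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-27 04:00 8,098 ----a-w C:\UrWhv.bat
2009-01-27 04:00 214 ----a-w C:\nX0mYB.bat
2009-01-27 03:45 8,098 ----a-w C:\sR7a.bat
2009-01-27 03:45 188 ----a-w C:\rjYVV.bat
2009-01-27 03:15 8,098 ----a-w C:\yftX.bat
2009-01-27 03:15 213 ----a-w C:\pDo9wLv.bat
2009-01-26 22:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-26 22:15 8,098 ----a-w C:\yhNAZ.bat
2009-01-26 22:15 195 ----a-w C:\EX3kwzZ.bat
2006-03-20 14:37 5,689,344 ----a-w c:\program files\mplayerc.exe
"""

FIND3M_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)
# A path directly under a drive letter, e.g. C:\UrWhv.bat (no further backslash).
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")


def parse_find3m(text):
    """Turn Find3M lines into dicts; directory lines (size shown as dashes) are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if not m or m.group("size").startswith("-"):
            continue
        entries.append({
            "ts": datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def root_scripts(entries, exts=(".bat",)):
    """Files sitting directly in a drive root with one of the given extensions."""
    return [e for e in entries
            if DRIVE_ROOT.match(e["path"]) and e["path"].lower().endswith(exts)]


def same_size_clusters(entries, min_count=3, exts=(".bat",)):
    """Group drive-root scripts by byte size; keep groups of min_count or more, oldest first."""
    by_size = defaultdict(list)
    for e in root_scripts(entries, exts):
        by_size[e["size"]].append(e)
    return {size: sorted(group, key=lambda e: e["ts"])
            for size, group in by_size.items() if len(group) >= min_count}


def companions(entries, cluster, exts=(".bat",)):
    """Drive-root scripts written in the same minute as a cluster member, i.e. the
    small launcher dropped beside each identical copy in the log above."""
    members = {e["path"] for e in cluster}
    stamps = {e["ts"] for e in cluster}
    return [e for e in root_scripts(entries, exts)
            if e["ts"] in stamps and e["path"] not in members]


def cfscript_file_block(entries):
    """Render the File:: section of a CFScript listing the given paths, one per line."""
    return "File::\n" + "\n".join(e["path"] for e in entries) + "\n"


def triage(text, min_count=3):
    """Summarise each suspicious cluster: count, time span, and the paired launcher files."""
    entries = parse_find3m(text)
    report = {}
    for size, cluster in same_size_clusters(entries, min_count).items():
        comp = companions(entries, cluster)
        report[size] = {
            "count": len(cluster),
            "first": cluster[0]["ts"].strftime("%Y-%m-%d %H:%M"),
            "last": cluster[-1]["ts"].strftime("%Y-%m-%d %H:%M"),
            "cfscript": cfscript_file_block(cluster + comp),
        }
    return report


if __name__ == "__main__":
    for size, info in triage(SAMPLE_FIND3M).items():
        print(f"{info['count']} root .bat files of {size:,} bytes, "
              f"written {info['first']} .. {info['last']}")
        print(info["cfscript"])
```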

hmburg52
2009-03-14, 00:28
It was going so well!
Here is the ComboFix log:
ComboFix 09-03-12.01 - howie 2009-03-13 22:17:56.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1438 [GMT 0:00]
Running from: c:\documents and settings\howie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\howie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\ncVs8tQ5.bat
C:\nX0mYB.bat
C:\pDo9wLv.bat
C:\rjYVV.bat
C:\sR7a.bat
C:\UrWhv.bat
C:\yftX.bat
.

((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 15:58 . 2009-03-13 15:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-12 12:27 . 2009-03-12 17:25 <DIR> d-a------ C:\music library database
2009-03-12 12:00 . 2009-03-12 12:00 <DIR> d-------- c:\program files\WenSoftware
2009-03-12 10:25 . 2009-03-12 10:25 <DIR> d-------- C:\music library
2009-03-05 18:00 . 2009-03-05 18:01 <DIR> d-------- c:\program files\Google
2009-03-02 17:37 . 2009-03-02 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2009-02-28 19:15 . 2008-06-19 16:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-02-28 18:41 . 2009-02-28 18:41 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-02-27 22:13 . 2009-02-27 22:13 <DIR> d-------- c:\documents and settings\howie\dwhelper
2009-02-13 09:57 . 2009-02-13 09:57 <DIR> d-------- c:\windows\SQLTools9_KB960089_ENU
2009-02-13 09:54 . 2009-02-13 09:54 <DIR> d-------- c:\windows\SQL9_KB960089_ENU

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 22:19 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-03-13 21:29 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-13 15:58 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-13 15:58 --------- d-----w c:\program files\Java
2009-03-13 15:37 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-13 10:59 --------- d-----w c:\program files\GetRight
2009-03-10 15:01 --------- d-----w c:\program files\allTunes
2009-03-07 15:05 --------- d-----w c:\program files\Dell
2009-03-06 22:09 --------- d-----w c:\program files\WMR11
2009-03-05 10:49 --------- d-----w c:\documents and settings\howie\Application Data\Smart Panel
2009-03-03 17:24 --------- d-----w c:\program files\Dan Elwell's Broadband Speed Test
2009-03-02 17:23 --------- d-----w c:\program files\Common Files\Adobe
2009-02-28 19:00 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-14 16:13 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-13 09:57 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-01 17:17 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-01 17:17 --------- d-----w c:\program files\Adobe Media Player
2009-01-31 08:02 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-01-31 08:02 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-01-31 08:02 10,520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-31 08:02 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-29 23:02 103,488 ----a-w c:\windows\system32\drivers\AnyDVD.sys
2009-01-29 22:57 23,976 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
2009-01-29 21:54 89,256 ----a-w c:\windows\system32\ElbyCDIO.dll
2009-01-25 18:12 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-17 15:52 --------- d-----w c:\program files\Axis Communications
2009-01-13 17:34 --------- d-----w c:\documents and settings\howie\Application Data\Malwarebytes
2009-01-13 17:33 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 15:30 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-13 15:29 --------- d-----w c:\program files\Lavasoft
2009-01-13 15:29 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2006-03-20 14:37 5,689,344 ----a-w c:\program files\mplayerc.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-03-13_16.23.44.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-13 16:21:28 223,927 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-13 22:07:28 223,926 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2009-03-13 22:07:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3f8.dat
+ 2009-03-13 22:07:18 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_61c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2007-07-19 208946]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-28 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-28 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-31 1601304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-13 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]
"nwiz"="nwiz.exe" [2007-06-28 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\howie\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
F1U201.401.lnk - c:\program files\Belkin\F1U201.401\usbshare.exe [2007-08-05 135168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-31 08:02 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-03-12 14:05 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpeedTester.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SpeedTester.lnk
backup=c:\windows\pss\SpeedTester.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^howie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\howie\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-04-17 13:03 63048 c:\program files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"C-DillaCdaC11BA"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AnonMgmtSvc"=2 (0x2)
"AnonAswSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\GlobalSCAPE\\CuteFTP Professional\\ftpte.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20001:UDP"= 20001:UDP:MicroSAN
"80:TCP"= 80:TCP:Web

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-02-28 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-27 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-27 107272]
R1 HFSYS;HFSYS;c:\windows\system32\drivers\hfsys.sys [2004-01-11 19732]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 298264]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2007-04-17 12992]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-09-11 46112]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-12-18 29181272]
S0 OCDE;ZTekWare Original CD Emulator Service;c:\windows\system32\Drivers\OCDE.sys --> c:\windows\system32\Drivers\OCDE.sys [?]
S2 gupdate1c99dbc4dfdf512;Google Update Service (gupdate1c99dbc4dfdf512);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-05 133104]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-03-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: &Search - ?p=ZRxdm719YYGB
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
IE: {{5699BDDB-A771-4E54-ACBB-BE86921D7892} - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - c:\progra~1\EZSAVE~1\EZSAVE~1.DLL
IE: {{B4E30F61-16D9-11D3-85D1-005004229569} - {85E0B172-04FA-11D1-B7DA-00A0C90348D6} - d:\lotus\org6\organize\bandobjs.dll
TCP: {DD96E4B6-6F7D-4FCF-A914-1D4964157FDA} = 212.159.13.50,212.159.13.49
DPF: {1C3DE665-D259-4C72-9D7D-C51FCB4CCFB9} - hxxp://vpn.mmass.co.uk:5410/SysCamInst.cab
DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} - hxxp://www.hoppy.com/sacramento/cams/vatdec.cab
DPF: {62415890-4985-0825-2508-23487C2A845F} - hxxp://ycam3.dtdns.net:8151/en/cab/ipcamera.cab
DPF: {856ACB65-7B1F-4085-94D9-72824D6266CF} - hxxp://87.102.127.65:100/eng/activex/activex.CAB
DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://photoweb-radissonaruba.remotemanager.co.uk/common/activex/MJPEGRender.ocx
DPF: {FE92D9C3-4A69-4EC7-8651-1DC8531D0075} - hxxp://68.15.12.110:8012/user/TSBnwCam.CAB
FF - ProfilePath - c:\documents and settings\howie\Application Data\Mozilla\Firefox\Profiles\nf0orq0p.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 22:19:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"AB141C35E9F4BF344B9FC010BB17F68A"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-03-13 22:20:46
ComboFix-quarantined-files.txt 2009-03-13 22:20:44
ComboFix2.txt 2009-03-13 16:35:36
ComboFix3.txt 2009-03-13 16:24:28

Pre-Run: 27,314,737,152 bytes free
Post-Run: 27,307,012,096 bytes free

220 --- E O F --- 2009-03-11 11:43:41

But MBAM finds nothing at all, so I can't get a log.
I may have caused this, as I deleted all the scheduled tasks (only one was mine) and then manually deleted all the .bat files in C:\ as well. Sorry!
However, all seems to be working fine, but I'll let you know in a day or two if I get any more warning screens.
Thanks for all your hard work, really appreciated.

pskelley
2009-03-14, 00:41
Thanks for the feedback, let's see if we can wrap up like this...

Some good AVG information for you:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/
http://russelltexas.com/tutorials/avg8install.htm


Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)

Update AVG8 and scan the system, to be sure it is running right and scanning clean.

If all is well at this point, let me know and I will close the topic.


Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx

hmburg52
2009-03-14, 14:17
OK, done all that and everything looks OK. No warning screens so far, so I hope it's clear! Interesting that before I contacted this forum I had run Spybot and found nothing, and also ran an AVG8 scan and that found nothing either. Would it help if I got a good firewall like ZoneAlarm? I very occasionally use P2P (which is why uTorrent was installed) and while I realise this is not good I sometimes have to use it!
Thanks for all your time with this problem; in the nicest possible way, I hope I don't have to trouble you again!

pskelley
2009-03-14, 14:23
Most experts agree the Windows firewall is better than none, but just barely. You can google for more information, but here is some:
Is XP Firewall Safe? Here Are The Issues
http://www.guard-privacy-and-online-security.com/is-xp-firewall-safe.html

I personally use Zone Alarm free but other freeware versions are available in the link I posted near the end of the closing instructions.

As far as p2p programs, it is not always the program that is dangerous, but the files shared on them. Not only are they often dangerous, but they are also often illegal.
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm
http://arstechnica.com/news.ars/post/20080316-kazaa-downloads-cost-one-man-750-per-song-in-riaa-suit.html

Thanks