View Full Version : Trojan Horse Generic13.abxw
jluv5479
2009-04-24, 23:26
AVG popped up with and resident shield alert saying a trojan horse generic13.abxw was found on my computer. I clicked to send it to the virus vault and 2 more popped up, the 10, 20, they wouldn't stop. The more that popped up the slower the computer became. I restarted the computer and it seemed to temporarily fix the problem. I googled generic13.abxw but didn't find anything about fixing the problem. Also, internet explorer is opening by itself and then opening blank tab, after blank tab and won't stop. I thought there was maybe a problem with internet explorer so I upgraded to the new version. IE tried to do a windows update but it says my auto updater is turned off (error 0x80070422). I turn it back on and it turns itself back off. I haven't run any tools or fixes outside of avg. I had Norton Antivirus installed on my computer but the subscription expired so I installed AVG. Please help. Thanks a bunch.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:39 PM, on 4/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdUpdater.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O1 - Hosts: tect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: (no name) - {936f4728-6a22-4cce-88b6-44154df90839} - C:\WINDOWS\system32\zasiyugi.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [dupebetuyo] Rundll32.exe "C:\WINDOWS\system32\busiwela.dll",s
O4 - HKLM\..\Run: [CPMa71b1e92] Rundll32.exe "c:\windows\system32\nevigapi.dll",a
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [dupebetuyo] Rundll32.exe "C:\WINDOWS\system32\busiwela.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dupebetuyo] Rundll32.exe "C:\WINDOWS\system32\busiwela.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240594452859
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL C:\WINDOWS\system32\pozowaha.dll c:\windows\system32\nevigapi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nevigapi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nevigapi.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RosettaStoneLtdController - Unknown owner - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13074 bytes
pskelley
2009-04-25, 22:17
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You must have read and followed the "Before you Post" instructions, anything else will waste your time and mine.
A question befor we start:
AVG 8 appears to be your antivirus program of choice, I am wondering why I see this running?
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
http://www.bleepingcomputer.com/startups/PIFSvc.exe-18728.html
1) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
2) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from here:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
3) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
jluv5479
2009-04-27, 05:54
First let me say thank you very much for your time and assistance, I really appreciate it.
I have read "BEFORE you POST".
- I have downloaded ENRUN and backed up my registry.
- System Restore is on but had been previously turned off. I hope that doesn't cause any problems.
- The only fixes done have been done through AVG8 or Windows Defender. (I am not sure if windows defender is antivirus software. I installed it because it was suggested by a help page on Windows website. I have read that more than one antivirus software program should not be installed at the same time. If I need to delete it please let me know.)
- AVG 8 is my antivirus software of choice. I was using Norton Antivirus but it expired and I could not afford to reinstate it. I went to Change/Remove programs and thought I had deleted all of it.
-I do not have spybot installed on my computer, as far as I know, so the Tea Timer feature should not be a problem.
- I have never run combo fix.
- I am also experiencing a new problem, now my Mozilla Firefox browser is not working, this is usually my browser of choice but when I open it the homepages load but the hourglass never goes away and you can't change websites.
- I have not yet downloaded ComboFix because I want to make sure everything above is ok with you before I do.
- I am including an updated Hijack This because scheduled scans of my computer by AVG8 has removed viruses and may have changed something.
Thanks again for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:49 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdUpdater.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O1 - Hosts: tect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CPMa71b1e92] Rundll32.exe "c:\windows\system32\pusupuro.dll",a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dupebetuyo] Rundll32.exe "C:\WINDOWS\system32\busiwela.dll",s
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [dupebetuyo] Rundll32.exe "C:\WINDOWS\system32\busiwela.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dupebetuyo] Rundll32.exe "C:\WINDOWS\system32\busiwela.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240594452859
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL c:\windows\system32\pusupuro.dll,C:\WINDOWS\system32\pozowaha.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pusupuro.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pusupuro.dll (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RosettaStoneLtdController - Unknown owner - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 13330 bytes
pskelley
2009-04-27, 12:42
Thanks for the deatailed feedback, malware is probably effecting Firefox? We need to run combofix to start removing the junk. Do your best to turn off the mentioned programs, but do download and run combofix as instructed using Internet Explorer 8. Once combofix runs you should get some relief from the malware and we will tackle other issues going forward.
Thanks...Phil
jluv5479
2009-04-27, 21:15
Hey Phil,
Here's what you asked for:
ComboFix 09-04-27.02 - Owner 04/27/2009 10:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.212 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\afagiyev.ini
c:\windows\system32\idaneyom.ini
c:\windows\system32\instsrv.exe
c:\windows\system32\tmp.reg
D:\Autorun.inf
----- BITS: Possible infected sites -----
hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.
2009-04-25 05:09 . 2009-04-25 05:09 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-24 22:53 . 2006-08-01 22:02 49152 ----a-w c:\windows\system32\ChCfg.exe
2009-04-24 22:52 . 2009-04-24 22:52 -------- d-----w c:\program files\Realtek AC97
2009-04-24 22:52 . 2006-12-08 22:20 10528768 ----a-w c:\windows\system32\RTLCPL.exe
2009-04-24 22:52 . 2007-04-16 22:28 577536 ----a-w c:\windows\soundman.exe
2009-04-24 22:52 . 2006-10-18 09:53 147456 ----a-w c:\windows\system32\RtlCPAPI.dll
2009-04-24 22:52 . 2006-07-31 18:19 315392 ----a-w c:\windows\alcupd.exe
2009-04-24 22:52 . 2006-07-31 18:27 217088 ----a-w c:\windows\Alcrmv.exe
2009-04-24 19:05 . 2009-04-24 19:06 -------- d-----w c:\program files\ERUNT
2009-04-24 18:02 . 2009-04-24 18:02 -------- d-----w c:\program files\Windows Defender
2009-04-24 17:13 . 2009-04-24 17:13 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
2009-04-24 17:11 . 2009-04-24 17:11 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
2009-04-24 17:09 . 2009-04-24 17:09 -------- d-sh--w c:\documents and settings\Owner\IETldCache
2009-04-24 17:03 . 2009-04-24 17:05 -------- dc-h--w c:\windows\ie8
2009-04-22 20:14 . 2009-04-25 16:45 -------- d--h--w C:\$AVG8.VAULT$
2009-04-22 19:34 . 2009-04-22 19:34 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-22 19:34 . 2009-04-22 19:34 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-22 19:34 . 2009-04-22 19:34 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-22 19:34 . 2009-04-27 17:14 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-22 19:33 . 2009-04-25 16:48 -------- d-----w c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-04-22 19:33 . 2009-04-22 19:33 -------- d-----w c:\program files\AVG
2009-04-22 19:33 . 2009-04-24 04:38 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-22 06:14 . 2009-04-22 06:14 39100 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 22:27 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 22:27 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 22:27 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 22:27 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 22:27 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 22:27 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 22:27 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 22:27 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 22:27 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 22:26 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 22:26 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-03-30 03:59 . 2009-03-30 03:59 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-03-30 03:59 . 2009-03-30 03:59 -------- d-----w c:\windows\system32\IOSUBSYS
2009-03-28 19:18 . 2009-03-28 19:18 -------- d-----w c:\documents and settings\Owner\Application Data\QQ Games Plugin
2009-03-28 19:16 . 2009-03-28 19:16 -------- d-----w c:\program files\Tencent
2009-03-28 19:16 . 2009-04-22 19:17 -------- d-----w c:\documents and settings\All Users\Application Data\Tencent
2009-03-28 19:13 . 2009-03-28 19:13 -------- d-----w c:\program files\Common Files\Software Update Utility
2009-03-28 19:13 . 2009-04-22 18:47 -------- d-----w c:\program files\AIM Toolbar
2009-03-28 19:07 . 2009-03-28 19:07 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\AOL
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 22:52 . 2002-10-29 21:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 19:21 . 2004-09-14 04:10 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-22 19:04 . 2004-09-23 06:35 -------- d-----w c:\program files\Canon
2009-04-22 19:01 . 2007-01-27 10:43 -------- d-----w c:\program files\Apple Software Update
2009-04-22 18:46 . 2007-07-09 02:09 -------- d-----w c:\program files\Common Files\AOL
2009-04-22 05:18 . 2008-03-22 15:52 -------- d-----w c:\program files\FinePixViewer
2009-03-30 03:58 . 2004-10-09 06:59 -------- d-----w c:\program files\Google
2009-03-28 19:12 . 2002-10-29 22:00 -------- d-----w c:\program files\Viewpoint
2009-03-08 11:34 . 2004-09-14 01:09 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-09-14 01:34 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-09-14 01:32 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-09-14 01:09 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-09-14 01:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-09-14 01:34 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-09-14 01:34 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-09-14 01:35 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-09-14 01:35 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-09-14 01:35 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-09-14 01:08 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-09-14 01:34 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-09-14 20:29 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-09-14 01:32 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2002-10-29 19:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-09-14 01:09 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-09-14 01:08 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2002-08-29 08:04 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-09-14 01:08 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 08:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-09-14 01:08 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-24 23:07 . 2007-08-11 18:10 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-22 08:11 . 2009-01-22 08:11 49664 --sha-w c:\windows\system32\howikeve.dll.tmp
2009-01-22 08:11 . 2009-01-22 08:11 49664 --sha-w c:\windows\system32\meyilona.dll.tmp
2009-01-22 08:11 . 2009-01-22 08:11 49664 --sha-w c:\windows\system32\pewulatu.dll.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
2007-10-06 01:38 266240 ----a-w c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"= "c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2007-10-06 266240]
[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-06 3572984]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-24 2356088]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2002-10-01 548933]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-21 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\System32\hphmon04.exe" [2002-06-20 339968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-06 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-22 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2002-10-01 372736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-14 5562368]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-3-22 303104]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-22 19:34 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 8.0.lnk
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdController.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\RosettaStoneLtdServices\\RosettaStoneLtdUpdater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\pando.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55567:TCP"= 55567:TCP:RosettaStoneLtdServices Port 55567
"55570:TCP"= 55570:TCP:RosettaStoneLtdServices Port 55570
"55568:TCP"= 55568:TCP:RosettaStoneLtdServices Port 55568
"55569:TCP"= 55569:TCP:RosettaStoneLtdUpdater Port 55569
"55566:TCP"= 55566:TCP:RosettaStoneLtdServices Port 55566
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-24 29744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-22 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-22 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-22 298264]
S2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [2004-03-06 3744]
S2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [2004-03-06 3904]
S2 RosettaStoneLtdController;RosettaStoneLtdController;c:\program files\RosettaStoneLtdServices\RosettaStoneLtdController.exe [2007-08-25 32624]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-CPMa71b1e92 - c:\windows\system32\pusupuro.dll
HKLM-Run-dupebetuyo - c:\windows\system32\busiwela.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert for CLIÉ - c:\program files\Sony\Image Converter\menu.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z6k7m9wf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://toofatforfashion.blogspot.com/|http://www.stevepavlina.com/blog/|http://www.google.com/ig?hl=en|https://wwws.mint.com/summary.event
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z6k7m9wf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPandBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 10:44
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2028)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\RosettaStoneLtdServices\RosettaStoneLtdUpdater.exe
c:\windows\system32\ZuneBusEnum.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-27 10:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-27 17:52
Pre-Run: 83,495,743,488 bytes free
Post-Run: 84,498,563,072 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
317 --- E O F --- 2009-04-27 17:50
[B]Uninstall List
7-Zip 4.57
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.2
AVG 8.5
BeTrapped!
Business Plan Pro 2005
CCleaner (remove only)
CCScore
CheckIt Diagnostics
CLIE Album Plugin
CLIE Mail Conduit
CLIE SCSI Driver
CLIE Update Wizard
Coloreal
CompuServe
Critical Update for Windows Media Player 11 (KB959772)
Cucusoft DVD to Zune + Zune Video Converter Suite 6.2.5.16
Data Export
Detto IntelliMover Demo
Disney's Mickey Mouse Toddler
Disney's Winnie the Pooh Toddler
Download Updater (AOL LLC)
DVD to Zune Converter 4
easy Internet sign-up
ERUNT 1.1j
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
e-Sword
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.5
getPlus(R)_ocx
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Handmark 4.0Student for Palm OS
Handmark PocketMoney
Handmark® PocketMoney® for Palm OS
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
hp instant support
HP Photo and Imaging 1.0 - HP Photosmart Printer Series
Image Converter 1.1
Image Transfer
ImageMixer for Sony
Inactive HP Printer Drivers (Remove only)
Indeo® Software
Inspector Parker
Inspector-Parker
Intel(R) Extreme Graphics Driver
InterVideo WinDVD 4
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java 2 Runtime Environment, SE v1.4.0_01
Java Web Start
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) SE Runtime Environment 6 Update 1
KBD
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Last.fm 1.3.1.1
LimeWire 4.12.11
LiveUpdate Notice (Symantec Corporation)
Lizardtech DjVu Control (autoinstall)
Macromedia Shockwave Player
Mavis Beacon Teaches Typing 16
MetaFrame Presentation Server Client
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Microsoft Works 7.0
MicroStaff WINASPI
Mobile Connection Wizard
Mozilla Firefox (3.0.9)
MSN Gaming Zone
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Music Visualizer Library 1.4.00
MySpaceIM
netbrdg
Netscape (7.0)
Notifier
NVIDIA Windows 2000/XP Display Drivers
OfotoXMI
OpenMG Limited Patch 3.2-03-02-21-08
OpenMG Limited Patch 3.2-03-02-25-01
OpenMG Limited Patch 3.2-03-04-14-02
OpenMG Secure Module 3.2
OpenOffice.org 2.4
Palm Desktop
Palo Alto Software's Application Manager 8.1
Pando
Pando Toolbar
PCDADDIN
PCDHELP
PC-Doctor for Windows
Photosmart 130,230,7150,7345,7350,7550 (Remove only)
Picasa 3
PictureGear Studio 1.0
Playhouse Disney Rolie Polie Olie
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2003 New User Edition
QuickTime
RealPlayer
Realtek AC'97 Audio
RecordNow
RecordNow Update Manager
Rhapsody
Rosetta Stone Ltd Services
S3Display
S3Gamma2
S3Info2
S3Overlay
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SFR
SHASTA
ShowBiz
Simple Installer - Multilanguage Version
SKIN0001
SKINXSDK
SonicStage 1.5.53
Sony Download Taxi 1.5.0.0
Sony ImageStation 3 Library
Sony USB Driver
Special Internet Offers
staticcr
StumbleUpon IE Toolbar
tooltips
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Veoh Video Compass
Veoh Web Player Beta
Viewpoint Media Player
Virtools 3D Life Player
VPRINTOL
Windows Defender
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinMX
WinRAR archiver
WIRELESS
Yahoo! Essentials
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Login
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool
Yahoo! Toolbar for Internet Explorer
YNAB Pro version 2.8.2.1
Zune
Zune
Zune Desktop Theme
Zune Language Pack (ES)
Zune Language Pack (FR)
Thanks again!
pskelley
2009-04-27, 21:42
In "Other Deletions" you can see the junk that was causing your problems.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more,
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Flash Player 10 ActiveX
Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87
http://www.adobe.com/support/security/bulletins/apsb09-01.html
Adobe Reader 8.1.2 <<< out of date and unsafe, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck any toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment Standard Edition v1.3.1_02 <<< even older
Java 2 Runtime Environment, SE v1.4.0_01 <<< very old
Java(TM) 6 Update 2
Java(TM) 6 Update 4
Java(TM) SE Runtime Environment 6 Update 1
all are out of date and need to be installed, read the instructions first.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
http://raproducts.org/ <<< this tool will help if the old version will not uninstall.
LimeWire 4.12.11 <<< File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
LiveUpdate Notice (Symantec Corporation) <<< uninstall
Viewpoint Media Player
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
http://vil.nai.com/vil/content/v_137262.htm
Once you uninstall that Symantec item, if anything is left, use this tool:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
I need a new HijackThis log created after combofix was run.
Thanks
jluv5479
2009-04-28, 02:50
Here's the HijackThis Log....sorry about that.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:08 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdUpdater.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Pando Networks\Pando\pando.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240594452859
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: RosettaStoneLtdController - Unknown owner - C:\Program Files\RosettaStoneLtdServices\RosettaStoneLtdController.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 12250 bytes
jluv5479
2009-04-28, 05:05
I uninstalled the programs suggested as well as a few others I don't use. I also downloaded PSI and made the suggested upgrades. Should I post another HijackThis Log or Uninstall list?
pskelley
2009-04-28, 13:43
Should I post another HijackThis Log or Uninstall list?
Not at this time.
This file: c:\windows\system32\ChCfg.exe is giving me mixed signals, see the Google:
http://www.google.com/search?hl=en&q=ChCfg.exe&btnG=Google+Search&aq=f&oq=
Looks like Realtek but Prevx is calling it Malicious Software
Make sure you can view all files and folders:
http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
scan that file here: http://virusscan.jotti.org/ and post the results.
Before we start, please be aware of this:
http://www.systemlookup.com/CLSID/38069.html
Follow the directions carefully and in the numbered order.
1) Move HijackThis to the location in the directions:
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until I ask for a new HJT log.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
3) Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\howikeve.dll.tmp
c:\windows\system32\meyilona.dll.tmp
c:\windows\system32\pewulatu.dll.tmp
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"=-
Folder::
C:\Program Files\PandoBar
C:\Program Files\Common Files\Symantec Shared
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
6) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running?
Thanks
jluv5479
2009-04-29, 21:25
Results from scan of c:\windows\system32\ChCfg.exe
Service load:
0% 100%
File: ChCfg.exe
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: 43c3571eada5bc1edead7ca22ad66f30
Packers detected: -
Scanner results
Scan taken on 29 Apr 2009 17:55:47 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
I have deleted pando and pando toolbar.
jluv5479
2009-04-30, 00:06
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Not found:
O2 - BHO: Pando Toolbar BHO - {E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O3 - Toolbar: Pando Toolbar - {E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4} - C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
Found and fixed:
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
CFScript ComboFix Log
ComboFix 09-04-29.01 - Owner 04/29/2009 11:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.177 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\howikeve.dll.tmp
c:\windows\system32\meyilona.dll.tmp
c:\windows\system32\pewulatu.dll.tmp
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\ez_log.html
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
c:\program files\Common Files\Symantec Shared\Registry Backup\ccReg.reg
c:\program files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg
c:\program files\Common Files\Symantec Shared\SMNLnch.exe
c:\program files\Common Files\Symantec Shared\Support Controls\symdlmgr.dll
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\20070712.003\Catalog.dat
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\latest-hub-webauth.sql\LHW.sql.bin
c:\program files\Common Files\Symantec Shared\SymcData\nco1.0defs\tmp3fe4.tmp\cur.enc
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\{707D28BF-E145-4a9b-B97E-94FA586D05F3}.exe
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\{707D28BF-E145-4a9b-B97E-94FA586D05F3}.loc
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\ccL60U.dll
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\msvcp71.dll
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\msvcr71.dll
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\Support\Reporter\Reporter.exe
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\Support\Reporter\Reporter.loc
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\SymHTML.dll
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\SymTheme.dll
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\Temp{707D28BF-E145-4a9b-B97E-94FA586D05F3}.exe
c:\program files\Common Files\Symantec Shared\SymSetup\{707D28BF-E145-4a9b-B97E-94FA586D05F3}\Temp{707D28BF-E145-4a9b-B97E-94FA586D05F3}.loc
c:\program files\Common Files\Symantec Shared\VirusDefs\20070808.018\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20070808.018\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20070808.018\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\20070808.018\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\20070808.018\NAVEX32A.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\CATALOG.DAT
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\CCERASER.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ECBOOTIL.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ECMSVR32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\EECTRL.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ERASER.GRD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ERASER.SIG
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ERASER.SPM
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ERASER.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\ESRDEF.BIN
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\HH
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\NAVENG.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\NAVENG.SYS
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\NAVENG.VXD
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\NAVENG32.DLL
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\NAVEX15.EXP
c:\program files\Common Files\Symantec Shared\VirusDefs\tmp5f8a.tmp\NAVEX15.SYS
c:\program files\PandoBar
c:\windows\system32\howikeve.dll.tmp
c:\windows\system32\meyilona.dll.tmp
c:\windows\system32\pewulatu.dll.tmp
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.
2009-04-29 18:18 . 2009-04-29 18:18 -------- d-----w c:\program files\Trend Micro
2009-04-29 01:03 . 2007-10-06 01:38 266240 ----a-w c:\program files\Uninstall Pando Toolbar.dll
2009-04-28 01:06 . 2009-04-28 01:06 -------- d-----w c:\program files\Secunia
2009-04-28 00:41 . 2009-04-28 00:41 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-25 05:09 . 2009-04-25 05:09 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-24 22:53 . 2006-08-01 22:02 49152 ----a-w c:\windows\system32\ChCfg.exe
2009-04-24 22:52 . 2009-04-24 22:52 -------- d-----w c:\program files\Realtek AC97
2009-04-24 22:52 . 2006-12-08 22:20 10528768 ----a-w c:\windows\system32\RTLCPL.exe
2009-04-24 22:52 . 2007-04-16 22:28 577536 ----a-w c:\windows\soundman.exe
2009-04-24 22:52 . 2006-10-18 09:53 147456 ----a-w c:\windows\system32\RtlCPAPI.dll
2009-04-24 22:52 . 2006-07-31 18:19 315392 ----a-w c:\windows\alcupd.exe
2009-04-24 22:52 . 2006-07-31 18:27 217088 ----a-w c:\windows\Alcrmv.exe
2009-04-24 19:05 . 2009-04-24 19:06 -------- d-----w c:\program files\ERUNT
2009-04-24 18:02 . 2009-04-24 18:02 -------- d-----w c:\program files\Windows Defender
2009-04-24 17:13 . 2009-04-24 17:13 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
2009-04-24 17:11 . 2009-04-24 17:11 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
2009-04-24 17:09 . 2009-04-24 17:09 -------- d-sh--w c:\documents and settings\Owner\IETldCache
2009-04-24 17:03 . 2009-04-24 17:05 -------- dc-h--w c:\windows\ie8
2009-04-22 20:14 . 2009-04-29 10:24 -------- d--h--w C:\$AVG8.VAULT$
2009-04-22 19:34 . 2009-04-22 19:34 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-22 19:34 . 2009-04-22 19:34 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-22 19:34 . 2009-04-22 19:34 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-22 19:34 . 2009-04-29 16:27 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-22 19:33 . 2009-04-25 16:48 -------- d-----w c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-04-22 19:33 . 2009-04-22 19:33 -------- d-----w c:\program files\AVG
2009-04-22 19:33 . 2009-04-24 04:38 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-22 06:14 . 2009-04-22 06:14 39100 ---ha-w c:\windows\system32\mlfcache.dat
2009-04-16 22:27 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 22:27 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 22:27 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 22:27 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 22:27 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 22:27 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 22:27 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 22:27 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 22:27 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 22:26 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 22:26 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 01:29 . 2008-04-01 13:36 -------- d-----w c:\program files\Safari
2009-04-28 01:25 . 2007-08-31 19:39 -------- d-----w c:\program files\QuickTime
2009-04-28 01:23 . 2007-01-27 10:43 -------- d-----w c:\program files\Apple Software Update
2009-04-28 01:20 . 2002-10-29 21:48 -------- d-----w c:\program files\Common Files\Adobe
2009-04-28 01:04 . 2009-02-23 20:13 -------- d-----w c:\program files\Veoh Networks
2009-04-28 01:03 . 2002-10-29 22:00 -------- d-----w c:\program files\Viewpoint
2009-04-28 00:55 . 2008-02-21 03:44 -------- d-----w c:\program files\Kodak
2009-04-28 00:43 . 2007-02-18 21:42 -------- d-----w c:\program files\LimeWire
2009-04-28 00:41 . 2002-10-29 22:04 -------- d-----w c:\program files\Java
2009-04-28 00:36 . 2002-10-29 21:38 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 19:04 . 2004-09-23 06:35 -------- d-----w c:\program files\Canon
2009-04-22 18:47 . 2009-03-28 19:13 -------- d-----w c:\program files\AIM Toolbar
2009-04-22 18:46 . 2007-07-09 02:09 -------- d-----w c:\program files\Common Files\AOL
2009-04-22 05:18 . 2008-03-22 15:52 -------- d-----w c:\program files\FinePixViewer
2009-03-30 03:58 . 2004-10-09 06:59 -------- d-----w c:\program files\Google
2009-03-28 19:16 . 2009-03-28 19:16 -------- d-----w c:\program files\Tencent
2009-03-24 11:03 . 2009-03-24 11:03 7808 ----a-w c:\windows\system32\drivers\psi_mf.sys
2009-03-08 11:34 . 2004-09-14 01:09 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-09-14 01:34 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-09-14 01:32 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-09-14 01:09 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-09-14 01:07 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-09-14 01:34 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-09-14 01:34 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-09-14 01:35 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-09-14 01:35 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-09-14 01:35 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-09-14 01:08 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-09-14 01:34 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-09-14 20:29 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-09-14 01:32 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2002-10-29 19:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-09-14 01:09 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-09-14 01:08 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2002-08-29 08:04 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-09-14 01:08 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2002-08-29 08:04 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-09-14 01:08 56832 ----a-w c:\windows\system32\secur32.dll
2008-09-24 23:07 . 2007-08-11 18:10 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-27_17.44.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 17:58 . 2009-04-28 17:58 16384 c:\windows\temp\Perflib_Perfdata_5fc.dat
+ 2008-07-16 03:38 . 2009-04-28 01:20 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2007-07-17 05:08 . 2009-04-27 23:46 89102 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-04-28 01:23 . 2009-04-28 01:23 27136 c:\windows\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
+ 2009-02-03 02:15 . 2009-02-03 02:15 240544 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-04-28 00:41 . 2009-04-28 00:41 148888 c:\windows\system32\javaws.exe
+ 2009-04-28 00:41 . 2009-04-28 00:41 144792 c:\windows\system32\javaw.exe
+ 2009-04-28 00:41 . 2009-04-28 00:41 144792 c:\windows\system32\java.exe
+ 2009-04-28 01:30 . 2009-04-28 01:30 307200 c:\windows\Installer\{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}\SafariIco.exe
+ 2009-02-03 02:15 . 2009-02-03 02:15 3771296 c:\windows\system32\Macromed\Flash\NPSWF32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-22 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"NVIEW"="nview.dll" - c:\windows\system32\nview.dll [2002-10-01 548933]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"KBD"="c:\hp\KBD\KBD.EXE" [2001-07-07 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-21 143360]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PS2"="c:\windows\system32\ps2.exe" [2002-08-01 81920]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-24 188416]
"HPHmon04"="c:\windows\System32\hphmon04.exe" [2002-06-20 339968]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-06 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-22 1932568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-28 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2002-10-01 372736]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-08-14 5562368]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-3-24 748840]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-3-22 303104]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-22 19:34 10520 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Palo Alto Software Update Manager 8.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Palo Alto Software Update Manager 8.0.lnk
backup=c:\windows\pss\Palo Alto Software Update Manager 8.0.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\WinMX\\WinMX.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-09-24 29744]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-22 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-22 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-22 298264]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2009-03-24 7808]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-04-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/?src=aim
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert for CLIÉ - c:\program files\Sony\Image Converter\menu.htm
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z6k7m9wf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://toofatforfashion.blogspot.com/|http://www.stevepavlina.com/blog/|http://www.google.com/ig?hl=en|https://wwws.mint.com/summary.event
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\z6k7m9wf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 11:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2009-04-29 11:35
ComboFix-quarantined-files.txt 2009-04-29 18:34
ComboFix2.txt 2009-04-27 17:52
Pre-Run: 84,342,222,848 bytes free
Post-Run: 84,342,767,616 bytes free
316 --- E O F --- 2009-04-27 17:50
MBAM Log
Malwarebytes' Anti-Malware 1.36
Database version: 2059
Windows 5.1.2600 Service Pack 3
4/29/2009 1:12:41 PM
mbam-log-2009-04-29 (13-12-41).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 189868
Time elapsed: 55 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{0be10b0d-b4db-4693-9b1f-9aead54d17dc} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:33 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\YNAB Pro\YNABPro.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert for CLIÉ - C:\Program Files\Sony\Image Converter\menu.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240594452859
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
--
End of file - 10200 bytes
The computer is running much better....thanks so much. I am able to get into Mozilla thought it's still running a little slow. IE works fine. I did, however, notice a few files on my desktop and I'm not sure where they came from (ZbThumbnail.info, AlbumArt_{B0C0E588-80B2-4494-814A-86132C91DE99}_Large.jpg, AlbumArt_{B0C0E588-80B2-4494-814A-86132C91DE99}_Small.jpg, Folder.jpg, ~$12 Resume.doc and ~$ssans Resume.doc.) ZbThumbnail.info says windows can't open this file. When I open AlbumArt_{B0C0E588-80B2-4494-814A-86132C91DE99}_Large.jpg, AlbumArt_{B0C0E588-80B2-4494-814A-86132C91DE99}_Small.jpg and Folder.jpg they look like cd cover pictures but when I try to delete I get a popup that says: "The file is a system file. If you remove it, your computer or one of your programs may no longer work correctly. Are you sure you want to move it to the recycle bin?" When I try to open ~$12 Resume.doc and ~$ssans Resume.doc, word tries to open but a popup says: "Microsoft Word can't import the specified format. This feature is not currently installed. Would you like to install it now?" Should I just delete all these files?
Thanks again for all your help. :)
pskelley
2009-04-30, 00:23
Should I just delete all these files?
Just to be safe, follow these directions:
Let's check your recycle bin to make sure it has not been bypassed. RIGHT click on it and choose properties. It should, by default, be set to "Use one setting for all drives" Make sure the box "Do not move files to the Recycle Bin, remove files immediately when deleted IS NOT CHECKED. Make sure you have space for deleted items, I keep my bin set at 5%. Now when we delete the files they it will be moved to the bin and can be restored IF we make a mistake and need it back. Now delete them all and they will go to the Recycle Bin. After a few days you can empty the Recycle Bin.
Let's see if we can wrap up like this.
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update Windows Defender and scan to make sure it is scanning clean and running as it should.
http://www.microsoft.com/windows/products/winfamily/defender/support.mspx
Update MBAM and scan to be sure we missed none of the junk, there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, keep it updated and run it once a month or so)
Update AVG 8 and scan the system, to be sure it is running right and scanning clean.
Good AVG information:
FAQ: http://www.avg.com/faq
AVG Free Forum: http://freeforum.avg.com/
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
How hard are your passwords to crack?
http://www.microsoft.com/protect/yourself/password/checker.mspx
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://www.microsoft.com/windows/ie/community/columns/protection.mspx
Improve the safety of your browsing and e-mail activities
http://www.microsoft.com/protect/computer/advanced/browsing.mspx
jluv5479
2009-05-01, 21:33
I've done all the scans suggested and everything seems to be up and running. Thank you soooooooo very much for all your help. I will be forever grateful. :)
P.S. How would you suggest I keep the links you provided for future use?
pskelley
2009-05-01, 21:52
P.S. How would you suggest I keep the links you provided for future use?
I am not yet using Internet Exployer 8, but you should find that information here:
http://blogs.msdn.com/ie/archive/2008/03/12/the-ie8-favorites-bar.aspx
http://www.microsoft.com/windows/internet-explorer/videos.aspx
http://www.microsoft.com/windows/products/winfamily/ie/ie8/customizelinks/default.mspx
Hope that helps:)