PDA

View Full Version : Trojan/worm introduced thru Facebook



Glennsco
2009-08-30, 05:58
Greetings,
I first started encountering problems after clicking on a bad link in Facebook! Duh! I know I know. Novice mistake but I did it and now I have some website constantly attempting to access my computer. Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:53 PM, on 8/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\webserver\webserver.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\windows\pp11.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp11.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email04.secureserver.net/Download.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/50.13/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - E:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c14e60a312e0) (gupdate1c9c14e60a312e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12966 bytes

Bio-Hazard
2009-09-01, 14:40
Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:



I will be working on your Malware issues this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine.
I f you don't know or understand something please don't hesitate to ask.
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.



Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

No Reply Within 4 Days Will Result In Your Topic Being Closed!!




STEP 1

Download DDS

Please download DDS by sUBs from one of the links below and save it to your desktop:

http://img.photobucket.com/albums/v666/sUBs/dds_scr.gif
Download DDS and save it to your desktop from:

Link 1 (http://download.bleepingcomputer.com/sUBs/dds.scr)
Link 2 (http://www.forospyware.com/sUBs/dds)

Please disable any anti-malware program that will block scripts from running before running DDS.



Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:

DDS.txt
Attach.txt


A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply



STEP 2

SysProt Antirootkit

Download SysProt Antirootkit from HERE (http://sites.google.com/site/sysprotantirootkit/) (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).



Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.

Process
Kernel Modules
SSDT
Kernel Hooks
Hidden Files

At the bottom of the page slect

Hidden Objects Only

Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive.
Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to.
Open the text file and copy/paste the log here.




Next Reply

Please reply with:


DDS.txt
Attach.txt
Sysprot Log

Glennsco
2009-09-02, 00:32
DDS (Ver_09-07-30.01) - NTFSx86
Run by mc at 16:59:54.92 on Tue 09/01/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.386 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 090901-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\webserver\webserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\windows\pp11.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\mc\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\adobe\adobe acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-CEC4-75A487FD6484} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\mc\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Acronis*True*Image Monitor] c:\program files\acronis\trueimage\TrueImageMonitor.exe
mRun: [Acronis Scheduler2 Service] c:\program files\common files\acronis\schedule2\schedhlp.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 8.0] "e:\program files\adobe\acrobat 8 standard\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [AdobeVersionCue] e:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [pp] c:\windows\pp11.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\microt~1.lnk - c:\program files\microtek\scanwizard 5\ScannerFinder.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\adobe\acrobat 8 standard\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Web-Based Email Tools - hxxp://email04.secureserver.net/Download.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/50.13/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://www.evite.com/html/imageUpload/ImageUploader5.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mc\applic~1\mozilla\firefox\profiles\j5gsmim8.default\
FF - plugin: c:\documents and settings\mc\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2003-5-20 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2003-5-20 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2003-5-20 138680]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2009-8-28 38144]
R2 webserver;webserver;c:\program files\webserver\webserver.exe [2009-8-28 13824]
S2 gupdate1c9c14e60a312e0;Google Update Service (gupdate1c9c14e60a312e0);c:\program files\google\update\GoogleUpdate.exe [2009-4-19 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2003-5-20 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2003-5-20 352920]
S3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [2003-5-15 16128]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [2008-11-24 171520]
S4 Usrmic;Usrmic;c:\windows\system32\drivers\ptilink.sys [2004-8-4 17792]

=============== Created Last 30 ================

2009-08-29 19:56 <DIR> --d----- c:\program files\WOT
2009-08-29 11:07 415 a------- c:\windows\wininit.ini
2009-08-29 09:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-08-29 09:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-08-29 09:45 <DIR> --d----- c:\program files\Trend Micro
2009-08-29 00:00 13,824 a------- c:\windows\vkl_1251518452
2009-08-28 23:54 13,824 a------- c:\windows\vkl_1251518040
2009-08-28 23:38 38,144 a------- c:\windows\system32\drivers\EAPPkt.sys
2009-08-28 21:34 13,824 a------- c:\windows\vkl_1251509640
2009-08-28 21:09 1 a------- c:\windows\ectbbyn.dat
2009-08-28 21:09 2,020 a------- c:\windows\ex1234.dat
2009-08-28 21:08 1 a------- c:\windows\fdgg34353edfgdfdf
2009-08-28 21:08 36,864 ----h--- c:\windows\pp11.exe
2009-08-28 21:08 2 a------- c:\windows\0101120101464857.xe
2009-08-28 21:07 1 ----h--- c:\windows\ex23567.dat
2009-08-28 21:07 13,824 a------- c:\windows\vkl_1251508045
2009-08-28 21:07 <DIR> --d----- c:\program files\webserver
2009-08-28 21:07 2 a------- c:\windows\0535251103110107106.yux
2009-08-28 21:07 2 a------- c:\windows\0101120101464950.xe
2009-08-28 21:07 1 ----h--- c:\windows\mmsmark2.dat
2009-08-28 21:06 2 a------- c:\windows\0101120101464954.xe
2009-08-28 21:04 2 a------- c:\windows\010112010146101105.te
2009-08-12 22:12 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 22:12 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2008-11-06 15:07 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110620081107\index.dat

============= FINISH: 17:00:46.74 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/9/2003 3:04:16 AM
System Uptime: 8/29/2009 10:47:42 PM (67 hours ago)

Motherboard: Dell Computer Corporation | |
Processor: Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz | Microprocessor | 1794/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 19 GiB total, 3.035 GiB free.
D: is CDROM (CDFS)
E: is FIXED (NTFS) - 19 GiB total, 14.392 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell TrueMobile 1300 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_044914E4&REV_02\4&139E449D&0&18F0
Manufacturer: Broadcom
Name: Dell TrueMobile 1300 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_044914E4&REV_02\4&139E449D&0&18F0
Service: BCM43XX

==== System Restore Points ===================

RP311: 8/17/2009 1:32:22 AM - System Checkpoint
RP312: 8/18/2009 2:04:57 AM - System Checkpoint
RP313: 8/19/2009 2:08:50 AM - System Checkpoint
RP314: 8/20/2009 3:08:47 AM - System Checkpoint
RP315: 8/21/2009 4:21:51 AM - System Checkpoint
RP316: 8/22/2009 5:09:53 AM - System Checkpoint
RP317: 8/23/2009 6:21:24 AM - System Checkpoint
RP318: 8/24/2009 7:09:55 AM - System Checkpoint
RP319: 8/25/2009 7:11:59 AM - System Checkpoint
RP320: 8/26/2009 7:20:15 AM - System Checkpoint
RP321: 8/27/2009 3:00:25 AM - Software Distribution Service 3.0
RP322: 8/28/2009 3:19:39 AM - System Checkpoint
RP323: 8/28/2009 11:20:02 PM - Installed REALTEK RTL8185 Wireless LAN Driver and Utility
RP324: 8/28/2009 11:35:57 PM - Removed REALTEK RTL8185 Wireless LAN Driver and Utility
RP325: 8/28/2009 11:38:53 PM - Installed REALTEK RTL8185 Wireless LAN Driver and Utility
RP326: 8/29/2009 7:56:14 PM - Installed WOT for Internet Explorer
RP327: 8/29/2009 10:45:21 PM - Software Distribution Service 3.0
RP328: 8/30/2009 11:06:11 PM - System Checkpoint
RP329: 8/31/2009 11:53:15 PM - System Checkpoint

==== Installed Programs ======================

Acrobat.com
Acronis*True*Image
Adobe Acrobat 8 Standard
Adobe Acrobat 8.1.4 Standard
Adobe AIR
Adobe Creative Suite
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe PageMaker Plug-in Pack
Adobe Photoshop 7.0
Adobe Reader 9
Adobe SVG Viewer 3.0
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
avast! Antivirus
CCScore
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
CrossFont version 5.3
Dell Driver Reset Tool
Dell Modem-On-Hold
Dell Wireless WLAN Card
deskUNPDF 2
dj_sf_software_req
Driver Detective
Easy CD Creator 5 Basic
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
fflink
FontCreator 5.6
FormViewer
Google Chrome
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
HP Deskjet Printer Driver Software 9.0
Infix
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2
kgcbase
kgcinvt
Kodak EasyShare software
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.13)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MyPoints Toolbar
netbrdg
OfotoXMI
PCTEL 2304WT V.92 MDC Modem Drivers
Picasa 3
Quicken 2007
QuickTime
Revo Uninstaller 1.75
ScanSoft PaperPort Viewer 7.0
ScanWizard 5
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SFR
SHASTA
skin0001
SKINXSDK
Spybot - Search & Destroy
staticcr
Toolbox
tooltips
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VPRINTOL
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WIRELESS
WOT for Internet Explorer

==== Event Viewer Messages From Past Week ========

8/30/2009 1:25:56 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0014A5472B10. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/28/2009 11:49:31 PM, error: Service Control Manager [7000] - The ASPI32 service failed to start due to the following error: The system cannot find the file specified.
8/26/2009 10:23:35 PM, error: Service Control Manager [7034] - The avast! Web Scanner service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================



SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F1B6C000
Module End: F1B84000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F8F0A000
Module End: F8F0C000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwClose
Address: F1E976B8
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwCreateKey
Address: F1E97574
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDeleteValueKey
Address: F1E97A52
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwDuplicateObject
Address: F1E9714C
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenKey
Address: F1E9764E
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenProcess
Address: F1E9708C
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwOpenThread
Address: F1E970F0
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryValueKey
Address: F1E9776E
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: F1E9772E
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwSetValueKey
Address: F1E978AE
Driver Base: F1E8F000
Driver End: F1EB0000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\System Volume Information\MountPointManagerRemoteDatabase
Status: Access denied

Object: C:\System Volume Information\tracking.log
Status: Access denied

Object: C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}
Status: Access denied

Bio-Hazard
2009-09-02, 09:36
Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)



You must download it to and run it from your Desktop
ComboFix SHOULD NOT be used unless requested by a forum helper.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE (http://www.bleepingcomputer.com/forums/topic114351.html)
Double click on ComboFix.exe and follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Combofix should never take more that 20 minutes including the reboot if malware is detected.



IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.


Next Reply

Please reply with:


ComboFix log (found at C:\Combofix.txt)
New HijackThis log

Glennsco
2009-09-03, 03:44
ComboFix 09-09-02.02 - mc 09/02/2009 20:04.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.248 [GMT -4:00]
Running from: c:\documents and settings\mc\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1351 [VPS 090902-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\010112010146101105.te
c:\windows\0101120101464857.xe
c:\windows\0101120101464950.xe
c:\windows\0101120101464954.xe
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Installer\23b62625.msp
c:\windows\Installer\31040.msi
c:\windows\Installer\39b3c3f.msp
c:\windows\Installer\4c09812.msp
c:\windows\Installer\fc1ef9f.msp
c:\windows\pp11.exe
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-29 23:56 . 2009-08-29 23:56 -------- d-----w- c:\program files\WOT
2009-08-29 13:51 . 2009-08-29 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 13:51 . 2009-08-29 13:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 13:45 . 2009-08-29 13:45 -------- d-----w- c:\program files\Trend Micro
2009-08-29 03:38 . 2007-10-09 17:13 38144 ----a-w- c:\windows\system32\drivers\EAPPkt.sys
2009-08-29 01:09 . 2009-08-29 01:09 1 ----a-w- c:\windows\ectbbyn.dat
2009-08-29 01:09 . 2009-08-29 01:36 2020 ----a-w- c:\windows\ex1234.dat
2009-08-29 01:07 . 2009-08-29 01:07 1 ---h--w- c:\windows\ex23567.dat
2009-08-29 01:07 . 2009-08-29 01:07 -------- d-----w- c:\program files\webserver
2009-08-29 01:07 . 2009-08-29 01:07 1 ---h--w- c:\windows\mmsmark2.dat
2009-08-13 02:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 02:22 . 2009-08-26 19:27 -------- d-----w- c:\documents and settings\mc\Local Settings\Application Data\Temp
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 03:54 . 2008-11-12 01:45 -------- d-----w- c:\program files\REALTEK
2009-08-29 03:49 . 2008-06-07 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 03:09 . 2008-11-02 19:09 -------- d-----w- c:\documents and settings\mc\Application Data\U3
2009-08-17 16:10 . 2003-05-20 17:13 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2003-05-20 17:14 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2003-05-20 17:14 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2003-05-20 17:14 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2003-05-20 17:14 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2003-05-20 17:14 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2003-05-20 17:14 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2003-05-20 17:14 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2003-05-20 17:14 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 03:01 . 2008-11-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-10 09:30 . 2009-01-24 22:04 -------- d-----w- c:\documents and settings\mc\Application Data\AdobeUM
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2003-06-09 06:55 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"Google Update"="c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"Acronis*True*Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2008-06-07 471637]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-06-07 65536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe" [2008-10-15 623992]
"AdobeVersionCue"="e:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-24 110592]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2009-1-5 344064]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53:TCP"= 53:TCP:webserver

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/20/2003 1:14 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/20/2003 1:14 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8/28/2009 11:38 PM 38144]
R2 webserver;webserver;c:\program files\webserver\webserver.exe [8/28/2009 9:07 PM 13824]
S2 gupdate1c9c14e60a312e0;Google Update Service (gupdate1c9c14e60a312e0);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2009 8:24 PM 133104]
S3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [5/15/2003 3:13 PM 16128]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [11/24/2008 11:46 AM 171520]
S4 Usrmic;Usrmic;c:\windows\system32\drivers\ptilink.sys [8/4/2004 8:00 AM 17792]
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003Core.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]

2009-09-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003UA.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{A057A204-BACC-4D26-CEC4-75A487FD6484} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Web-Based Email Tools - hxxp://email04.secureserver.net/Download.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\documents and settings\mc\Application Data\Mozilla\Firefox\Profiles\j5gsmim8.default\
FF - plugin: c:\documents and settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 20:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F862D6E-AF30-1B61-CFCD-1A2EC8579B38}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadilggdmaaedbgfhpfchablidkihp"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5
"nabjbglpgjahpoejijcomoolbcin"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(776)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-03 20:13
ComboFix-quarantined-files.txt 2009-09-03 00:13

Pre-Run: 3,712,090,112 bytes free
Post-Run: 3,801,174,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

231 --- E O F --- 2009-08-30 02:46



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:39:26 PM, on 9/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email04.secureserver.net/Download.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/50.13/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - E:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c14e60a312e0) (gupdate1c9c14e60a312e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12683 bytes
:rockon:

Bio-Hazard
2009-09-03, 07:22
Run CFScript



Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:




http://forums.spybot.info/showthread.php?p=333340#post333340

Collect::
c:\windows\ectbbyn.dat
c:\windows\ex1234.dat
c:\windows\ex23567.dat
c:\windows\mmsmark2.dat


Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Refering to the picture below, drag CFScript into ComboFix.exe

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt



NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.

Next Reply

Please reply with:


ComboFix log (found at C:\Combofix.txt)
New HijackThis log




Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.


Go to HERE (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says Java Runtime Environment (JRE) 6 Update 16
Click the Download button to the right
From the dropdown menu choose your platform. Which is Windows
Dont change the language box.
Click on the radio button to Accept License Agreement and after that click continue
Click on Windows Offline Installation Multi-language and save the downloaded file to your computer
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
Reboot your computer
Delete the folder C:\Program Files\Java if present
Install the new version by running the newly-downloaded file and follow the on-screen instructions.
Reboot your computer




ATF-Cleaner

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.



Save it to your desktop
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.




Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.
Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.






Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


ComboFix log (found at C:\Combofix.txt)
Kaspersky Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Glennsco
2009-09-04, 01:26
ComboFix 09-09-02.02 - mc 09/03/2009 1:51.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.239 [GMT -4:00]
Running from: c:\documents and settings\mc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mc\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090902-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\ectbbyn.dat
file zipped: c:\windows\ex1234.dat
file zipped: c:\windows\ex23567.dat
file zipped: c:\windows\mmsmark2.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ectbbyn.dat
c:\windows\ex1234.dat
c:\windows\ex23567.dat
c:\windows\mmsmark2.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-08-29 23:56 . 2009-08-29 23:56 -------- d-----w- c:\program files\WOT
2009-08-29 13:51 . 2009-08-29 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 13:51 . 2009-08-29 13:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 13:45 . 2009-08-29 13:45 -------- d-----w- c:\program files\Trend Micro
2009-08-29 03:38 . 2007-10-09 17:13 38144 ----a-w- c:\windows\system32\drivers\EAPPkt.sys
2009-08-29 01:07 . 2009-08-29 01:07 -------- d-----w- c:\program files\webserver
2009-08-13 02:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 02:22 . 2009-08-26 19:27 -------- d-----w- c:\documents and settings\mc\Local Settings\Application Data\Temp
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 03:54 . 2008-11-12 01:45 -------- d-----w- c:\program files\REALTEK
2009-08-29 03:49 . 2008-06-07 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 03:09 . 2008-11-02 19:09 -------- d-----w- c:\documents and settings\mc\Application Data\U3
2009-08-17 16:10 . 2003-05-20 17:13 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2003-05-20 17:14 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2003-05-20 17:14 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2003-05-20 17:14 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2003-05-20 17:14 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2003-05-20 17:14 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2003-05-20 17:14 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2003-05-20 17:14 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2003-05-20 17:14 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 03:01 . 2008-11-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-10 09:30 . 2009-01-24 22:04 -------- d-----w- c:\documents and settings\mc\Application Data\AdobeUM
2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2003-06-09 06:55 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_00.11.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 00:18 . 2009-09-03 00:18 16384 c:\windows\Temp\Perflib_Perfdata_504.dat
+ 2004-08-04 12:00 . 2009-09-03 00:27 72248 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-09-02 23:51 72248 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-03 00:27 444156 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-02 23:51 444156 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"Google Update"="c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"Acronis*True*Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2008-06-07 471637]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-06-07 65536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe" [2008-10-15 623992]
"AdobeVersionCue"="e:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-24 110592]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2009-1-5 344064]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53:TCP"= 53:TCP:webserver

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/20/2003 1:14 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/20/2003 1:14 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8/28/2009 11:38 PM 38144]
S3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [5/15/2003 3:13 PM 16128]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [11/24/2008 11:46 AM 171520]
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003Core.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003UA.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Web-Based Email Tools - hxxp://email04.secureserver.net/Download.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\documents and settings\mc\Application Data\Mozilla\Firefox\Profiles\j5gsmim8.default\
FF - plugin: c:\documents and settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 02:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F862D6E-AF30-1B61-CFCD-1A2EC8579B38}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadilggdmaaedbgfhpfchablidkihp"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5
"nabjbglpgjahpoejijcomoolbcin"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-03 2:22
ComboFix-quarantined-files.txt 2009-09-03 06:21
ComboFix2.txt 2009-09-03 00:13

Pre-Run: 3,815,690,240 bytes free
Post-Run: 3,755,454,464 bytes free

219 --- E O F --- 2009-08-30 02:46
Upload was successful



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, September 3, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 03, 2009 13:46:36
Records in database: 2742384
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 70468
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 03:08:36


File name / Threat / Threats count
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP325\A0037813.exe Infected: Net-Worm.Win32.Koobface.bkw 1
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP325\A0037814.exe Infected: Net-Worm.Win32.Koobface.bku 1
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP325\A0037815.exe Infected: Net-Worm.Win32.Koobface.ble 1

Selected area has been scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:24:00 PM, on 9/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email04.secureserver.net/Download.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/50.13/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - E:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c14e60a312e0) (gupdate1c9c14e60a312e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12956 bytes


PERFORMANCE:
As I was running the last HJT, I did get a pop-up from AVAST saying that it found a virus and "not to worry because it caught it" :confused:

Bio-Hazard
2009-09-04, 11:16
Hello!


I would like to see the avasr! log so i know what file it is referring to.

ATF-Cleaner



Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selectedbutton.

NOTE: If you would like to keep your saved passwords please click No at the prompt.
Click Exit on the Main menu to close the program.




Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php) and save it to your desktop.



Alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
Alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)



Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware


Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:

Make sure the Perform Full Scan option is selected.
Then click on the Scan button.


If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Avast log
ComboFix log (found at C:\Combofix.txt)
Malwarebytes Antimalware log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Glennsco
2009-09-05, 16:49
AVAST

5/15/2003 12:00:51 AM SYSTEM 1196 Function setifaceUpdatePackages() has failed. Return code is 0x2000001D, dwRes is 2000001D.
5/15/2003 12:04:35 AM SYSTEM 1352 Function setifaceUpdatePackages() has failed. Return code is 0x2000001D, dwRes is 2000001D.
5/15/2003 12:43:26 AM SYSTEM 1388 Function setifaceUpdatePackages() has failed. Return code is 0x2000001D, dwRes is 2000001D.
5/15/2003 12:46:26 AM SYSTEM 1400 Function setifaceUpdatePackages() has failed. Return code is 0x2000001D, dwRes is 2000001D.
9/28/2008 12:36:38 PM SYSTEM 1172 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
11/2/2008 9:34:32 AM SYSTEM 1472 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
11/7/2008 7:55:17 PM SYSTEM 1724 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\shareddocs\TNTMeetingAttendees20081016.pdf (\\Hppavilion\shareddocs\TNTMeetingAttendees20081016.pdf) returning error, 00000005.
11/9/2008 7:33:16 PM SYSTEM 1564 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
11/9/2008 7:38:51 PM SYSTEM 1676 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
11/15/2008 9:11:20 AM SYSTEM 1636 Function setifaceUpdatePackages() has failed. Return code is 0x20000006, dwRes is 20000006.
11/15/2008 4:08:32 PM SYSTEM 1632 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11/15/2008 4:08:33 PM SYSTEM 1632 An error has occured while attempting to update. Please check the logs.
11/15/2008 8:27:38 PM SYSTEM 1632 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
11/15/2008 8:27:39 PM SYSTEM 1632 An error has occured while attempting to update. Please check the logs.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\000_0001.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\000_0001.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\000_0006.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\000_0006.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\000_0009.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\000_0009.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0365.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0365.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0366.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0366.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0367.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0367.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0368.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0368.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0370.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0370.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0371.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0371.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0486.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\3905 Woodreed Leak\100_0486.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0636.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0636.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0637.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0637.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0638.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0638.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0639.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0639.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0640.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas 6th Grade Awards\100_0640.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0602.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0602.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0603.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0603.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0607.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0607.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0611.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0611.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0612.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0612.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0613.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0613.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0614.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0614.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0615.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Staishas Wall of Shame\100_0615.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0498.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0498.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0499.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0499.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0502.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0502.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0503.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0503.jpg) returning error, 00000005.
11/23/2008 5:36:18 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0504.jpg (C:\Documents and Settings\All Users\Documents\My Pictures\Kodak Pictures\Winniconne\100_0504.jpg) returning error, 00000005.
11/23/2008 5:41:56 PM SYSTEM 1436 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT (C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT) returning error, 00000005.
11/25/2008 11:30:38 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\HPPAVILION\Owner\Desktop\ksa fac loc.doc (\\HPPAVILION\Owner\Desktop\ksa fac loc.doc) returning error, 00000005.
11/25/2008 11:32:44 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\Desktop\ksa inv loc.doc (\\Hppavilion\owner\Desktop\ksa inv loc.doc) returning error, 00000005.
12/1/2008 12:30:44 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf (\\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf) returning error, 00000005.
12/1/2008 12:32:17 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf (\\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf) returning error, 00000005.
12/1/2008 12:52:41 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\METRO\Checkstubs2008\Shortcut to 20081125.tiff.lnk (\\Hppavilion\owner\My Documents\METRO\Checkstubs2008\Shortcut to 20081125.tiff.lnk) returning error, 00000005.
12/1/2008 12:58:14 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf (\\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf) returning error, 00000005.
12/1/2008 1:05:22 PM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf (\\Hppavilion\owner\My Documents\METRO\Checkstubs2008\20081125.pdf) returning error, 00000005.
12/5/2008 11:38:14 AM SYSTEM 1536 Sign of "VBS:Malware-gen" has been found in "http://www.awesomevideoz.com/m6/movie1.php?id=1632\http:\\www.awesomevideoz.com\m6\movie1" file.
12/5/2008 11:38:31 AM SYSTEM 1536 Sign of "VBS:Malware-gen" has been found in "http://www.awesomevideoz.com/m6/movie1.php?id=1632\http:\\www.awesomevideoz.com\m6\movie1" file.
12/18/2008 4:42:22 AM SYSTEM 1584 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/18/2008 4:44:28 AM SYSTEM 1400 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
12/23/2008 12:37:55 PM SYSTEM 1384 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT (C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT) returning error, 00000005.
1/8/2009 10:11:32 PM SYSTEM 1404 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: D:\Adobe Acrobat 6.0 Professional\setup.exe (D:\Adobe Acrobat 6.0 Professional\setup.exe) returning error, 0000001E.
1/23/2009 2:11:03 PM SYSTEM 1576 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
1/23/2009 2:11:03 PM SYSTEM 1576 An error has occured while attempting to update. Please check the logs.
2/4/2009 11:29:20 AM mc 1432 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\METRO\BusRouteDescriptions\~WRD1104.tmp (\\Hppavilion\owner\My Documents\METRO\BusRouteDescriptions\~WRD1104.tmp) returning error, 0000A420.
2/28/2009 8:13:02 PM SYSTEM 1396 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT (C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT) returning error, 00000005.
2/28/2009 11:47:40 PM SYSTEM 1396 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT (C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT) returning error, 00000005.
3/22/2009 8:44:26 PM SYSTEM 1496 Function setifaceUpdateFiles() has failed. Return code is 0xC0000142, dwRes is C0000142.
3/22/2009 8:44:27 PM SYSTEM 1496 An error has occured while attempting to update. Please check the logs.
4/9/2009 11:57:35 AM SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT (C:\DOCUMENTS AND SETTINGS\MC\APPLICATION DATA\MICROSOFT\TEMPLATES\NORMAL.DOT) returning error, 00000005.
4/25/2009 10:57:57 PM SYSTEM 1428 Sign of "JS:Packed-AA [Trj]" has been found in "http://www.nearear.org/" file.
5/17/2009 10:41:56 AM ¸ 1456 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
5/21/2009 12:59:06 AM SYSTEM 1508 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
5/21/2009 4:59:11 AM SYSTEM 1508 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
5/24/2009 9:58:20 PM SYSTEM 1576 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
6/2/2009 8:00:33 PM SYSTEM 1456 Function setifaceUpdatePackages() has failed. Return code is 0x00000008, dwRes is 00000008.
6/2/2009 8:00:34 PM SYSTEM 1456 An error has occured while attempting to update. Please check the logs.
6/28/2009 5:28:12 PM SYSTEM 1608 Function setifaceUpdatePackages() has failed. Return code is 0x00000008, dwRes is 00000008.
6/28/2009 5:28:13 PM SYSTEM 1608 An error has occured while attempting to update. Please check the logs.
7/11/2009 7:41:19 PM SYSTEM 1652 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\RealEstate\DrGlenn\Kentbury\Disclosures.pdf (\\Hppavilion\owner\My Documents\RealEstate\DrGlenn\Kentbury\Disclosures.pdf) returning error, 00000035.
7/12/2009 2:20:10 AM SYSTEM 1652 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XLCUNM54\LIBCORE[1].JS (C:\DOCUMENTS AND SETTINGS\MC\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XLCUNM54\LIBCORE[1].JS) returning error, 00000005.
7/12/2009 11:01:16 AM SYSTEM 1652 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\DOCUMENTS AND SETTINGS\MC\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7VP9QNSO\EXPANSION_EMBED[1].JS (C:\DOCUMENTS AND SETTINGS\MC\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\7VP9QNSO\EXPANSION_EMBED[1].JS) returning error, 00000005.
7/12/2009 6:03:07 PM SYSTEM 1652 Function setifaceUpdatePackages() has failed. Return code is 0x00000008, dwRes is 00000008.
7/12/2009 6:03:09 PM SYSTEM 1652 An error has occured while attempting to update. Please check the logs.
7/19/2009 5:06:41 PM SYSTEM 1616 Sign of "JS:Pdfka-JS [Expl]" has been found in "http://ef2tr.cn/traff2/pdf.php?spl=pdf_ie2\{gzip}" file.
8/15/2009 7:32:52 AM SYSTEM 1636 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
8/18/2009 12:15:27 AM SYSTEM 1616 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\RealEstate\Trinkaus\BuyersAgree.pdf (\\Hppavilion\owner\My Documents\RealEstate\Trinkaus\BuyersAgree.pdf) returning error, 00000035.
8/22/2009 9:46:21 AM SYSTEM 1632 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP315\A0037285.msi (C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP315\A0037285.msi) returning error, 0000A413.
8/27/2009 5:59:19 PM SYSTEM 1632 Function setifaceUpdatePackages() has failed. Return code is 0x00000008, dwRes is 00000008.
8/27/2009 5:59:20 PM SYSTEM 1632 An error has occured while attempting to update. Please check the logs.
8/28/2009 9:07:02 PM SYSTEM 1644 Sign of "Win32:LdPinch-CYW [Trj]" has been found in "C:\WINDOWS\srpira1251508020.eXE" file.
8/28/2009 9:07:49 PM SYSTEM 1644 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\XLCUNM54\prx90[1].exe" file.
8/28/2009 9:08:02 PM SYSTEM 1644 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\DOCUME~1\mc\LOCALS~1\Temp\zazodin_1251514400.exe" file.
8/28/2009 9:24:36 PM SYSTEM 1644 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: \\Hppavilion\owner\My Documents\SOFCC\Ushers MOH\UsherInfoDoc.xls (\\Hppavilion\owner\My Documents\SOFCC\Ushers MOH\UsherInfoDoc.xls) returning error, 00000035.
8/28/2009 9:43:15 PM SYSTEM 1632 Sign of "JS:FakeAV-W [Trj]" has been found in "http://plamet.info/?uid=13300" file.
8/28/2009 11:45:35 PM SYSTEM 1276 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 9:27:33 AM SYSTEM 1624 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 9:57:38 AM SYSTEM 1624 Sign of "JS:FakeAV-W [Trj]" has been found in "http://scarre.info/?uid=13300" file.
8/29/2009 1:59:51 PM SYSTEM 1628 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 2:00:09 PM SYSTEM 1628 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\87PF0U1M\index[1].htm" file.
8/29/2009 5:33:18 PM SYSTEM 1284 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 6:18:21 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 6:18:30 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 6:18:30 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\BU0JWT3U\index[1].htm" file.
8/29/2009 6:33:20 PM SYSTEM 1284 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 7:18:24 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 7:18:50 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\1DAYC5BI\index[1].htm" file.
8/29/2009 7:18:50 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 7:33:27 PM SYSTEM 1284 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 8:18:27 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 8:35:11 PM SYSTEM 1284 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\IZ94IKT3\index[1].htm" file.
8/29/2009 8:58:13 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 9:43:17 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 9:43:19 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\IZ94IKT3\index[1].htm" file.
8/29/2009 9:58:15 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/29/2009 10:43:45 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/29/2009 10:44:04 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\BU0JWT3U\index[1].htm" file.
8/29/2009 11:04:59 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/30/2009 1:35:15 PM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://sighal.info/?uid=13300" file.
8/30/2009 7:50:34 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/30/2009 7:50:36 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\XLCUNM54\index[1].htm" file.
8/30/2009 8:05:33 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/30/2009 8:35:35 PM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://outliv.info/?uid=13300" file.
8/30/2009 8:50:36 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/30/2009 8:50:37 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\XE3CY1AE\index[1].htm" file.
8/30/2009 9:05:35 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/30/2009 9:35:38 PM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://outliv.info/?uid=13300" file.
8/30/2009 9:50:39 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://visualsecuritysupply.com/index.php?affid=12400" file.
8/30/2009 9:50:40 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "C:\Documents and Settings\mc\Local Settings\Temporary Internet Files\Content.IE5\7VP9QNSO\index[2].htm" file.
8/30/2009 10:05:38 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/31/2009 4:36:05 PM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://gelded.info/?uid=13300" file.
8/31/2009 4:50:56 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/31/2009 5:05:54 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
8/31/2009 11:36:19 PM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://orodes.info/?uid=13300" file.
9/1/2009 6:11:57 AM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
9/1/2009 6:26:57 AM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
9/1/2009 6:57:02 AM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://fosset.info/?uid=13300" file.
9/1/2009 4:42:16 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://securitytoolworld.com/index.php?affid=12400" file.
9/1/2009 4:57:13 PM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
9/1/2009 9:07:28 PM SYSTEM 1636 Sign of "JS:FakeAV-W [Trj]" has been found in "http://polear.info/?uid=13300" file.
9/1/2009 9:22:34 PM SYSTEM 1636 Sign of "JS:FakeAV-AH [Trj]" has been found in "http://securitytoolworld.com/index.php?affid=12400" file.
9/2/2009 6:37:29 AM SYSTEM 1636 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://61.235.117.83/redirectsoft/popup/" file.
9/2/2009 8:18:33 PM SYSTEM 1284 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\webserver\webserver.exe" file.
9/3/2009 2:26:21 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\webserver\webserver.exe" file.
9/3/2009 6:23:48 PM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\webserver\webserver.exe" file.


COMBOFIX

ComboFix 09-09-02.02 - mc 09/03/2009 1:51.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.239 [GMT -4:00]
Running from: c:\documents and settings\mc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mc\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090902-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\ectbbyn.dat
file zipped: c:\windows\ex1234.dat
file zipped: c:\windows\ex23567.dat
file zipped: c:\windows\mmsmark2.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ectbbyn.dat
c:\windows\ex1234.dat
c:\windows\ex23567.dat
c:\windows\mmsmark2.dat

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-08-29 23:56 . 2009-08-29 23:56 -------- d-----w- c:\program files\WOT
2009-08-29 13:51 . 2009-08-29 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 13:51 . 2009-08-29 13:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 13:45 . 2009-08-29 13:45 -------- d-----w- c:\program files\Trend Micro
2009-08-29 03:38 . 2007-10-09 17:13 38144 ----a-w- c:\windows\system32\drivers\EAPPkt.sys
2009-08-29 01:07 . 2009-08-29 01:07 -------- d-----w- c:\program files\webserver
2009-08-13 02:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 02:22 . 2009-08-26 19:27 -------- d-----w- c:\documents and settings\mc\Local Settings\Application Data\Temp
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 03:54 . 2008-11-12 01:45 -------- d-----w- c:\program files\REALTEK
2009-08-29 03:49 . 2008-06-07 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 03:09 . 2008-11-02 19:09 -------- d-----w- c:\documents and settings\mc\Application Data\U3
2009-08-17 16:10 . 2003-05-20 17:13 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2003-05-20 17:14 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2003-05-20 17:14 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2003-05-20 17:14 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2003-05-20 17:14 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2003-05-20 17:14 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2003-05-20 17:14 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2003-05-20 17:14 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2003-05-20 17:14 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 03:01 . 2008-11-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-10 09:30 . 2009-01-24 22:04 -------- d-----w- c:\documents and settings\mc\Application Data\AdobeUM
2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2003-06-09 06:55 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_00.11.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 00:18 . 2009-09-03 00:18 16384 c:\windows\Temp\Perflib_Perfdata_504.dat
+ 2004-08-04 12:00 . 2009-09-03 00:27 72248 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-09-02 23:51 72248 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-03 00:27 444156 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-02 23:51 444156 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"Google Update"="c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"Acronis*True*Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2008-06-07 471637]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-06-07 65536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe" [2008-10-15 623992]
"AdobeVersionCue"="e:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-24 110592]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2009-1-5 344064]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53:TCP"= 53:TCP:webserver

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/20/2003 1:14 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/20/2003 1:14 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8/28/2009 11:38 PM 38144]
S3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [5/15/2003 3:13 PM 16128]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [11/24/2008 11:46 AM 171520]
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003Core.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]

2009-09-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003UA.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Web-Based Email Tools - hxxp://email04.secureserver.net/Download.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
FF - ProfilePath - c:\documents and settings\mc\Application Data\Mozilla\Firefox\Profiles\j5gsmim8.default\
FF - plugin: c:\documents and settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 02:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F862D6E-AF30-1B61-CFCD-1A2EC8579B38}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadilggdmaaedbgfhpfchablidkihp"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5
"nabjbglpgjahpoejijcomoolbcin"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-09-03 2:22
ComboFix-quarantined-files.txt 2009-09-03 06:21
ComboFix2.txt 2009-09-03 00:13

Pre-Run: 3,815,690,240 bytes free
Post-Run: 3,755,454,464 bytes free

219 --- E O F --- 2009-08-30 02:46
Upload was successful

MALWAREBYTES #1 (aborted when noticed it ran past some directories that I knew were infected - AVAST was still running at this time)

Malwarebytes' Anti-Malware 1.40
Database version: 2743
Windows 5.1.2600 Service Pack 3

9/5/2009 7:27:14 AM
mbam-log-2009-09-05 (07-27-14).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 70532
Time elapsed: 8 hour(s), 20 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\pp11.exe.vir (Worm.Koobface) -> Quarantined and deleted successfully.


MALWAREBYTES LOG #2 (after turning off AVAST and disabling internet connection)

Malwarebytes' Anti-Malware 1.40
Database version: 2744
Windows 5.1.2600 Service Pack 3

9/5/2009 9:24:44 AM
mbam-log-2009-09-05 (09-24-44).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 185121
Time elapsed: 43 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP325\A0037813.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP325\A0037814.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP325\A0037815.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{978D1590-02AB-4DC1-9A42-F70E49674C3D}\RP330\A0038084.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1251508045 (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1251509640 (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1251518040 (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\vkl_1251518452 (Trojan.DNSChanger) -> Quarantined and deleted successfully.

FRESH HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:36:32 AM, on 9/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email04.secureserver.net/Download.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/50.13/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - E:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c14e60a312e0) (gupdate1c9c14e60a312e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 13111 bytes


PERFORMANCE

My PC appears to be performing better now. No warnings and no delayed performance.

Bio-Hazard
2009-09-05, 19:24
Hello!


Is avast! still giving you warnings?

Do you know what this progrma is: C:\Program Files\webserver\webserver.exe

Update Java Runtime:

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason it's extremely important that you keep the program up to date and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 16.


Go to HERE (http://java.sun.com/javase/downloads/index.jsp)
Scroll down to where it says Java Runtime Environment (JRE) 6 Update 16
Click the Download button to the right
From the dropdown menu choose your platform. Which is Windows
Dont change the language box.
Click on the radio button to Accept License Agreement and after that click continue
Click on Windows Offline Installation Multi-language and save the downloaded file to your computer
Go to Start => Control Panel => Add or Remove Programs
Uninstall all old versions of Java (Java 2 Runtime Environment JRE or JSE)
Reboot your computer
Delete the folder C:\Program Files\Java if present
Install the new version by running the newly-downloaded file and follow the on-screen instructions.
Reboot your computer




Eset online scannner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.



Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:






Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.



Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


Answer to My question
ESET Log
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Glennsco
2009-09-05, 23:15
1-AVAST did give a warning when I was running my last HJT. It was related to that webserver.exe file.
2-No I do not know that file/program or anything related to it.

esetlog

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=7.00.6000.16876 (vista_gdr.090625-2339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=eda49a953d1d8a46a015d34c0f0c0d31
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-09-05 07:59:19
# local_time=2009-09-05 03:59:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 21 100 100 68884951696
# scanned=74142
# found=4
# cleaned=0
# scan_time=5028
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinKoobface1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinKoobface3.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVirutmtt1.zip Win32/Bagle.gen.zip worm 00000000000000000000000000000000 I
C:\Program Files\webserver\webserver.exe probably a variant of Win32/TrojanProxy.Small.NCJ trojan 00000000000000000000000000000000 I


hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:34 PM, on 9/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email04.secureserver.net/Download.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/50.13/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - E:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c14e60a312e0) (gupdate1c9c14e60a312e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: webserver - Unknown owner - C:\Program Files\webserver\webserver.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12931 bytes

[B]Behavior

Internet Explorer was sluggish in general and it the would becomputer "running hot" as it does when it's trying to do something (for example I've noticed this behavior when it has security updates ready to install and yet some other action is preventing it like it goes to "sleep" before the update happens)
It's not doing that now but it was before the scan.

The warning came after the scan, though. Maybe because the AVAST had been turned off to do the scan?

Bio-Hazard
2009-09-06, 12:36
Hello!

We are almost done.

You need to empty this folder (Do NOT delete it): C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery


Run CFScript



Close any open browsers.
Open Notepad by click start
Click Run
Type notepad into the box and click enter
Notepad will open
Copy and Paste everything from the Code box into Notepad:





Driver::
webserver

Folder::
C:\Program Files\webserver



Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

http://i219.photobucket.com/albums/cc99/BioHazard_030/CFScriptExample.jpg
Refering to the picture below, drag CFScript into ComboFix.exe

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif
When finished, it shall produce a log for you at C:\ComboFix.txt



NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:


ComboFix log (found at C:\Combofix.txt)
A fresh HijackThis Log ( after all the above has been done)
A description of how your computer is behaving

Glennsco
2009-09-06, 15:37
COMBOFIX

ComboFix 09-09-05.03 - mc 09/06/2009 7:25.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.639.344 [GMT -4:00]
Running from: c:\documents and settings\mc\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mc\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090905-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\webserver
c:\program files\webserver\webserver.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WEBSERVER
-------\Service_webserver


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-05 18:29 . 2009-09-05 18:29 -------- d-----w- c:\program files\ESET
2009-09-05 18:00 . 2009-09-05 18:00 -------- d-----w- c:\program files\Java
2009-09-05 03:02 . 2009-09-05 03:02 -------- d-----w- c:\documents and settings\mc\Application Data\Malwarebytes
2009-09-05 03:02 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 03:02 . 2009-09-05 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-05 03:02 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-05 03:02 . 2009-09-05 03:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 11:12 . 2009-09-05 18:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-29 23:56 . 2009-08-29 23:56 -------- d-----w- c:\program files\WOT
2009-08-29 13:51 . 2009-08-29 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-29 13:51 . 2009-08-29 13:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 13:45 . 2009-08-29 13:45 -------- d-----w- c:\program files\Trend Micro
2009-08-29 03:38 . 2007-10-09 17:13 38144 ----a-w- c:\windows\system32\drivers\EAPPkt.sys
2009-08-13 02:12 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-12 02:22 . 2009-08-26 19:27 -------- d-----w- c:\documents and settings\mc\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-29 03:54 . 2008-11-12 01:45 -------- d-----w- c:\program files\REALTEK
2009-08-29 03:49 . 2008-06-07 19:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-24 03:09 . 2008-11-02 19:09 -------- d-----w- c:\documents and settings\mc\Application Data\U3
2009-08-17 16:10 . 2003-05-20 17:13 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2003-05-20 17:14 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2003-05-20 17:14 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2003-05-20 17:14 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2003-05-20 17:14 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2003-05-20 17:14 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2003-05-20 17:14 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2003-05-20 17:14 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2003-05-20 17:14 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 03:01 . 2008-11-06 17:03 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-07-10 09:30 . 2009-01-24 22:04 -------- d-----w- c:\documents and settings\mc\Application Data\AdobeUM
2009-06-29 16:12 . 2004-08-04 12:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2003-06-09 06:55 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_00.11.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-05 18:03 . 2009-09-05 18:03 16384 c:\windows\Temp\Perflib_Perfdata_668.dat
+ 2009-09-06 11:36 . 2009-09-06 11:36 16384 c:\windows\Temp\Perflib_Perfdata_11c.dat
- 2004-08-04 12:00 . 2009-09-02 23:51 72248 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-05 22:29 72248 c:\windows\system32\perfc009.dat
+ 2009-09-03 00:11 . 2008-10-16 19:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 13824 c:\windows\system32\dllcache\cache\wscntfy.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 26112 c:\windows\system32\dllcache\cache\userinit.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\cache\svchost.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 71680 c:\windows\system32\dllcache\cache\ssdpsrv.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 59904 c:\windows\system32\dllcache\cache\regsvc.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 88576 c:\windows\system32\dllcache\cache\rasauto.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 17408 c:\windows\system32\dllcache\cache\powrprof.dll
+ 2009-09-03 00:11 . 2006-10-19 02:47 27136 c:\windows\system32\dllcache\cache\mspmsnsv.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 33792 c:\windows\system32\dllcache\cache\msgsvc.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 13312 c:\windows\system32\dllcache\cache\lsass.exe
+ 2009-09-03 00:11 . 2008-04-14 00:11 22016 c:\windows\system32\dllcache\cache\lpk.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 19968 c:\windows\system32\dllcache\cache\linkinfo.dll
+ 2009-09-03 00:11 . 2008-04-13 18:39 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
+ 2009-09-03 00:11 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
+ 2009-09-03 00:11 . 2008-04-14 00:11 56320 c:\windows\system32\dllcache\cache\eventlog.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
+ 2009-09-03 00:11 . 2008-04-14 00:11 62464 c:\windows\system32\dllcache\cache\cryptsvc.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 77824 c:\windows\system32\dllcache\cache\browser.dll
+ 2009-09-03 00:11 . 2008-04-13 18:57 14336 c:\windows\system32\dllcache\cache\asyncmac.sys
+ 2009-09-03 00:11 . 2004-08-04 12:00 11648 c:\windows\system32\dllcache\cache\acpiec.sys
+ 2009-09-03 00:11 . 2008-04-14 00:12 5120 c:\windows\system32\dllcache\cache\sfc.dll
+ 2009-09-03 00:11 . 2004-08-04 12:00 2944 c:\windows\system32\dllcache\cache\null.sys
+ 2009-09-03 00:11 . 2004-08-04 12:00 4224 c:\windows\system32\dllcache\cache\beep.sys
+ 2004-08-04 12:00 . 2009-09-05 22:29 444156 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-02 23:51 444156 c:\windows\system32\perfh009.dat
+ 2009-09-05 18:01 . 2009-09-05 18:00 149280 c:\windows\system32\javaws.exe
+ 2009-09-05 18:01 . 2009-09-05 18:00 145184 c:\windows\system32\javaw.exe
+ 2009-09-05 18:01 . 2009-09-05 18:00 145184 c:\windows\system32\java.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 129024 c:\windows\system32\dllcache\cache\xmlprov.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 507904 c:\windows\system32\dllcache\cache\winlogon.exe
+ 2009-09-03 00:11 . 2009-06-29 16:12 827392 c:\windows\system32\dllcache\cache\wininet.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 578560 c:\windows\system32\dllcache\cache\user32.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 185856 c:\windows\system32\dllcache\cache\upnphost.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 295424 c:\windows\system32\dllcache\cache\termsrv.dll
+ 2009-09-03 00:11 . 2008-06-20 11:51 361600 c:\windows\system32\dllcache\cache\tcpip.sys
+ 2009-09-03 00:11 . 2008-04-14 00:12 249856 c:\windows\system32\dllcache\cache\tapisrv.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 171008 c:\windows\system32\dllcache\cache\srsvc.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 135168 c:\windows\system32\dllcache\cache\shsvcs.dll
+ 2009-09-03 00:11 . 2009-02-06 11:11 110592 c:\windows\system32\dllcache\cache\services.exe
+ 2009-09-03 00:11 . 2008-04-14 00:12 192512 c:\windows\system32\dllcache\cache\schedsvc.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 181248 c:\windows\system32\dllcache\cache\scecli.dll
+ 2009-09-03 00:11 . 2009-02-09 12:10 401408 c:\windows\system32\dllcache\cache\rpcss.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 409088 c:\windows\system32\dllcache\cache\qmgr.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 435200 c:\windows\system32\dllcache\cache\ntmssvc.dll
+ 2009-09-03 00:11 . 2008-04-13 19:15 574976 c:\windows\system32\dllcache\cache\ntfs.sys
+ 2009-09-03 00:11 . 2008-04-14 00:12 198144 c:\windows\system32\dllcache\cache\netman.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 407040 c:\windows\system32\dllcache\cache\netlogon.dll
+ 2009-09-03 00:11 . 2008-04-13 19:20 182656 c:\windows\system32\dllcache\cache\ndis.sys
+ 2009-09-03 00:11 . 2008-06-20 17:46 245248 c:\windows\system32\dllcache\cache\mswsock.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 927504 c:\windows\system32\dllcache\cache\mfc40u.dll
+ 2009-09-03 00:11 . 2009-03-21 14:06 989696 c:\windows\system32\dllcache\cache\kernel32.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 110080 c:\windows\system32\dllcache\cache\imm32.dll
+ 2009-09-03 00:11 . 2008-07-07 20:26 253952 c:\windows\system32\dllcache\cache\es.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 792064 c:\windows\system32\dllcache\cache\comres.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 617472 c:\windows\system32\dllcache\cache\comctl32.dll
+ 2009-09-03 00:11 . 2008-04-14 00:11 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
+ 2009-09-03 00:11 . 2008-04-13 16:39 142592 c:\windows\system32\dllcache\cache\aec.sys
+ 2009-09-03 00:11 . 2008-04-14 00:12 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
+ 2009-09-03 00:11 . 2009-02-06 11:08 2189056 c:\windows\system32\dllcache\cache\ntoskrnl.exe
+ 2009-09-03 00:11 . 2009-02-07 23:02 2066048 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
+ 2009-09-03 00:11 . 2009-07-19 13:33 3597824 c:\windows\system32\dllcache\cache\mshtml.dll
+ 2009-09-03 00:11 . 2008-04-14 00:12 1033728 c:\windows\system32\dllcache\cache\explorer.exe
- 2009-01-24 21:45 . 2009-08-31 00:19 3817472 c:\windows\Installer\5ca4d1.msi
+ 2009-01-24 21:45 . 2009-09-05 00:44 3817472 c:\windows\Installer\5ca4d1.msi
+ 2009-09-05 18:00 . 2009-09-05 18:00 1757696 c:\windows\Installer\17459a.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-04 39408]
"Google Update"="c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-13 335872]
"Acronis*True*Image Monitor"="c:\program files\Acronis\TrueImage\TrueImageMonitor.exe" [2008-06-07 471637]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-06-07 65536]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe" [2008-10-15 623992]
"AdobeVersionCue"="e:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-05 149280]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"PCTVOICE"="pctspk.exe" - c:\windows\system32\pctspk.exe [2002-07-18 163840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-1-24 110592]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-7-7 282624]
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2009-1-5 344064]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"53:TCP"= 53:TCP:webserver

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/20/2003 1:14 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/20/2003 1:14 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [8/28/2009 11:38 PM 38144]
S2 gupdate1c9c14e60a312e0;Google Update Service (gupdate1c9c14e60a312e0);c:\program files\Google\Update\GoogleUpdate.exe [4/19/2009 8:24 PM 133104]
S3 SCM488C;SCM Microsystems SCR120 PCMCIA Smart Card Reader;c:\windows\system32\drivers\pscr.sys [5/15/2003 3:13 PM 16128]
S3 wldel48b;Dell TrueMobile 1150 Series PCCard Driver;c:\windows\system32\drivers\wldel48b.sys [11/24/2008 11:46 AM 171520]
S4 Usrmic;Usrmic;c:\windows\system32\drivers\ptilink.sys [8/4/2004 8:00 AM 17792]
.
Contents of the 'Scheduled Tasks' folder

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-20 00:24]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003Core.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-515967899-1060284298-1957994488-1003UA.job
- c:\documents and settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-12 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Web-Based Email Tools - hxxp://email04.secureserver.net/Download.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\mc\Application Data\Mozilla\Firefox\Profiles\j5gsmim8.default\
FF - plugin: c:\documents and settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 07:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F862D6E-AF30-1B61-CFCD-1A2EC8579B38}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oadilggdmaaedbgfhpfchablidkihp"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5
"nabjbglpgjahpoejijcomoolbcin"=hex:6a,61,70,69,69,70,6c,6a,6b,66,63,64,66,70,
69,6d,63,67,63,63,00,f5

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:00000003

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:00000007

[HKEY_USERS\S-1-5-21-515967899-1060284298-1957994488-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000020
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\documents and settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-09-06 7:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 11:42
ComboFix2.txt 2009-09-03 06:23
ComboFix3.txt 2009-09-03 00:13

Pre-Run: 3,295,920,128 bytes free
Post-Run: 3,269,332,992 bytes free

319 --- E O F --- 2009-08-30 02:46


HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:30 AM, on 9/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe
E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Acronis*True*Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] E:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\mc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8 Standard\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Web-Based Email Tools - http://email04.secureserver.net/Download.CAB
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/50.13/uploader2.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.evite.com/html/imageUpload/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1055142896196
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228828719226
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - E:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9c14e60a312e0) (gupdate1c9c14e60a312e0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12702 bytes


[B]PERFORMANCE

Appears to be acting normal
No AVAST warnings

Bio-Hazard
2009-09-06, 15:53
Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:


DDS - (You can just delete the exe file from your desktop)
SysProt - (You can just delete the exe file from your desktop)
ATF cleaner - (You can just delete the exe file from your desktop)




Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
http://i147.photobucket.com/albums/r301/DFW_photos/CF_Cleanup.png
Please advise if this step is missed for any reason as it performs some important actions.

OTC

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.



Double-click OTC.exe
Click the CleanUp! button
Select Yes when the Begin cleanup Process? Prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes, if not delete it by yourself



Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.



Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site (http://update.microsoft.com/microsoftupdate) on a regular basis.
NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.
Update Non-Microsoft Programs
Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector) or F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html). I suggest that you run one of them at least once a month.
Make Internet Explorer More Secure
You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE (http://surfthenetsafely.com/ieseczone8.htm)




Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.



WinPatrol
As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE (http://www.winpatrol.com/).
SpywareBlaster
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE (http://www.webopedia.com/TERM/A/ActiveX_control.html). You can download SpywareBlaster from HERE (http://www.javacoolsoftware.com/sbdownload.html).
Malwarebytes' Anti-Malware
Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE (http://www.malwarebytes.org/mbam.php). Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide (http://www.lognrock.com/forum/index.php?showtopic=6926) and Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).
Hosts File
For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE (http://forum.malwareremoval.com/viewtopic.php?t=22187) and for more information regarding host files read HERE (http://www.mvps.org/winhelp2002/hosts.htm).
Use an alternative Internet Browser
Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox (http://www.mozilla.com/en-US/firefox/) or Opera (http://www.opera.com/download/) or Google Chrome (http://www.google.com/chrome)



Here is a great article by miekiemoes How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html).

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

Glennsco
2009-09-07, 04:54
Thank you Bio-Hazard. You guys are the best! All appears to be well and I have no more questions. I will try to be more careful in the future. I love being able to resolve these from the comfort of my home and not having to take it to someone and not have access to it for unknown amounts of time. My donation is on its way!!

Bio-Hazard
2009-09-08, 00:29
Thank you for your kind words and donation.

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.