need vundo (i think) help



coryr83
2009-11-15, 02:35
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:24 PM, on 11/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O1 - Hosts: 91.212.127.226 osguard-pro.com
O1 - Hosts: 91.212.127.226 www.osguard-pro.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [rohojuwam] Rundll32.exe "c:\windows\system32\mulumobu.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-21-1091305534-1932478288-3135451993-500\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\FAMILY\Application Data\AntiVirus Plus\AntiVirus Plus.70367.dll", start 70367 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\FAMILY\Application Data\AntiVirus Plus\AntiVirus Plus.70367.dll", start 70367 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C314D1CD-1424-49DD-8381-61FFC2B95A50}: NameServer = 77.74.48.113
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll c:\windows\system32\dazumuti.dll c:\windows\system32\wisolike.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\yifulose.dll c:\windows\system32\zesujego.dll felazako.dll c:\windows\system32\kupusalo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: kikotehis - {1e7252b4-0e5c-4d36-a62e-57cb7b3a25c8} - (no file)
O21 - SSODL: vafijazen - {414b7a8e-d4fd-448f-b0d9-436eef94370b} - (no file)
O22 - SharedTaskScheduler: gahurihor - {709ca040-90de-4741-886c-feafb7d4582d} - c:\windows\system32\dutujahi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {d2a3c5f4-ba75-4fb1-b02c-b5c02edbc0b7} - c:\windows\system32\wisolike.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {e7b0def9-2cbb-4834-8595-d503f18aea07} - c:\windows\system32\tahidazu.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {b4cef2f8-4f0c-42df-ba32-35b6cdc00f06} - c:\windows\system32\zesujego.dll (file missing)
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9185 bytes
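
The checks a helper runs in their head over a log like the one above can be written down as detection logic. The script below is an added example, not code from this thread, from Safer Networking or from HijackThis: it reads the O1/O4/O17/O20/O21/O22 lines of an HJT log and flags non-loopback hosts-file mappings, Run values that load a DLL through rundll32, registry-set DNS servers (for confirmation, not as a verdict), AppInit_DLLs entries with the eight-lowercase-letter names seen above, and shell/scheduler hooks whose file is gone. The heuristics and the names `Finding`, `triage` and `SAMPLE_LOG` are this example's own; the sample lines are copied from the posted log, with two clean entries kept in to show what is not flagged.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example: not code from the forum thread, from Safer Networking or
from HijackThis. The heuristics and the names Finding, triage and
SAMPLE_LOG are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample input: lines copied from the HijackThis log posted above, plus two
# clean entries (AVG tray, Acrobat BHO) to show what is *not* flagged.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 osguard-pro.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [rohojuwam] Rundll32.exe "c:\windows\system32\mulumobu.dll",a
O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\FAMILY\Application Data\AntiVirus Plus\AntiVirus Plus.70367.dll", start 70367 (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{C314D1CD-1424-49DD-8381-61FFC2B95A50}: NameServer = 77.74.48.113
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll c:\windows\system32\dazumuti.dll c:\windows\system32\wisolike.dll
O21 - SSODL: kikotehis - {1e7252b4-0e5c-4d36-a62e-57cb7b3a25c8} - (no file)
O22 - SharedTaskScheduler: gahurihor - {709ca040-90de-4741-886c-feafb7d4582d} - c:\windows\system32\dutujahi.dll (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high" (act on it) or "review" (confirm before acting)
    reason: str
    line: str


LOOPBACK = {"127.0.0.1", "::1"}

# Heuristic of this example: a DLL named with exactly eight lowercase letters,
# the naming style of the droppers in the posted log (dazumuti, wisolike, ...).
RANDOM_DLL = re.compile(r"(?:^|\\)[a-z]{8}\.dll$")

# O4 lines look like: O4 - <hive\..\Run>: [<value name>] <command> (User '...')
O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious HJT entry, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        if section == "O1":
            # O1 - Hosts: <address> <hostname>; anything that is not loopback
            # silently redirects a name the user did not choose to redirect.
            parts = line.split(":", 1)[1].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                findings.append(Finding("O1", "high",
                    f"hosts file maps {parts[1]} to {parts[0]}", line))

        elif section == "O4":
            m = O4_LINE.match(line)
            if m and "rundll32" in m["cmd"].lower() and ".dll" in m["cmd"].lower():
                system_profile = "S-1-5-18" in m["key"] or ".DEFAULT" in m["key"]
                where = " under the SYSTEM/Default profile" if system_profile else ""
                findings.append(Finding("O4", "high",
                    f"Run value [{m['name']}] loads a DLL through rundll32{where}", line))

        elif section == "O17" and "NameServer" in line:
            server = line.rsplit("=", 1)[1].strip()
            findings.append(Finding("O17", "review",
                f"DNS server {server} set in the registry; confirm it is the ISP/DHCP value", line))

        elif line.startswith("O20 - AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that uses user32.
            for token in line.split(":", 1)[1].split():
                if RANDOM_DLL.search(token):
                    findings.append(Finding("O20", "high",
                        f"AppInit_DLLs injects random-named {token}", line))

        elif section in ("O21", "O22") and ("(no file)" in line or "(file missing)" in line):
            findings.append(Finding(section, "review",
                "shell/scheduler hook points at a file that is no longer present", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.severity:<7}{f.reason}")
```

Run against the sample it reports eight findings and leaves the AVG tray entry, the Acrobat BHO and the `::1 localhost` line alone. The O17 entry is deliberately "review" rather than "high": a log alone cannot say whether a DNS server is the ISP's, so that line is something to confirm with the user, whereas a hosts-file mapping of a microsoft.com name to an unrelated address needs no further context.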

peku006
2009-11-16, 21:39
Hello and :welcome: to Safer Networking

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:


If you don't know or understand something please don't hesitate to ask
Please DO NOT run any other tools or scans whilst I am helping you.
It is important that you reply to this thread. Do not start a new topic.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Absence of symptoms does not mean that everything is clear.

We will begin with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks peku006

coryr83
2009-11-16, 23:00
ComboFix 09-11-16.05 - FAMILY 11/16/2009 14:42..1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.622 [GMT -6:00]
Running from: c:\documents and settings\FAMILY\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\FAMILY\Application Data\AntiVirus Plus\AnTIvirus plus.70367.dll
c:\windows\kb913800.exe
c:\windows\system32\bopufeto.exe
c:\windows\system32\kerodaru.exe
c:\windows\system32\napuruya.exe
c:\windows\system32\pizofubo.dll
c:\windows\system32\rirebuva.exe
c:\windows\system32\vidasasa.exe
C:\xcrashdump.dat

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
hxxp://82.98.231.102
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-15 13:34 . 2009-11-15 13:34 -------- d-----w- C:\.jagex_cache_32
2009-11-15 13:29 . 2009-11-15 13:45 63 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences2.dat
2009-11-15 13:29 . 2009-11-15 13:45 38 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences.dat
2009-11-15 00:04 . 2009-11-15 00:04 -------- d-----w- c:\program files\ERUNT
2009-11-13 12:09 . 2009-11-14 00:32 117760 ----a-w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 12:07 . 2009-11-13 12:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 12:06 . 2009-11-13 12:06 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Malwarebytes
2009-11-12 23:06 . 2009-11-09 21:53 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 23:06 . 2009-11-09 21:53 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 23:06 . 2009-11-09 21:53 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 23:06 . 2009-11-09 21:30 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 23:06 . 2009-11-09 21:52 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 23:06 . 2009-11-09 21:30 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 21:53 . 2009-11-09 21:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 21:51 . 2009-11-09 21:30 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 21:51 . 2009-11-09 21:30 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 21:30 . 2009-11-09 21:42 -------- d-----w- C:\$AVG
2009-11-09 21:29 . 2009-11-16 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 16:33 . 2009-11-16 20:48 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AntiVirus Plus
2009-11-04 12:37 . 2009-11-04 12:37 -------- d-----w- c:\program files\Trend Micro
2009-11-03 12:22 . 2009-11-03 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-03 12:16 . 2007-01-18 16:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-11-03 12:15 . 2009-11-03 12:15 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-03 12:14 . 2009-11-03 12:14 -------- d-----w- c:\program files\Research In Motion
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-sh--w- c:\windows\ftpcache
2009-11-02 23:48 . 2009-11-02 23:48 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-02 21:11 . 2009-04-06 17:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-11-02 21:11 . 2009-02-10 22:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-11-02 21:10 . 2009-02-18 23:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-11-02 21:10 . 2009-11-02 21:10 -------- d-----w- c:\program files\Agnitum
2009-11-02 21:09 . 2009-11-02 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-10-31 23:46 . 2009-11-02 11:23 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-28 15:22 . 2009-10-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\72421824
2009-10-24 13:19 . 2009-10-25 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\46696334
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 01:14 . 2009-10-28 16:53 -------- d-----w- c:\program files\mgpkhc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com
2009-11-13 11:02 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-11-13 00:47 . 2006-07-19 20:57 -------- d-----w- c:\program files\Dl_cats
2009-11-10 00:13 . 2006-11-23 22:18 -------- d-----w- c:\program files\Common Files\Sierra On-Line
2009-11-09 21:53 . 2008-09-26 19:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 21:30 . 2008-09-26 19:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 21:29 . 2008-09-26 19:21 -------- d-----w- c:\program files\AVG
2009-11-09 17:42 . 2006-07-04 22:30 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AdobeUM
2009-11-04 13:36 . 2007-04-08 13:51 -------- d-----w- c:\documents and settings\FAMILY\Application Data\InstallShield
2009-11-03 14:05 . 2006-06-30 02:18 102584 ----a-w- c:\documents and settings\FAMILY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 12:24 . 2006-06-27 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-03 12:22 . 2006-06-27 04:47 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-03 12:22 . 2006-06-27 04:59 -------- d-----w- c:\program files\Roxio
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-31 22:07 . 2005-08-17 01:58 -------- d-----w- c:\program files\RGB
2009-10-31 22:07 . 2006-06-27 04:48 -------- d-----w- c:\program files\NetWaiting
2009-10-31 22:07 . 2006-06-27 04:47 -------- d-----w- c:\program files\Modem Helper
2009-10-31 22:07 . 2005-08-17 01:54 -------- d-----w- c:\program files\ESPNMotion
2009-10-31 22:07 . 2005-08-17 01:51 -------- d-----w- c:\program files\EnglishOtto
2009-10-31 22:07 . 2009-09-18 21:38 -------- d-----w- c:\program files\ATTToolbar
2009-10-31 22:07 . 2009-09-18 21:35 -------- d-----w- c:\program files\ATT-SST
2009-10-31 20:52 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\ATTToolbar
2009-10-28 18:39 . 2006-07-01 17:08 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Microsoft Games
2009-10-25 20:04 . 2008-05-22 19:24 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-10-25 20:00 . 2008-05-22 19:31 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Nikon
2009-10-25 20:00 . 2008-05-22 19:25 -------- d-----w- c:\program files\Common Files\Nikon
2009-09-19 21:42 . 2009-09-18 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-19 12:16 . 2009-09-18 21:02 -------- d-----w- c:\program files\Common Files\Motive
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AT&T
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\program files\AT&T
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2009-09-18 21:36 . 2009-09-18 21:02 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Motive
2009-09-18 21:02 . 2009-09-18 21:02 -------- d-----w- c:\program files\ATT-HSI
2009-09-11 14:03 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2005-08-16 09:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-11-21 22:52 . 2006-11-21 22:52 251 ----a-w- c:\program files\wt3d.ini
2006-07-22 18:35 . 2006-07-22 18:35 35776 ----a-w- c:\program files\MC
2009-07-22 22:53 . 2009-07-22 22:53 8 --sh--r- c:\windows\system32\818DF4476F.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\fapumoke.dll
2009-07-22 22:53 . 2009-07-22 22:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\loviheti.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\mekawiba.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\rigivika.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 21:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FAMILY^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\documents and settings\FAMILY\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/26/2008 1:22 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/26/2008 1:22 PM 360584]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/2/2009 3:11 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/2/2009 3:10 PM 1195008]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/9/2009 3:30 PM 285392]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/20/2006 4:32 PM 70016]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/2/2009 3:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/2/2009 3:11 PM 257432]
S3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {C314D1CD-1424-49DD-8381-61FFC2B95A50} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\FAMILY\Application Data\Mozilla\Firefox\Profiles\fyoyz5zl.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-rohojuwam - c:\windows\system32\mulumobu.dll
HKU-Default-Run-AntiVirus Plus - c:\documents and settings\FAMILY\Application Data\AntiVirus Plus\AntiVirus Plus.70367.dll
SharedTaskScheduler-{709ca040-90de-4741-886c-feafb7d4582d} - c:\windows\system32\dutujahi.dll
SharedTaskScheduler-{d2a3c5f4-ba75-4fb1-b02c-b5c02edbc0b7} - c:\windows\system32\wisolike.dll
SharedTaskScheduler-{e7b0def9-2cbb-4834-8595-d503f18aea07} - c:\windows\system32\tahidazu.dll
SharedTaskScheduler-{b4cef2f8-4f0c-42df-ba32-35b6cdc00f06} - c:\windows\system32\zesujego.dll
SSODL-kikotehis-{1e7252b4-0e5c-4d36-a62e-57cb7b3a25c8} - (no file)
SSODL-vafijazen-{414b7a8e-d4fd-448f-b0d9-436eef94370b} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 14:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000013
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2624)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-16 14:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-16 20:56

Pre-Run: 28,234,399,744 bytes free
Post-Run: 28,697,178,112 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 4A1F1A7BCE60771660E89F88D56258FD

peku006
2009-11-17, 00:15
Hi coryr83

Run CFScript

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Rootkit::



Fcopy::
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks peku006

coryr83
2009-11-17, 02:49
ComboFix 09-11-17.01 - FAMILY 11/16/2009 18:30.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.554 [GMT -6:00]
Running from: c:\documents and settings\FAMILY\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\FAMILY\Desktop\CFScript.lnk
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-16 20:56 . 2009-11-16 20:56 -------- d-----w- c:\windows\LastGood
2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-15 13:34 . 2009-11-15 13:34 -------- d-----w- C:\.jagex_cache_32
2009-11-15 13:29 . 2009-11-15 13:45 63 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences2.dat
2009-11-15 13:29 . 2009-11-15 13:45 38 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences.dat
2009-11-15 00:04 . 2009-11-15 00:04 -------- d-----w- c:\program files\ERUNT
2009-11-13 12:09 . 2009-11-14 00:32 117760 ----a-w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 12:07 . 2009-11-13 12:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 12:06 . 2009-11-13 12:06 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Malwarebytes
2009-11-12 23:06 . 2009-11-09 21:53 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 23:06 . 2009-11-09 21:53 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 23:06 . 2009-11-09 21:53 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 23:06 . 2009-11-09 21:30 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 23:06 . 2009-11-09 21:52 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 23:06 . 2009-11-09 21:30 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 21:53 . 2009-11-09 21:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 21:51 . 2009-11-09 21:30 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 21:51 . 2009-11-09 21:30 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 21:30 . 2009-11-09 21:42 -------- d-----w- C:\$AVG
2009-11-09 21:29 . 2009-11-16 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 16:33 . 2009-11-16 20:48 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AntiVirus Plus
2009-11-04 12:37 . 2009-11-04 12:37 -------- d-----w- c:\program files\Trend Micro
2009-11-03 12:22 . 2009-11-03 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-03 12:16 . 2007-01-18 16:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-11-03 12:15 . 2009-11-03 12:15 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-03 12:14 . 2009-11-03 12:14 -------- d-----w- c:\program files\Research In Motion
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-sh--w- c:\windows\ftpcache
2009-11-02 23:48 . 2009-11-02 23:48 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-02 21:11 . 2009-04-06 17:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-11-02 21:11 . 2009-02-10 22:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-11-02 21:10 . 2009-02-18 23:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-11-02 21:10 . 2009-11-02 21:10 -------- d-----w- c:\program files\Agnitum
2009-11-02 21:09 . 2009-11-02 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-10-31 23:46 . 2009-11-02 11:23 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-28 15:22 . 2009-10-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\72421824
2009-10-24 13:19 . 2009-10-25 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\46696334
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 01:14 . 2009-10-28 16:53 -------- d-----w- c:\program files\mgpkhc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com
2009-11-13 11:02 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-11-13 00:47 . 2006-07-19 20:57 -------- d-----w- c:\program files\Dl_cats
2009-11-10 00:13 . 2006-11-23 22:18 -------- d-----w- c:\program files\Common Files\Sierra On-Line
2009-11-09 21:53 . 2008-09-26 19:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 21:30 . 2008-09-26 19:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 21:29 . 2008-09-26 19:21 -------- d-----w- c:\program files\AVG
2009-11-09 17:42 . 2006-07-04 22:30 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AdobeUM
2009-11-04 13:36 . 2007-04-08 13:51 -------- d-----w- c:\documents and settings\FAMILY\Application Data\InstallShield
2009-11-03 14:05 . 2006-06-30 02:18 102584 ----a-w- c:\documents and settings\FAMILY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 12:24 . 2006-06-27 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-03 12:22 . 2006-06-27 04:47 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-03 12:22 . 2006-06-27 04:59 -------- d-----w- c:\program files\Roxio
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-31 22:07 . 2005-08-17 01:58 -------- d-----w- c:\program files\RGB
2009-10-31 22:07 . 2006-06-27 04:48 -------- d-----w- c:\program files\NetWaiting
2009-10-31 22:07 . 2006-06-27 04:47 -------- d-----w- c:\program files\Modem Helper
2009-10-31 22:07 . 2005-08-17 01:54 -------- d-----w- c:\program files\ESPNMotion
2009-10-31 22:07 . 2005-08-17 01:51 -------- d-----w- c:\program files\EnglishOtto
2009-10-31 22:07 . 2009-09-18 21:38 -------- d-----w- c:\program files\ATTToolbar
2009-10-31 22:07 . 2009-09-18 21:35 -------- d-----w- c:\program files\ATT-SST
2009-10-31 20:52 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\ATTToolbar
2009-10-28 18:39 . 2006-07-01 17:08 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Microsoft Games
2009-10-25 20:04 . 2008-05-22 19:24 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-10-25 20:00 . 2008-05-22 19:31 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Nikon
2009-10-25 20:00 . 2008-05-22 19:25 -------- d-----w- c:\program files\Common Files\Nikon
2009-09-19 21:42 . 2009-09-18 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-19 12:16 . 2009-09-18 21:02 -------- d-----w- c:\program files\Common Files\Motive
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AT&T
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\program files\AT&T
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2009-09-18 21:36 . 2009-09-18 21:02 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Motive
2009-09-18 21:02 . 2009-09-18 21:02 -------- d-----w- c:\program files\ATT-HSI
2009-09-11 14:03 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2005-08-16 09:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-11-21 22:52 . 2006-11-21 22:52 251 ----a-w- c:\program files\wt3d.ini
2006-07-22 18:35 . 2006-07-22 18:35 35776 ----a-w- c:\program files\MC
2009-07-22 22:53 . 2009-07-22 22:53 8 --sh--r- c:\windows\system32\818DF4476F.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\fapumoke.dll
2009-07-22 22:53 . 2009-07-22 22:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\loviheti.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\mekawiba.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\rigivika.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-16_20.51.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-05-30 22:42 . 2008-07-09 07:38 26488 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\spcustom.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 17272 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\spmsg.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 382840 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\updspapi.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 755576 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\update.exe
- 2009-05-30 22:42 . 2008-07-09 07:38 231288 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\spuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 21:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FAMILY^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\documents and settings\FAMILY\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/26/2008 1:22 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/26/2008 1:22 PM 360584]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/2/2009 3:11 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/2/2009 3:10 PM 1195008]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/9/2009 3:30 PM 285392]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/20/2006 4:32 PM 70016]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/2/2009 3:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/2/2009 3:11 PM 257432]
S3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {C314D1CD-1424-49DD-8381-61FFC2B95A50} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\FAMILY\Application Data\Mozilla\Firefox\Profiles\fyoyz5zl.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000013
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1000)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2848)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-16 18:43
ComboFix-quarantined-files.txt 2009-11-17 00:43
ComboFix2.txt 2009-11-16 20:57

Pre-Run: 28,705,943,552 bytes free
Post-Run: 28,692,271,104 bytes free

- - End Of File - - 860FF6922DFD6CDA45DEA4D98A13BB65


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:06 PM, on 11/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C314D1CD-1424-49DD-8381-61FFC2B95A50}: NameServer = 77.74.48.113
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6473 bytes



Homepage for Firefox says "Sorry. Service is temporary unavailable!"
When I try to log on to Gmail it brings up the 404 not found page...

coryr83
2009-11-17, 02:55
Also, when I do a Google search and click on a link... say one for YouTube, it brings me to something else.

peku006
2009-11-17, 09:55
Hi coryr83

CFScript Failed... :confused:


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


Fcopy::
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please download GooredFix.exe (http://jpshortstuff.247fixes.com/GooredFix.exe) by jpshortstuff.
Save it to your desktop. Alternate site: http://downloads.securitycadets.com/GooredFix.exe
Ensure all Firefox windows are closed.
Double-click GooredFix.exe to run it.
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log file will open... named "GooredFix.txt".
Please copy and paste the contents of the GooredFix.txt file in your next reply.


Thanks peku006

coryr83
2009-11-17, 14:17
ComboFix 09-11-17.01 - FAMILY 11/17/2009 6:02.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.595 [GMT -6:00]
Running from: c:\documents and settings\FAMILY\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\FAMILY\My Documents\Downloads\CFScript.txt.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-15 13:34 . 2009-11-15 13:34 -------- d-----w- C:\.jagex_cache_32
2009-11-15 13:29 . 2009-11-15 13:45 63 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences2.dat
2009-11-15 13:29 . 2009-11-15 13:45 38 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences.dat
2009-11-15 00:04 . 2009-11-15 00:04 -------- d-----w- c:\program files\ERUNT
2009-11-13 12:09 . 2009-11-14 00:32 117760 ----a-w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 12:07 . 2009-11-13 12:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 12:06 . 2009-11-13 12:06 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Malwarebytes
2009-11-12 23:06 . 2009-11-09 21:53 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 23:06 . 2009-11-09 21:53 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 23:06 . 2009-11-09 21:53 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 23:06 . 2009-11-09 21:30 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 23:06 . 2009-11-09 21:52 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 23:06 . 2009-11-09 21:30 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 21:53 . 2009-11-09 21:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 21:51 . 2009-11-09 21:30 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 21:51 . 2009-11-09 21:30 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 21:30 . 2009-11-09 21:42 -------- d-----w- C:\$AVG
2009-11-09 21:29 . 2009-11-16 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 16:33 . 2009-11-16 20:48 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AntiVirus Plus
2009-11-04 12:37 . 2009-11-04 12:37 -------- d-----w- c:\program files\Trend Micro
2009-11-03 12:22 . 2009-11-03 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-03 12:16 . 2007-01-18 16:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-11-03 12:15 . 2009-11-03 12:15 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-03 12:14 . 2009-11-03 12:14 -------- d-----w- c:\program files\Research In Motion
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-sh--w- c:\windows\ftpcache
2009-11-02 23:48 . 2009-11-02 23:48 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-02 21:11 . 2009-04-06 17:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-11-02 21:11 . 2009-02-10 22:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-11-02 21:10 . 2009-02-18 23:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-11-02 21:10 . 2009-11-02 21:10 -------- d-----w- c:\program files\Agnitum
2009-11-02 21:09 . 2009-11-02 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-10-31 23:46 . 2009-11-02 11:23 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-28 15:22 . 2009-10-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\72421824
2009-10-24 13:19 . 2009-10-25 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\46696334
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 01:14 . 2009-10-28 16:53 -------- d-----w- c:\program files\mgpkhc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com
2009-11-13 11:02 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-11-13 00:47 . 2006-07-19 20:57 -------- d-----w- c:\program files\Dl_cats
2009-11-10 00:13 . 2006-11-23 22:18 -------- d-----w- c:\program files\Common Files\Sierra On-Line
2009-11-09 21:53 . 2008-09-26 19:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 21:30 . 2008-09-26 19:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 21:29 . 2008-09-26 19:21 -------- d-----w- c:\program files\AVG
2009-11-09 17:42 . 2006-07-04 22:30 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AdobeUM
2009-11-04 13:36 . 2007-04-08 13:51 -------- d-----w- c:\documents and settings\FAMILY\Application Data\InstallShield
2009-11-03 14:05 . 2006-06-30 02:18 102584 ----a-w- c:\documents and settings\FAMILY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 12:24 . 2006-06-27 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-03 12:22 . 2006-06-27 04:47 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-03 12:22 . 2006-06-27 04:59 -------- d-----w- c:\program files\Roxio
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-31 22:07 . 2005-08-17 01:58 -------- d-----w- c:\program files\RGB
2009-10-31 22:07 . 2006-06-27 04:48 -------- d-----w- c:\program files\NetWaiting
2009-10-31 22:07 . 2006-06-27 04:47 -------- d-----w- c:\program files\Modem Helper
2009-10-31 22:07 . 2005-08-17 01:54 -------- d-----w- c:\program files\ESPNMotion
2009-10-31 22:07 . 2005-08-17 01:51 -------- d-----w- c:\program files\EnglishOtto
2009-10-31 22:07 . 2009-09-18 21:38 -------- d-----w- c:\program files\ATTToolbar
2009-10-31 22:07 . 2009-09-18 21:35 -------- d-----w- c:\program files\ATT-SST
2009-10-31 20:52 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\ATTToolbar
2009-10-28 18:39 . 2006-07-01 17:08 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Microsoft Games
2009-10-25 20:04 . 2008-05-22 19:24 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-10-25 20:00 . 2008-05-22 19:31 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Nikon
2009-10-25 20:00 . 2008-05-22 19:25 -------- d-----w- c:\program files\Common Files\Nikon
2009-09-19 21:42 . 2009-09-18 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-19 12:16 . 2009-09-18 21:02 -------- d-----w- c:\program files\Common Files\Motive
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AT&T
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\program files\AT&T
2009-09-18 21:38 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T
2009-09-18 21:36 . 2009-09-18 21:02 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Motive
2009-09-18 21:02 . 2009-09-18 21:02 -------- d-----w- c:\program files\ATT-HSI
2009-09-11 14:03 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2005-08-16 09:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-11-21 22:52 . 2006-11-21 22:52 251 ----a-w- c:\program files\wt3d.ini
2006-07-22 18:35 . 2006-07-22 18:35 35776 ----a-w- c:\program files\MC
2009-07-22 22:53 . 2009-07-22 22:53 8 --sh--r- c:\windows\system32\818DF4476F.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\fapumoke.dll
2009-07-22 22:53 . 2009-07-22 22:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\loviheti.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\mekawiba.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\rigivika.dll
.

------- Sigcheck -------

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-11-16_20.51.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-07-02 22:41 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2006-07-02 22:41 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 26488 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\spcustom.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 17272 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\spmsg.dll
+ 2005-08-16 09:27 . 2009-11-17 11:36 370488 c:\windows\system32\FNTCACHE.DAT
- 2005-08-16 09:27 . 2009-11-03 12:27 370488 c:\windows\system32\FNTCACHE.DAT
- 2009-05-30 22:42 . 2008-07-09 07:38 382840 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\updspapi.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 755576 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\update.exe
- 2009-05-30 22:42 . 2008-07-09 07:38 231288 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\spuninst.exe
+ 2009-11-17 09:03 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB976749-IE7\spuninst\updspapi.dll
+ 2009-11-17 09:03 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB976749-IE7\spuninst\spuninst.exe
+ 2005-08-16 09:18 . 2009-08-14 12:19 1850112 c:\windows\system32\win32k.sys
+ 2005-08-16 09:18 . 2009-10-21 04:08 3598336 c:\windows\system32\mshtml.dll
- 2005-08-16 09:18 . 2009-08-29 07:36 3598336 c:\windows\system32\mshtml.dll
+ 2007-03-08 13:47 . 2009-08-14 12:19 1850112 c:\windows\system32\dllcache\win32k.sys
- 2006-05-19 15:06 . 2009-08-29 07:36 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2006-05-19 15:06 . 2009-10-21 04:08 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-17 09:03 . 2009-08-29 07:36 3598336 c:\windows\ie7updates\KB976749-IE7\mshtml.dll
+ 2009-11-17 09:01 . 2009-11-05 15:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 21:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FAMILY^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\documents and settings\FAMILY\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/26/2008 1:22 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/26/2008 1:22 PM 360584]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/2/2009 3:11 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/2/2009 3:10 PM 1195008]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/9/2009 3:30 PM 285392]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/20/2006 4:32 PM 70016]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/2/2009 3:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/2/2009 3:11 PM 257432]
S3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {C314D1CD-1424-49DD-8381-61FFC2B95A50} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\FAMILY\Application Data\Mozilla\Firefox\Profiles\fyoyz5zl.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 06:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000013
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-17 06:12
ComboFix-quarantined-files.txt 2009-11-17 12:12
ComboFix2.txt 2009-11-17 00:43
ComboFix3.txt 2009-11-16 20:57

Pre-Run: 28,542,636,032 bytes free
Post-Run: 28,507,918,336 bytes free

- - End Of File - - 82464413E3FF9CED1164333F741B0155



GooredFix by jpshortstuff (09.11.09.1)
Log created at 06:15 on 17/11/2009 (FAMILY)
Firefox version 3.5.5 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [13:01 04/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:04 02/09/2009]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG9\Firefox" [21:30 09/11/2009]

-=E.O.F=-

peku006
2009-11-17, 15:11
Hi coryr83

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:


Mia::
c:\windows\system32\eventlog.dll

Save this as "CFScript.txt", with Type: All Files (*.*), in the same location as ComboFix.exe.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Thanks peku006
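
An added example, not part of this thread and not ComboFix's own code: a short Python triage pass over ComboFix log lines that picks out the three things peku006 reacted to above, the near-empty hidden+system files under system32 in the Find3M report, the Sigcheck "is missing" line for eventlog.dll, and the disabled Windows Firewall value, and then writes the Mia:: section of a CFScript for whatever is missing. The sample lines are copied from the log posted earlier in this thread; the 64-byte threshold, the Finding names and the tiny-stub heuristic are assumptions of this example, and every hit still needs a human look (some DRM licence stubs have the same size and attributes).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a handful of lines copied from the ComboFix log posted
# earlier in this thread (Find3M entries, the Sigcheck result and the
# firewall policy value). Real logs are far longer; the parser only acts on
# lines it recognises and ignores everything else.
SAMPLE_LOG = r"""
2009-11-09 21:30 . 2008-09-26 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-sh--w- c:\windows\ftpcache
2009-10-24 01:14 . 2009-10-28 16:53 -------- d-----w- c:\program files\mgpkhc
2009-07-22 22:53 . 2009-07-22 22:53 8 --sh--r- c:\windows\system32\818DF4476F.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\fapumoke.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\loviheti.dll
c:\windows\system32\eventlog.dll ... is missing !!
"EnableFirewall"= 0 (0x0)
"""

# One ComboFix file entry: <created> . <modified> <size|--------> <attrs> <path>
# The 8-character attrs field uses 'd' directory, 's' system, 'h' hidden,
# 'a' archive, 'w'/'r' writable or read-only; '-' means the flag is clear.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[\w-]{8})\s+(?P<path>.+)$"
)
MISSING_LINE = re.compile(r"^(?P<path>\S.*?) \.\.\. is missing !!$")
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')

SYSTEM32 = "c:\\windows\\system32\\"
TINY_STUB_MAX = 64  # bytes; heuristic threshold chosen for this example


@dataclass
class Finding:
    kind: str
    path: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Return the log entries a helper would want to look at first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, size, path = m["attrs"], m["size"], m["path"].lower()
            is_dir = attrs[0] == "d"
            hidden_system = "s" in attrs and "h" in attrs
            # Near-empty hidden+system files dropped into system32 with
            # random-looking names are a leftover pattern worth checking.
            # Confirm each hit by hand: some licensing stubs look the same.
            if (not is_dir and hidden_system and path.startswith(SYSTEM32)
                    and size.isdigit() and int(size) <= TINY_STUB_MAX):
                findings.append(Finding("tiny-hidden-system32", path,
                                        f"{size} bytes, attrs {attrs}"))
            continue
        m = MISSING_LINE.match(line)
        if m:
            # The Event Log service loads from eventlog.dll; without it the
            # machine stops recording what is happening to it.
            findings.append(Finding("missing-system-file", m["path"].lower(),
                                    "Sigcheck reports the file absent"))
            continue
        if FIREWALL_OFF.match(line):
            findings.append(Finding("firewall-disabled",
                                    "HKLM\\...\\FirewallPolicy\\StandardProfile",
                                    "EnableFirewall = 0"))
    return findings


def cfscript_for(findings: List[Finding]) -> str:
    """Build the Mia:: section of a CFScript that restores the missing
    files (the same directive peku006 used above)."""
    missing = [f.path for f in findings if f.kind == "missing-system-file"]
    if not missing:
        return ""
    return "Mia::\n" + "\n".join(missing) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:24} {f.path}  ({f.detail})")
    print(cfscript_for(found), end="")
```

Run it against a full ComboFix.txt by passing the file's contents to triage(); the directory entries, AVG drivers and normal program folders in the sample fall through untouched, and only the three tiny hidden files, the missing eventlog.dll and the firewall value come back.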

coryr83
2009-11-18, 01:56
ComboFix 09-11-18.04 - FAMILY 11/17/2009 17:41.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.418 [GMT -6:00]
Running from: c:\documents and settings\FAMILY\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\FAMILY\My Documents\Downloads\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\FAMILY\Application Data\AntiVirus Plus

c:\windows\system32\eventlog.dll was missing
Restored copy from - c:\i386\eventlog.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 23:48 . 2004-08-10 10:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-11-17 23:48 . 2004-08-10 10:00 55808 ----a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-16 20:49 . 2004-08-10 10:00 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-15 13:34 . 2009-11-15 13:34 -------- d-----w- C:\.jagex_cache_32
2009-11-15 13:29 . 2009-11-15 13:45 63 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences2.dat
2009-11-15 13:29 . 2009-11-15 13:45 38 ----a-w- c:\documents and settings\FAMILY\jagex_runescape_preferences.dat
2009-11-15 00:04 . 2009-11-15 00:04 -------- d-----w- c:\program files\ERUNT
2009-11-13 12:09 . 2009-11-14 00:32 117760 ----a-w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-13 12:07 . 2009-11-13 12:07 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-13 12:06 . 2009-11-13 12:06 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Malwarebytes
2009-11-12 23:06 . 2009-11-09 21:53 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 23:06 . 2009-11-09 21:53 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 23:06 . 2009-11-09 21:53 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 23:06 . 2009-11-09 21:30 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 23:06 . 2009-11-09 21:52 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 23:06 . 2009-11-09 21:30 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-09 21:53 . 2009-11-09 21:30 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-09 21:51 . 2009-11-09 21:30 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 21:51 . 2009-11-09 21:30 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 21:30 . 2009-11-09 21:42 -------- d-----w- C:\$AVG
2009-11-09 21:29 . 2009-11-16 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-04 12:37 . 2009-11-04 12:37 -------- d-----w- c:\program files\Trend Micro
2009-11-03 12:22 . 2009-11-03 12:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-03 12:16 . 2007-01-18 16:24 26496 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-11-03 12:15 . 2009-11-03 12:15 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-03 12:14 . 2009-11-03 12:14 -------- d-----w- c:\program files\Research In Motion
2009-11-03 12:11 . 2009-11-03 12:11 -------- d-sh--w- c:\windows\ftpcache
2009-11-02 23:48 . 2009-11-02 23:48 -------- d-----w- c:\windows\.jagex_cache_32
2009-11-02 21:11 . 2009-04-06 17:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-11-02 21:11 . 2009-02-10 22:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-11-02 21:10 . 2009-02-18 23:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-11-02 21:10 . 2009-11-02 21:10 -------- d-----w- c:\program files\Agnitum
2009-11-02 21:09 . 2009-11-02 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-10-31 23:46 . 2009-11-02 11:23 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-10-28 15:22 . 2009-10-28 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\72421824
2009-10-24 13:19 . 2009-10-25 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\46696334
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-24 02:12 . 2009-11-16 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-24 01:14 . 2009-10-28 16:53 -------- d-----w- c:\program files\mgpkhc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-13 12:08 . 2008-09-29 19:00 -------- d-----w- c:\documents and settings\FAMILY\Application Data\SUPERAntiSpyware.com
2009-11-13 11:02 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-11-13 00:47 . 2006-07-19 20:57 -------- d-----w- c:\program files\Dl_cats
2009-11-10 00:13 . 2006-11-23 22:18 -------- d-----w- c:\program files\Common Files\Sierra On-Line
2009-11-09 21:53 . 2008-09-26 19:22 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-09 21:30 . 2008-09-26 19:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-09 21:30 . 2008-09-26 19:22 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-09 21:29 . 2008-09-26 19:21 -------- d-----w- c:\program files\AVG
2009-11-09 17:42 . 2006-07-04 22:30 -------- d-----w- c:\documents and settings\FAMILY\Application Data\AdobeUM
2009-11-04 13:36 . 2007-04-08 13:51 -------- d-----w- c:\documents and settings\FAMILY\Application Data\InstallShield
2009-11-03 14:05 . 2006-06-30 02:18 102584 ----a-w- c:\documents and settings\FAMILY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-03 12:24 . 2006-06-27 04:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-11-03 12:22 . 2006-06-27 04:47 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-03 12:22 . 2006-06-27 04:59 -------- d-----w- c:\program files\Roxio
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\program files\Common Files\aolshare
2009-11-02 11:35 . 2006-06-27 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-10-31 22:07 . 2005-08-17 01:58 -------- d-----w- c:\program files\RGB
2009-10-31 22:07 . 2006-06-27 04:48 -------- d-----w- c:\program files\NetWaiting
2009-10-31 22:07 . 2006-06-27 04:47 -------- d-----w- c:\program files\Modem Helper
2009-10-31 22:07 . 2005-08-17 01:54 -------- d-----w- c:\program files\ESPNMotion
2009-10-31 22:07 . 2005-08-17 01:51 -------- d-----w- c:\program files\EnglishOtto
2009-10-31 22:07 . 2009-09-18 21:38 -------- d-----w- c:\program files\ATTToolbar
2009-10-31 22:07 . 2009-09-18 21:35 -------- d-----w- c:\program files\ATT-SST
2009-10-31 20:52 . 2009-09-18 21:38 -------- d-----w- c:\documents and settings\FAMILY\Application Data\ATTToolbar
2009-10-28 18:39 . 2006-07-01 17:08 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Microsoft Games
2009-10-25 20:04 . 2008-05-22 19:24 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-10-25 20:00 . 2008-05-22 19:31 -------- d-----w- c:\documents and settings\FAMILY\Application Data\Nikon
2009-10-25 20:00 . 2008-05-22 19:25 -------- d-----w- c:\program files\Common Files\Nikon
2009-09-19 21:42 . 2009-09-18 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-19 12:16 . 2009-09-18 21:02 -------- d-----w- c:\program files\Common Files\Motive
2009-09-11 14:03 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2005-08-16 09:18 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-08-16 09:18 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2005-08-16 09:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2006-11-21 22:52 . 2006-11-21 22:52 251 ----a-w- c:\program files\wt3d.ini
2006-07-22 18:35 . 2006-07-22 18:35 35776 ----a-w- c:\program files\MC
2009-07-22 22:53 . 2009-07-22 22:53 8 --sh--r- c:\windows\system32\818DF4476F.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\fapumoke.dll
2009-07-22 22:53 . 2009-07-22 22:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\loviheti.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\mekawiba.dll
2009-08-11 23:31 . 2009-08-11 23:31 3 --sha-w- c:\windows\system32\rigivika.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-16_20.51.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-07-02 22:41 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2006-07-02 22:41 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 26488 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\spcustom.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 17272 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\spmsg.dll
+ 2005-08-16 09:27 . 2009-11-17 11:36 370488 c:\windows\system32\FNTCACHE.DAT
- 2005-08-16 09:27 . 2009-11-03 12:27 370488 c:\windows\system32\FNTCACHE.DAT
- 2009-05-30 22:42 . 2008-07-09 07:38 382840 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\updspapi.dll
- 2009-05-30 22:42 . 2008-07-09 07:38 755576 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\update\update.exe
- 2009-05-30 22:42 . 2008-07-09 07:38 231288 c:\windows\SoftwareDistribution\Download\55ae228715888b68a08f491655790fa6\spuninst.exe
+ 2009-11-17 09:03 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB976749-IE7\spuninst\updspapi.dll
+ 2009-11-17 09:03 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB976749-IE7\spuninst\spuninst.exe
+ 2005-08-16 09:18 . 2009-08-14 12:19 1850112 c:\windows\system32\win32k.sys
+ 2005-08-16 09:18 . 2009-10-21 04:08 3598336 c:\windows\system32\mshtml.dll
- 2005-08-16 09:18 . 2009-08-29 07:36 3598336 c:\windows\system32\mshtml.dll
+ 2007-03-08 13:47 . 2009-08-14 12:19 1850112 c:\windows\system32\dllcache\win32k.sys
- 2006-05-19 15:06 . 2009-08-29 07:36 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2006-05-19 15:06 . 2009-10-21 04:08 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-17 09:03 . 2009-08-29 07:36 3598336 c:\windows\ie7updates\KB976749-IE7\mshtml.dll
+ 2009-11-17 09:01 . 2009-11-05 15:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-06-21 1207080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-26 24576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-09 21:30 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^FAMILY^Start Menu^Programs^Startup^AntiVirus Plus.lnk]
path=c:\documents and settings\FAMILY\Start Menu\Programs\Startup\AntiVirus Plus.lnk
backup=c:\windows\pss\AntiVirus Plus.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/26/2008 1:22 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/26/2008 1:22 PM 360584]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [11/2/2009 3:11 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [11/2/2009 3:10 PM 1195008]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/9/2009 3:30 PM 285392]
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/20/2006 4:32 PM 70016]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [11/2/2009 3:10 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [11/2/2009 3:11 PM 257432]
S3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 23:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
TCP: {C314D1CD-1424-49DD-8381-61FFC2B95A50} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\FAMILY\Application Data\Mozilla\Firefox\Profiles\fyoyz5zl.default\
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-17 17:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1091305534-1932478288-3135451993-1005\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000013
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(956)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(140)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-17 17:53
ComboFix-quarantined-files.txt 2009-11-17 23:53
ComboFix2.txt 2009-11-17 12:12
ComboFix3.txt 2009-11-17 00:43
ComboFix4.txt 2009-11-16 20:57

Pre-Run: 28,503,396,352 bytes free
Post-Run: 28,496,449,536 bytes free

- - End Of File - - 06B722BFD076337C99337F684C74D542

peku006
2009-11-18, 12:45
Hi coryr83

good job :bigthumb:

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) and save it to your desktop.
alternate download link 1 (http://malwarebytes.gt500.org/mbam-setup.exe)
alternate download link 2 (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here (http://www.malwarebytes.org/mbam/database/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.

If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with


1. the Malwarebytes' Anti-Malware Log
2. a fresh HijackThis log

Thanks peku006

coryr83
2009-11-18, 18:17
Malwarebytes' Anti-Malware 1.41
Database version: 3192
Windows 5.1.2600 Service Pack 2

11/18/2009 8:29:41 AM
mbam-log-2009-11-18 (08-29-41).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 173703
Time elapsed: 30 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c314d1cd-1424-49dd-8381-61ffc2b95a50}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c314d1cd-1424-49dd-8381-61ffc2b95a50}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c314d1cd-1424-49dd-8381-61ffc2b95a50}\NameServer (Trojan.DNSChanger) -> Data: 77.74.48.113 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\46696334 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\72421824 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\FAMILY\Application Data\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loviheti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rigivika.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:53 AM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6642 bytes
Thank you again for your help and time; it seems to be working fine now.
What should I do with the programs you instructed me to download?
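
The three Trojan.DNSChanger hits in the MBAM log above (and the earlier ComboFix `TCP: {GUID} = 77.74.48.113` line) are the same finding: a static NameServer value planted under every control set's Tcpip\Parameters\Interfaces key, which overrides whatever DNS the DHCP server hands out. The script below is an added example, not code from Malwarebytes, ComboFix or anyone in this thread. It parses the text a `reg export` of the SYSTEM hive produces and flags every static NameServer that is not on an allowlist, so a resolver left behind in a non-current control set does not go unnoticed. The allowlist, the extra interface GUIDs and the 192.168.1.1 / 203.0.113.53 addresses are constructed for the example; the flagged GUID and 77.74.48.113 mirror the values in the log above.

```python
"""Audit per-interface DNS server settings in a Windows registry export.

Added example for this thread (not part of any tool shown above). It reads
the text produced by `reg export HKLM\\SYSTEM ...` or a .reg file and flags
every static NameServer under
SYSTEM\\<ControlSet>\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}
that is not on an allowlist, across all control sets.
"""
import re
from ipaddress import ip_address
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample export. The GUID and 77.74.48.113 mirror the values the
# MBAM log flagged; the other GUIDs and addresses are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters]
"DataBasePath"="C:\\WINDOWS\\System32\\drivers\\etc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c314d1cd-1424-49dd-8381-61ffc2b95a50}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"="77.74.48.113"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0a1b2c3d-0000-4000-8000-000000000002}]
"EnableDHCP"=dword:00000001
"DhcpNameServer"="192.168.1.1"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0a1b2c3d-0000-4000-8000-000000000003}]
"EnableDHCP"=dword:00000000
"NameServer"="192.168.1.1,203.0.113.53"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c314d1cd-1424-49dd-8381-61ffc2b95a50}]
"NameServer"="77.74.48.113"
"""

# Assumed allowlist: the LAN gateway and the resolver this network should use.
ALLOWED_DNS = ("192.168.1.1", "203.0.113.53")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
IFACE_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\Tcpip\\Parameters"
    r"\\Interfaces\\(\{[0-9a-fA-F-]{36}\})$",
    re.IGNORECASE,
)


class Finding(NamedTuple):
    control_set: str
    interface: str
    server: str
    dhcp_enabled: bool  # a static NameServer while DHCP is on is an override


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key path] to its REG_SZ / REG_DWORD values (dwords as decimal strings)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string_val, dword_hex = m.groups()
            keys[current][name] = string_val if string_val is not None else str(int(dword_hex, 16))
    return keys


def find_rogue_dns(keys: Dict[str, Dict[str, str]], allowlist: Iterable[str]) -> List[Finding]:
    """Return every static NameServer entry, in any control set, not in the allowlist."""
    allowed = {ip_address(a) for a in allowlist}
    findings: List[Finding] = []
    for path, values in keys.items():
        m = IFACE_RE.search(path)
        if not m:
            continue
        control_set, iface = m.groups()
        dhcp_on = values.get("EnableDHCP") == "1"
        # NameServer may hold several resolvers separated by commas or spaces.
        for token in re.split(r"[,\s]+", values.get("NameServer", "")):
            if not token:
                continue
            try:
                if ip_address(token) in allowed:
                    continue
            except ValueError:
                pass  # unparsable address: report it rather than trust it
            findings.append(Finding(control_set, iface, token, dhcp_on))
    return findings


if __name__ == "__main__":
    for f in find_rogue_dns(parse_reg_export(SAMPLE_REG), ALLOWED_DNS):
        note = " (static override while DHCP is enabled)" if f.dhcp_enabled else ""
        print(f"{f.control_set} {f.interface}: NameServer={f.server}{note}")
```

On a live machine the same check is run against `reg export HKLM\SYSTEM system.reg` (or an offline SYSTEM hive export from a clean boot); the point of walking every ControlSetNNN rather than only CurrentControlSet is exactly what the MBAM log shows: the value was present in ControlSet001 and ControlSet003 as well, so a rollback to another control set would have kept the rogue resolver.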

peku006
2009-11-18, 18:54
Hi coryr83

What should I do with the programs you instructed me to download?
We'll remove them all after the computer has been :cleaning:

Looking good :)
Let's make sure we got everything

1 - Clean temp files


Please download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click Yes to reboot.


NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


Please go here (http://www.eset.com/onlinescan/) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif

Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox. Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted, allow the Add-On/ActiveX control to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the mouse or keyboard during the scan; otherwise it may stall.
When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif
Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006

coryr83
2009-11-18, 20:36
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d4cb2e89616cc2439ce1d960754a04ca
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-11-18 06:01:53
# local_time=2009-11-18 12:01:53 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 308108 308108 0 0
# compatibility_mode=768 16777215 100 0 35195285 35195285 0 0
# compatibility_mode=1024 16777175 100 0 679381 679381 0 0
# compatibility_mode=6912 16777215 100 0 1285374 1285374 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=67005
# found=1
# cleaned=0
# scan_time=2933
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.OF virus 00000000000000000000000000000000 I



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:57 PM, on 11/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\slrundll.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6643 bytes

peku006
2009-11-18, 20:49
Hi coryr83

all looks good :D:


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

How's the computer running now? Any problems?

peku006

coryr83
2009-11-18, 21:12
It's working flawlessly, thank you so much for your help!

peku006
2009-11-18, 21:28
Hi coryr83

Your log now appears to be clean. Congratulations! :yahoo:

To remove all of the tools we used and the files and folders they created do the following:

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the "Begin cleanup Process?" prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

MBAM can be uninstalled via Control Panel > Add/Remove Programs, but it may be a useful tool to keep: Malwarebytes' Anti-Malware Scanning Guide (http://www.lognrock.com/forum/index.php?showtopic=6913).

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Here are some things that I think are worth having a look at if you don't already know about them:

Spybot Search and Destroy
Download it from here (http://www.safer-networking.org/en/mirrors/index.html). Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)

SpyWare Blaster
Download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
Find the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

WinPatrol
Download it from here (http://www.winpatrol.com/download.html)
You can find information about how WinPatrol works here (http://www.winpatrol.com/features.html)

FireTrust SiteHound
You can find information and download it from here (http://www.firetrust.com/en/products/sitehound)

MVPS Hosts File from here (http://mvps.org/winhelp2002/hosts.htm)
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

Please check out Tony Klein's article "How did I get infected in the first place?" (http://forums.spybot.info/showthread.php?t=279)

Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.


Happy safe surfing! :bigthumb:

peku006
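
The HOSTS-file recommendation above works because every name in the MVPS file is sent to the local machine. The same file is also a place malware likes to edit in the opposite direction, pointing real hostnames at remote addresses, so a quick audit of what each entry resolves to is worth having. The script below is an added example, not from the thread, the MVPS project or any tool named above: it parses a hosts file, counts the entries that are harmlessly blackholed to 127.0.0.1 / 0.0.0.0 / ::1 and reports any entry that points a hostname anywhere else. The sample hosts text, including the 203.0.113.9 address and the example.* names, is constructed for the demonstration.

```python
"""Audit a hosts file: count blackholed names, report entries that point elsewhere.

Added example for this thread, not part of the MVPS hosts project or any
tool named above. Works on the text of C:\\WINDOWS\\system32\\drivers\\etc\\hosts
(or /etc/hosts); the sample below is constructed.
"""
from ipaddress import ip_address
from typing import List, NamedTuple, Set, Tuple

# Constructed hosts file: two loopback lines, three MVPS-style blocks and one
# hijack-style entry that sends a real-looking hostname to a remote address.
SAMPLE_HOSTS = """# Constructed hosts file for the example
127.0.0.1       localhost
::1             localhost

# MVPS-style blackhole entries: hostnames sent to the local machine
127.0.0.1  ads.example.net
127.0.0.1  tracker.example.org   # trailing comment
0.0.0.0    banner.example.com

# Hijack-style entry: a hostname pointed at a remote address
203.0.113.9  update.example.com
"""

# Addresses that make an entry a harmless block rather than a redirect.
BLACKHOLE = {ip_address("127.0.0.1"), ip_address("0.0.0.0"), ip_address("::1")}
# Names that legitimately live on loopback and should not be counted as blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> List[HostsEntry]:
    """One entry per (address, hostname) pair; comments and blank lines are dropped."""
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip full-line and trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:  # a line may list several aliases
            entries.append(HostsEntry(parts[0], name.lower(), n))
    return entries


def audit_hosts(entries: List[HostsEntry], blackhole: Set = BLACKHOLE) -> Tuple[int, List[HostsEntry]]:
    """Return (number of blackholed names, entries that resolve somewhere else)."""
    blocked = 0
    suspicious: List[HostsEntry] = []
    for e in entries:
        if e.hostname in LOCAL_NAMES:
            continue
        try:
            addr = ip_address(e.address)
        except ValueError:
            suspicious.append(e)  # not an address at all: report rather than trust
            continue
        if addr in blackhole:
            blocked += 1
        else:
            suspicious.append(e)
    return blocked, suspicious


if __name__ == "__main__":
    blocked, suspicious = audit_hosts(parse_hosts(SAMPLE_HOSTS))
    print(f"{blocked} hostnames blackholed")
    for e in suspicious:
        print(f"line {e.line_no}: {e.hostname} -> {e.address} (not loopback, check this)")
```

A clean MVPS install should produce a large blocked count and an empty suspicious list; any hostname that lands in the second list is an entry the user did not intend and is worth comparing against the tutorial linked above.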

coryr83
2009-11-18, 21:29
Did you want me to rerun ComboFix? Because I was bored and browsing through another thread and saw a message for me....???? It was on Spyware detector posted by ruckus

peku006
2009-11-18, 21:33
Hi
No, it was only a "typo".

coryr83
2009-11-19, 02:57
I ran OTC but it didn't delete any of the programs or itself.. it did restart the computer.... I can delete them manually if that will work. And should I use all the programs you listed or just pick one?

peku006
2009-11-19, 10:18
Hi coryr83

I ran OTC but it didn't delete any of the programs or itself.. it did restart the computer.... I can delete them manually if that will work.
We can remove them all so......

Uninstall GooredFix
Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.

Download OTC (http://oldtimer.geekstogo.com/OTC.exe) by Old Timer and save it to your Desktop.

Double-click OTC.exe
Click the CleanUp! button
Select Yes when the "Begin cleanup Process?" prompt appears
If you are prompted to Reboot during the cleanup, select Yes
The tool will delete itself once it finishes; if not, delete it yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


should i use all the programs you listed or just pick one?
It is not intended that you install all of them....Read some information here (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) on how to prevent malware.

peku006

coryr83
2009-11-19, 13:57
No dice, it's saying to make sure I typed the name right.... I copied it straight from your post. Can I just use the recycle bin or the shredder in Spybot, or does it require something special?

peku006
2009-11-19, 14:15
Hi coryr83

Can you uninstall it (GooredFix) via Add/Remove Programs in the Control Panel?

Thanks peku006

coryr83
2009-11-20, 02:32
That's a big negative... I just deleted it through the trash can and did a search for any GooredFix files and it came up empty... I think OTC isn't working because I'm logged on as "Family" instead of "Administrator", and the only problem is that all we've used is Family. I don't even know how to log on as Administrator... I'll monkey around with it and see if I can figure it out... I'll post if I do.

coryr83
2009-11-20, 02:38
Just figured out that the Family account is the administrator and OTC still won't work... you can just tell me which ones to delete and I can do it manually.

peku006
2009-11-20, 07:43
Hi coryr83
What needs to be removed, GooredFix or ComboFix? Or something else?

peku006

coryr83
2009-11-20, 13:51
Umm, I think I got them all. Should I keep ERUNT and get it to make a new registry restore point just in case I get another virus? Or just delete it.... and I think that's it. Thanks once again for all your help, I really appreciate it!

peku006
2009-11-22, 19:11
Hi coryr83

ERUNT is a good program :bigthumb:

peku006

peku006
2009-11-28, 15:17
As this issue appears to be resolved, this topic is now closed.

We are pleased to have been some help in getting you clean.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)