cryptic?



GodofWar
2011-06-08, 16:18
Attempting to fix a friend's box. Noticed right away that there was a browser hijacker, ran AVG which found two versions of Cryptic & another virus, but couldn't remove the version of Cryptic hiding in memory. I tried installing the latest MalwareBytes, but it aborted even in safe mode. Spybot found a few things, but returns a wininit.ini error when attempting to fix.

Hello,

http://forums.spybot.info/showthread.php?t=62963


Hello,

Someone can assist after taking a look at the system.

Please see this FAQ "BEFORE You POST" (Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288). It includes instructions in post #2 on how to provide preliminary DDS logs, which are used for analysis.

Then start a new topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and a volunteer will advise when available.

If the infection prevents a log being produced please start a new topic there anyway and let them know. :)

Best regards.

Can you produce the DDS logs?

Best regards.

Here's the text:

DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Admin at 9:28:15 on 2011-06-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.697 [GMT -5:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: hpWebHelper Class: {aaae832a-5fff-4661-9c8f-369692d1dcb9} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\plugin\WebHelper.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HostManager] c:\program files\common files\aol\1193705121\ee\AOLSoftware.exe
mRun: c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: "c:\program files\itunes\iTunesHelper.exe"
mRun: [ISUSScheduler] "c:\progra~1\common~1\instal~1\update~1\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=SUFTQUctSkVMVFotMjJGT04tQVlNUFUtMkFCSkwtTQ"&"inst=NzYtODQzMjc5Njc4LU4xKzItWE8zNisxLVNUMSsx"&"prod=94"&"ver=10.0.1375
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.ncnetwork.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273356384515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1273356362781
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
TCP: Interfaces\{80443072-5384-4D29-A197-604ECE8884D8} : DhcpNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]
S2 ServicepointService;ServicepointService;c:\program files\verizon\vsp\ServicepointService.exe [2010-5-8 668912]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-15 24652]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-10 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-3 14336]
.
=============== Created Last 30 ================
.
2011-06-04 14:46:29 98816 ----a-w- c:\windows\sed.exe
2011-06-04 14:46:29 518144 ----a-w- c:\windows\SWREG.exe
2011-06-04 14:46:29 256512 ----a-w- c:\windows\PEV.exe
2011-06-04 14:46:29 208896 ----a-w- c:\windows\MBR.exe
2011-06-04 14:46:21 -------- d-s---w- C:\ComboFix
2011-06-03 18:35:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-06-03 16:26:13 -------- d-----w- c:\program files\Trojan Remover
2011-06-03 16:23:23 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2011-06-03 16:23:23 75264 ----a-w- c:\windows\system32\unacev2.dll
2011-06-03 16:23:23 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2011-06-03 16:23:23 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2011-06-03 16:23:23 153088 ----a-w- c:\windows\system32\unrar3.dll
2011-06-03 16:23:20 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software
2011-06-03 16:23:20 -------- d-----w- c:\documents and settings\admin\application data\Simply Super Software
2011-06-03 16:12:45 388096 ----a-r- c:\documents and settings\admin\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-06-03 16:12:44 -------- d-----w- c:\program files\Trend Micro
2011-06-02 20:04:18 -------- d-----w- c:\program files\Exterminate It!
2011-06-02 18:15:00 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-06-02 18:15:00 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-06-02 18:10:53 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-06-02 18:10:53 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2011-06-02 18:10:49 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-06-02 18:10:49 10368 ----a-w- c:\windows\system32\dllcache\hidusb.sys
2011-05-29 22:47:45 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-05-29 20:37:28 81920 ----a-w- c:\windows\eSellerateControl350.dll
2011-05-29 20:37:28 356352 ----a-w- c:\windows\eSellerateEngine.dll
2011-05-29 20:37:25 -------- d-----w- c:\program files\Cryptic Trojan Removal Tool [1]
2011-05-29 19:08:02 -------- d-----w- c:\documents and settings\admin\application data\AVG10
2011-05-29 19:07:21 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-05-29 19:04:33 -------- d-----w- c:\documents and settings\all users\application data\AVG10
2011-05-29 18:38:54 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-05-29 18:31:10 -------- d-----w- c:\documents and settings\admin\application data\Windows Search
2011-05-29 18:19:23 -------- d-----w- c:\documents and settings\admin\application data\Malwarebytes
2011-05-29 18:16:58 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 18:04:27 -------- d-sh--w- c:\documents and settings\admin\PrivacIE
2011-05-29 18:04:23 -------- d-----w- c:\documents and settings\admin\local settings\application data\Apple Computer
2011-05-29 18:04:16 -------- d-----w- c:\documents and settings\admin\application data\AVG9
2011-05-29 18:04:12 -------- d-----w- c:\documents and settings\admin\application data\Verizon
2011-05-29 18:03:52 -------- d-----w- c:\documents and settings\admin\application data\VERIZON_BROAD
2011-05-29 18:03:50 -------- d-----w- c:\documents and settings\admin\local settings\application data\AOL
2011-05-29 18:03:29 -------- d-sh--w- c:\documents and settings\admin\IETldCache
.
==================== Find3M ====================
.
2011-04-19 15:26:19 398760 ---ha-r- c:\windows\cpnprt2.cid
2011-04-19 15:26:18 398760 ---h--w- c:\windows\system32\cpnprt2.cid
2011-04-14 07:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 21:20:16 91424 ---ha-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ---ha-w- c:\windows\system32\dns-sd.exe
.
============= FINISH: 9:28:55.39 ===============

Edit
C:\ComboFix
Please DO NOT RUN ComboFix without being asked (http://forums.spybot.info/showthread.php?t=16806)

I haven't run ComboFix yet, but the friend is asking for an update on her box, & I haven't heard anything since posting the logs.
------------------------------------
Edit
Merged two posts.
The following information is in the FAQ. ;)

Please do not add posts; helpers look for topics with a zero response.

The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37)
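For anyone reading a DDS log like the one posted above, the following is an added example (not code from this thread, from DDS, or from the Spybot forum helpers). It parses the line formats DDS prints in the "Pseudo HJT Report" section (BHO:, TB:, uRun:/mRun:, mRunOnce:) and lists the entries a malware-removal helper would check first. The sample lines are a constructed subset of the log above; the review rules (a toolbar registration whose file is missing, unnamed or empty Run values, a RunOnce that opens a URL) are this example's own heuristics and mean "verify this", not "this is malware".

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Added example for this thread; it is not DDS code and not part of any
post above. It parses the BHO:, TB:, uRun:/mRun: and mRunOnce: line
formats DDS prints and lists entries a malware-removal helper would
check first. Flags mean 'verify this', not 'this is malware'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the Pseudo HJT Report lines from the log above.
SAMPLE_LOG = """\
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\google toolbar\\GoogleToolbar_32.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\\program files\\aol\\aim toolbar 5.0\\aoltb.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: c:\\progra~1\\common~1\\instal~1\\update~1\\ISUSPM.exe -startup
mRun: "c:\\program files\\itunes\\iTunesHelper.exe"
mRun: [TrojanScanner] c:\\program files\\trojan remover\\Trjscan.exe /boot
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "BHO: <name>: {CLSID} - <path>"  or  "TB: {CLSID} - No File" (name optional)
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB):\s*(?:(?P<name>.*?):\s*)?(?P<clsid>\{[^}]+\})\s*-\s*(?P<path>.*)$"
)
# "uRun: [<value name>] <command>"; the [name] part is absent on malformed values
RUN_RE = re.compile(
    r"^(?P<hive>u|m)Run(?P<once>Once)?:\s*(?:\[(?P<name>[^\]]*)\])?\s*(?P<cmd>.*)$"
)


@dataclass
class Finding:
    severity: str   # "review" (helper should look) or "info" (worth knowing)
    reason: str
    line: str


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one HJT-style line into its fields; None for line types not handled here."""
    m = COM_RE.match(line)
    if m:
        return m.groupdict()
    m = RUN_RE.match(line)
    if m:
        d = m.groupdict()
        # DDS prefixes: u = current-user hive (HKCU), m = machine hive (HKLM).
        d["kind"] = ("HKCU" if d["hive"] == "u" else "HKLM") + " Run" + ("Once" if d["once"] else "")
        return d
    return None


def triage(text: str) -> List[Finding]:
    """Apply the review heuristics (this example's own, not DDS's) to every parsed line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        e = parse_line(line)
        if e is None:
            continue
        if e["kind"] in ("BHO", "TB"):
            if (e["path"] or "").strip().lower() == "no file":
                findings.append(Finding("review", f"{e['kind']} registered for {e['clsid']} but its file is missing (orphaned entry)", line))
            elif not e["name"]:
                findings.append(Finding("info", f"{e['kind']} {e['clsid']} has no display name", line))
        else:
            name, cmd = e["name"], (e["cmd"] or "").strip()
            if name is None:
                findings.append(Finding("review", f"{e['kind']} value has no name field (malformed or unnamed value)", line))
            elif name == "<NO NAME>" or not cmd:
                findings.append(Finding("review", f"{e['kind']} value '{name}' is empty", line))
            elif re.search(r"\bcmd(\.exe)?\s+/c\s+start\s+https?://", cmd, re.I):
                findings.append(Finding("info", f"{e['kind']} '{name}' opens a URL at logon", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def clsids(text: str) -> set:
    """All CLSIDs in the text, upper-cased, for registry or vendor CLSID lookups."""
    return {g.upper() for g in GUID_RE.findall(text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
    print(sorted(clsids(SAMPLE_LOG)))
```

On the sample above this reports the toolbar entry with "No File", the empty `[<NO NAME>]` and `[PCDrProfiler]` values, the two Run values DDS printed without a name field, and the AVG uninstall RunOnce that starts a URL. Each of these is something to check by hand (the ISUSPM and iTunes lines, for example, are ordinary vendor updaters whose value names were simply not printed); the point of the script is to make the helper's first pass over a long log repeatable.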

shelf life
2011-06-26, 15:52
If you still need help simply reply back.

GodofWar
2011-06-26, 16:07
Never got a response, so I used a couple of rootkit removers & used the recovery console.

shelf life
2011-06-26, 17:13
Ok, thanks for the reply.