
Thread: The malware that refused to die

  #1 - Junior Member (joined May 2009, 11 posts)

    The malware that refused to die

    Greetings and salutations. Thank you very much in advance for helping out with this. First off, two people other than myself run this computer. I don't know whodunnit, but somewhere along the line, this system picked up some particularly persistent malware. At this point, I've spent over a month trying to get rid of it, but it refuses to die. I know I'm missing something somewhere, but at this point, I'm all out of ideas. It is driving me madder than a hatter. Any help would be hugely appreciated.

    The HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:46:20 PM, on 5/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
    c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [WinProx32_1] C:\Documents and Settings\LocalService\Application Data\psvrr.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [A00FFFBC.exe] C:\WINDOWS\TEMP\_A00FFFBC.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [WinProx32_1] C:\Documents and Settings\LocalService\Application Data\psvrr.exe (User 'Default user')
    O4 - S-1-5-18 Startup: ChkDisk.dll (User 'SYSTEM')
    O4 - .DEFAULT Startup: ChkDisk.dll (User 'Default user')
    O4 - Startup: ChkDisk.dll
    O4 - Startup: ChkDisk.lnk = ?
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206018920343
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\tejoluze.dll C:\WINDOWS\system32\luwapeta.dll C:\WINDOWS\system32\johabuji.dll C:\WINDOWS\system32\nazoduse.dll C:\WINDOWS\system32\yowujeje.dll c:\windows\system32\fuwojake.dll C:\WINDOWS\system32\ c:\windows\system32\vidimofu.dll,C:\WINDOWS\system32\kiduruka.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
    O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 8442 bytes

  #2 - Security Expert: Emeritus (joined Oct 2006, Finland, 29,374 posts)

    Hi hatter

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    http://www.bleepingcomputer.com/comb...o-use-combofix

    Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    If you need help to disable your protection programs see here.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

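The ComboFix log the original poster supplies in reply #3 below records the kernel-side half of the infection in its Drivers/Services section: boot-start drivers (S0/S1) whose image files are already gone, a service named hvuqchgs that hides under a legitimate-sounding display name, runs inside svchost.exe -k netsvcs and has been added to the NetSvcs group, and key names that are eight random letters. As an added example, not part of the thread and not ComboFix's own logic, this Python script parses those lines and reports each of the three conditions. The sample is copied from that log; the "unpronounceable" naming heuristic and the category names are the example's own assumptions.

```python
"""Parse the Drivers/Services section of a ComboFix log and flag the
registrations that kept this infection alive: drivers whose image file no
longer exists, a service hosted by svchost.exe -k netsvcs that is also listed
in the NetSvcs group, and key names that are eight random lowercase letters.
Added example for this thread; sample lines copied from the ComboFix log."""
import re
from collections import defaultdict, namedtuple

SvcEntry = namedtuple("SvcEntry", "start key display image missing")
ENTRY_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*)$")

# Copied from the ComboFix log in reply #3 (a few benign lines kept as controls).
SAMPLE = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/31/2009 7:45 PM 64160]
R0 mjqhfssv;mjqhfssv;c:\windows\system32\drivers\mjqhfssv.sys [9/27/2006 7:01 PM 23424]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 ceafdqoi;ceafdqoi;c:\windows\system32\drivers\jpfxkncd.sys --> c:\windows\system32\drivers\jpfxkncd.sys [?]
S1 djjkaziz;djjkaziz;\??\c:\windows\system32\drivers\djjkaziz.sys --> c:\windows\system32\drivers\djjkaziz.sys [?]
S2 hvuqchgs;Remote Access Auto Connection Helper;c:\windows\System32\svchost.exe -k netsvcs [9/27/2006 7:01 PM 14336]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [7/18/2008 7:43 AM 166384]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
hvuqchgs
"""


def parse(log):
    """Return (service entries, names listed under Svchost - NetSvcs)."""
    entries, netsvcs, in_netsvcs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if "Svchost - NetSvcs" in line:
            in_netsvcs = True
            continue
        if in_netsvcs:
            if line in ("", "."):
                in_netsvcs = False
            else:
                netsvcs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        start, key, display, rest = m.groups()
        # ComboFix writes "<image> --> <image> [?]" when the file is absent,
        # otherwise "<image> [<timestamp> <size>]".
        missing = rest.endswith("[?]")
        image = re.sub(r" \[[^\]]*\]$", "", rest).split(" --> ")[0]
        entries.append(SvcEntry(start, key, display, image, missing))
    return entries, netsvcs


def unpronounceable(name):
    """Heuristic (assumption of this example): eight lowercase letters with a
    run of three or more consonants, which matches the generated names in the
    log but not eight-letter XP service names such as wuauserv or seclogon."""
    if not re.fullmatch(r"[a-z]{8}", name):
        return False
    return re.search(r"[^aeiou]{3}", name) is not None


def flag(log):
    """Map each condition to the service keys that trigger it."""
    entries, netsvcs = parse(log)
    hits = defaultdict(list)
    for e in entries:
        if e.missing:
            hits["missing-image"].append(e.key)
        if unpronounceable(e.key):
            hits["random-name"].append(e.key)
        if re.search(r"svchost\.exe -k netsvcs", e.image, re.I) and e.key in netsvcs:
            hits["netsvcs-member"].append(e.key)
    return hits


if __name__ == "__main__":
    for category, keys in sorted(flag(SAMPLE).items()):
        print(f"{category}: {', '.join(keys)}")
```

The NetSvcs check is the one worth keeping: a service that lives inside the shared netsvcs svchost.exe never shows up as its own process in a HijackThis process list, which is one reason the earlier scans in this thread could keep missing it.
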
  #3 - Junior Member (joined May 2009, 11 posts)

    Thank you so much for your help, Shaba. I was running out of keyboards to bash my face into. I hope I got everything disabled that needed to be, but I've been fighting with just about every bit of unpleasant software on the planet for so long, I'm almost certain that I forgot to disable something. If I did, let me know. ComboFix found a fair bit of stuff and my default browser seems to have been switched to IE. It also appears that one of the users of this system has been using file sharing software. Time to remove it and have a nice chat about system security with him. One other note: I'm having some degree of difficulty disabling some AVG components. The notes linked to on how to disable the avg firewall seem to not be working.

    Here is the ComboFix log:

    ComboFix 09-05-06.08 - Dennis DeLaet 05/07/2009 10:17.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2742 [GMT -6:00]
    Running from: c:\documents and settings\Dennis DeLaet\Desktop\ComboFix.exe
    AV: AVG Internet Security *On-access scanning disabled* (Updated)
    FW: AVG Firewall *enabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Dennis DeLaet\Local Settings\Temporary Internet Files\fbk.sts
    c:\documents and settings\Dennis DeLaet\protect.dll
    c:\documents and settings\Dennis DeLaet\Start Menu\Programs\Startup\ChkDisk.dll
    c:\documents and settings\Dennis DeLaet\Start Menu\Programs\Startup\ChkDisk.lnk
    c:\documents and settings\LocalService\protect.dll
    c:\windows\ld08.exe
    c:\windows\system32\autochk.dll
    c:\windows\system32\config\systemprofile\protect.dll
    c:\windows\system32\drivers\ovfsthvjooapidjnehuxoqkldjumilerhmosaw.sys
    c:\windows\system32\nfr.assembly
    c:\windows\system32\nfr.gpref
    c:\windows\system32\ovfsthmfraunbkotuvnykikcfotqtlndodjaes.dll
    c:\windows\system32\ovfsthposnmgnpyojwkeplcxepdhqjoepyseaq.dll
    c:\windows\system32\ovfsthrkwptxcnslcmcvaqfqfjdproypvokcyw.dll
    c:\windows\system32\ovfsthwofilmsvsqwakyvanegvyakejetyjaig.dat
    c:\windows\system32\ovfsthybxsoiisxhjifkdvwhliqqdlvqphdpel.dat
    c:\windows\system32\uhehojos.ini
    c:\windows\system32\x64

    Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
    Restored copy from - The cat ate it

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_ovfsthppvuoedotaeylchxxcsrmtumtqgxyjui


    ((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
    .

    2009-05-07 15:57 . 2009-05-07 15:57 -------- d-----w c:\documents and settings\log
    2009-05-07 15:42 . 2009-05-07 15:42 202 ----a-w C:\43214354.bat
    2009-04-30 22:55 . 2009-04-30 22:55 -------- d-----w c:\program files\Trend Micro
    2009-04-30 22:54 . 2009-04-30 22:54 -------- d-----w c:\program files\ERUNT
    2009-04-29 19:22 . 2009-04-29 19:22 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\Malwarebytes
    2009-04-29 19:22 . 2009-04-06 21:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-04-29 19:22 . 2009-04-06 21:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-29 19:22 . 2009-04-29 19:22 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-04-29 19:22 . 2009-04-29 19:22 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-21 17:20 . 2009-04-21 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
    2009-04-21 17:19 . 2009-04-24 15:59 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-04-21 17:18 . 2009-04-24 15:59 29208 ----a-w c:\windows\system32\drivers\avgfwdx.sys
    2009-04-21 17:18 . 2009-04-24 15:59 50968 ----a-w c:\windows\system32\avgfwdx.dll
    2009-04-21 16:48 . 2009-04-21 16:48 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\AVG8
    2009-04-20 23:43 . 2009-04-21 00:26 -------- d-----w c:\documents and settings\Dennis DeLaet\.housecall6.6
    2009-04-20 20:37 . 2009-04-20 20:37 -------- d--h--w c:\windows\system32\GroupPolicy
    2009-04-20 20:30 . 2009-04-20 20:30 -------- d-----w c:\documents and settings\Dennis DeLaet\Local Settings\Application Data\Mozilla
    2009-04-18 18:48 . 2009-04-18 18:48 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\acjulkpl
    2009-04-18 18:48 . 2009-04-18 18:48 -------- d-----w c:\documents and settings\Dennis DeLaet\Local Settings\Application Data\acjulkpl
    2009-04-18 18:45 . 2009-04-18 18:45 -------- d-----w c:\documents and settings\NetworkService\Application Data\acjulkpl
    2009-04-18 18:45 . 2009-04-18 18:45 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\acjulkpl
    2009-04-16 23:37 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-16 23:37 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 23:37 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-16 23:37 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 23:37 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 23:37 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 23:37 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 23:37 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 23:37 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-16 22:31 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-16 22:31 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
    2009-04-16 07:37 . 2009-04-16 07:37 155 ----a-w c:\windows\system32\SelfDel.bat
    2009-04-16 06:05 . 2009-04-16 06:05 615 ----a-w c:\windows\system32\weJMfGhN4WCNd.vbs
    2009-04-16 05:59 . 2009-04-16 06:03 69194 ----a-w c:\windows\system32\ilxvgxvynkkbyqs.dll-uninst.exe
    2009-04-16 05:54 . 2009-04-16 05:54 615 ----a-w c:\windows\system32\9C3ooQJMCpYBLJY.vbs
    2009-04-16 05:53 . 2009-04-16 05:53 615 ----a-w c:\windows\system32\ebLLhZ8qqOvjBRG.vbs
    2009-04-16 05:52 . 2009-04-16 05:52 615 ----a-w c:\windows\system32\UKz9D.vbs
    2009-04-16 05:51 . 2009-04-16 05:51 615 ----a-w c:\windows\system32\4oClI.vbs
    2009-04-16 05:43 . 2009-04-16 06:21 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\Cabos
    2009-04-16 05:42 . 2009-04-16 05:42 -------- d-----w c:\program files\Download Access v1.2.7
    2009-04-16 03:39 . 2009-04-16 03:45 -------- d-----w c:\program files\LimeWire
    2009-04-11 20:20 . 2009-04-11 20:20 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\PlayFirst
    2009-04-11 20:08 . 2009-04-11 20:08 -------- d-----w c:\windows\Diner Dash 3-in-1
    2009-04-11 19:56 . 2009-04-11 19:56 -------- d-----w c:\program files\ReflexiveArcade
    2009-04-11 19:38 . 2009-04-11 19:38 40 ----a-w c:\windows\RSoftInfo.dat
    2009-04-11 19:34 . 2009-04-11 19:34 -------- d-----w c:\program files\jZip
    2009-04-11 19:31 . 2009-04-11 19:31 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\Yahoo!
    2009-04-11 19:28 . 2009-04-14 16:17 -------- d-----w c:\program files\Yahoo!
    2009-04-11 19:20 . 2009-04-11 19:20 15 ----a-w c:\windows\popcinfo.dat
    2009-04-09 03:57 . 2009-04-09 04:04 -------- d-----w c:\documents and settings\Dennis DeLaet\Application Data\ZiggyGames
    2009-04-08 15:18 . 2009-04-08 15:18 714752 ----a-w c:\windows\system32\nsc3E.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-07 16:17 . 2006-09-28 01:01 182656 ----a-w c:\windows\system32\drivers\ndis.sys
    2009-05-06 21:01 . 2009-04-01 18:17 -------- d-----w c:\program files\Common Files\Symantec Shared
    2009-05-06 21:00 . 2009-04-01 18:17 -------- d-----w c:\program files\Norton Security Scan
    2009-05-06 19:06 . 2009-01-28 19:51 -------- d-----w c:\program files\Mozilla Thunderbird
    2009-04-26 00:46 . 2009-02-03 17:49 15688 ----a-w c:\windows\system32\lsdelete.exe
    2009-04-26 00:46 . 2009-02-01 01:45 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
    2009-04-24 16:00 . 2009-01-29 17:55 11952 ----a-w c:\windows\system32\avgrsstx.dll
    2009-04-24 16:00 . 2009-01-13 20:47 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-04-20 23:43 . 2009-03-30 21:39 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
    2009-04-18 18:45 . 2006-09-28 01:01 -------- d-----w c:\program files\Common Files\Mozilla Shared
    2009-04-16 18:08 . 2009-01-13 22:03 -------- d-----w c:\program files\Java
    2009-04-01 18:20 . 2009-04-01 18:20 -------- d-----w c:\program files\Windows Defender
    2009-04-01 18:15 . 2008-12-16 16:34 86840 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-30 21:11 . 2009-01-13 21:28 -------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-09 11:19 . 2009-01-19 17:14 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-03-06 14:22 . 2006-09-28 01:01 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-03 00:18 . 2006-09-28 01:01 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-26 18:46 . 2009-02-26 18:46 74760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
    2009-02-26 18:46 . 2009-02-26 18:46 25608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
    2009-02-20 18:09 . 2006-09-28 01:01 78336 ----a-w c:\windows\system32\ieencode.dll
    2009-02-09 12:10 . 2006-09-28 01:01 729088 ----a-w c:\windows\system32\lsasrv.dll
    2009-02-09 12:10 . 2006-09-28 01:01 401408 ----a-w c:\windows\system32\rpcss.dll
    2009-02-09 12:10 . 2006-09-28 01:01 714752 ----a-w c:\windows\system32\ntdll.dll
    2009-02-09 12:10 . 2006-09-28 01:01 617472 ----a-w c:\windows\system32\advapi32.dll
    2009-02-09 11:13 . 2006-09-28 01:01 1846784 ----a-w c:\windows\system32\win32k.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-24 1947928]
    "HPWH myPrintMileage Agent"="c:\program files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe" [2003-09-23 102400]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-26 516440]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-05-16 16862720]

    c:\documents and settings\Dennis DeLaet\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-04-24 16:00 11952 ----a-w c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\java.exe"=
    "c:\\Program Files\\OpenOffice.org 3\\program\\soffice.bin"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

    R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2/26/2009 12:46 PM 25608]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/31/2009 7:45 PM 64160]
    R0 mjqhfssv;mjqhfssv;c:\windows\system32\drivers\mjqhfssv.sys [9/27/2006 7:01 PM 23424]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/13/2009 2:47 PM 325896]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/21/2009 11:19 AM 108552]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 11:55 AM 298776]
    R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [4/24/2009 9:59 AM 1366904]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2/26/2009 12:46 PM 5576712]
    R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2/26/2009 12:46 PM 563720]
    R2 CEEBC40A-FDED-4C59-B354-939132350B01;Roxio File Backup Service;c:\program files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe [2/12/2008 9:12 PM 76272]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 3:34 PM 953168]
    R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [4/14/2006 9:07 AM 28933976]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [4/21/2009 11:18 AM 29208]
    R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2/26/2009 12:46 PM 121352]
    R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2/26/2009 12:46 PM 30216]
    R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2/26/2009 12:46 PM 27232]
    S0 ceafdqoi;ceafdqoi;c:\windows\system32\drivers\jpfxkncd.sys --> c:\windows\system32\drivers\jpfxkncd.sys [?]
    S1 djjkaziz;djjkaziz;\??\c:\windows\system32\drivers\djjkaziz.sys --> c:\windows\system32\drivers\djjkaziz.sys [?]
    S1 geomgxdj;geomgxdj;\??\c:\windows\system32\drivers\geomgxdj.sys --> c:\windows\system32\drivers\geomgxdj.sys [?]
    S1 htksbqce;htksbqce;\??\c:\windows\system32\drivers\htksbqce.sys --> c:\windows\system32\drivers\htksbqce.sys [?]
    S1 ujhwmmdj;ujhwmmdj;\??\c:\windows\system32\drivers\ujhwmmdj.sys --> c:\windows\system32\drivers\ujhwmmdj.sys [?]
    S2 hvuqchgs;Remote Access Auto Connection Helper;c:\windows\System32\svchost.exe -k netsvcs [9/27/2006 7:01 PM 14336]
    S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [7/18/2008 7:43 AM 309744]
    S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [7/18/2008 7:43 AM 166384]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [4/21/2009 11:18 AM 29208]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [7/18/2008 7:43 AM 1120752]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    hvuqchgs
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 00:45]

    2009-05-07 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-21 02:36]

    2009-05-07 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 01:20]

    2009-05-06 c:\windows\Tasks\Norton Security Scan for Dennis DeLaet.job
    - c:\program files\Norton Security Scan\Nss.exe [2008-09-19 02:20]
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKU-Default-Run-WinProx32_1 - c:\documents and settings\LocalService\Application Data\psvrr.exe
    HKU-Default-Run-A00FFFBC.exe - c:\windows\TEMP\_A00FFFBC.exe
    HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyServer = localhost:7171
    uInternet Settings,ProxyOverride = *.local;<local>
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    FF - ProfilePath - c:\documents and settings\Dennis DeLaet\Application Data\Mozilla\Firefox\Profiles\wv8ofh5c.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/defaulta.aspx
    FF - prefs.js: network.proxy.http - localhost
    FF - prefs.js: network.proxy.http_port - 7171
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-07 10:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2368)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\OpenOffice.org 3\program\soffice.exe
    c:\program files\OpenOffice.org 3\program\soffice.bin
    c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSMonitor.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-07 10:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-07 16:27

    Pre-Run: 222,025,515,008 bytes free
    Post-Run: 222,245,613,568 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    260 --- E O F --- 2009-05-07 15:37

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:55:33 AM, on 5/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
    c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
    O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://ushousecall02.trendmicro.com/...vex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206018920343
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
    O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\Program Files\Roxio\BackOnTrack\File Backup\FileBackupSVC.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
    O23 - Service: RoxMediaDB10 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
    O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 7714 bytes
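A responder reading a log like the one above usually skims for a few line shapes before anything else: an R0/R1 proxy entry pointing at the local machine, an O2 BHO whose DLL is gone, and an O23 service with no publisher. The script below is an added example and not part of the thread or of HijackThis; it parses those line kinds and returns review prompts (not verdicts) for them. The sample log is constructed from lines copied out of the log above; `parse_line`, `flags_for` and `triage` are this example's own names.

```python
"""Triage HijackThis-style log lines: parse R0/R1, O2 and O23 entries and
flag the ones a responder would look at first.

Added example, not part of the original thread and not HijackThis code.
The flags are review prompts, not proof of infection.
"""
import re

# Constructed sample: lines taken from the log posted above, trimmed to the
# line kinds this example handles.
SAMPLE_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = localhost:7171
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\\PROGRA~1\\AVG\\AVG8\\AVGTOO~1.DLL
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\system32\\igfxtray.exe
O23 - Service: Roxio File Backup Service (CEEBC40A-FDED-4C59-B354-939132350B01) - Unknown owner - c:\\Program Files\\Roxio\\BackOnTrack\\File Backup\\FileBackupSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_line(line):
    """Split one log line into its kind (R1, O2, ...) and body; None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "body": m.group("body")}


def flags_for(entry):
    """Review reasons for one parsed entry; an empty list means nothing notable."""
    kind, body = entry["kind"], entry["body"]
    reasons = []
    if kind in ("R0", "R1"):
        m = PROXY_RE.search(body)
        # A browser proxy on the local machine means some local process sits
        # between the browser and the network; identify which one, and why.
        if m and m.group("host").lower() in LOCAL_HOSTS:
            reasons.append("browser proxy set to the local machine: %s"
                           % body.split("ProxyServer = ", 1)[1])
    if kind == "O2" and body.endswith("(no file)"):
        # Registered BHO whose DLL is gone: leftover from an earlier removal,
        # or a stub that something re-creates on reboot. Either way, confirm.
        reasons.append("BHO registered but its DLL is missing")
    if kind == "O23" and " - Unknown owner - " in body:
        reasons.append("service has no publisher name; verify the binary")
    return reasons


def triage(log_text):
    """Return [(kind, body, reasons)] for every entry that raised a flag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = flags_for(entry)
            if reasons:
                findings.append((entry["kind"], entry["body"], reasons))
    return findings


if __name__ == "__main__":
    for kind, body, reasons in triage(SAMPLE_LOG):
        print(kind, body)
        for reason in reasons:
            print("   ->", reason)
```

Run it against a full log by reading the file and passing its text to `triage`; the three lines it flags from the sample are the proxy entry, the orphaned BHO and the unsigned service, which is the order a helper would ask about them.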

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Disabling antivirus was just fine

    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:



    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    May 2009
    Posts
    11

    Default

    That was quick. Here is the list.

    Activation Assistant for the 2007 Microsoft Office suites
    Ad-Aware
    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.0
    Adobe Shockwave Player 11
    AVG 8.5
    AVG Identity Protection
    Business Contact Manager for Outlook 2007
    Business Contact Manager for Outlook 2007
    Chinese Simplified Fonts Support For Adobe Reader 8
    Critical Update for Windows Media Player 11 (KB959772)
    Diner Dash 3-in-1
    Download Access v1.2.7
    ERUNT 1.1j
    Family Feud II
    Google Earth
    Google Toolbar for Internet Explorer
    Google Toolbar for Internet Explorer
    Google Updater
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.0 (KB932471)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB961118)
    HouseCall 6.6
    hp business inkjet 1100
    Intel(R) Graphics Media Accelerator Driver
    Japanese Fonts Support For Adobe Reader 8
    Java(TM) 6 Update 13
    Java(TM) 6 Update 7
    jZip
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office Accounting 2007
    Microsoft Office Accounting 2007
    Microsoft Office Accounting ADP Payroll Addin
    Microsoft Office Accounting Equifax Addin
    Microsoft Office Accounting Fixed Asset Manager
    Microsoft Office Accounting PayPal Addin
    Microsoft Office Small Business Connectivity Components
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.10)
    Mozilla Thunderbird (2.0.0.21)
    MSN
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    Norton Security Scan
    Norton Security Scan (Symantec Corporation)
    OpenOffice.org 3.0
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Roxio BackOnTrack
    Roxio Central Audio
    Roxio Central Copy
    Roxio Central Core
    Roxio Central Data
    Roxio Central Tools
    Roxio CinePlayer
    Roxio Creator XE
    Roxio Creator XE
    Roxio Express Labeler 3
    Roxio File Backup
    Roxio Update Manager
    Search Assistant Mysidesearch
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Siemens Subscriber Networks SpeedStream DSL
    Sonic CinePlayer Decoder Pack
    Spybot - Search & Destroy
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Windows Defender
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 11
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Uninstall these:

    Diner Dash 3-in-1
    Search Assistant Mysidesearch

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

      Code:
      File::
      c:\windows\system32\SelfDel.bat
      c:\windows\system32\weJMfGhN4WCNd.vbs
      c:\windows\system32\ilxvgxvynkkbyqs.dll-uninst.exe
      c:\windows\system32\9C3ooQJMCpYBLJY.vbs
      c:\windows\system32\ebLLhZ8qqOvjBRG.vbs
      c:\windows\system32\UKz9D.vbs
      c:\windows\system32\4oClI.vbs
      c:\windows\system32\nsc3E.dll
      
      Folder::
      c:\program files\LimeWire
      c:\windows\Diner Dash 3-in-1
      
      Driver::
      ceafdqoi
      djjkaziz
      geomgxdj
      htksbqce
      ujhwmmdj
      
      NetSvcs::
      hvuqchgs
      
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=-
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
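Before a script like the one above is dragged onto ComboFix, it helps to see in plain terms what each section will act on. The parser below is an added example, not part of the thread and not ComboFix code. It reads the section names used above (`File::`, `Folder::`, `Driver::`, `NetSvcs::`, `Registry::`), treats the `Registry::` block as .reg syntax where `"name"=-` deletes a value, and produces a dry-run plan plus a list of problems. The review rules (absolute paths only, no wildcards, a `[key]` line before any value) and the function names `parse_cfscript` and `review` are this example's own; the sample script uses placeholder paths.

```python
"""Parse a ComboFix-style CFScript.txt into sections and produce a dry-run
plan for review before the script is handed to ComboFix.

Added example, not part of the original thread and not ComboFix code.
"""
import re

# Constructed sample in the format posted above; paths and names are
# placeholders, not the entries from the thread.
SAMPLE_SCRIPT = """\
File::
c:\\windows\\system32\\example-dropped.vbs
c:\\windows\\system32\\example-dropped.dll

Folder::
c:\\program files\\ExampleApp

Driver::
abcdefgh

NetSvcs::
ijklmnop

Registry::
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
"c:\\\\Program Files\\\\ExampleApp\\\\ExampleApp.exe"=-
"""

KNOWN_SECTIONS = {"File", "Folder", "Driver", "NetSvcs", "Registry"}
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
ABS_PATH_RE = re.compile(r"^[a-zA-Z]:\\")   # drive letter, colon, backslash


def parse_cfscript(text):
    """Return {section_name: [directive lines]} in file order; blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("directive before any section header: %r" % line)
        sections[current].append(line)
    return sections


def _plain_path(path):
    """True for an absolute Windows path with no wildcard characters."""
    return bool(ABS_PATH_RE.match(path)) and not any(c in path for c in "*?")


def review(sections):
    """Return (plan, problems): plan is [(action, target)], problems is [str]."""
    plan, problems = [], []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            problems.append("unknown section %s::" % name)
    for path in sections.get("File", []):
        if _plain_path(path):
            plan.append(("delete file", path))
        else:
            problems.append("File:: entry is not a plain absolute path: %s" % path)
    for path in sections.get("Folder", []):
        if _plain_path(path):
            plan.append(("delete folder", path))
        else:
            problems.append("Folder:: entry is not a plain absolute path: %s" % path)
    for name in sections.get("Driver", []):
        plan.append(("remove service/driver", name))
    for name in sections.get("NetSvcs", []):
        plan.append(("remove netsvcs entry", name))
    key = None
    for line in sections.get("Registry", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # .reg key header
        elif key is None:
            problems.append("Registry:: value before any [key]: %s" % line)
        elif line.endswith("=-"):                 # .reg syntax: delete this value
            plan.append(("delete registry value", key + " -> " + line[:-2].strip('"')))
        else:
            plan.append(("set registry value", key + " -> " + line))
    return plan, problems


if __name__ == "__main__":
    plan, problems = review(parse_cfscript(SAMPLE_SCRIPT))
    for action, target in plan:
        print("%-22s %s" % (action, target))
    for p in problems:
        print("PROBLEM:", p)
```

A non-empty `problems` list is the cue to stop and re-read the script rather than run it; a wildcard or a relative path in `File::` is the kind of slip that takes far more than the intended files with it.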

  7. #7
    Junior Member
    Join Date
    May 2009
    Posts
    11

    Default

    I'm posting on another computer just in case something happens while I write this. After following the instructions in your previous post, I've been staring at an unchanging screen for quite a while. Last time I ran ComboFix, quite a bit of text popped up in the window while it was running. This time, I have a blinking cursor on the top of the window, there is no text whatsoever in said window, and nothing seems to be happening. Is this normal or has something gone haywire?

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Combofix can be running or might have stalled.

    Wait 30-60 minutes and if nothing happens, you can do a hard reboot and let me know if that helped.

  9. #9
    Junior Member
    Join Date
    May 2009
    Posts
    11

    Default

    Waited an hour, rebooted, tried again. It would still appear that nothing is happening. I hope I didn't break anything worse than it was already broken. Now the question becomes, where do I go from here?

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Then you might want to try Last Known Good Configuration from the boot menu next.
    Let me know if it helped.
