Badly Infected Computer (unauthorized access on PayPal account! Help!)

Renorei

New member
My computer seems to be very infected, and I need help badly. It is an old computer (2004), but it has a 100 GB hard drive and 1024 MB of RAM, so while I wouldn't expect it to be very fast, it still should have some life left in it. I shall do my best to describe its symptoms and tell you everything I think you should know.

Lately it has been running very slowly in general, and especially when I am on the internet. Recently, I had an experience where I tried to get on the internet and it would give me some kind of message telling me I can't do that. I cannot remember the exact text. A few minutes later, I got a blue screen.

I turned my computer off and turned it back on and chose "Safe Mode with Networking" so I could still access the internet. That was a little faster.

Later, I got e-mails about PayPal purchases made with my PayPal account that I had never made. I called PayPal and I will not be held liable for those purchases. Still, this is very scary. I want to change passwords to everything, but before I do that I want to make sure that my computer is completely safe so the evildoers won't just get my passwords again.

About two days ago I ran a bunch of anti-spyware/malware/virus programs, and found a ton of infected files. I deleted and/or quarantined all of them, which seemed to help for a while, and I thought maybe I was all clear. But now it's back to being as slow as before, so I must be re-infected. Nevertheless, I may have removed some signs of infection, so I wanted you to be aware.

I am pretty much using my computer exclusively in safe mode (with networking) now.

I would love to be able to keep my peer-to-peer software if possible; please just teach me how to use it safely. But if I must get rid of it, so be it; I will get rid of it. I have BitTorrent. I also have WinRAR; I don't know if that matters.

In my downloads folder, there are now a bunch of files that end in "-crack.exe". The names begin with the names of programs/files on my computer, such as "Microsoft Office-crack.exe" and "Tall Emu-crack.exe" and "Jasc Software Inc-crack.exe". I do not know what these mean or if they are dangerous.

I backed up my registry with ERUNT.

Here are my DDS logs. The first one is DDS.txt, the second one is Attach.txt. I am copying and pasting them both per the instructions here.

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Rebel at 1:20:56.73 on Wed 08/04/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1552 [GMT -4:00]

AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rebel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\desktop\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BidSlayer]
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\rebel\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Windows Java Runtime] "c:\documents and settings\rebel\java.jar"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\desktop\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185296588953
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: kvxqmtre - {900BE20B-A3F7-487D-B309-2902E1D0D4E4} - No File
SSODL: evgratsm - {79A0198B-B5BA-4849-9512-ED70AACACD58} - No File
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnNDUKB
mASetup: {D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6} - c:\documents and settings\rebel\application data\svchost.exe
uASetup: {D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6} - c:\documents and settings\rebel\application data\svchost.exe
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rebel\applic~1\mozilla\firefox\profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\rebel\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-3-8 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-3-8 28872]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-29 165456]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-3-8 178376]
S2 a2free;a-squared Free Service;c:\desktop\a-squared free\a2service.exe [2009-3-8 1872320]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-29 17744]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-29 40384]
S2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-3-8 1402568]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-29 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-29 40384]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\drivers\ptumwbus.sys --> c:\windows\system32\drivers\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\drivers\ptumwcdf.sys --> c:\windows\system32\drivers\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\drivers\ptumwflt.sys --> c:\windows\system32\drivers\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\drivers\ptumwmdm.sys --> c:\windows\system32\drivers\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\drivers\ptumwnet.sys --> c:\windows\system32\drivers\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\drivers\ptumwvsp.sys --> c:\windows\system32\drivers\PTUMWVsp.sys [?]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2007-7-28 517632]
S3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-3-8 3321032]

=============== Created Last 30 ================

2010-07-30 00:52:30 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:51:50 137 ----a-w- c:\windows\system32\launch.vbs
2010-07-29 22:58:19 60 ---ha-w- C:\autorun.inf
2010-07-29 22:13:25 0 d-----w- c:\program files\Trend Micro
2010-07-29 22:09:51 0 d-----w- c:\windows\pss
2010-07-29 20:04:35 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software
2010-07-23 03:34:51 18160 ---ha-w- c:\documents and settings\rebel\java.jar
2010-07-22 21:59:23 180224 ---h--w- C:\ntldr.exe
2010-07-21 19:28:16 123041 ----a-w- C:\RunFirst.exe
2010-07-21 19:28:14 0 ----a-w- c:\windows\system32\s4c.vbs
2010-07-21 19:28:13 480 ----a-w- c:\windows\system32\net.vbs
2010-07-21 19:28:13 1034 ----a-w- c:\windows\system32\net.bat
2010-07-10 01:18:50 32133 ----a-w- c:\docume~1\rebel\applic~1\SQLite3.dll
2010-07-10 01:18:48 0 d-----w- c:\windows\sysid

==================== Find3M ====================

2010-06-28 01:54:03 157142 ----a-w- c:\windows\hphins25.dat
2010-06-26 17:46:46 148736 ----a-w- c:\docume~1\alluse~1.win\applic~1\hpe2E3.dll
2010-06-02 20:31:04 45024 ---ha-w- c:\windows\system32\mlfcache.dat

============= FINISH: 1:22:01.85 ===============

And now for Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 7/23/2007 7:02:13 PM
System Uptime: 8/3/2010 11:13:41 PM (2 hours ago)

Motherboard: Dell Inc. | |
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 70.905 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP714: 4/24/2010 9:17:54 AM - System Checkpoint
RP715: 4/25/2010 9:31:25 AM - System Checkpoint
RP716: 4/26/2010 1:00:15 PM - System Checkpoint
RP717: 4/27/2010 1:34:05 PM - System Checkpoint
RP718: 4/28/2010 2:06:57 PM - System Checkpoint
RP719: 4/29/2010 3:42:21 PM - System Checkpoint
RP720: 4/30/2010 3:51:05 PM - System Checkpoint
RP721: 5/1/2010 3:55:43 PM - System Checkpoint
RP722: 5/2/2010 4:00:18 PM - System Checkpoint
RP723: 5/4/2010 12:46:07 PM - System Checkpoint
RP724: 5/5/2010 1:51:17 PM - System Checkpoint
RP725: 5/6/2010 1:52:44 PM - System Checkpoint
RP726: 5/7/2010 2:10:41 PM - System Checkpoint
RP727: 5/8/2010 3:06:58 PM - System Checkpoint
RP728: 5/10/2010 9:38:51 AM - System Checkpoint
RP729: 5/11/2010 10:12:30 AM - System Checkpoint
RP730: 5/12/2010 12:39:17 PM - System Checkpoint
RP731: 5/13/2010 10:09:18 PM - System Checkpoint
RP732: 5/14/2010 11:19:27 PM - System Checkpoint
RP733: 5/16/2010 11:21:23 AM - System Checkpoint
RP734: 5/17/2010 3:33:07 PM - System Checkpoint
RP735: 5/18/2010 3:58:03 PM - System Checkpoint
RP736: 5/20/2010 2:39:50 PM - System Checkpoint
RP737: 5/21/2010 3:05:36 PM - System Checkpoint
RP738: 5/23/2010 12:13:18 PM - System Checkpoint
RP739: 5/24/2010 4:07:34 PM - System Checkpoint
RP740: 5/26/2010 12:04:30 AM - System Checkpoint
RP741: 5/27/2010 1:58:57 AM - System Checkpoint
RP742: 5/28/2010 8:12:21 AM - System Checkpoint
RP743: 5/29/2010 9:20:01 AM - System Checkpoint
RP744: 5/30/2010 10:25:39 AM - System Checkpoint
RP745: 5/31/2010 11:14:08 AM - System Checkpoint
RP746: 6/1/2010 11:33:40 AM - System Checkpoint
RP747: 6/2/2010 5:38:41 PM - System Checkpoint
RP748: 6/4/2010 10:27:21 AM - System Checkpoint
RP749: 6/5/2010 10:31:05 AM - System Checkpoint
RP750: 6/6/2010 11:09:51 AM - System Checkpoint
RP751: 6/7/2010 12:00:23 PM - System Checkpoint
RP752: 6/8/2010 2:52:40 PM - System Checkpoint
RP753: 6/9/2010 2:56:00 PM - System Checkpoint
RP754: 6/10/2010 3:11:41 PM - System Checkpoint
RP755: 6/11/2010 3:35:52 PM - System Checkpoint
RP756: 6/12/2010 3:51:42 PM - System Checkpoint
RP757: 6/13/2010 6:05:24 PM - System Checkpoint
RP758: 6/14/2010 6:11:00 PM - System Checkpoint
RP759: 6/16/2010 12:58:42 AM - System Checkpoint
RP760: 6/17/2010 11:18:36 AM - System Checkpoint
RP761: 6/18/2010 4:05:17 PM - System Checkpoint
RP762: 6/21/2010 5:35:22 PM - System Checkpoint
RP763: 6/22/2010 9:59:08 PM - System Checkpoint
RP764: 6/24/2010 11:11:40 AM - System Checkpoint
RP765: 6/26/2010 12:13:31 AM - System Checkpoint
RP766: 6/26/2010 1:46:30 PM - Installed Cricket Broadband Connect
RP767: 6/27/2010 10:30:53 PM - System Checkpoint
RP768: 6/29/2010 10:40:24 PM - System Checkpoint
RP769: 7/1/2010 8:35:18 PM - System Checkpoint
RP770: 7/2/2010 8:43:35 PM - System Checkpoint
RP771: 7/4/2010 12:24:34 PM - System Checkpoint
RP772: 7/5/2010 12:27:40 PM - System Checkpoint
RP773: 7/6/2010 2:59:08 PM - System Checkpoint
RP774: 7/7/2010 3:43:35 PM - System Checkpoint
RP775: 7/8/2010 6:22:43 PM - System Checkpoint
RP776: 7/9/2010 10:57:18 PM - System Checkpoint
RP777: 7/11/2010 9:25:51 AM - System Checkpoint
RP778: 7/12/2010 9:41:59 AM - System Checkpoint
RP779: 7/13/2010 9:51:30 AM - System Checkpoint
RP780: 7/14/2010 3:39:42 PM - System Checkpoint
RP781: 7/15/2010 6:36:37 PM - System Checkpoint
RP782: 7/17/2010 10:49:40 AM - System Checkpoint
RP783: 7/18/2010 1:44:40 PM - System Checkpoint
RP784: 7/20/2010 11:56:32 AM - System Checkpoint
RP785: 7/21/2010 4:58:27 PM - System Checkpoint
RP786: 7/22/2010 7:05:58 PM - System Checkpoint

==== Hosts File Hijack ======================

Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com
Hosts: 127.0.0.1 www.virustotal.com
Hosts: 127.0.0.1 www.bitdefender.com

==== Installed Programs ======================

32 Bit HP CIO Components Installer
a-squared Free 4.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
Avanquest update
avast! Free Antivirus
BCM V.92 56K Modem
Before You Know It 3.6
BitTorrent
Broadcom 440x 10/100 Integrated Controller
BufferChm
Compatibility Pack for the 2007 Office system
Cricket Broadband Connect
D2500
D2500_Help
Dell ResourceCD
DeviceDiscovery
DeviceManagementQFolder
DJ_SF_03_D2500_ProductContext
DJ_SF_03_D2500_Software
DJ_SF_03_D2500_Software_Min
DNA
ERUNT 1.1j
eSupportQFolder
Google Chrome
GPBaseService
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
HP Deskjet D2500 Printer Driver Software 10.0 Rel .3
HP Imaging Device Functions 10.0
HP Smart Web Printing
HP Solution Center 10.0
HP Update
HPProductAssistant
Jasc Animation Shop 3
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 5
Linksys WUSB100 RangePlus Wireless USB Adapter
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile PhoneTools
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Online Armor 3.0
PANTECH USB Modem V2
PowerDVD
Project64 1.6
QuickTime
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960715)
SmartWebPrintingOC
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Status
Toolbox
TrayApp
UnloadSupport
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6f
WebFldrs XP
WebReg
Windows Communication Foundation
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB839210
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR
XML Paper Specification Shared Components Pack 1.0
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

8/2/2010 11:19:40 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT OADevice OAmon OAnet OMCI RasAcd Rdbss Tcpip tcpipBM
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:19:40 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/2/2010 11:18:37 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/29/2010 6:58:13 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Alwil Software\Avast5\AvastUI.exe. Reference error message: The operation completed successfully. .
7/29/2010 6:56:38 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/29/2010 6:29:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/29/2010 6:23:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips intelppm OADevice OMCI
7/29/2010 6:07:05 PM, error: System Error [1003] - Error code 000000f4, parameter1 00000003, parameter2 892963b0, parameter3 89296524, parameter4 80605688.
7/29/2010 6:06:59 PM, error: System Error [1003] - Error code 1000007e, parameter1 c0000005, parameter2 b1377646, parameter3 f78bebd8, parameter4 f78be8d4.
7/29/2010 6:06:20 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.MFC. Reference error message: The referenced assembly is not installed on your system. .
7/29/2010 6:06:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe. Reference error message: The operation completed successfully. .
7/29/2010 6:06:20 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
7/29/2010 6:06:09 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
7/29/2010 6:04:46 PM, error: Service Control Manager [7022] - The Online Armor service hung on starting.
7/29/2010 5:35:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/29/2010 5:33:06 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/29/2010 5:28:52 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 aswSP aswTdi Fips IntelIde intelppm OADevice ohci1394 OMCI
7/29/2010 5:27:24 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/29/2010 3:12:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm OADevice OMCI

==== End Of File ===========================
 


Please read Before You Post
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


In my downloads folder, there are now a bunch of files that end in "-crack.exe". The names begin with the names of programs/files on my computer, such as "Microsoft Office-crack.exe" and "Tall Emu-crack.exe" and "Jasc Software Inc-crack.exe". I do not know what these mean or if they are dangerous.
These are illegal cracked copies of these programs; they were downloaded and installed by either you or someone you authorized to use your computer. Please read BEFORE YOU POST and you will see we can't help you unless these programs are uninstalled.

You need to remove your Peer to Peer software also; between downloading illegal software and using P2P, it's a wonder you're infected.


If you don't agree to remove them all then this thread will be closed; if you do agree, then remove them and run this scan:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
 
Ken, thank you for replying.

I'm willing to remove my peer-to-peer software and anything I've downloaded illegally (mostly movies). But the problem is, most of the stuff in that folder that ends in "-crack.exe" is stuff that I purchased legally and have every right to use. For example, Microsoft Office and Jasc Software Inc., I bought those fair and square; I had them bundled with my computer when I first bought it. Am I going to have to remove those even though I have a right to use them?

Will wait for your reply before I run OTL.
 
Sorry, meant to put this as well but I can't seem to figure out how to edit my post.

I wanted to add that it's either stuff I purchased legally or stuff that I downloaded as freeware.
 
Hi,

Run this scan please

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Double-click CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
 
Thanks Ken. Here's the results from that scan:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\rebel\my documents\downloads\adobe-crack.exe
c:\documents and settings\rebel\my documents\downloads\alwil software-crack.exe
c:\documents and settings\rebel\my documents\downloads\ati technologies-crack.exe
c:\documents and settings\rebel\my documents\downloads\audacity-crack.exe
c:\documents and settings\rebel\my documents\downloads\audible-crack.exe
c:\documents and settings\rebel\my documents\downloads\avanquest update-crack.exe
c:\documents and settings\rebel\my documents\downloads\bittorrent-crack.exe
c:\documents and settings\rebel\my documents\downloads\broadcom-crack.exe
c:\documents and settings\rebel\my documents\downloads\common files-crack.exe
c:\documents and settings\rebel\my documents\downloads\complus applications-crack.exe
c:\documents and settings\rebel\my documents\downloads\cricket broadband connect-crack.exe
c:\documents and settings\rebel\my documents\downloads\cyberlink-crack.exe
c:\documents and settings\rebel\my documents\downloads\dell computer-crack.exe
c:\documents and settings\rebel\my documents\downloads\dell-crack.exe
c:\documents and settings\rebel\my documents\downloads\divx-crack.exe
c:\documents and settings\rebel\my documents\downloads\dna-crack.exe
c:\documents and settings\rebel\my documents\downloads\hp-crack.exe
c:\documents and settings\rebel\my documents\downloads\installshield installation information-crack.exe
c:\documents and settings\rebel\my documents\downloads\intel-crack.exe
c:\documents and settings\rebel\my documents\downloads\internet explorer-crack.exe
c:\documents and settings\rebel\my documents\downloads\jasc software inc-crack.exe
c:\documents and settings\rebel\my documents\downloads\java-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft activesync-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft capicom 2.1.0.2-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft frontpage-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft office-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft silverlight-crack.exe
c:\documents and settings\rebel\my documents\downloads\minefield-crack.exe
c:\documents and settings\rebel\my documents\downloads\movie maker-crack.exe
c:\documents and settings\rebel\my documents\downloads\mozilla firefox-crack.exe
c:\documents and settings\rebel\my documents\downloads\msbuild-crack.exe
c:\documents and settings\rebel\my documents\downloads\msecache-crack.exe
c:\documents and settings\rebel\my documents\downloads\msn gaming zone-crack.exe
c:\documents and settings\rebel\my documents\downloads\msxml 6.0-crack.exe
c:\documents and settings\rebel\my documents\downloads\netmeeting-crack.exe
c:\documents and settings\rebel\my documents\downloads\online services-crack.exe
c:\documents and settings\rebel\my documents\downloads\outlook express-crack.exe
c:\documents and settings\rebel\my documents\downloads\pantech-crack.exe
c:\documents and settings\rebel\my documents\downloads\quicktime-crack.exe
c:\documents and settings\rebel\my documents\downloads\reference assemblies-crack.exe
c:\documents and settings\rebel\my documents\downloads\roxio-crack.exe
c:\documents and settings\rebel\my documents\downloads\tall emu-crack.exe
c:\documents and settings\rebel\my documents\downloads\uninstall information-crack.exe
c:\documents and settings\rebel\my documents\downloads\videolan-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows media player-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows nt-crack.exe
c:\documents and settings\rebel\my documents\downloads\windowsupdate-crack.exe
c:\documents and settings\rebel\my documents\downloads\winrar-crack.exe
c:\documents and settings\rebel\my documents\downloads\xerox-crack.exe
c:\documents and settings\rebel\my documents\downloads\yahoo!-crack.exe
c:\program files\jasc software inc\paint shop pro 8\bump maps\cracked desert.pspimage
c:\program files\jasc software inc\paint shop pro 8\patterns\cracked paint.pspimage
c:\program files\jasc software inc\paint shop pro 8\picture frames\black crackle.pspframe
scanner sequence 3.ZZ.11
----- EOF -----


As far as I know, none of these were illegal downloads on my part. Everything was either purchased or downloaded for free.
 
Wondering if malware renamed those files.


Please download Malwarebytes from Here or Here

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    [screenshot: MBAMCapture.jpg]
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
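The analyst's suspicion above, that malware created or renamed those "-crack.exe" files, can be checked rather than guessed at. The stems of the names in the CKScanner list (adobe, common files, installshield installation information, uninstall information, reference assemblies, windows nt, ...) read like folder names under C:\Program Files; if nearly every stem matches such a folder, the files were generated mechanically from a directory listing rather than downloaded one at a time. The script below is an added example for this thread, not CKScanner's or the forum's own code. Both inputs are constructed: the path list mirrors CKScanner's output format (a few of the posted entries plus a made-up "photoshop-crack.exe" that matches nothing), and PROGRAM_FILES_DIRS is an assumed Program Files listing; on the real machine you would build it with os.listdir of the Program Files path.

```python
"""Cross-check '-crack.exe' names against Program Files folder names.

Added example for this thread; not CKScanner code. Both inputs below are
constructed: SAMPLE_PATHS mirrors CKScanner's output format, and
PROGRAM_FILES_DIRS is an assumed C:\\Program Files listing (on a real
machine replace it with os.listdir of that directory).
"""
import re

# Matches the file name part of a '-crack.exe' entry and captures the stem.
CRACK_NAME = re.compile(r"^(?P<stem>.+)-crack\.exe$", re.IGNORECASE)

# Constructed sample in CKScanner's format. The last two lines are deliberately
# non-matching: a made-up name and an ordinary Paint Shop Pro asset.
SAMPLE_PATHS = r"""
c:\documents and settings\rebel\my documents\downloads\adobe-crack.exe
c:\documents and settings\rebel\my documents\downloads\common files-crack.exe
c:\documents and settings\rebel\my documents\downloads\complus applications-crack.exe
c:\documents and settings\rebel\my documents\downloads\installshield installation information-crack.exe
c:\documents and settings\rebel\my documents\downloads\jasc software inc-crack.exe
c:\documents and settings\rebel\my documents\downloads\microsoft office-crack.exe
c:\documents and settings\rebel\my documents\downloads\reference assemblies-crack.exe
c:\documents and settings\rebel\my documents\downloads\uninstall information-crack.exe
c:\documents and settings\rebel\my documents\downloads\windows nt-crack.exe
c:\documents and settings\rebel\my documents\downloads\photoshop-crack.exe
c:\program files\jasc software inc\paint shop pro 8\patterns\cracked paint.pspimage
""".strip().splitlines()

# Constructed: assumed contents of C:\Program Files on an XP machine.
PROGRAM_FILES_DIRS = [
    "Adobe", "Common Files", "ComPlus Applications",
    "InstallShield Installation Information", "Jasc Software Inc",
    "Microsoft Office", "Reference Assemblies", "Uninstall Information",
    "Windows NT", "Movie Maker", "Outlook Express",
]


def crack_stems(paths):
    """Return lower-cased stems (the part before '-crack.exe') of matching
    file names. Other files, e.g. 'cracked paint.pspimage', are ignored."""
    stems = []
    for path in paths:
        name = path.strip().rsplit("\\", 1)[-1]
        m = CRACK_NAME.match(name)
        if m:
            stems.append(m.group("stem").lower())
    return stems


def cross_check(paths, program_files_dirs, threshold=0.8):
    """Compare the stems with folder names. A match ratio at or above the
    threshold means the names were derived from a directory listing."""
    stems = crack_stems(paths)
    folders = {d.lower() for d in program_files_dirs}
    matched = sorted(s for s in stems if s in folders)
    unmatched = sorted(s for s in stems if s not in folders)
    ratio = len(matched) / len(stems) if stems else 0.0
    verdict = ("names mirror Program Files folders: consistent with "
               "automatically generated files" if ratio >= threshold
               else "no clear folder-name pattern")
    return {"stems": len(stems), "matched": matched, "unmatched": unmatched,
            "ratio": round(ratio, 2), "verdict": verdict}


if __name__ == "__main__":
    result = cross_check(SAMPLE_PATHS, PROGRAM_FILES_DIRS)
    print(f"{len(result['matched'])}/{result['stems']} stems match a folder name")
    print("unmatched:", result["unmatched"])
    print("verdict:", result["verdict"])
```

A high ratio tells you the files were produced in bulk from the machine's own folder names, which supports treating them as artifacts of the infection rather than as downloads the user chose; it does not identify the malware, and the files themselves still belong in quarantine for the tools the analyst prescribes, not on the desktop.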
 
I already had MalWareBytes on my computer, but I updated it before doing this latest scan.

Here's the results:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4413

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

8/10/2010 12:27:41 PM
mbam-log-2010-08-10 (12-27-41).txt

Scan type: Quick scan
Objects scanned: 141173
Time elapsed: 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kvxqmtre (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\launch.vbs (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\logg.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me457652.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me493391.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me539874.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me619684.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me794827.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rebel\Local Settings\Temp\erase_me905652.exe (Trojan.Agent) -> Quarantined and deleted successfully.
 
Hi,

Let's do this.

Please download ATF Cleaner by Atribune to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.





Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot: RC1.png]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.
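What the analyst reads for in the ComboFix log that these instructions produce is the "Reg Loading Points" section: which programs are registered to start with Windows and where they live. The script below is an added example for this thread, not ComboFix's own code, showing that reading as explicit heuristics: an autorun target under the user profile (writable without admin rights), a core Windows binary name such as svchost.exe outside c:\windows or c:\windows\system32, a script or archive (.vbs, .jar, .bat ...) registered as a logon program, and EnableFirewall set to 0. SAMPLE_LOG is trimmed from the ComboFix log posted further down in the thread; the rule lists are my own assumptions about what a reviewer looks for, not ComboFix settings.

```python
"""Triage autorun entries from the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not ComboFix code. SAMPLE_LOG is trimmed
from the ComboFix output posted in the thread. The heuristics (user-writable
path, system-binary name outside the Windows directories, script or archive
registered as an autorun, firewall switched off) are assumptions about what a
reviewer checks by eye when reading such a log.
"""
import re

SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]

[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# '"name"=<rest>' value lines and bare 'c:\...' path lines.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
BARE_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Core Windows binary names: outside the Windows directories the name is a disguise.
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
SCRIPT_EXTS = {".vbs", ".js", ".bat", ".cmd", ".jar", ".wsf", ".hta"}
USER_PROFILE_ROOT = "c:\\documents and settings\\"


def path_reasons(path):
    """Return the list of heuristic hits for one autorun target path."""
    p = path.lower()
    directory, _, base = p.rpartition("\\")
    ext = base[base.rfind("."):] if "." in base else ""
    reasons = []
    if p.startswith(USER_PROFILE_ROOT):
        reasons.append("runs from a user-writable profile location")
    if base in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        reasons.append("system binary name outside the Windows directories")
    if ext in SCRIPT_EXTS:
        reasons.append(f"{ext} file registered as an autorun")
    return reasons


def triage(log_text):
    """Walk the REGEDIT4-style section and return (key, label, reasons)
    for every entry that trips at least one heuristic, in log order."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key header
            continue
        m = VALUE_RE.match(line)
        if m:
            name, rest = m.group("name"), m.group("rest").strip()
            if name.lower() == "enablefirewall":
                if rest.startswith("0"):
                    findings.append((key, name, ["Windows Firewall disabled for this profile"]))
                continue
            if not rest.startswith('"'):
                continue              # not a quoted path value
            path, label = rest[1:rest.find('"', 1)], name
        elif BARE_PATH_RE.match(line):
            path = line.split(" [", 1)[0]   # drop trailing '[BU]' / size annotations
            label = path.rpartition("\\")[2]
        else:
            continue
        reasons = path_reasons(path)
        if reasons:
            findings.append((key, label, reasons))
    return findings


if __name__ == "__main__":
    for key, label, reasons in triage(SAMPLE_LOG):
        print(f"[{key}]\n  {label}: {'; '.join(reasons)}")
```

Two of the four hits illustrate why this stays a triage aid and not a verdict. GoogleUpdate.exe trips the user-writable rule because Google's updater legitimately installs per user, so a location hit needs a second check (publisher signature or a known hash) before anything is removed. The other two, a .jar registered under a Windows-sounding name and an svchost.exe sitting in Application Data, are the shape of entry the analyst's later fix scripts target, and the EnableFirewall=0 line explains why the open-port entries in the same log matter.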
 
Okay, Combofix log first, then HJT.

ComboFix 10-08-09.03 - Rebel 08/10/2010 14:46:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1625 [GMT -4:00]
Running from: c:\documents and settings\Rebel\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users.WINDOWS\Application Data\hpe2E3.dll
c:\documents and settings\Rebel\Application Data\Microsoft\download.exe
c:\documents and settings\Rebel\Application Data\SQLite3.dll
C:\ntldr.exe
c:\program files\Internet Explorer\SET1F04.tmp
c:\program files\Internet Explorer\SET1F09.tmp
c:\windows\system\wizmo .exe
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lluuiaii.ini
c:\windows\system32\net.bat
c:\windows\system32\net.vbs
c:\windows\system32\Process.exe
c:\windows\system32\s4c.vbs
c:\windows\system32\simuwjmx.ini
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\wdbxuuef.ini
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-10 to 2010-08-10 )))))))))))))))))))))))))))))))
.

2010-08-04 05:19 . 2010-08-04 05:19 -------- d-----w- c:\program files\ERUNT
2010-07-30 00:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-30 00:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-30 00:52 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-30 00:52 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-30 00:52 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-30 00:52 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-30 00:52 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-30 00:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-29 22:13 . 2010-07-29 22:13 -------- d-----w- c:\program files\Trend Micro
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\program files\Alwil Software
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-07-21 19:28 . 2010-07-21 19:28 123041 ----a-w- C:\RunFirst.exe
2010-07-21 19:23 . 2010-07-22 22:03 456 ----a-w- c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 18:51 . 2008-10-07 20:33 -------- d-----w- c:\program files\DNA
2010-08-10 18:51 . 2008-10-07 20:33 -------- d-----w- c:\documents and settings\Rebel\Application Data\DNA
2010-08-10 16:13 . 2007-07-23 23:46 -------- d-----w- c:\documents and settings\Rebel\Application Data\BitTorrent
2010-08-04 17:25 . 2007-07-24 17:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 00:49 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\Rebel\Application Data\OnlineArmor
2010-07-29 22:07 . 2007-07-23 23:05 53104 ----a-w- c:\documents and settings\Rebel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-29 21:34 . 2009-09-07 23:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-29 21:33 . 2007-07-23 23:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-29 21:26 . 2005-08-24 11:14 -------- d-sh--r- c:\documents and settings\Rebel\Application Data\Winlog
2010-07-23 01:14 . 2009-09-12 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-06-28 02:54 . 2010-06-26 17:46 -------- d-----w- c:\program files\Cricket Broadband Connect
2010-06-28 02:54 . 2010-06-28 02:54 -------- d-----w- c:\program files\Avanquest update
2010-06-28 02:42 . 2010-06-26 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2010-06-28 02:08 . 2010-06-28 02:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
2010-06-28 01:54 . 2010-06-28 01:48 157142 ----a-w- c:\windows\hphins25.dat
2010-06-28 01:53 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2010-06-28 01:52 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP Product Assistant
2010-06-28 01:52 . 2007-09-13 16:14 -------- d-----w- c:\program files\HP
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\program files\Common Files\HP
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2010-06-26 17:46 . 2010-06-26 17:46 -------- d-----w- c:\program files\Common Files\Avanquest software Shared
2010-06-26 13:05 . 2009-12-15 16:29 -------- d-----w- c:\program files\Minefield
2010-06-26 03:57 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
2010-06-26 03:55 . 2009-03-14 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 01:51 . 2009-12-22 04:11 -------- d-----w- c:\documents and settings\Rebel\Application Data\mIRC
2010-06-02 20:31 . 2010-06-02 20:31 45024 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-28 11:34 . 2010-05-28 11:34 503808 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcp71.dll
2010-05-28 11:34 . 2010-05-28 11:34 499712 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\jmc.dll
2010-05-28 11:34 . 2010-05-28 11:34 348160 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-12-15 323392]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\desktop\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-01 13:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Desktop\\a-squared Free\\a2service.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20648:TCP"= 20648:TCP:*:Disabled:BitComet 20648 TCP
"20648:UDP"= 20648:UDP:*:Disabled:BitComet 20648 UDP
"58216:TCP"= 58216:TCP:Utorrent port
"32924:UDP"= 32924:UDP:utorrentport 2
"32924:TCP"= 32924:TCP:utorrentport3

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2010 8:53 PM 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/8/2009 10:14 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/8/2009 10:14 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/8/2009 10:14 PM 28872]
R2 a2free;a-squared Free Service;c:\desktop\a-squared Free\a2service.exe [3/8/2009 10:13 PM 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2010 8:53 PM 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/8/2009 10:14 PM 1402568]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys --> c:\windows\system32\DRIVERS\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys --> c:\windows\system32\DRIVERS\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys --> c:\windows\system32\DRIVERS\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys --> c:\windows\system32\DRIVERS\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys --> c:\windows\system32\DRIVERS\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys --> c:\windows\system32\DRIVERS\PTUMWVsp.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/8/2009 10:14 PM 3321032]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
.
Contents of the 'Scheduled Tasks' folder

2010-07-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003Core.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]

2010-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003UA.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rebel\Application Data\Mozilla\Firefox\Profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BidSlayer - (no file)
MSConfigStartUp-641f3ac0 - c:\windows\system32\wenabebi.dll
MSConfigStartUp-CPM672c095c - c:\windows\system32\fizelugo.dll
MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
MSConfigStartUp-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
MSConfigStartUp-MSMSGS - c:\program files\Messenger\msmsgs.exe
MSConfigStartUp-renemejiyi - c:\windows\system32\vitesona.dll
ActiveSetup-{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6} - c:\documents and settings\Rebel\Application Data\svchost.exe
AddRemove-Yahoo! Software Update - c:\progra~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
AddRemove-{1C336D20-A089-4818-9C56-96AD81BF5A11} - c:\program files\PANTECH\PANTECH USB Modem V2\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-10 14:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\BCMSMMSG.exe
c:\program files\Java\jre6\bin\javaw.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2010-08-10 14:56:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-10 18:56

Pre-Run: 77,047,287,808 bytes free
Post-Run: 77,218,811,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 59506FFE9124AF9EC36B7B78D679C653

HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 15:06:11, on 8/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Desktop\a-squared Free\a2service.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Desktop\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Java Runtime] "C:\Documents and Settings\Rebel\java.jar"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185296588953
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Desktop\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 6046 bytes
 
Hi,

Let's go over a few things.

Utorrent
BitTorrent DNA


You need to uninstall both of these programs from Add/Remove Programs in the Control Panel. When you use P2P programs, you're downloading those files from an unknown source; malware writers are jumping on the bandwagon and using programs like these to infect computers. You would be doing yourself a big favor by staying away from programs like these; they may be all or partially responsible for the lousy shape your computer was in. I know this ComboFix log is confusing to you, but if you look under the open ports section of the log you can see that your firewall is letting things in and out unhindered, anything these programs want to bring in. Why have a firewall? It's doing you no good :red:



Before we proceed, go and uninstall those programs and then do this. I am sure these files are bad, but I want to double check before we remove them.


You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit these files for analysis: just use the BROWSE feature and then Send File. You will get a report back; post the report into this thread for me to see. If the site says this file has already been checked, have them check it again.

C:\RunFirst.exe <--This file
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe <--This file
If the site is busy you can try this one

http://virusscan.jotti.org/en
 
I'm not sure how to get rid of those programs Ken. Earlier when you asked me to get rid of BitTorrent, I thought I had--I found it under "All Programs" in my Start Menu and clicked "Uninstall". I forgot completely about uTorrent but I figured BitTorrent would be gone.

I did manage to find "DNA" listed under Add/Remove Programs, so I removed that, but I didn't find anything in there about uTorrent. Yet even though I removed "DNA" there is still stuff from BitTorrent in my application data folder, and the same is true of uTorrent, but neither of them seems to have anything left in "Program Files". I deleted everything that I could find associated with them anywhere on my computer, and I also ran a search of my computer looking for them and deleted anything I could find, except those "-crack.exe" things. But how do I know for sure they are completely gone?

Excuse my lack of computer savvy, I just want to make sure I can figure out how to get rid of them completely before I do the next thing.
 
That's fine, it's important that you upload those files to be checked; we can remove the remnants of the P2P a bit later.

Those cracked programs may just have been renamed by malware; we can look into that later also.
 
The first one:

File name:
RunFirst.exe
Submission date:
2010-08-10 22:17:43 (UTC)
Current status:
queued (#70) queued (#70) analysing finished
Result:
2/ 41 (4.9%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.08.11.00 2010.08.10 -
AntiVir 8.2.4.34 2010.08.10 TR/Dropper.Gen
Antiy-AVL 2.0.3.7 2010.08.10 -
Authentium 5.2.0.5 2010.08.10 -
Avast 4.8.1351.0 2010.08.10 -
Avast5 5.0.332.0 2010.08.10 -
AVG 9.0.0.851 2010.08.10 -
BitDefender 7.2 2010.08.10 -
CAT-QuickHeal 11.00 2010.08.10 -
ClamAV 0.96.0.3-git 2010.08.10 -
Comodo 5708 2010.08.10 -
DrWeb 5.0.2.03300 2010.08.10 -
Emsisoft 5.0.0.37 2010.08.10 -
eSafe 7.0.17.0 2010.08.09 -
eTrust-Vet 36.1.7779 2010.08.10 -
F-Prot 4.6.1.107 2010.08.10 -
Fortinet 4.1.143.0 2010.08.10 -
GData 21 2010.08.10 -
Ikarus T3.1.1.87.0 2010.08.10 -
Jiangmin 13.0.900 2010.08.10 -
Kaspersky 7.0.0.125 2010.08.10 -
McAfee 5.400.0.1158 2010.08.10 -
McAfee-GW-Edition 2010.1 2010.08.10 -
Microsoft 1.6004 2010.08.10 -
NOD32 5356 2010.08.10 -
Norman 6.05.11 2010.08.10 -
nProtect 2010-08-10.01 2010.08.10 -
Panda 10.0.2.7 2010.08.10 -
PCTools 7.0.3.5 2010.08.10 -
Prevx 3.0 2010.08.11 Medium Risk Malware Dropper
Rising 22.60.01.04 2010.08.10 -
Sophos 4.56.0 2010.08.10 -
Sunbelt 6713 2010.08.10 -
SUPERAntiSpyware 4.40.0.1006 2010.08.10 -
Symantec 20101.1.1.7 2010.08.10 -
TheHacker 6.5.2.1.341 2010.08.10 -
TrendMicro 9.120.0.1004 2010.08.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.11 -
VBA32 3.12.12.8 2010.08.10 -
ViRobot 2010.8.9.3978 2010.08.10 -
VirusBuster 5.0.27.0 2010.08.10 -
Additional information
MD5 : 6aad4c91fbae9e7b890ca07383ae3e47
SHA1 : 2b667c51627442243e3caf2eb508294e0cabaa1b
SHA256: 397b29bf9b40465b502fec492adc1e490099e5e42721e03d8c4be3b18e519f40

The second one:

File name:
Run.exe
Submission date:
2010-08-10 22:29:49 (UTC)
Current status:
queued (#146) queued (#146) analysing finished
Result:
0/ 41 (0.0%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.08.11.00 2010.08.10 -
AntiVir 8.2.4.34 2010.08.10 -
Antiy-AVL 2.0.3.7 2010.08.10 -
Authentium 5.2.0.5 2010.08.10 -
Avast 4.8.1351.0 2010.08.10 -
Avast5 5.0.332.0 2010.08.10 -
AVG 9.0.0.851 2010.08.10 -
BitDefender 7.2 2010.08.10 -
CAT-QuickHeal 11.00 2010.08.10 -
ClamAV 0.96.0.3-git 2010.08.10 -
Comodo 5708 2010.08.10 -
DrWeb 5.0.2.03300 2010.08.10 -
Emsisoft 5.0.0.37 2010.08.10 -
eSafe 7.0.17.0 2010.08.09 -
eTrust-Vet 36.1.7779 2010.08.10 -
F-Prot 4.6.1.107 2010.08.10 -
Fortinet 4.1.143.0 2010.08.10 -
GData 21 2010.08.11 -
Ikarus T3.1.1.87.0 2010.08.10 -
Jiangmin 13.0.900 2010.08.10 -
Kaspersky 7.0.0.125 2010.08.10 -
McAfee 5.400.0.1158 2010.08.10 -
McAfee-GW-Edition 2010.1 2010.08.10 -
Microsoft 1.6004 2010.08.10 -
NOD32 5356 2010.08.10 -
Norman 6.05.11 2010.08.10 -
nProtect 2010-08-10.01 2010.08.10 -
Panda 10.0.2.7 2010.08.10 -
PCTools 7.0.3.5 2010.08.10 -
Prevx 3.0 2010.08.11 -
Rising 22.60.01.04 2010.08.10 -
Sophos 4.56.0 2010.08.10 -
Sunbelt 6713 2010.08.10 -
SUPERAntiSpyware 4.40.0.1006 2010.08.10 -
Symantec 20101.1.1.7 2010.08.10 -
TheHacker 6.5.2.1.341 2010.08.10 -
TrendMicro 9.120.0.1004 2010.08.10 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.11 -
VBA32 3.12.12.8 2010.08.10 -
ViRobot 2010.8.9.3978 2010.08.10 -
VirusBuster 5.0.27.0 2010.08.10 -

So VirusTotal doesn't show anything for the second one. I tried that one with http://virusscan.jotti.org/en and it didn't find anything either.
 
Let's look a bit deeper; there was one hit on the first one, but I am not a big fan of that site.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :file
    C:\RunFirst.exe
    c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 09:40 on 11/08/2010 by Rebel (Administrator - Elevation successful)

========== file ==========

C:\RunFirst.exe - File found and opened.
MD5: 6AAD4C91FBAE9E7B890CA07383AE3E47
Created at 19:28 on 21/07/2010
Modified at 19:28 on 21/07/2010
Size: 123041 bytes
Attributes: --a---
FileDescription:
FileVersion: 0.0.0.0
ProductVersion: 0.0.0.0
OriginalFilename: Win32.exe
InternalName: Win32.exe
LegalCopyright:

c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe - File found and opened.
MD5: 873FD1C1E069F4E21F0D18FB62FB9C79
Created at 19:23 on 21/07/2010
Modified at 22:03 on 22/07/2010
Size: 456 bytes
Attributes: --a---
No version information available.

-=End Of File=-
 
Let's get rid of them both, and after running CF again let me know how your system is running.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Collect::


Code:
Collect::
C:\RunFirst.exe
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe

Folder::
c:\program files\DNA
c:\documents and settings\Rebel\Application Data\DNA
c:\documents and settings\Rebel\Application Data\BitTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20648:TCP"=-
"20648:UDP"=- 
"58216:TCP"=-
"32924:UDP"=-
"32924:TCP"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
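An added example, not code from this thread or from ComboFix, showing what the firewall section Ken points to looks like to a script: it parses the firewallpolicy keys as ComboFix prints them, reports the disabled firewall, the P2P exemption and the globally open ports, and writes the Registry:: part of a CFScript in the same "=-" delete syntax. The log excerpt is constructed from the values shown in the thread.

```python
"""Triage of the Windows XP firewall-policy keys as ComboFix prints them.

Added example; it is not code from the forum thread or from ComboFix.
It reads the [HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\...]
blocks out of a log, reports the disabled firewall, the P2P exemptions and the
globally open ports, and writes the Registry:: part of a CFScript in the "=-"
(delete value) syntax used in the thread."""
import re

# Constructed excerpt in ComboFix's format, built from the values shown in the
# thread (EnableFirewall=0, the btdna.exe exemption, the ports in the CFScript).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Desktop\\a-squared Free\\a2service.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20648:TCP"=
"20648:UDP"=
"58216:TCP"=
"""

P2P_MARKERS = ("dna", "bittorrent", "utorrent")  # substrings of the P2P clients named in the thread
VALUE_RE = re.compile(r'"([^"]+)"\s*=\s*(.*)$')
PROFILE_KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"


def parse_firewall_policy(text):
    """Return {'enabled': bool or None, 'apps': [paths], 'ports': ['20648:TCP', ...]}."""
    policy = {"enabled": None, "apps": [], "ports": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line.lower()
            if "firewallpolicy" not in key:
                section = None
            elif key.endswith("authorizedapplications\\list]"):
                section = "apps"
            elif key.endswith("globallyopenports\\list]"):
                section = "ports"
            elif key.endswith("standardprofile]"):
                section = "profile"
            else:
                section = None
            continue
        match = VALUE_RE.match(line)
        if not match or section is None:
            continue
        name, value = match.group(1), match.group(2).strip()
        if section == "profile" and name.lower() == "enablefirewall":
            policy["enabled"] = value.startswith("1")
        elif section == "apps":
            # ComboFix doubles the backslashes in value names; undo that for the report
            policy["apps"].append(name.replace("\\\\", "\\"))
        elif section == "ports":
            policy["ports"].append(name)
    return policy


def is_p2p(path):
    return any(marker in path.lower() for marker in P2P_MARKERS)


def triage(policy):
    """Human-readable findings, one per problem a reviewer would call out."""
    findings = []
    if policy["enabled"] is False:
        findings.append("Windows Firewall standard profile is off (EnableFirewall=0)")
    for app in policy["apps"]:
        if is_p2p(app):
            findings.append("P2P client exempted from the firewall: " + app)
    for port in policy["ports"]:
        findings.append("Globally open port: " + port)
    return findings


def cfscript_registry_block(policy):
    """Registry:: block removing the P2P exemptions and every globally open port."""
    lines = ["Registry::"]
    apps = [app for app in policy["apps"] if is_p2p(app)]
    if apps:
        lines.append("[" + PROFILE_KEY + "\\AuthorizedApplications\\List]")
        # CFScript wants the backslashes doubled again, exactly as in the log
        lines.extend('"' + app.replace("\\", "\\\\") + '"=-' for app in apps)
        lines.append("")
    if policy["ports"]:
        lines.append("[" + PROFILE_KEY + "\\GloballyOpenPorts\\List]")
        lines.extend('"' + port + '"=-' for port in policy["ports"])
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_firewall_policy(SAMPLE_LOG)
    print("\n".join(triage(parsed)))
    print()
    print(cfscript_registry_block(parsed))
```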
 
ComboFix Log:


ComboFix 10-08-10.06 - Rebel 08/11/2010 10:32:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1580 [GMT -4:00]
Running from: c:\documents and settings\Rebel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rebel\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Bitdefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

file zipped: c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
file zipped: C:\RunFirst.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Rebel\Application Data\Microsoft\Run.exe
C:\RunFirst.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-10 21:35 . 2010-08-10 21:35 -------- d-----w- c:\documents and settings\Rebel\Application Data\U3
2010-08-10 19:03 . 2010-08-10 19:03 388096 ----a-r- c:\documents and settings\Rebel\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-04 05:19 . 2010-08-04 05:19 -------- d-----w- c:\program files\ERUNT
2010-07-30 00:53 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-07-30 00:53 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-07-30 00:52 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-07-30 00:52 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-07-30 00:52 . 2010-06-28 20:32 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-07-30 00:52 . 2010-06-28 20:32 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-07-30 00:52 . 2010-06-28 20:32 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-07-30 00:52 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-30 00:52 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-07-29 22:13 . 2010-07-29 22:13 -------- d-----w- c:\program files\Trend Micro
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\program files\Alwil Software
2010-07-29 20:04 . 2010-07-29 20:04 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-10 21:30 . 2007-09-13 16:14 -------- d-----w- c:\program files\HP
2010-08-10 21:12 . 2010-06-28 01:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\HP
2010-08-10 21:07 . 2010-06-26 17:46 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\BVRP Software
2010-08-10 21:07 . 2007-07-23 23:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 17:25 . 2007-07-24 17:48 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-30 00:49 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\Rebel\Application Data\OnlineArmor
2010-07-29 22:07 . 2007-07-23 23:05 53104 ----a-w- c:\documents and settings\Rebel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-29 21:34 . 2009-09-07 23:55 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
2010-07-29 21:26 . 2005-08-24 11:14 -------- d-sh--r- c:\documents and settings\Rebel\Application Data\Winlog
2010-07-23 01:14 . 2009-09-12 02:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2010-06-28 02:54 . 2010-06-28 02:54 -------- d-----w- c:\program files\Avanquest update
2010-06-28 02:08 . 2010-06-28 02:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\WEBREG
2010-06-28 01:51 . 2010-06-28 01:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2010-06-26 13:05 . 2009-12-15 16:29 -------- d-----w- c:\program files\Minefield
2010-06-26 03:57 . 2009-03-09 02:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
2010-06-26 03:55 . 2009-03-14 14:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-14 01:51 . 2009-12-22 04:11 -------- d-----w- c:\documents and settings\Rebel\Application Data\mIRC
2010-06-02 20:31 . 2010-06-02 20:31 45024 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-28 11:34 . 2010-05-28 11:34 503808 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcp71.dll
2010-05-28 11:34 . 2010-05-28 11:34 499712 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\jmc.dll
2010-05-28 11:34 . 2010-05-28 11:34 348160 ----a-w- c:\documents and settings\Rebel\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-392c5e37-n\msvcr71.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-10_18.52.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-11 13:24 . 2010-08-11 13:24 16384 c:\windows\Temp\Perflib_Perfdata_b4.dat
+ 2007-04-17 05:45 . 2009-08-06 23:24 44768 c:\windows\system32\wups2.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
+ 2010-08-10 18:54 . 2009-08-06 23:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2010-08-10 18:54 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-04 10:00 . 2010-08-10 21:31 71448 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2010-03-22 03:57 71448 c:\windows\system32\perfc009.dat
+ 2007-07-23 22:57 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
+ 2004-08-04 10:00 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
+ 2004-08-04 10:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\wuweb.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
+ 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
+ 2004-08-04 10:00 . 2010-08-10 21:31 441422 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2010-03-22 03:57 441422 c:\windows\system32\perfh009.dat
+ 2007-04-17 05:43 . 2009-08-06 23:23 215920 c:\windows\system32\muweb.dll
+ 2007-07-25 13:11 . 2009-08-06 23:23 274288 c:\windows\system32\mucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2007-07-23 22:57 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2004-08-04 10:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
+ 2007-07-23 22:57 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2010-08-10 19:03 . 2010-08-10 19:03 1094656 c:\windows\Installer\ace31.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-31 136176]
"Windows Java Runtime"="c:\documents and settings\Rebel\java.jar" [2010-07-23 18160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-03 45056]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\desktop\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-01 13:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=
"c:\\Desktop\\a-squared Free\\a2service.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/29/2010 8:53 PM 165456]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [3/8/2009 10:14 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [3/8/2009 10:14 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [3/8/2009 10:14 PM 28872]
R2 a2free;a-squared Free Service;c:\desktop\a-squared Free\a2service.exe [3/8/2009 10:13 PM 1872320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/29/2010 8:53 PM 17744]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [3/8/2009 10:14 PM 1402568]
S3 PTUMWBus;PANTECH USB Modem V2 Composite Device Driver;c:\windows\system32\DRIVERS\PTUMWBus.sys --> c:\windows\system32\DRIVERS\PTUMWBus.sys [?]
S3 PTUMWCDF;PANTECH USB Modem V2 Installation CD;c:\windows\system32\DRIVERS\PTUMWCDF.sys --> c:\windows\system32\DRIVERS\PTUMWCDF.sys [?]
S3 PTUMWFLT;PTUMWNET Filter Driver;c:\windows\system32\DRIVERS\PTUMWFLT.sys --> c:\windows\system32\DRIVERS\PTUMWFLT.sys [?]
S3 PTUMWMdm;PANTECH USB Modem V2 Modem Driver;c:\windows\system32\DRIVERS\PTUMWMdm.sys --> c:\windows\system32\DRIVERS\PTUMWMdm.sys [?]
S3 PTUMWNET;PANTECH USB Modem V2 WWAN Driver;c:\windows\system32\DRIVERS\PTUMWNET.sys --> c:\windows\system32\DRIVERS\PTUMWNET.sys [?]
S3 PTUMWVsp;PANTECH USB Modem V2 Diagnostic Port;c:\windows\system32\DRIVERS\PTUMWVsp.sys --> c:\windows\system32\DRIVERS\PTUMWVsp.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [3/8/2009 10:14 PM 3321032]

--- Other Services/Drivers In Memory ---

*Deregistered* - BMLoad

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{D0BEBE8C-F1C4-BF41-7FA8-EECECBFECCF6}]
c:\documents and settings\Rebel\Application Data\svchost.exe [BU]
.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003Core.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1229272821-1409082233-725345543-1003UA.job
- c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 17:05]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Rebel\Application Data\Mozilla\Firefox\Profiles\3idjaz6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - plugin: c:\documents and settings\Rebel\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-11 10:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-11 10:38:22
ComboFix-quarantined-files.txt 2010-08-11 14:38
ComboFix2.txt 2010-08-10 18:56

Pre-Run: 77,736,235,008 bytes free
Post-Run: 77,725,990,912 bytes free

- - End Of File - - 4B72D0990FA5E47324CCCF815D64D4C5

HJT Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:36, on 8/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Desktop\a-squared Free\a2service.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Desktop\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rebel\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Windows Java Runtime] "C:\Documents and Settings\Rebel\java.jar"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Desktop\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1185296588953
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Desktop\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5837 bytes

One thing to note, Ken, after Combofix ran it wanted to do some kind of analysis online, but at the time, my internet connection wasn't working (which I didn't realize until then), so it told me to try again later, and that a file or something had been created somewhere that would allow me to do this analysis later. Is this something I need to do? If so, where would I find this file and what would I do in order to do this analysis?
 
Not sure, it may have wanted to analyze the files we removed.

Is your internet working now OK?

You posted the original Combofix log; I need to see the one you just ran.

C:\Combofix.txt <-- It should be here; post the one with today's date.