Multiple iexplorer.exe processes running. Thanks


grimaceivxx

Hello, thanks in advance for the help again... haha. First off, I have Avira Free Edition and AVG. The other day Avira blocked some malware; I kept getting notifications of a threat blocked and ran the scan with that, which found some hidden objects but nothing really... then an I.E. window popped up with some fake game sites etc... that only happened one time. I then ran Spybot and it found many cookie and tracker entries, no Trojans or what appeared to be threats; ran it again and it said nothing was found, BUT when I view my processes in the Task Manager I have up to 7 iexplorer.exe processes running and they are eating up memory, and that is obviously a sign of a problem. Thanks again.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Grimace at 15:46:10.91 on Tue 07/13/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1018 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
svchost.exe 4
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgemc.exe
svchost.exe 4
C:\Windows\system32\WUDFHost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Grimace\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\users\grimace\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\grimace\appdata\roaming\mozilla\firefox\profiles\0oy2l2qs.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/\r
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-6 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-6 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-6 242896]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-4-21 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-4-21 267432]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-3-14 916760]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-14 308064]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-4-21 60936]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-7-12 1153368]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000va.sys [2010-7-5 836384]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2004-10-6 283904]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2010-1-5 43392]
S3 dhdusb.NTx86;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\drivers\bcmusbdhdlh.sys [2010-3-18 238072]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-1-6 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-13 06:14:03 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-07-13 04:13:13 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-13 04:13:13 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-05 22:32:16 836384 ----a-w- c:\windows\system32\drivers\ae1000va.sys
2010-07-05 22:31:52 0 d-----w- c:\programdata\Cisco Systems
2010-07-03 10:08:36 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-07-03 10:08:34 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-07-03 10:08:34 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-07-03 10:08:14 0 d-----w- c:\users\grimace\appdata\roaming\TuneUp Software
2010-07-03 10:07:40 0 d-----w- c:\program files\TuneUp Utilities 2010
2010-07-03 10:06:44 0 d-----w- c:\programdata\TuneUp Software
2010-07-03 10:06:38 0 d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-07-01 06:47:07 0 d-----w- c:\users\grimace\.BayPhoto
2010-07-01 06:46:53 0 d-----w- c:\users\grimace\.roescache
2010-06-24 05:57:26 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 05:57:25 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 05:57:25 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 05:57:25 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 05:57:25 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 05:55:56 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-24 05:55:56 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-18 07:15:15 0 d-----w- c:\program files\iPod
2010-06-18 07:09:51 0 d-----w- c:\program files\Bonjour
2010-06-13 23:58:10 0 d-----w- c:\programdata\Google
2010-06-13 23:53:36 0 d-----w- c:\users\grimace\appdata\roaming\GetRightToGo

==================== Find3M ====================

2010-07-05 22:32:46 86016 ----a-w- c:\windows\inf\infstor.dat
2010-07-05 22:32:46 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-05 22:32:45 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-03 02:24:37 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-18 23:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13:48 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:06:46 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 05:06:46 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 05:06:46 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-04-23 14:13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-20 03:47:44 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-07 10:45:46 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-07 05:12:59 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-01-07 03:30:46 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-02-21 19:49:52 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:47:44.73 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 1/4/2010 8:54:36 PM
System Uptime: 7/13/2010 3:38:16 PM (0 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz | Microprocessor | 1795/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 932 GiB total, 733.968 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable

==== Disabled Device Manager Items =============

Class GUID: {ff646f80-8def-11d2-9449-00105a075f6b}
Description: pcouffin device ...
Device ID: ROOT\PCOUFFIN\0000
Manufacturer:
Name: pcouffin device ...
PNP Device ID: ROOT\PCOUFFIN\0000
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
Avira AntiVir Personal - Free Antivirus
Bay Photo
Bonjour
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DVDFab Platinum 4.0.3.6 Beta Registered by AxMan
Dynex Wireless G USB Network Adapter Setup
ERUNT 1.1j
GIMP 2.6.8
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java(TM) 6 Update 17
LimeWire 5.5.8
Logitech Desktop Messenger
Logitech QuickCam Driver Package
Logitech Vid
Logitech Webcam Software
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.6)
MSVCRT
NVIDIA Drivers
QuickTime
Security Update for CAPICOM (KB931906)
Spybot - Search & Destroy
TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.0.3
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

7/8/2010 6:50:59 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SENS service.
7/7/2010 7:13:46 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MIKE-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7251C68D-ABF4-49F2-8D3D-CFB903282A. The master browser is stopping or an election is being forced.
7/13/2010 2:58:36 PM, Error: EventLog [6008] - The previous system shutdown at 2:57:09 PM on 7/13/2010 was unexpected.
7/12/2010 8:09:18 PM, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
7/12/2010 6:45:35 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.51 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 6:37:49 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.50 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 6:36:14 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.5 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 6:21:32 PM, Error: bowser [8003] - The master browser has received a server announcement from the computer MAC002241304566 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{7251C68D-ABF4-49F2-8D3D-CF. The master browser is stopping or an election is being forced.
7/12/2010 6:21:25 PM, Error: iaStorV [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
7/12/2010 1:04:40 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy41.
7/12/2010 1:04:34 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy37.
7/12/2010 1:04:22 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy36.
7/12/2010 1:04:16 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy35.
7/12/2010 1:04:09 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy34.
7/12/2010 1:04:01 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy31.
7/12/2010 1:03:55 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy28.
7/12/2010 1:03:50 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy27.
7/12/2010 1:03:45 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy26.
7/11/2010 3:46:24 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 10.0.0.3 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 2:36:02 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.10 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 10.0.0.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 2:23:02 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.4 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 10:32:31 PM, Error: EventLog [6008] - The previous system shutdown at 10:30:03 PM on 7/11/2010 was unexpected.
7/11/2010 1:19:46 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.112 for the Network Card with network address 00259CF8202D has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
7/11/2010 1:16:29 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.

==== End Of File ===========================
 
Heya Shelf, I do still need assistance, yes... I'm close to just wiping it all, but I'd really prefer not to, ya know? Anyways, yes please, your help would be much appreciated; I've got Trojans and all kinds of nastiness going on... thanks again.
 
Ok. Let's see if Malwarebytes can dig up anything. Also, you can uninstall one of your AVs, AVG or Avast, via the Add/Remove Programs panel. Two is not better than one with AV.

Run Malwarebytes and see if your malware signs improve by browsing a few web pages.

If so --> just post the Malwarebytes log.

If not --> we will use ComboFix. There is a guide to read first. Read the guide, then apply the directions on your own machine. Post the ComboFix log along with the Malwarebytes log.

Guide to using Combofix
 
Thanks for the speedy reply. Yeah, found a trojan in a file for something I should know better than to dl, and I still have many iexplorer.exe files running in the background, and my computer has a lot of trouble trying to shut down etc. Anyway....

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4334

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

7/20/2010 11:14:52 PM
mbam-log-2010-07-20 (23-14-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 283618
Time elapsed: 1 hour(s), 17 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Grimace\Documents\Downloads\TuneUP.Utilities.2010.Incl.Serial.WinAll-iND\keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.

ComboFix 10-07-20.03 - Grimace 07/20/2010 23:56:12.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1007 [GMT -7:00]
Running from: c:\users\Grimace\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Grimace\AppData\Roaming\inst.exe
c:\users\Grimace\AppData\Roaming\Microsoft\~DFK955d9c.tmp
c:\users\Grimace\AppData\Roaming\Microsoft\~DFK98e745.tmp
c:\users\Grimace\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\Grimace\AppData\Roaming\Microsoft\bass.dll
c:\users\Grimace\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\Grimace\AppData\Roaming\Microsoft\mjcriu.dll
c:\users\Grimace\AppData\Roaming\Microsoft\peaadje.dll
c:\users\Grimace\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\Grimace\AppData\Roaming\Microsoft\rsaadjd.dll
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-06-21 to 2010-07-21 )))))))))))))))))))))))))))))))
.

2010-07-21 06:48 . 2010-07-21 06:52 -------- d-----w- C:\32788R22FWJFW
2010-07-21 04:36 . 2010-07-21 04:36 -------- d-----w- c:\users\Grimace\AppData\Roaming\Malwarebytes
2010-07-21 04:36 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-21 04:36 . 2010-07-21 04:36 -------- d-----w- c:\programdata\Malwarebytes
2010-07-21 04:36 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-21 04:36 . 2010-07-21 06:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 05:55 . 2010-07-20 05:55 -------- d-----w- c:\program files\iPod
2010-07-13 22:44 . 2010-07-13 22:44 -------- d-----w- c:\program files\ERUNT
2010-07-13 04:13 . 2010-07-13 06:08 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-13 04:13 . 2010-07-13 04:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-12 05:37 . 2010-07-12 05:37 -------- d-----w- c:\users\test\AppData\Roaming\Avira
2010-07-12 05:29 . 2010-07-12 05:29 -------- d-----w- c:\users\test\AppData\Roaming\TuneUp Software
2010-07-12 04:06 . 2010-07-12 04:06 0 ----a-w- c:\windows\nsreg.dat
2010-07-05 22:32 . 2010-02-12 20:36 836384 ----a-w- c:\windows\system32\drivers\ae1000va.sys
2010-07-05 22:31 . 2010-07-05 22:31 -------- d-----w- c:\programdata\Cisco Systems
2010-07-03 10:08 . 2009-10-30 22:08 29512 ----a-w- c:\windows\system32\TURegOpt.exe
2010-07-03 10:08 . 2009-10-30 22:01 21320 ----a-w- c:\windows\system32\authuitu.dll
2010-07-03 10:08 . 2009-10-30 22:01 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-07-03 10:08 . 2010-07-03 10:08 -------- d-----w- c:\users\Grimace\AppData\Roaming\TuneUp Software
2010-07-03 10:07 . 2010-07-03 10:08 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-07-03 10:06 . 2010-07-03 10:07 -------- d-----w- c:\programdata\TuneUp Software
2010-07-03 10:06 . 2010-07-03 10:06 -------- d-sh--w- c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-07-01 06:47 . 2010-07-01 06:53 -------- d-----w- c:\users\Grimace\.BayPhoto
2010-07-01 06:46 . 2010-07-01 06:53 -------- d-----w- c:\users\Grimace\.roescache
2010-06-24 06:05 . 2010-06-24 06:05 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 05:57 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 05:57 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 05:57 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 05:57 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 05:57 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 05:55 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 05:55 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 06:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-21 04:02 . 2010-01-07 04:07 -------- d-----w- c:\programdata\avg9
2010-07-21 03:54 . 2010-07-21 03:54 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-07-21 03:53 . 2010-07-21 03:53 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-07-21 03:53 . 2010-07-21 03:53 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2010-07-21 03:53 . 2010-07-21 03:53 921440 ----a-w- c:\programdata\avg9\update\backup\avgemc.exe
2010-07-21 03:53 . 2010-07-21 03:53 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-20 05:55 . 2010-05-22 18:30 -------- d-----w- c:\program files\iTunes
2010-07-20 05:55 . 2010-01-06 07:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 05:51 . 2010-07-20 05:51 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-17 22:13 . 2010-01-07 05:35 -------- d-----w- c:\users\Grimace\AppData\Roaming\uTorrent
2010-07-17 02:35 . 2010-07-17 02:35 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-07-17 02:35 . 2010-07-17 02:35 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-07-17 02:34 . 2010-07-17 02:34 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-07-17 02:34 . 2010-07-17 02:34 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-07-17 02:34 . 2010-07-17 02:34 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-07-17 02:34 . 2010-07-17 02:34 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-07-12 05:28 . 2010-07-12 05:28 49168 ----a-w- c:\users\test\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-03 10:08 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-07-01 05:26 . 2010-01-06 06:50 -------- d-----w- c:\users\Grimace\AppData\Roaming\vlc
2010-06-23 07:26 . 2010-01-10 07:27 -------- d-----w- c:\users\Grimace\AppData\Roaming\LimeWire
2010-06-18 07:09 . 2010-06-18 07:09 -------- d-----w- c:\program files\Bonjour
2010-06-14 00:57 . 2010-01-09 03:19 -------- d-----w- c:\program files\Google
2010-06-13 23:57 . 2010-01-10 10:57 -------- d-----w- c:\program files\Yahoo!
2010-06-13 23:54 . 2010-06-13 23:53 -------- d-----w- c:\users\Grimace\AppData\Roaming\GetRightToGo
2010-06-13 21:14 . 2010-05-07 06:06 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-06-13 21:14 . 2010-05-07 06:02 -------- d-----w- c:\programdata\DivX
2010-06-13 21:14 . 2010-06-13 21:14 56997 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-06-13 21:14 . 2010-06-13 21:14 56765 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-06-13 21:14 . 2010-01-09 03:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-06-13 21:14 . 2010-01-09 03:19 -------- d-----w- c:\program files\DivX
2010-06-13 21:14 . 2010-06-13 21:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-06-13 21:14 . 2010-06-13 21:14 57715 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54644 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-06-13 21:13 . 2010-06-13 21:13 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-06-13 21:12 . 2010-05-07 06:06 1062184 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-06-13 21:12 . 2010-05-07 06:06 895256 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-06-10 07:50 . 2010-02-04 07:56 -------- d-----w- c:\program files\DVDFab Platinum 4
2010-06-05 23:42 . 2010-01-22 04:57 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-09 02:40 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 02:40 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 02:35 . 2010-01-05 09:22 -------- d-----w- c:\programdata\NVIDIA
2010-05-21 21:14 . 2010-01-05 06:36 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-07 06:05 . 2010-05-07 06:05 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-05-07 06:05 . 2010-05-07 06:05 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-05-04 05:59 . 2010-06-09 02:39 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 02:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 02:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 02:39 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-09 02:39 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 05:06 . 2010-04-29 05:06 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-29 05:06 . 2010-04-29 05:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-04-29 05:06 . 2010-04-29 05:06 1060864 ----a-w- c:\windows\system32\MFC71.dll
2010-04-23 14:13 . 2010-05-27 02:54 2048 ----a-w- c:\windows\system32\tzres.dll
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Grimace^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Grimace^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\users\Grimace\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-16 14:41 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2009-07-16 23:35 5458704 ----a-w- c:\program files\Logitech\Logitech Vid\Vid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2009-10-14 21:36 2793304 ----a-w- c:\program files\Logitech\Logitech WebCam Software\LWS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-11-10 23:39 5244216 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-27 00:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-04-14 10:33 13687328 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-04-14 10:33 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 04:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 12:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):50,24,0f,40,84,8f,ca,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-896808877-2054827027-2505662573-1000]
"EnableNotificationsRef"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2004-10-06 283904]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-03-16 43392]
R3 dhdusb.NTx86;Dynex Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\bcmusbdhdlh.sys [2008-01-08 238072]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2009-10-30 1021256]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\DRIVERS\ae1000va.sys [2010-02-12 836384]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-07-21 c:\windows\Tasks\User_Feed_Synchronization-{3F263493-9286-4D04-9058-1926A0A96C40}.job
- c:\windows\system32\msfeedssync.exe [2010-06-09 04:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\users\Grimace\AppData\Roaming\Mozilla\Firefox\Profiles\0oy2l2qs.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/\r
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ANIWZCS2Service - c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
MSConfigStartUp-D-Link AirPlus XtremeG - c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
MSConfigStartUp-LogitechCommunicationsManager - c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,be,f0,84,01,43,cb,49,b3,b4,14,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7a,be,f0,84,01,43,cb,49,b3,b4,14,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\WUDFHost.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2010-07-21 00:14:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-21 07:14

Pre-Run: 772,156,325,888 bytes free
Post-Run: 772,248,948,736 bytes free

- - End Of File - - BBBAEF364A69327283E4309CA6B726EF
:thanks:
 
OK, good. We will get one more download to use. It's called RootRepeal:


Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply

FYI: cracks, keygens etc are very popular for carrying malware payloads.
 
Hello... soo I was trying all night to run the RootRepeal program but was unsuccessful; that link you posted was bad, I got a 403 error when navigating to it. Googled them, got the program up, but it would freeze or just shut down. Sometimes a dialog box would pop up after 30 min or so of scanning, but it would really just be the outline of a dialog box; it would actually show up as my desktop image but with the outline of a box... like it wasn't loading all the way, sigh.. :confused: Any other idears? Kaspersky or something? Thanks very much for taking the time to help a brother out! :bigthumb:
 
I guess that link is no good anymore. Before going on, how is your machine running now? Any more popups, redirects etc.?
 
Hey... machine is running so so; it won't shut down or restart properly but, navigating the web seems to be almost normal, still a little clunky. Today when I went to start it up the desktop never appeared, just the white cursor from the mouse against the black background :confused: shut it off and it came back. Avira was doing a scan and found a virus in a Java temp folder... still a lot of the explorer processes running... I've attached a screen shot of my processes from task manager.
 
Did you uninstall one of your antivirus apps?

The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy41.
7/12/2010 1:04:34 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume \Device\HarddiskVolumeShadowCopy37.

See this link

Do you have several tabs open in Internet Explorer?
Reboot your machine and don't use Internet Explorer. Wait 5 or so minutes, then check task manager and see if IE is running "on its own".
 
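Reading a ComboFix log by eye for the two things worth checking here (Internet Explorer processes the user did not start, and the "EnableLUA"= 0 policy entry that appears in the log earlier in this thread, meaning UAC is switched off) can be automated. The script below is an added example written for this page; it is not part of the thread and not ComboFix code. The sample log is constructed from lines quoted earlier in this thread, and the section-header and image-path patterns are assumptions about the log layout, not a documented format.

```python
"""Triage a ComboFix-style log for repeated process images and UAC state.
Added example for this thread; not ComboFix code. The header/path patterns
below are assumptions about the log layout."""
import re
from collections import Counter

# Section headers look like "------- Other Running Processes -------",
# "(((( Reg Loading Points ))))" or "===== Running Processes =====".
SECTION_RE = re.compile(r"^[-(=]{3,}\s*(.*?)\s*[-)=]{3,}$")
# Process lines: a drive-letter path ending in an image name, optional arguments.
IMAGE_RE = re.compile(r"^([a-z]:\\.+?\.(?:exe|dll|sys))(?:\s+.*)?$", re.IGNORECASE)
# Policy line: "EnableLUA"= 0 (0x0)
ENABLE_LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*(\d+)')

PROCESS_SECTIONS = {"running processes", "other running processes"}


def triage_log(text: str, repeat_threshold: int = 2) -> dict:
    """Count images in the process sections, flag those repeated at least
    repeat_threshold times, and report whether UAC (EnableLUA) is disabled."""
    counts: Counter = Counter()
    uac_disabled = False
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()   # remember which section we are in
            continue
        if section in PROCESS_SECTIONS:
            m = IMAGE_RE.match(line)
            if m:
                image = m.group(1).rsplit("\\", 1)[-1].lower()
                counts[image] += 1
        m = ENABLE_LUA_RE.match(line)
        if m and int(m.group(1)) == 0:
            uac_disabled = True
    repeated = {img: n for img, n in counts.items() if n >= repeat_threshold}
    return {"process_counts": dict(counts), "repeated": repeated, "uac_disabled": uac_disabled}


# Constructed sample, assembled from lines quoted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
"""

if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    for image, n in result["repeated"].items():
        print(f"{image} appears {n} times in the process list; check whether the user opened them")
    if result["uac_disabled"]:
        print("EnableLUA is 0: UAC is disabled on this machine")
```

A repeated image is a prompt, not a verdict: the reply above asks the user to confirm that IE is running without having been opened, which is exactly the check the count cannot do on its own. The UAC flag is independent of the malware question but matters for clean-up, since with EnableLUA at 0 every program runs with the user's full rights.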
Hey shelf... errrgg did the disk check yesterday, took about 5 or 6 hours; when I went back to my computer it was off so I switched it on and after I signed in I received a notification saying Windows is recovering from an unexpected shutdown... so I'm not sure what happened, I'll try to run it again today. Computer is running terrible though, Firefox wouldn't open today, it said it was running in the processes but the browser would never open, restarted many times, nothing, finally turned it off, waited a bit and it worked. But yes I did uninstall AVG so I am running only 1 antivirus app. I am still having many of the iexplorer.exe files running and now something is odd, I have 15 svchost.exe processes running, I don't think I've ever had that many at once before but, I may be mistaken? Thanks, have a good weekend.
 
We will get two downloads the first is Gmer:
You can follow the directions posted here at step number 8. Post the gmer log.

Next is MBRCheck.exe:

Please download MBRcheck.exe to your desktop:

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post the log.
 
Hi Shelf... soo still having problems trying to run these rootkit programs; I wasn't able to run that first one a while ago and now this one keeps freezing up and shutting down right when it attempts to scan something labeled "shadow copy", right when it changes to that it locks up :confused: here is the MBR log though, it seemed small but that's all there was?... (that's what she said) :laugh: :fear:
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:
 
that's all there was?

the MBRcheck log is pretty short compared to other logs.

We need to write a new master boot record to your drive.
We will use the recovery console to do it.
---------------------------
I removed the instructions which are for XP. The RC is a little different in Vista. I will post back.
 
Wow really?? Do you think that was something caused by the virus or some other problem that occurred? Everything was running good up until I got that ish! Anyways thanks again Mr Life... or Mrs I guess??? :rockon:
 
Do you think that was something caused by the virus or some other problem that occurred?
Yes, caused by on-board malware. Rather than the Vista Recovery Environment we will use the options in the tool itself to write a new master boot record:

Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
again at the bottom of the screen it will say:

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

This time around just continue with the options;
Enter 'Y' and click enter:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 0
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 3

Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes

Done! Press ENTER to exit...

If your machine doesn't reboot on its own, please restart it.
Boot up normally, back at the windows desktop rerun MBRcheck.exe

Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).

It will open a black window, please do not fix anything this time (if it gives you an option).

Exit that window and it will produce a log (MBRCheck_date_time).
Please post that log when you reply.
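MBRCheck's verdict concerns the boot code in sector 0, the first 440 bytes of the disk; the NT disk signature and the four partition table entries that follow it differ legitimately from disk to disk. The script below is an added example written for this page, not MBRCheck's code and not anything posted in this thread: it parses a raw 512-byte dump (the kind option [1] "Dump the MBR of a physical disk to file" produces), validates the 0x55AA boot signature, decodes the partition table, hashes the boot code, and diffs it against a dump taken from a known-clean machine of the same Windows version. The two sample sectors, the 0x12345678 disk signature and the "clean" boot-code bytes are constructed stand-ins, not real Vista boot code.

```python
"""Inspect and compare raw 512-byte MBR dumps.
Added example for this thread; not MBRCheck code. All sample bytes are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0-439: executable boot code
DISK_SIG_OFFSET = 440          # bytes 440-443: NT disk signature (444-445 normally zero)
PART_TABLE_OFFSET = 446        # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; LBA fields are little-endian 32-bit."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
        "empty": ptype == 0 and sectors == 0,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and split it into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    (disk_sig,) = struct.unpack("<I", sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])
    entries = [
        parse_partition_entry(sector[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": entries,
    }


def is_valid_mbr(sector: bytes) -> bool:
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def compare_boot_code(suspect: bytes, baseline: bytes) -> dict:
    """Diff only the boot-code region. Disk signature and partition table are expected
    to differ between machines, so they are deliberately excluded from the comparison."""
    a, b = suspect[:BOOT_CODE_LEN], baseline[:BOOT_CODE_LEN]
    diff_offsets = [i for i in range(BOOT_CODE_LEN) if a[i] != b[i]]
    return {"matches": not diff_offsets, "diff_offsets": diff_offsets}


def load_dump(path: str) -> bytes:
    """Read a raw sector dump such as the file MBRCheck option [1] writes."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# ---- constructed sample data (not taken from any real disk) ----
def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a syntactically valid MBR with one bootable type-0x07 partition at LBA 2048."""
    assert len(boot_code) == BOOT_CODE_LEN
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    return boot_code + disk_sig + part0 + b"\x00" * 48 + BOOT_SIGNATURE


# Stand-in for a baseline dumped from a known-clean machine: a few opcodes, then NOP padding.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
# The same code with its first three bytes overwritten, standing in for a modified boot sector.
TAMPERED_BOOT_CODE = b"\xff\xff\xff" + CLEAN_BOOT_CODE[3:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)

if __name__ == "__main__":
    info = parse_mbr(TAMPERED_MBR)
    print("boot code sha256:", info["boot_code_sha256"])
    for i, p in enumerate(info["partitions"]):
        if not p["empty"]:
            print(f"partition {i}: type 0x{p['type']:02x} bootable={p['bootable']} "
                  f"lba={p['lba_start']} sectors={p['sectors']}")
    result = compare_boot_code(TAMPERED_MBR, CLEAN_MBR)
    print("matches baseline:", result["matches"], "differing offsets:", result["diff_offsets"])
```

Taking a dump before running option [2] and another afterwards, then comparing the two with `compare_boot_code`, shows exactly which bytes the repair changed and confirms the partition table came through unchanged; the before-dump is also the artifact to keep if the infection is to be analysed later.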
 
Okay thanks a lot again, I really really appreciate this. I work CS for a company and I do tech support etc. for our programs and stuff so I kinda know what you're going through but, not really, but I do really appreciate it and I did donate enough to probably buy like 5 or so 40oz hahah thanks again :bigthumb:
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:
 
You're welcome. That log looks just like the first one you posted. Did you copy/paste the first (older) one in by mistake?

Run MBRcheck again and the txt file it generates on your desktop should have the current date and time stamp in its name.
 
Hey here is a fresh one, just did it but, looks the same? I dunno :confused:
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:
 
The two logs are the same. OK, we will do two things:

One is you can run combofix again and post its log. It has probably been updated by now and will prompt you to update it when you launch it.

Two: we will use RootRepeal. Before you run it temporarily disable your Antivirus and any anti-malware app that may be running.

Please download: RootRepeal

http://ad13.geekstogo.com/RootRepeal.exe

Click the icon on your desktop to start.
Click on the Report tab at the bottom of the window
Next, Click on the Scan button
In the Select Scan Window check everything:

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click the OK button
In the next dialog window select all the drives that are listed
Click OK to start the scan

May take some time to complete.
When done click the Save Report button.
Save the report to your desktop
To Exit RootRepeal: click File>Exit
Post the report in your reply


soo still having problems trying to run these rootkit programs
What are you trying to run? Some software emulators can cause problems with these apps.
 