Here you go! Thanks again!
ComboFix 09-11-27.07 - Don 11/28/2009 8:47.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2632 [GMT -8:00]
Running from: c:\documents and settings\Don\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\autorun.inf
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchAssistant.dll
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\ToolBarBHO.dll
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\windows\ekemutokaratiqe.dll
c:\windows\run.log
c:\windows\system32\2306024.exe
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\system volume information\_restore{63A83696-D3B1-49B2-B970-71CBE9E79BD0}\RP247\A0110503.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-28 )))))))))))))))))))))))))))))))
.
2009-11-28 16:53 . 2008-04-14 12:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-28 16:53 . 2008-04-14 12:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-27 22:38 . 2009-11-27 22:38 -------- d-----w- c:\program files\Trend Micro
2009-11-26 01:15 . 2009-11-06 16:51 2064152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-11-26 01:15 . 2009-11-02 17:57 3513624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-11-26 01:15 . 2009-11-02 17:57 2028312 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-11-24 16:00 . 2009-11-24 16:00 53760 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL
2009-11-24 16:00 . 2009-11-24 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SP
2009-11-23 15:38 . 2009-11-23 15:38 -------- d-----w- c:\documents and settings\Don\Local Settings\Application Data\{9830D2C5-7C79-41C5-969C-3D9F7E97BD0D}
2009-11-20 20:29 . 2009-11-20 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-20 20:29 . 2009-11-20 20:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-20 20:27 . 2009-11-20 20:27 117760 ----a-w- c:\documents and settings\Don\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-20 20:27 . 2009-11-20 20:27 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-20 20:27 . 2009-11-20 20:27 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-20 20:27 . 2009-11-20 20:27 -------- d-----w- c:\documents and settings\Don\Application Data\SUPERAntiSpyware.com
2009-11-20 01:37 . 2004-04-15 05:11 242840 ----a-w- c:\windows\system32\GDI TeletextServer.dll
2009-11-20 01:37 . 2004-01-03 01:29 339968 ----a-w- c:\windows\system32\mpeg2enc.dll
2009-11-20 01:37 . 2003-06-28 22:34 69707 ----a-w- c:\windows\system32\DISP_OPT1.dll
2009-11-20 01:37 . 1998-06-18 02:44 929844 ----a-w- c:\windows\system32\MFC42D.DLL
2009-11-20 01:37 . 1998-06-17 08:00 385100 ----a-w- c:\windows\system32\MSVCRTD.DLL
2009-11-18 22:41 . 2009-11-18 22:41 -------- d-----w- c:\program files\JRE
2009-11-18 22:40 . 2009-11-18 22:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-16 18:41 . 2009-11-16 18:41 -------- d-----w- c:\documents and settings\Don\Local Settings\Application Data\{799FCEF6-870A-454D-A1AD-7CC39161BE85}
2009-11-13 22:52 . 2009-11-13 22:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-11-13 18:07 . 2009-11-13 18:06 147456 --sh--r- C:\pxev.exe
2009-11-13 15:58 . 2009-11-13 15:58 -------- d-----w- c:\documents and settings\Don\Local Settings\Application Data\{22400F1B-A246-4997-83B4-BD1963E86E19}
2009-11-11 01:36 . 2009-11-11 02:12 -------- d-----w- c:\program files\DScaler
2009-11-09 19:37 . 2009-11-10 05:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-09 18:53 . 2009-11-09 20:16 -------- d-----w- c:\documents and settings\Don\Local Settings\Application Data\xxvqof
2009-11-08 02:29 . 2009-11-08 02:29 -------- d-----w- c:\documents and settings\Don\Application Data\Malwarebytes
2009-11-08 02:29 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:29 . 2009-11-08 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 02:29 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 02:29 . 2009-11-08 02:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 01:06 . 2009-11-28 16:27 120 ----a-w- c:\windows\Rnayak.dat
2009-11-08 01:06 . 2009-11-28 16:27 0 ----a-w- c:\windows\Xhitah.bin
2009-11-08 01:06 . 2009-11-08 01:06 -------- d-----w- c:\documents and settings\Don\Local Settings\Application Data\{A42A97C1-1509-481F-97FF-37F073F7C132}
2009-11-07 22:58 . 2009-11-07 22:58 -------- d-----w- c:\documents and settings\All Users\Application Data\df9430b
2009-11-05 20:57 . 2009-11-05 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-05 20:55 . 2009-11-05 20:55 -------- d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP
2009-11-05 20:40 . 2009-11-05 20:49 -------- d-----w- c:\program files\Dragon Age
2009-11-05 20:40 . 2009-11-05 20:55 -------- d-----w- c:\program files\Common Files\BioWare
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 16:27 . 2009-04-26 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-26 05:45 . 2009-01-23 05:33 1 ----a-w- c:\documents and settings\Don\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-20 20:27 . 2009-07-26 23:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-20 01:37 . 2009-01-21 19:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-19 00:26 . 2009-02-07 07:13 -------- d-----w- c:\documents and settings\Don\Application Data\BSW
2009-11-18 23:58 . 2009-01-25 08:37 39376 ----a-w- c:\documents and settings\Don\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 22:41 . 2009-01-21 20:11 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-18 22:40 . 2009-01-21 20:10 -------- d-----w- c:\program files\Java
2009-11-11 02:00 . 2009-08-18 18:46 -------- d-----w- c:\program files\Tile3D_40
2009-11-11 01:55 . 2009-04-26 04:53 -------- d-----w- c:\program files\Google
2009-11-11 01:54 . 2009-02-07 07:33 -------- d-----w- c:\program files\Codemasters
2009-11-11 01:52 . 2009-04-05 20:37 -------- d-----w- c:\program files\Steam
2009-11-08 06:32 . 2009-05-02 19:13 -------- d-----w- c:\program files\1701 A.D
2009-11-08 02:49 . 2009-01-21 19:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-08 02:39 . 2009-07-24 17:53 -------- d-----w- c:\program files\QuickTime
2009-11-07 22:59 . 2009-11-07 22:59 0 ----a-w- c:\documents and settings\Don\33D.tmp
2009-11-07 22:59 . 2009-11-07 22:59 100 ----a-w- c:\documents and settings\Don\33A.tmp
2009-11-07 22:58 . 2009-11-07 22:58 361600 ----a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-10-07 16:35 . 2009-01-22 02:15 189104 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-10-07 16:30 . 2009-01-22 02:15 139584 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-10-05 16:17 . 2009-10-05 16:17 -------- d-----w- c:\program files\Microsoft
2009-09-29 19:59 . 2009-09-29 19:59 -------- d-----w- c:\documents and settings\Don\Application Data\SMART Technologies
2009-09-29 04:15 . 2009-09-29 04:15 74240 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\14\450fe1ce-16c28c2f-n\JINECELP.dll
2009-09-29 04:15 . 2009-09-29 04:15 73216 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\14\450fe1ce-16c28c2f-n\JIWAudio.dll
2009-09-29 04:15 . 2009-09-29 04:15 66048 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\14\450fe1ce-16c28c2f-n\JIWMixer.dll
2009-09-29 04:15 . 2009-09-29 04:15 65536 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\46\be777ae-147b1fa5-n\ICE_JNIRegistry.dll
2009-09-29 04:15 . 2009-09-29 04:15 60928 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\46\be777ae-147b1fa5-n\WinPlatform.dll
2009-09-29 03:58 . 2009-09-29 03:58 98816 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\53\6061d535-284d4338-n\WinVideo.dll
2009-09-29 03:58 . 2009-09-29 03:58 74240 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-5d711d8a-n\JINECELP.dll
2009-09-29 03:58 . 2009-09-29 03:58 68608 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-5d711d8a-n\JIWAudio.dll
2009-09-29 03:58 . 2009-09-29 03:58 66048 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\56\4d4f6cf8-5d711d8a-n\JIWMixer.dll
2009-09-29 03:58 . 2009-09-29 03:58 65536 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\15\306e94cf-7448b613-n\ICE_JNIRegistry.dll
2009-09-29 03:58 . 2009-09-29 03:58 60928 ----a-w- c:\documents and settings\Don\Application Data\Sun\Java\Deployment\cache\6.0\15\306e94cf-7448b613-n\WinPlatform.dll
2009-09-11 14:18 . 2008-04-14 12:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2008-04-14 12:42 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 20:37 . 2009-09-01 20:37 1998848 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\181154-18125.dll
2009-09-01 20:36 . 2009-09-01 20:36 242976 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-09-01 20:36 . 2009-09-01 20:36 223584 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2009-09-01 20:36 . 2009-09-01 20:36 997 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-11-24 16:00 53760 ----a-w- c:\documents and settings\All Users\Application Data\SP\sp.DLL
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-11 2001648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-18 149280]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"Remote"="c:\program files\PowerColor\Real Angel 330\Remote.exe" [2006-03-06 253952]
"Schedule"="c:\program files\PowerColor\Real Angel 330\Schedule.exe" [2006-05-19 94208]
c:\documents and settings\Don\Start Menu\Programs\Startup\
AVG Free Tray Icon.lnk - c:\program files\AVG\AVG8\avgtray.exe [2009-1-21 2029336]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-15 17:25 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"c:\\Program Files\\SMART Technologies\\Classroom Teacher\\ResponseSoftwareService.exe"=
"c:\\Program Files\\SMART Technologies\\Classroom Teacher\\UCGui.exe"=
"c:\\Program Files\\SMART Technologies\\Classroom Teacher\\UCService.exe"=
"c:\\Program Files\\SMART Technologies\\Classroom Teacher\\WebServer.exe"=
"c:\\Program Files\\SMART Technologies\\Classroom Teacher\\Sync Teacher\\SMARTSyncTeacher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port
"13398:TCP"= 13398:TCP:spport
"29653:TCP"= 29653:TCP:spport
"14605:TCP"= 14605:TCP:spport
"6659:TCP"= 6659:TCP:spport
"15609:TCP"= 15609:TCP:spport
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/21/2009 11:33 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/21/2009 11:33 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [11/11/2009 10:44 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 10:44 AM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/21/2009 11:33 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/21/2009 11:33 AM 297752]
R2 Response Hardware;Response Hardware;c:\program files\SMART Technologies\Classroom Teacher\ResponseHardwareService.exe [8/11/2009 12:10 PM 30504]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [4/14/2008 4:42 AM 14336]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [1/21/2009 11:07 AM 36864]
R3 smrtdrv;SMART Technologies Inc. Mirror Driver;c:\windows\system32\drivers\smrtdrv.sys [4/22/2004 10:38 AM 2432]
S2 gupdate1c9c62bfc4ddf28;Google Update Service (gupdate1c9c62bfc4ddf28);c:\program files\Google\Update\GoogleUpdate.exe [4/25/2009 9:00 PM 133104]
S2 SMART Mirror Driver Monitor Service;SMART Mirror Driver Monitor Service;c:\program files\Common Files\SMART Technologies\Mirror Driver\MonitorService.exe [1/16/2009 10:03 AM 135680]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/5/2009 12:48 PM 25832]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [5/30/2007 4:34 PM 39424]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 10:44 AM 7408]
S3 SMART SNMP Agent Service;SMART SNMP Agent Service;c:\program files\SMART Technologies\Classroom Teacher\SMARTSNMPAgent.exe --> c:\program files\SMART Technologies\Classroom Teacher\SMARTSNMPAgent.exe [?]
S3 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies\Classroom Teacher\WebServer.exe [7/23/2009 4:51 PM 1245184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc REG_MULTI_SZ SPService
.
Contents of the 'Scheduled Tasks' folder
2009-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 05:00]
2009-11-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 05:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.Google.com/
FF - ProfilePath - c:\documents and settings\Don\Application Data\Mozilla\Firefox\Profiles\m6tf3mhu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={1651BD89-383E-6D1B-C9C4-68D795ABED09}&q=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {A42A97C1-1509-481F-97FF-37F073F7C132} - c:\documents and settings\Don\Local Settings\Application Data\{A42A97C1-1509-481F-97FF-37F073F7C132}
FF - HiddenExtension: XULRunner: {22400F1B-A246-4997-83B4-BD1963E86E19} - c:\documents and settings\Don\Local Settings\Application Data\{22400F1B-A246-4997-83B4-BD1963E86E19}
FF - HiddenExtension: XULRunner: {799FCEF6-870A-454D-A1AD-7CC39161BE85} - c:\documents and settings\Don\Local Settings\Application Data\{799FCEF6-870A-454D-A1AD-7CC39161BE85}
FF - HiddenExtension: XULRunner: {9830D2C5-7C79-41C5-969C-3D9F7E97BD0D} - c:\documents and settings\Don\Local Settings\Application Data\{9830D2C5-7C79-41C5-969C-3D9F7E97BD0D}
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
.
------- File Associations -------
.
txtfile=%windir%\NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-8877 - c:\documents and settings\Don\33C.tmp.exe
HKLM-Run-Bsokukububovid - c:\windows\ekemutokaratiqe.dll
AddRemove-Impulse - c:\documents and settings\All Users\Application Data\{AD1633B8-8F63-40E6-8A96-9AF47AC850E1}\Impulse_setup.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-InstallShield_{AFAE2B15-89A0-4215-A030-F7B5B478886B} - c:\program files\InstallShield Installation Information\{AFAE2B15-89A0-4215-A030-F7B5B478886B}\setup.exe
AddRemove-InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F} - c:\program files\InstallShield Installation Information\{D80A6A73-E58A-4673-AFF5-F12D7110661F}\setup.exe
AddRemove-InstallShield_{E48469CC-635E-4FD5-A122-1497C286D217} - c:\program files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-Sins of a Solar Empire - c:\documents and settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}\setup.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-Steam App 10500 - c:\program files\Steam\steam.exe steam://uninstall/10500
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
AddRemove-{1A4052AB-BA77-44F7-8EE7-9F9131BFD7A6} - c:\program files\InstallShield Installation Information\{1A4052AB-BA77-44F7-8EE7-9F9131BFD7A6}\setup.exe
AddRemove-{3108C217-BE83-42E4-AE9E-A56A2A92E549} - c:\program files\InstallShield Installation Information\{3108C217-BE83-42E4-AE9E-A56A2A92E549}\Setup.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-11-28 08:55
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-746137067-606747145-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:6f,b3,c7,b1,b2,d8,ed,7a,c8,bb,09,b2,89,68,d6,95,ed,ac,2c,33,01,53,8c,
50,78,5e,47,a3,86,ea,a1,96,27,06,5e,22,0e,2a,30,2c,b0,d7,c1,de,fd,93,db,f7,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
[HKEY_USERS\S-1-5-21-746137067-606747145-682003330-1004\Software\SecuROM\License information*]
"datasecu"=hex:b7,e1,ed,21,d2,38,df,6c,e3,19,80,da,f2,c2,a5,27,aa,53,be,5d,62,
b7,84,2e,ce,86,fc,62,b3,1e,24,c0,df,e9,2d,82,f5,c4,4e,21,ec,a6,9e,50,a0,85,\
"rkeysecu"=hex:6c,33,7b,3b,e2,25,e6,76,ff,a4,29,b1,81,c5,11,57
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-11-28 08:56
ComboFix-quarantined-files.txt 2009-11-28 16:56
Pre-Run: 377,553,129,472 bytes free
Post-Run: 379,405,078,528 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 6C8776692CE367067A9A203F99C16BB4
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:49 AM, on 11/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\SMART Technologies\Classroom Teacher\ResponseHardwareService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SMART Technologies\Classroom Teacher\SMARTBoardService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 awareremover2009.microsoft.com
O1 - Hosts: 91.212.127.227 awareremover2009.com
O1 - Hosts: 91.212.127.227 www.awareremover2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SMART Notebook Download Plugin - {67BCF957-85FC-4036-8DC4-D4D80E00A77B} - C:\Program Files\SMART Technologies\Classroom Teacher\NotebookPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: XBTBPos00 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O3 - Toolbar: SMART Sync - {8E1233B3-485A-4E51-B77E-9E075A68C588} - C:\Program Files\SMART Technologies\Classroom Teacher\Sync Teacher\SyncIEToolbar.dll
O3 - Toolbar: Fast Browser Search - {1BB22D38-A411-4B13-A746-C2A4F4EC7344} - C:\Program Files\Fast Browser Search\IE\FBStoolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Remote] "C:\Program Files\PowerColor\Real Angel 330\Remote.exe"
O4 - HKLM\..\Run: [Schedule] "C:\Program Files\PowerColor\Real Angel 330\Schedule.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: AVG Free Tray Icon.lnk = C:\Program Files\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Google Update Service (gupdate1c9c62bfc4ddf28) (gupdate1c9c62bfc4ddf28) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Response Hardware - SMART Technologies - C:\Program Files\SMART Technologies\Classroom Teacher\ResponseHardwareService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SMART Board Service - SMART Technologies - C:\Program Files\SMART Technologies\Classroom Teacher\SMARTBoardService.exe
O23 - Service: SMART Mirror Driver Monitor Service - SMART Technologies Inc. - C:\Program Files\Common Files\SMART Technologies\Mirror Driver\MonitorService.exe
O23 - Service: SMART SNMP Agent Service - Unknown owner - C:\Program Files\SMART Technologies\Classroom Teacher\SMARTSNMPAgent.exe (file missing)
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies\Classroom Teacher\WebServer.exe
--
End of file - 7717 bytes