Virtumonde Infection

Ok. Let's try to nuke that redirector thing :) Some updating before it though.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.

______________

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh dds.txt log file in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

_________________

Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
 
Combo Fix:

ComboFix 09-04-19.05 - Mark Xamin 04/19/2009 11:45.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1350 [GMT -4:00]
Running from: c:\documents and settings\Mark Xamin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-19 14:57 . 2009-04-19 14:57 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-18 17:30 . 2009-04-19 14:46 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-04-18 17:30 . 2009-04-18 17:30 155384 ----a-w c:\windows\system32\guard32.dll
2009-04-18 17:30 . 2009-04-18 17:30 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-18 17:30 . 2009-04-18 17:30 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-04-18 17:30 . 2009-04-18 17:30 -------- d-----w c:\program files\COMODO
2009-04-18 01:43 . 2009-04-18 01:43 -------- d-----w c:\windows\ie8updates
2009-04-18 01:42 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-16 21:48 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 21:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:48 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 21:48 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:48 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:48 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:48 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 21:48 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:48 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:48 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:48 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:48 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 12:40 . 2009-04-14 12:40 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\Foxit
2009-04-14 12:40 . 2009-04-14 12:40 -------- d-----w c:\program files\Foxit Software
2009-04-10 14:40 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-04-09 20:00 . 2009-04-09 20:00 -------- d-----w c:\program files\Windows Defender
2009-04-09 19:56 . 2009-04-09 19:56 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-09 17:52 . 2009-04-09 17:52 -------- d-----w c:\windows\system32\XPSViewer
2009-04-09 17:52 . 2009-04-09 17:52 -------- d-----w c:\program files\MSBuild
2009-04-09 17:52 . 2009-04-09 17:52 -------- d-----w c:\program files\Reference Assemblies
2009-04-09 17:51 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 17:51 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-09 17:51 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 17:51 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-09 17:51 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 17:51 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-09 17:51 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 17:51 . 2009-04-09 17:51 -------- d-----w C:\635663aed565d5759c71a535
2009-04-09 17:50 . 2009-04-09 19:51 -------- d-----w c:\windows\SxsCaPendDel
2009-04-09 17:44 . 2009-04-09 17:44 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-09 17:03 . 2009-04-09 17:03 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\Malwarebytes
2009-04-09 17:02 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-09 17:02 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 17:02 . 2009-04-09 17:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 17:02 . 2009-04-09 17:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 15:48 . 2009-04-09 15:48 -------- d-sh--w c:\documents and settings\Mark Xamin\PrivacIE
2009-04-09 15:35 . 2009-04-09 15:35 -------- d-sh--w c:\documents and settings\Mark Xamin\IETldCache
2009-04-09 15:23 . 2009-04-09 15:27 -------- dc-h--w c:\windows\ie8
2009-04-09 02:42 . 2009-04-19 02:12 -------- d--h--w C:\$AVG8.VAULT$
2009-04-09 02:23 . 2009-04-09 02:23 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-09 02:23 . 2009-04-09 02:23 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-09 02:23 . 2009-04-09 02:23 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-09 02:22 . 2009-04-18 14:23 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-09 02:22 . 2009-04-09 19:49 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\AVGTOOLBAR
2009-04-09 02:22 . 2009-04-09 02:22 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 03:31 . 2009-04-08 03:31 -------- d-----w c:\program files\Safer Networking
2009-04-07 02:56 . 2009-04-17 04:44 -------- d-----w c:\program files\SpywareBlaster
2009-04-07 02:08 . 2009-04-07 02:08 -------- d-----w c:\program files\AVG
2009-04-07 01:47 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-07 01:46 . 2009-04-07 01:46 -------- d-----w c:\program files\ERUNT
2009-04-06 23:38 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-06 23:37 . 2009-04-06 23:37 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-06 23:36 . 2009-04-06 23:38 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-06 23:36 . 2009-04-06 23:36 -------- d-----w c:\program files\Lavasoft
2009-04-06 22:57 . 2009-04-06 22:57 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-06 03:52 . 2009-04-06 03:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 03:52 . 2009-04-06 03:55 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:05 . 2009-04-09 02:15 60404 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-06 02:05 . 2009-04-09 02:15 480032 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-06 02:05 . 2009-04-09 02:15 46076 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-06 02:05 . 2009-04-09 02:15 4429856 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-06 01:43 . 2009-04-09 02:15 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\Rogers Online Protection
2009-04-06 01:43 . 2009-04-09 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 15:42 . 2007-10-04 15:22 268 ---ha-w C:\sqmdata03.sqm
2009-04-19 15:42 . 2007-10-04 15:22 244 ---ha-w C:\sqmnoopt03.sqm
2009-04-19 15:37 . 2007-11-18 04:08 1713 --sha-w c:\windows\system32\mmf.sys
2009-04-19 15:37 . 2009-04-07 02:15 4028 ----a-w C:\aaw7boot.log
2009-04-19 15:21 . 2007-10-03 04:08 268 ---ha-w C:\sqmdata02.sqm
2009-04-19 15:21 . 2007-10-03 04:08 244 ---ha-w C:\sqmnoopt02.sqm
2009-04-19 14:57 . 2009-01-19 17:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 14:57 . 2007-09-10 10:11 -------- d-----w c:\program files\Java
2009-04-19 14:48 . 2007-09-29 16:25 268 ---ha-w C:\sqmdata01.sqm
2009-04-19 14:48 . 2007-09-29 16:25 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-18 16:02 . 2009-01-28 21:57 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-18 14:21 . 2007-09-10 09:56 28314 ----a-w c:\windows\system32\nvModes.dat
2009-04-17 19:20 . 2009-02-26 18:14 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\FileZilla
2009-04-17 04:44 . 2008-11-18 00:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 22:07 . 2007-09-10 10:28 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-14 12:42 . 2007-10-30 08:19 -------- d-----w c:\program files\Common Files\Adobe
2009-04-12 16:30 . 2007-11-25 06:03 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-09 20:00 . 2007-09-10 10:43 54560 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 02:16 . 2007-09-10 10:15 -------- d-----w c:\program files\InstallShield Installation Information
2009-04-09 00:43 . 2009-02-26 18:14 -------- d-----w c:\program files\FileZilla FTP Client
2009-04-06 23:11 . 2009-01-07 15:46 -------- d-----w c:\program files\Pando Networks
2009-04-06 23:11 . 2007-10-30 08:20 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-06 01:48 . 2007-10-23 03:39 -------- d-----w c:\program files\Yahoo!
2009-04-06 01:47 . 2007-09-10 10:34 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 04:28 . 2009-02-13 04:07 -------- d-----w c:\program files\UFile 2008
2009-03-12 21:00 . 2007-09-10 10:34 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 14:56 . 2007-09-19 06:02 -------- d-----w c:\program files\Electronic Arts
2009-03-11 02:18 . 2008-09-06 03:29 934792 ------w c:\windows\system32\dllcache\WgaTray.exe
2009-03-11 02:18 . 2008-09-06 03:30 239496 ------w c:\windows\system32\dllcache\wgaLogon.dll
2009-03-08 18:09 . 2007-08-13 23:43 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 18:09 . 2007-08-13 23:39 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 08:41 . 2007-05-04 10:29 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 08:39 . 2007-11-20 21:00 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 08:34 . 2007-09-10 10:09 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 08:34 . 2004-08-11 22:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2007-09-10 10:09 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 08:34 . 2007-08-13 23:54 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 08:34 . 2004-08-11 22:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:34 . 2004-08-11 22:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 08:34 . 2007-08-13 23:44 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 08:34 . 2007-09-10 10:09 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 08:34 . 2007-08-13 23:44 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 08:33 . 2007-09-10 10:09 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 08:33 . 2004-08-11 22:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2007-09-10 10:09 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 08:33 . 2004-08-11 22:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 08:33 . 2004-08-11 22:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 . 2004-08-11 22:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 08:32 . 2004-08-11 22:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 08:32 . 2004-08-11 22:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2007-08-13 23:39 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 08:32 . 2004-08-11 22:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 08:32 . 2004-08-11 22:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:32 . 2004-08-11 22:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 08:32 . 2004-08-11 22:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 08:32 . 2007-08-13 23:39 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 08:32 . 2007-09-10 10:09 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 08:32 . 2007-11-20 21:00 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 08:32 . 2007-11-20 21:00 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 08:32 . 2007-09-10 10:09 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 08:24 . 2004-08-11 22:12 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 08:22 . 2007-08-13 23:54 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 08:22 . 2004-08-11 22:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 08:11 . 2007-11-20 21:00 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-11 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 13:59 . 2007-09-29 03:44 268 ---ha-w C:\sqmdata00.sqm
2009-03-05 13:59 . 2007-09-29 03:44 172 ---ha-w C:\sqmnoopt00.sqm
2009-02-27 12:40 . 2007-12-11 06:18 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 01:58 . 2009-02-24 01:58 133 ----a-w c:\documents and settings\Mark Xamin\Local Settings\Application Data\fusioncache.dat
2009-02-23 14:47 . 2008-06-08 17:06 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-02-09 12:10 . 2004-08-11 22:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 05:15 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-11 22:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-15 05:15 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 01:07 . 2007-11-20 21:00 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-11 22:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 05:15 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 05:15 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-11 22:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-15 05:15 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-11 22:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-23 16:43 . 2009-01-23 16:43 14266 --sha-r C:\SDSignature.txt
2009-01-23 16:43 . 2009-01-23 16:43 12696 --sha-r C:\ExecSignature.txt
2007-09-10 10:43 . 2007-09-17 16:54 42936 ----a-w c:\documents and settings\Mark Xamin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-06 01:13 . 2009-01-06 01:13 49152 --sha-w c:\windows\system32\guteheso.dll.tmp
2009-01-06 01:13 . 2009-01-06 01:13 49152 --sha-w c:\windows\system32\lahozunu.dll.tmp
2009-01-06 01:13 . 2009-01-06 01:13 49152 --sha-w c:\windows\system32\nenunizo.dll.tmp
2008-11-18 00:00 . 2008-11-17 23:36 16384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-09-05 14:43 . 2008-09-05 14:43 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"RogersAgent"="c:\program files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 478968]
"SHS"="c:\program files\Rogers\SelfHealing\SHS.exe" [2007-10-12 5166392]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2007-10-12 136504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"EPSON Stylus CX3800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-03 86016]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 517768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-09 1932568]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-07-03 86016]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\Mark Xamin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-09 02:23 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Xamin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mark Xamin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"LVCOMS"=c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\WLKEEPER.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel

R1 SDManager;SDManager; [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 LiveTurbineMessageService;Turbine Message Service - Live; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-09 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2007-11-17 2560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43ddab14-b1f5-11dd-b570-001c230d6511}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL system.exe
\Shell\Explore\command - E:\system.exe
\Shell\Open\command - E:\system.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-06 19:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
FF - ProfilePath - c:\documents and settings\Mark Xamin\Application Data\Mozilla\Firefox\Profiles\wbj2hsqw.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.ca/
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\Mark Xamin\Application Data\Mozilla\Firefox\Profiles\wbj2hsqw.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 11:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\B405A2EBBFCE91A4C13BDEA4B89DC260]
"1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,40,6d,c3,6d,0e,a9,b1,96
"2"=hex:82,9d,b7,04,75,a2,e0,2a
"3"=hex:51,d8,4e,00,cb,4c,ec,04,18,61,a9,a9,57,7d,f7,5b,f5,bf,a2,61,d9,43,ab,
b6,46,06,77,f4,c0,a9,53,b1,7f,86,4c,1d,9d,99,27,a6,67,fb,80,05,4b,15,e1,e2,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,1a,36,0f,9a,30,e3,f4,57,69,39,43,7c,33,dd,6d,ac,de,22,0d,fb,e8,a3,20,e8,\
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,08,21,24,20,f1,96,6a,
7a,cd,13,31,a6,7d,dc,f4,81,0d,1c,44,d3,0b,59,cb,af
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:00,55,45,ed,a5,df,d5,ac,d5,ed,f1,06,5f,d0,b4,7d,a7,47,6b,f9,90,b5,d3,
45,4a,dd,88,ce,55,62,69,f3,dc,0b,e2,ea,c7,d6,6c,86,dc,4c,a3,35,33,cb,eb,76,\
"13"=hex:43,a7,f7,8f,ae,72,3f,84,b8,48,7c,b0,88,ba,03,da,62,6b,f2,4a,27,9a,d5,
3d
"14"=hex:f8,37,82,69,f0,e8,bd,13
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:3b,f0,65,24,3d,49,33,68,17,11,40,29,1f,41,23,f4
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:50,02,09,44,2d,e7,ad,a2,d9,ac,f7,5e,c8,8d,7b,5d,7e,ca,f6,6a,b8,d8,48,
b0,9b,e4,59,f7,00,01,ed,f4,45,b9,22,87,4f,c3,79,37,61,7e,45,6c,9d,94,af,f1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3040)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-19 11:52
ComboFix-quarantined-files.txt 2009-04-19 15:51

Pre-Run: 48,650,604,544 bytes free
Post-Run: 48,684,228,608 bytes free

375 --- E O F --- 2009-04-16 22:10

DDS Log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Mark Xamin at 12:00:05.59 on Sun 04/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1401 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Rogers\SelfHealing\rogersagent.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Mark Xamin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [RogersAgent] c:\program files\rogers\selfhealing\rogersagent.exe
uRun: [SHS] "c:\program files\rogers\selfhealing\SHS.exe" /background
uRun: [Update Manager] "c:\program files\rogers\update manager\UpdateManager.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [EPSON Stylus CX3800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [EPSON Stylus CX3800 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P35 "EPSON Stylus CX3800 Series (Copy 1)" /O5 "LPT1:" /M "Stylus CX3800"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\markxa~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\markxa~1\applic~1\mozilla\firefox\profiles\wbj2hsqw.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.ca/
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\mark xamin\application data\mozilla\firefox\profiles\wbj2hsqw.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-6 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-8 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-8 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-8 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-8 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-8 298264]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-11-17 2560]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 SDManager;SDManager;\??\c:\program files\spywaredetector\sdmanager.sys --> c:\program files\spywaredetector\SDManager.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
S3 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\turbine\turbine download manager\turbinemessageservice.exe" --> c:\program files\turbine\turbine download manager\TurbineMessageService.exe [?]

=============== Created Last 30 ================

2009-04-19 11:44 161,792 a------- c:\windows\SWREG.exe
2009-04-19 11:44 98,816 a------- c:\windows\sed.exe
2009-04-19 11:44 <DIR> --d----- C:\ComboFix
2009-04-19 10:57 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-18 13:30 155,384 a------- c:\windows\system32\guard32.dll
2009-04-18 13:30 110,992 a------- c:\windows\system32\drivers\cmdguard.sys
2009-04-18 13:30 24,336 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-04-18 13:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-04-18 13:30 <DIR> --d----- c:\program files\COMODO
2009-04-17 21:43 <DIR> --d----- c:\windows\ie8updates
2009-04-17 21:42 105,984 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-14 08:40 <DIR> --d----- c:\docume~1\markxa~1\applic~1\Foxit
2009-04-14 08:40 <DIR> --d----- c:\program files\Foxit Software
2009-04-13 22:30 <DIR> --d----- C:\cmdcons
2009-04-10 10:40 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-04-09 13:52 <DIR> --d----- c:\windows\system32\XPSViewer
2009-04-09 13:51 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 13:51 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-09 13:51 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 13:51 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-09 13:51 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 13:51 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-09 13:51 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 13:51 <DIR> --d----- C:\635663aed565d5759c71a535
2009-04-09 13:50 <DIR> --d----- c:\windows\SxsCaPendDel
2009-04-09 13:03 <DIR> --d----- c:\docume~1\markxa~1\applic~1\Malwarebytes
2009-04-09 13:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-09 13:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 13:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 13:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-09 11:48 <DIR> --dsh--- c:\documents and settings\mark xamin\PrivacIE
2009-04-09 11:35 <DIR> --dsh--- c:\documents and settings\mark xamin\IETldCache
2009-04-09 11:23 <DIR> -cd-h--- c:\windows\ie8
2009-04-08 22:42 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-08 22:23 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-08 22:23 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-08 22:23 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-08 22:22 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-04-08 22:22 <DIR> --d----- c:\docume~1\markxa~1\applic~1\AVGTOOLBAR
2009-04-08 22:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-07 23:31 <DIR> --d----- c:\program files\Safer Networking
2009-04-06 22:56 <DIR> --d----- c:\program files\SpywareBlaster
2009-04-06 22:08 <DIR> --d----- c:\program files\AVG
2009-04-06 21:47 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-06 19:38 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-06 19:37 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-06 19:36 <DIR> --d----- c:\program files\Lavasoft
2009-04-06 18:57 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-05 23:52 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-04-05 23:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-05 22:05 4,429,856 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-04-05 22:05 480,032 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-04-05 22:05 60,404 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-04-05 22:05 46,076 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-04-05 21:43 <DIR> --d----- c:\docume~1\markxa~1\applic~1\Rogers Online Protection
2009-04-05 21:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Rogers Online Protection
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll

==================== Find3M ====================

2009-04-19 11:37 1,713 a--sh--- c:\windows\system32\mmf.sys
2009-04-19 10:57 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-18 10:21 28,314 a------- c:\windows\system32\nvModes.dat
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 10:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-23 10:47 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-02-09 08:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 08:10 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 08:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 08:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 08:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 08:10 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 08:10 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 08:10 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 08:10 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 08:10 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 07:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 07:11 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 07:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 07:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 07:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 06:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 06:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 06:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 06:10 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 15:59 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2008-11-17 20:00 16,384 ac-sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-09-05 10:43 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 12:00:26.51 ===============
 
GooRed Log:

GooredFix v1.92 by jpshortstuff
Log created at 12:01 on 19/04/2009 running Option #2 (Mark Xamin)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{784A24CA-7F5E-44CE-AD83-ACBA20207C33}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord"
 
Hi

Looks like you didn't uninstall old Java versions and get the latest one yet. Please follow instructions in my previous reply to carry on that task. Vulnerable Javas put your system under threat.


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
E:\system.exe

FireFox::
FF - ProfilePath - c:\documents and settings\Mark Xamin\Application Data\Mozilla\Firefox\Profiles\wbj2hsqw.default\
FF - prefs.js: keyword.URL - hxxp://www.wcsearch.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43ddab14-b1f5-11dd-b570-001c230d6511}]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh dds.txt log. Still issues left?


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
I donwloaded the new version of Java and went to remove the older versions. However, when I go to remove, I get the following error:

"The configuration data for this product is corrupt. Contact your support personnel."

If I try to install the update, I get this:

"Error 1714. The older version of Java (TM) 6 Update 13 cannot be removed. Contact your technical support group."

Combo Fix Log:

ComboFix 09-04-19.05 - Mark Xamin 04/19/2009 13:07.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1378 [GMT -4:00]
Running from: c:\documents and settings\Mark Xamin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mark Xamin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
E:\system.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-19 14:57 . 2009-04-19 14:57 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-18 17:30 . 2009-04-19 14:46 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-04-18 17:30 . 2009-04-18 17:30 155384 ----a-w c:\windows\system32\guard32.dll
2009-04-18 17:30 . 2009-04-18 17:30 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-04-18 17:30 . 2009-04-18 17:30 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-04-18 17:30 . 2009-04-18 17:30 -------- d-----w c:\program files\COMODO
2009-04-18 01:43 . 2009-04-18 01:43 -------- d-----w c:\windows\ie8updates
2009-04-18 01:42 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-16 21:48 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 21:48 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 21:48 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 21:48 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:48 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:48 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:48 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 21:48 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 21:48 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:48 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:48 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:48 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-14 12:40 . 2009-04-14 12:40 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\Foxit
2009-04-14 12:40 . 2009-04-14 12:40 -------- d-----w c:\program files\Foxit Software
2009-04-10 14:40 . 2009-01-09 19:19 1089593 ------w c:\windows\system32\dllcache\ntprint.cat
2009-04-09 20:00 . 2009-04-09 20:00 -------- d-----w c:\program files\Windows Defender
2009-04-09 19:56 . 2009-04-09 19:56 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-09 17:52 . 2009-04-09 17:52 -------- d-----w c:\windows\system32\XPSViewer
2009-04-09 17:52 . 2009-04-09 17:52 -------- d-----w c:\program files\MSBuild
2009-04-09 17:52 . 2009-04-09 17:52 -------- d-----w c:\program files\Reference Assemblies
2009-04-09 17:51 . 2008-07-06 12:06 89088 ------w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 17:51 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-09 17:51 . 2008-07-06 12:06 575488 ------w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 17:51 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-09 17:51 . 2008-07-06 10:50 597504 ------w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 17:51 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-09 17:51 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 17:51 . 2009-04-09 17:51 -------- d-----w C:\635663aed565d5759c71a535
2009-04-09 17:50 . 2009-04-09 19:51 -------- d-----w c:\windows\SxsCaPendDel
2009-04-09 17:44 . 2009-04-09 17:44 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-09 17:03 . 2009-04-09 17:03 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\Malwarebytes
2009-04-09 17:02 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-09 17:02 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 17:02 . 2009-04-09 17:02 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 17:02 . 2009-04-09 17:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 15:48 . 2009-04-09 15:48 -------- d-sh--w c:\documents and settings\Mark Xamin\PrivacIE
2009-04-09 15:35 . 2009-04-09 15:35 -------- d-sh--w c:\documents and settings\Mark Xamin\IETldCache
2009-04-09 15:23 . 2009-04-09 15:27 -------- dc-h--w c:\windows\ie8
2009-04-09 02:42 . 2009-04-19 02:12 -------- d--h--w C:\$AVG8.VAULT$
2009-04-09 02:23 . 2009-04-09 02:23 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-09 02:23 . 2009-04-09 02:23 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-09 02:23 . 2009-04-09 02:23 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-09 02:22 . 2009-04-18 14:23 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-09 02:22 . 2009-04-09 19:49 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\AVGTOOLBAR
2009-04-09 02:22 . 2009-04-09 02:22 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-08 03:31 . 2009-04-08 03:31 -------- d-----w c:\program files\Safer Networking
2009-04-07 02:56 . 2009-04-17 04:44 -------- d-----w c:\program files\SpywareBlaster
2009-04-07 02:08 . 2009-04-07 02:08 -------- d-----w c:\program files\AVG
2009-04-07 01:47 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-07 01:46 . 2009-04-07 01:46 -------- d-----w c:\program files\ERUNT
2009-04-06 23:38 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-06 23:37 . 2009-04-06 23:37 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-06 23:36 . 2009-04-06 23:38 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-06 23:36 . 2009-04-06 23:36 -------- d-----w c:\program files\Lavasoft
2009-04-06 22:57 . 2009-04-06 22:57 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-06 03:52 . 2009-04-06 03:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-06 03:52 . 2009-04-06 03:55 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-06 02:05 . 2009-04-09 02:15 60404 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-06 02:05 . 2009-04-09 02:15 480032 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-06 02:05 . 2009-04-09 02:15 46076 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-06 02:05 . 2009-04-09 02:15 4429856 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-06 01:43 . 2009-04-09 02:15 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\Rogers Online Protection
2009-04-06 01:43 . 2009-04-09 02:15 -------- d-----w c:\documents and settings\All Users\Application Data\Rogers Online Protection
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 16:24 . 2009-02-26 18:14 -------- d-----w c:\documents and settings\Mark Xamin\Application Data\FileZilla
2009-04-19 15:42 . 2007-10-04 15:22 268 ---ha-w C:\sqmdata03.sqm
2009-04-19 15:42 . 2007-10-04 15:22 244 ---ha-w C:\sqmnoopt03.sqm
2009-04-19 15:37 . 2007-11-18 04:08 1713 --sha-w c:\windows\system32\mmf.sys
2009-04-19 15:37 . 2009-04-07 02:15 4028 ----a-w C:\aaw7boot.log
2009-04-19 15:21 . 2007-10-03 04:08 268 ---ha-w C:\sqmdata02.sqm
2009-04-19 15:21 . 2007-10-03 04:08 244 ---ha-w C:\sqmnoopt02.sqm
2009-04-19 14:57 . 2009-01-19 17:18 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-19 14:57 . 2007-09-10 10:11 -------- d-----w c:\program files\Java
2009-04-19 14:48 . 2007-09-29 16:25 268 ---ha-w C:\sqmdata01.sqm
2009-04-19 14:48 . 2007-09-29 16:25 244 ---ha-w C:\sqmnoopt01.sqm
2009-04-18 16:02 . 2009-01-28 21:57 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-18 14:21 . 2007-09-10 09:56 28314 ----a-w c:\windows\system32\nvModes.dat
2009-04-17 04:44 . 2008-11-18 00:43 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-16 22:07 . 2007-09-10 10:28 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-14 12:42 . 2007-10-30 08:19 -------- d-----w c:\program files\Common Files\Adobe
2009-04-12 16:30 . 2007-11-25 06:03 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-09 20:00 . 2007-09-10 10:43 54560 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-09 02:16 . 2007-09-10 10:15 -------- d-----w c:\program files\InstallShield Installation Information
2009-04-09 00:43 . 2009-02-26 18:14 -------- d-----w c:\program files\FileZilla FTP Client
2009-04-06 23:11 . 2009-01-07 15:46 -------- d-----w c:\program files\Pando Networks
2009-04-06 23:11 . 2007-10-30 08:20 -------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-04-06 01:48 . 2007-10-23 03:39 -------- d-----w c:\program files\Yahoo!
2009-04-06 01:47 . 2007-09-10 10:34 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 04:28 . 2009-02-13 04:07 -------- d-----w c:\program files\UFile 2008
2009-03-12 21:00 . 2007-09-10 10:34 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-03-11 14:56 . 2007-09-19 06:02 -------- d-----w c:\program files\Electronic Arts
2009-03-11 02:18 . 2008-09-06 03:29 934792 ------w c:\windows\system32\dllcache\WgaTray.exe
2009-03-11 02:18 . 2008-09-06 03:30 239496 ------w c:\windows\system32\dllcache\wgaLogon.dll
2009-03-08 18:09 . 2007-08-13 23:43 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 18:09 . 2007-08-13 23:39 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 08:41 . 2007-05-04 10:29 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 08:39 . 2007-11-20 21:00 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 08:34 . 2007-09-10 10:09 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 08:34 . 2004-08-11 22:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2007-09-10 10:09 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 08:34 . 2007-08-13 23:54 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 08:34 . 2004-08-11 22:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:34 . 2004-08-11 22:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 08:34 . 2007-08-13 23:44 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 08:34 . 2007-09-10 10:09 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 08:34 . 2007-08-13 23:44 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 08:33 . 2007-09-10 10:09 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 08:33 . 2009-03-08 08:33 18944 ------w c:\windows\system32\dllcache\corpol.dll
2009-03-08 08:33 . 2004-08-11 22:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2007-09-10 10:09 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 08:33 . 2008-05-09 10:53 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 08:33 . 2004-08-11 22:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 08:33 . 2008-05-09 10:53 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 08:33 . 2004-08-11 22:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 . 2004-08-11 22:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 08:32 . 2004-08-11 22:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 08:32 . 2004-08-11 22:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2007-08-13 23:39 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 08:32 . 2004-08-11 22:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 08:32 . 2004-08-11 22:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:32 . 2004-08-11 22:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 08:32 . 2004-08-11 22:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 08:32 . 2007-08-13 23:39 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 08:32 . 2007-09-10 10:09 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 08:32 . 2007-11-20 21:00 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 08:32 . 2007-11-20 21:00 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 08:32 . 2007-09-10 10:09 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 08:24 . 2004-08-11 22:12 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 08:22 . 2007-08-13 23:54 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 08:22 . 2004-08-11 22:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 08:11 . 2007-11-20 21:00 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 14:22 . 2004-08-11 22:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 13:59 . 2007-09-29 03:44 268 ---ha-w C:\sqmdata00.sqm
2009-03-05 13:59 . 2007-09-29 03:44 172 ---ha-w C:\sqmnoopt00.sqm
2009-02-27 12:40 . 2007-12-11 06:18 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-24 01:58 . 2009-02-24 01:58 133 ----a-w c:\documents and settings\Mark Xamin\Local Settings\Application Data\fusioncache.dat
2009-02-23 14:47 . 2008-06-08 17:06 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-02-09 12:10 . 2004-08-11 22:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-11 22:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-11 22:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-11 22:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2008-10-15 05:15 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-11 22:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2008-10-15 05:15 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-07 01:07 . 2007-11-20 21:00 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 11:11 . 2004-08-11 22:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2008-10-15 05:15 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 11:06 . 2008-10-15 05:15 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 11:06 . 2004-08-11 22:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:39 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 10:32 . 2008-10-15 05:15 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-11 22:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-23 16:43 . 2009-01-23 16:43 14266 --sha-r C:\SDSignature.txt
2009-01-23 16:43 . 2009-01-23 16:43 12696 --sha-r C:\ExecSignature.txt
2007-09-10 10:43 . 2007-09-17 16:54 42936 ----a-w c:\documents and settings\Mark Xamin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-06 01:13 . 2009-01-06 01:13 49152 --sha-w c:\windows\system32\guteheso.dll.tmp
2009-01-06 01:13 . 2009-01-06 01:13 49152 --sha-w c:\windows\system32\lahozunu.dll.tmp
2009-01-06 01:13 . 2009-01-06 01:13 49152 --sha-w c:\windows\system32\nenunizo.dll.tmp
2008-11-18 00:00 . 2008-11-17 23:36 16384 -csha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-09-05 14:43 . 2008-09-05 14:43 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WeatherEye"="c:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe" [2009-01-16 4519832]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"RogersAgent"="c:\program files\Rogers\SelfHealing\rogersagent.exe" [2007-04-23 478968]
"SHS"="c:\program files\Rogers\SelfHealing\SHS.exe" [2007-10-12 5166392]
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" [2007-10-12 136504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"EPSON Stylus CX3800 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-03 86016]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-03-12 517768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-09 1932568]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2008-07-03 86016]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\documents and settings\Mark Xamin\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-09 02:23 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mark Xamin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Mark Xamin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"LVCOMS"=c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\WLKEEPER.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"94:TCP"= 94:TCP:VRS Recording System Web Control Panel

R1 SDManager;SDManager; [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R3 LiveTurbineMessageService;Turbine Message Service - Live; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-09 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2007-11-17 2560]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-04-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2009-04-08 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-06 19:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
FF - ProfilePath - c:\documents and settings\Mark Xamin\Application Data\Mozilla\Firefox\Profiles\wbj2hsqw.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.ca/
FF - component: c:\documents and settings\Mark Xamin\Application Data\Mozilla\Firefox\Profiles\wbj2hsqw.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 13:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\B405A2EBBFCE91A4C13BDEA4B89DC260]
"1"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,40,6d,c3,6d,0e,a9,b1,96
"2"=hex:82,9d,b7,04,75,a2,e0,2a
"3"=hex:51,d8,4e,00,cb,4c,ec,04,18,61,a9,a9,57,7d,f7,5b,f5,bf,a2,61,d9,43,ab,
b6,46,06,77,f4,c0,a9,53,b1,7f,86,4c,1d,9d,99,27,a6,67,fb,80,05,4b,15,e1,e2,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:47,e4,6c,02,68,b4,3b,2b,30,11,db,3c,35,63,21,d4,11,b1,7e,c5,ed,aa,8e,
1a,1a,36,0f,9a,30,e3,f4,57,69,39,43,7c,33,dd,6d,ac,de,22,0d,fb,e8,a3,20,e8,\
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,08,21,24,20,f1,96,6a,
7a,cd,13,31,a6,7d,dc,f4,81,0d,1c,44,d3,0b,59,cb,af
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:00,55,45,ed,a5,df,d5,ac,d5,ed,f1,06,5f,d0,b4,7d,a7,47,6b,f9,90,b5,d3,
45,4a,dd,88,ce,55,62,69,f3,dc,0b,e2,ea,c7,d6,6c,86,dc,4c,a3,35,33,cb,eb,76,\
"13"=hex:43,a7,f7,8f,ae,72,3f,84,b8,48,7c,b0,88,ba,03,da,62,6b,f2,4a,27,9a,d5,
3d
"14"=hex:f8,37,82,69,f0,e8,bd,13
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:3b,f0,65,24,3d,49,33,68,17,11,40,29,1f,41,23,f4
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:50,02,09,44,2d,e7,ad,a2,d9,ac,f7,5e,c8,8d,7b,5d,7e,ca,f6,6a,b8,d8,48,
b0,9b,e4,59,f7,00,01,ed,f4,45,b9,22,87,4f,c3,79,37,61,7e,45,6c,9d,94,af,f1,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2108)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-19 13:10
ComboFix-quarantined-files.txt 2009-04-19 17:10
ComboFix2.txt 2009-04-19 15:52

Pre-Run: 48,611,168,256 bytes free
Post-Run: 48,596,742,144 bytes free

374 --- E O F --- 2009-04-16 22:10
 
Ok, got the older versions uninstalled, redownloaded the new version, and got this:

"Error 25099. Unzipping of core files failed." Retried 3-4 times but got the same error. :(
 
Actually never mind, I figured out what the problem was. Java is now installed properly. :)

Thanks so much for all of your help...I will let you know if I notice any other problems but you're the best for helping me with this.
 
Hi

Glad to hear you got Java installed :)

Let's uninstall those tools we used.

Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Click Start >> Run and then copy/paste the following into the box and hit Enter:
"%userprofile%\Desktop\GooredFix.exe" /uninstall
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.

You may delete dds.scr file and related logs too.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top