Windows Firewall and Security Center "disabled by Group Policy" after attack

S

Simone

New member
Windows Firewall and Security Center "disabled by Group Policy" after attack

A nasty attack removed AVG and disabled Windows Firewall and Security Center. I re-installed and ran AVG, and also ran Spybot.

I still cannot start Windows Firewall and Security Center, and cannot fix the last 3 problems that Spybot finds. This is making me crazy!

HKLM\Software\Microsoft\Security Center\FirewallOverride (is 1 not 0)

HKLM\System\CurrentControlSet\Services\wscsvc (is 4 not 2)

HKLM\Software\Microsoft\Windows\CurrentVersion\services\del (Win32.Jolee.K)

highjackthis.log attached

Your assistance is greatly appreciated...

Thanks Simone
 
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
DDS.txt and Attach.txt posted below as requested... thanks!!!

DDS.txt


DDS (Ver_09-03-16.01) - NTFSx86
Run by TW at 0:15:49.46 on Wed 04/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.492 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\TW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cookie Pal] "c:\program files\cpal\CPBrWtch.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [services] c:\windows\services.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229373649531
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229371973000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli mschol32.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-4 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-4 27656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-26 298264]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

=============== Created Last 30 ================

2009-04-27 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-26 23:08 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-26 23:02 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-26 20:48 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-26 20:48 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-26 20:48 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-26 20:48 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-26 20:48 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-26 20:48 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-26 20:48 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-26 20:29 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-04-26 20:27 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-26 20:26 <DIR> --d----- c:\windows\system32\URTTEMP
2009-04-26 20:17 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-04-26 20:08 <DIR> --dsh--- c:\documents and settings\tw\PrivacIE
2009-04-26 20:08 <DIR> --dsh--- c:\documents and settings\tw\IECompatCache
2009-04-26 20:04 <DIR> --dsh--- c:\documents and settings\tw\IETldCache
2009-04-26 20:02 <DIR> --d----- c:\windows\ie8updates
2009-04-26 19:59 <DIR> -cd-h--- c:\windows\ie8
2009-04-26 19:57 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-26 18:58 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-26 17:45 138 a------- c:\windows\wininit.ini
2009-04-26 16:04 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-11 13:30 0 a------- c:\windows\Kneniredoxirakip.bin
2009-04-11 13:30 146,944 a------- c:\windows\Dyufulej.dat

==================== Find3M ====================

2009-04-26 23:02 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-26 21:26 15,472 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-20 21:09 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 0:16:24.32 ===============


Attach.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/3/2008 11:26:05 PM
System Uptime: 4/28/2009 11:36:15 PM (1 hours ago)

Motherboard: Dell Inc. | | 0UW744
Processor: Mobile AMD Sempron(tm) Processor 3600+ | Socket M2/S1G1 | 1994/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 20 GiB total, 7.836 GiB free.
D: is CDROM ()
U: is FIXED (NTFS) - 36 GiB total, 18.033 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01F51028&REV_02\4&B216F0A&0&00A4
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01F51028&REV_02\4&B216F0A&0&00A4
Service: bcm4sbxp

==== System Restore Points ===================

RP240: 4/7/2009 11:50:13 AM - System Checkpoint
RP241: 4/8/2009 12:33:34 PM - System Checkpoint
RP242: 4/9/2009 1:05:56 PM - System Checkpoint
RP243: 4/10/2009 1:52:49 PM - System Checkpoint
RP244: 4/11/2009 2:25:08 PM - System Checkpoint
RP245: 4/12/2009 2:50:13 PM - System Checkpoint
RP246: 4/13/2009 4:04:45 PM - System Checkpoint
RP247: 4/14/2009 4:50:42 PM - System Checkpoint
RP248: 4/14/2009 11:39:19 PM - Save
RP249: 4/14/2009 11:40:01 PM - Installed Windows Media Player 11
RP250: 4/14/2009 11:42:34 PM - Software Distribution Service 3.0
RP251: 4/14/2009 11:50:22 PM - Restore Operation
RP252: 4/14/2009 11:54:27 PM - Restore Operation
RP253: 4/14/2009 11:59:00 PM - Backup after 03/13 restore
RP254: 4/16/2009 12:19:42 AM - Restore Operation
RP255: 4/16/2009 12:23:28 AM - Restore Operation
RP256: 4/17/2009 12:31:51 AM - System Checkpoint
RP257: 4/18/2009 1:31:53 AM - System Checkpoint
RP258: 4/19/2009 1:42:28 AM - System Checkpoint
RP259: 4/20/2009 2:31:53 AM - System Checkpoint
RP260: 4/21/2009 3:31:51 AM - System Checkpoint
RP261: 4/22/2009 4:31:53 AM - System Checkpoint
RP262: 4/23/2009 4:32:10 AM - System Checkpoint
RP263: 4/24/2009 4:32:19 AM - System Checkpoint
RP264: 4/25/2009 5:32:22 AM - System Checkpoint
RP265: 4/26/2009 6:32:25 AM - System Checkpoint
RP266: 4/26/2009 3:46:20 PM - Restore Operation
RP267: 4/26/2009 4:15:58 PM - Restore Operation
RP268: 4/26/2009 4:21:00 PM - Restore Operation
RP269: 4/26/2009 4:28:31 PM - Restore Operation
RP270: 4/26/2009 4:30:56 PM - Restore Operation
RP271: 4/26/2009 4:33:53 PM - Restore Operation
RP272: 4/26/2009 4:36:31 PM - Restore Operation
RP273: 4/26/2009 4:38:51 PM - Restore Operation
RP274: 4/26/2009 4:41:29 PM - Restore Operation
RP275: 4/26/2009 7:57:26 PM - Software Distribution Service 3.0
RP276: 4/26/2009 8:01:09 PM - Installed Windows Internet Explorer 8.
RP277: 4/26/2009 8:01:56 PM - Software Distribution Service 3.0
RP278: 4/26/2009 8:25:28 PM - Software Distribution Service 3.0
RP279: 4/26/2009 9:03:58 PM - Printer Driver Microsoft XPS Document Writer Installed
RP280: 4/26/2009 9:28:06 PM - Backup
RP281: 4/26/2009 9:38:03 PM - Installed Windows XP KB941569.
RP282: 4/26/2009 9:38:23 PM - Installed Windows Media Player 11 KB954154.
RP283: 4/26/2009 9:38:47 PM - Installed Windows Media Player KB952069.
RP284: 4/26/2009 9:39:12 PM - Installed Windows Media Player KB952069.
RP285: 4/26/2009 9:52:00 PM - Installed Windows Media Player 11 KB936782_WMP11.
RP286: 4/26/2009 11:02:33 PM - Installed AVG Free 8.5
RP287: 4/27/2009 12:36:23 PM - Software Distribution Service 3.0
RP288: 4/28/2009 1:15:20 PM - System Checkpoint
RP289: 4/29/2009 12:15:26 AM - Avg8 Update

==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.9
Adobe Shockwave Player 11
AI RoboForm (All Users)
Amazon Services Order Notifier
AMD Processor Driver
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 8.5
Bonjour
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Cookie Pal
Critical Update for Windows Media Player 11 (KB959772)
DeductionPro 2008
Dell Resource CD
Dell Support Center (Support Software)
EPSON Printer Software
EPSON Scan
Eraser
ERUNT 1.1j
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
iTunes
Java(TM) 6 Update 11
Kyodai
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Baseline Security Analyzer 2.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.5)
MSXML 6.0 Parser
OpenOffice.org 2.2
PowerDVD 5.7
QuickSet
QuickTime
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SigmaTel Audio
Spybot - Search & Destroy
Synaptics Pointing Device Driver
TaxCut Basic + Efile 2008
Tweak UI
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
User Profile Hive Cleanup Service
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Internet Mail

==== Event Viewer Messages From Past Week ========

4/26/2009 7:22:06 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
4/26/2009 7:15:38 PM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the file specified.

==== End Of File ===========================
 
I rebooted and updated AVG before running dds.scr... I see a couple of unusual entries in DDS.txt:

=============== Created Last 30 ================
2009-04-11 13:30 0 a------- c:\windows\Kneniredoxirakip.bin
2009-04-11 13:30 146,944 a------- c:\windows\Dyufulej.dat

Before I re-installed AVG and ran Microsoft Update, I was able to do a System Restore back to 04-13-09. System Restore would not let me restore back to the dates I tried before 04-13-09.

Unfortunately, it is beyond my knowledge to know what to do next... greatly appreciate your assistance!

Thanks Simone
 
Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Attached are C:\ComboFix.txt and a new dds.txt log per your request.
Looks like Windows Firewall and Security Center are both running now!


C:\ComboFix.txt

ComboFix 09-04-29.01 - TW 04/29/2009 11:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.473 [GMT -7:00]
Running from: c:\documents and settings\TW\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-27 22:52 . 2009-04-27 22:52 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-27 17:52 . 2009-04-27 17:52 -------- d-----w c:\program files\ERUNT
2009-04-27 06:08 . 2009-04-27 18:21 -------- d--h--w C:\$AVG8.VAULT$
2009-04-27 06:02 . 2009-04-27 06:02 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 04:46 . 2009-04-27 04:46 -------- d-----w c:\documents and settings\TW\Local Settings\Application Data\ApplicationHistory
2009-04-27 03:55 . 2009-04-27 03:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-27 03:48 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 03:48 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 03:48 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 03:48 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 03:48 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 03:48 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 03:48 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 03:29 . 2009-04-27 03:29 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-27 03:27 . 2009-04-27 03:27 -------- d-----w c:\windows\system32\LogFiles
2009-04-27 03:26 . 2009-04-27 03:26 -------- d-----w c:\windows\system32\URTTEMP
2009-04-27 03:24 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-27 03:24 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-27 03:24 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-27 03:24 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-27 03:24 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-27 03:24 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-27 03:24 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-27 03:24 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-27 03:24 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-27 03:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-27 03:24 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-27 03:17 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-27 03:08 . 2009-04-27 03:08 -------- d-sh--w c:\documents and settings\TW\PrivacIE
2009-04-27 03:08 . 2009-04-27 03:08 -------- d-sh--w c:\documents and settings\TW\IECompatCache
2009-04-27 03:04 . 2009-04-27 03:04 -------- d-sh--w c:\documents and settings\TW\IETldCache
2009-04-27 03:02 . 2009-04-27 03:02 -------- d-----w c:\windows\ie8updates
2009-04-27 02:59 . 2009-04-27 03:01 -------- dc-h--w c:\windows\ie8
2009-04-27 02:57 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-27 01:58 . 2009-04-27 01:58 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-26 23:04 . 2009-04-26 23:40 -------- d-----w c:\documents and settings\Administrator
2009-04-21 04:21 . 2009-04-26 22:47 -------- d-----w c:\documents and settings\TW\Local Settings\Application Data\{F4F8E28E-5934-4361-B5A6-886343DEE4A1}
2009-04-11 20:30 . 2009-04-14 08:16 0 ----a-w c:\windows\Kneniredoxirakip.bin
2009-04-11 20:30 . 2009-04-26 22:48 -------- d-----w c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}
2009-04-11 20:30 . 2009-04-21 04:22 146944 ----a-w c:\windows\Dyufulej.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 06:02 . 2008-12-04 09:14 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 05:41 . 2008-12-04 08:57 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 04:26 . 2008-12-04 09:25 15472 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-26 22:48 . 2009-02-24 05:50 -------- d-----w c:\program files\TaxCut08
2009-04-26 22:48 . 2008-12-04 09:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-26 22:48 . 2009-03-15 05:02 -------- d-----w c:\program files\Amazon
2009-04-21 04:09 . 2004-08-04 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-03-22 22:05 . 2009-02-24 05:52 -------- d-----w c:\program files\DeductionPro 2008
2009-03-12 22:01 . 2009-03-12 22:01 125 ----a-w c:\documents and settings\TW\Local Settings\Application Data\fusioncache.dat
2009-03-12 20:41 . 2008-12-04 09:17 -------- d-----w c:\program files\Kyodai
2009-03-12 20:39 . 2008-12-04 08:54 -------- d-----w c:\program files\Eraser
2009-03-12 06:32 . 2009-03-12 06:32 -------- d-----w c:\program files\MSBuild
2009-03-12 06:32 . 2009-03-12 06:32 -------- d-----w c:\program files\Reference Assemblies
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-07 22:20 . 2009-03-07 22:20 -------- d-----w c:\program files\PDF995
2009-03-07 20:34 . 2009-03-05 20:02 -------- d-----w c:\program files\BOWEP
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-04 160592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookie Pal"="c:\program files\CPal\CPBrWtch.exe" [2002-07-24 20523]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-26 206064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 06:02 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-27 325640]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-27 298264]


--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 11:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2544)
c:\windows\system32\CPWATCH.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2009-04-29 12:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 19:00

Pre-Run: 8,287,854,592 bytes free
Post-Run: 8,217,399,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

175


New dds.txt log


DDS (Ver_09-03-16.01) - NTFSx86
Run by TW at 12:12:08.78 on Wed 04/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.517 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\TW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cookie Pal] "c:\program files\cpal\CPBrWtch.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229373649531
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229371973000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-4 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-4 27656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-26 298264]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

=============== Created Last 30 ================

2009-04-29 11:52 <DIR> a-dshr-- C:\cmdcons
2009-04-29 11:50 161,792 a------- c:\windows\SWREG.exe
2009-04-29 11:50 98,816 a------- c:\windows\sed.exe
2009-04-27 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-26 23:08 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-26 23:02 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-26 20:48 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-26 20:48 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-26 20:48 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-26 20:48 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-26 20:48 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-26 20:48 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-26 20:48 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-26 20:29 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-04-26 20:27 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-26 20:26 <DIR> --d----- c:\windows\system32\URTTEMP
2009-04-26 20:17 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-04-26 20:08 <DIR> --dsh--- c:\documents and settings\tw\PrivacIE
2009-04-26 20:08 <DIR> --dsh--- c:\documents and settings\tw\IECompatCache
2009-04-26 20:04 <DIR> --dsh--- c:\documents and settings\tw\IETldCache
2009-04-26 20:02 <DIR> --d----- c:\windows\ie8updates
2009-04-26 19:59 <DIR> -cd-h--- c:\windows\ie8
2009-04-26 19:57 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-26 18:58 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-26 17:45 138 a------- c:\windows\wininit.ini
2009-04-26 16:04 221,184 a------- c:\windows\system32\wmpns.dll
2009-04-11 13:30 0 a------- c:\windows\Kneniredoxirakip.bin
2009-04-11 13:30 146,944 a------- c:\windows\Dyufulej.dat

==================== Find3M ====================

2009-04-26 23:02 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-26 21:26 15,472 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-20 21:09 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 12:12:29.78 ===============
 
Hi again :)


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
c:\windows\Kneniredoxirakip.bin
c:\windows\Dyufulej.dat

Folder::
c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. How's the system running?
 
Ran ComboFix without problem, was busy installing software and got called into work. Will get back to you later... greatly appreciate your help!!!

Thanks Simone
 
Completed all requested tasks; Kaspersky Online Scanner report, new dds.txt log and ComboFix log follow.

> How's the system running?

Most excellent! I'm hoping that it really is clean now...

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 01, 2009 02:26:58
Records in database: 2115735
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
U:\

Scan statistics:
Files scanned: 69078
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:09:53

No malware has been detected. The scan area is clean.

The selected area was scanned.


dds.txt log
------------

DDS (Ver_09-03-16.01) - NTFSx86
Run by TW at 22:21:12.81 on Thu 04/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.502 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\CPal\CPBrWtch.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CPal\CPal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\TW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Cookie Pal] "c:\program files\cpal\CPBrWtch.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EPSON Stylus CX6600 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229373649531
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229371973000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-30 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-4 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-4 27656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-26 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]

=============== Created Last 30 ================

2009-04-30 11:29 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-30 11:27 <DIR> --d----- c:\docume~1\tw\applic~1\Foxit
2009-04-30 11:27 <DIR> --d----- c:\program files\Foxit Software
2009-04-30 11:20 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-30 11:20 <DIR> --d----- c:\program files\Lavasoft
2009-04-30 10:49 <DIR> --d----- C:\ComboFix
2009-04-30 01:23 <DIR> --d----- c:\docume~1\tw\applic~1\OpenOffice.org
2009-04-30 01:18 <DIR> --d----- c:\program files\OpenOffice.org 3
2009-04-30 01:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-29 11:52 <DIR> a-dshr-- C:\cmdcons
2009-04-29 11:50 161,792 a------- c:\windows\SWREG.exe
2009-04-29 11:50 98,816 a------- c:\windows\sed.exe
2009-04-27 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-04-26 23:08 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-26 23:02 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-26 20:48 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-26 20:48 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-26 20:48 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-26 20:48 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-26 20:48 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-26 20:48 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-04-26 20:48 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-26 20:29 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-04-26 20:27 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-26 20:26 <DIR> --d----- c:\windows\system32\URTTEMP
2009-04-26 20:17 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-04-26 20:08 <DIR> --dsh--- c:\documents and settings\tw\PrivacIE
2009-04-26 20:08 <DIR> --dsh--- c:\documents and settings\tw\IECompatCache
2009-04-26 20:04 <DIR> --dsh--- c:\documents and settings\tw\IETldCache
2009-04-26 20:02 <DIR> --d----- c:\windows\ie8updates
2009-04-26 19:59 <DIR> -cd-h--- c:\windows\ie8
2009-04-26 19:57 105,984 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-04-26 18:58 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-04-26 17:45 138 a------- c:\windows\wininit.ini
2009-04-26 16:04 221,184 a------- c:\windows\system32\wmpns.dll

==================== Find3M ====================

2009-04-30 01:13 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-26 23:02 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-26 21:26 15,472 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-20 21:09 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-07 19:02 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 04:08 2,189,056 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 22:22:36.17 ===============


ComboFix log
---------------

ComboFix 09-04-29.07 - TW 04/30/2009 10:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.518 [GMT -7:00]
Running from: c:\documents and settings\TW\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\TW\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Dyufulej.dat
c:\windows\Kneniredoxirakip.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}
c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}\chrome.manifest
c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}\chrome\content\_cfg.js
c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}\chrome\content\c.js
c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}\chrome\content\overlay.xul
c:\documents and settings\TW\Local Settings\Application Data\{D1F81526-328C-4EFD-8C9B-9B9E28E1AF58}\install.rdf
c:\windows\Dyufulej.dat
c:\windows\Kneniredoxirakip.bin

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 08:23 . 2009-04-30 08:23 -------- d-----w c:\documents and settings\TW\Application Data\OpenOffice.org
2009-04-30 08:18 . 2009-04-30 08:18 -------- d-----w c:\program files\OpenOffice.org 3
2009-04-27 22:52 . 2009-04-27 22:52 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-27 17:52 . 2009-04-27 17:52 -------- d-----w c:\program files\ERUNT
2009-04-27 06:08 . 2009-04-29 22:39 -------- d--h--w C:\$AVG8.VAULT$
2009-04-27 06:02 . 2009-04-27 06:02 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-27 04:46 . 2009-04-27 04:46 -------- d-----w c:\documents and settings\TW\Local Settings\Application Data\ApplicationHistory
2009-04-27 03:55 . 2009-04-27 03:55 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-27 03:48 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-04-27 03:48 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-27 03:48 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-27 03:48 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-27 03:48 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-04-27 03:48 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-04-27 03:48 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-04-27 03:29 . 2009-04-27 03:29 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-27 03:27 . 2009-04-27 03:27 -------- d-----w c:\windows\system32\LogFiles
2009-04-27 03:26 . 2009-04-27 03:26 -------- d-----w c:\windows\system32\URTTEMP
2009-04-27 03:24 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-27 03:24 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-27 03:24 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-27 03:24 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-27 03:24 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-27 03:24 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-27 03:24 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-27 03:24 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-27 03:24 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-27 03:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-27 03:24 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-27 03:17 . 2008-05-01 14:33 331776 -c----w c:\windows\system32\dllcache\msadce.dll
2009-04-27 03:08 . 2009-04-27 03:08 -------- d-sh--w c:\documents and settings\TW\PrivacIE
2009-04-27 03:08 . 2009-04-27 03:08 -------- d-sh--w c:\documents and settings\TW\IECompatCache
2009-04-27 03:04 . 2009-04-27 03:04 -------- d-sh--w c:\documents and settings\TW\IETldCache
2009-04-27 03:02 . 2009-04-27 03:02 -------- d-----w c:\windows\ie8updates
2009-04-27 02:59 . 2009-04-27 03:01 -------- dc-h--w c:\windows\ie8
2009-04-27 02:57 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-04-27 01:58 . 2009-04-27 01:58 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-26 23:04 . 2009-04-26 23:40 -------- d-----w c:\documents and settings\Administrator
2009-04-21 04:21 . 2009-04-26 22:47 -------- d-----w c:\documents and settings\TW\Local Settings\Application Data\{F4F8E28E-5934-4361-B5A6-886343DEE4A1}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 08:13 . 2008-12-10 23:36 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-27 06:02 . 2008-12-04 09:14 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-27 05:41 . 2008-12-04 08:57 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-27 04:26 . 2008-12-04 09:25 15472 ----a-w c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-04-26 22:48 . 2009-02-24 05:50 -------- d-----w c:\program files\TaxCut08
2009-04-26 22:48 . 2008-12-04 09:59 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-26 22:48 . 2009-03-15 05:02 -------- d-----w c:\program files\Amazon
2009-04-21 04:09 . 2004-08-04 12:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-03-22 22:05 . 2009-02-24 05:52 -------- d-----w c:\program files\DeductionPro 2008
2009-03-12 22:01 . 2009-03-12 22:01 125 ----a-w c:\documents and settings\TW\Local Settings\Application Data\fusioncache.dat
2009-03-12 20:41 . 2008-12-04 09:17 -------- d-----w c:\program files\Kyodai
2009-03-12 20:39 . 2008-12-04 08:54 -------- d-----w c:\program files\Eraser
2009-03-12 06:32 . 2009-03-12 06:32 -------- d-----w c:\program files\MSBuild
2009-03-12 06:32 . 2009-03-12 06:32 -------- d-----w c:\program files\Reference Assemblies
2009-03-08 11:34 . 2004-08-04 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2004-08-04 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2004-08-04 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-07 22:20 . 2009-03-07 22:20 -------- d-----w c:\program files\PDF995
2009-03-07 20:34 . 2009-03-05 20:02 -------- d-----w c:\program files\BOWEP
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 02:02 . 2004-08-03 22:59 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2004-08-04 12:00 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-29_18.58.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-04 09:17 . 2009-04-29 20:23 88590 c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-04-29 20:31 . 2009-04-29 20:31 78487 c:\windows\system32\Adobe\uninstaller.exe
+ 2009-03-19 15:15 . 2009-03-19 15:15 58736 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
- 2008-12-11 19:38 . 2008-12-06 06:25 58736 c:\windows\system32\Adobe\Shockwave 11\SYMCCHECKER.DLL
- 2008-12-11 19:38 . 2008-12-06 06:51 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
+ 2009-03-19 15:43 . 2009-03-19 15:43 94208 c:\windows\system32\Adobe\Shockwave 11\SwMenu.dll
- 2008-12-11 19:38 . 2008-12-06 06:25 52288 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2009-03-19 15:15 . 2009-03-19 15:15 52288 c:\windows\system32\Adobe\Shockwave 11\gtapi.dll
+ 2009-03-19 15:56 . 2009-03-19 15:56 67000 c:\windows\system32\Adobe\Director\SwDnld.exe
- 2008-12-11 19:38 . 2008-12-06 07:01 67000 c:\windows\system32\Adobe\Director\SwDnld.exe
+ 2009-04-30 08:18 . 2009-04-30 08:18 11264 c:\windows\assembly\GAC_MSIL\cli_basetypes\1.0.12.0__ce2cb7e279207b9e\cli_basetypes.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 64000 c:\windows\assembly\GAC_32\cli_cppuhelper\1.0.15.0__ce2cb7e279207b9e\cli_cppuhelper.dll
- 2008-12-11 19:38 . 2008-12-06 06:53 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-03-19 15:45 . 2009-03-19 15:45 9216 c:\windows\system32\Adobe\Shockwave 11\DynaPlayer.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_uretypes\1.1.0.0__ce2cb7e279207b9e\policy.1.0.cli_uretypes.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_ure\15.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_ure.dll
+ 2009-04-30 08:19 . 2009-04-30 08:19 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_oootypes\1.1.0.0__ce2cb7e279207b9e\policy.1.0.cli_oootypes.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 3072 c:\windows\assembly\GAC_MSIL\policy.1.0.cli_basetypes\12.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_basetypes.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 7680 c:\windows\assembly\GAC_MSIL\cli_ure\1.0.15.0__ce2cb7e279207b9e\cli_ure.dll
+ 2009-04-30 08:19 . 2009-04-30 08:19 3072 c:\windows\assembly\GAC_32\policy.1.0.cli_cppuhelper\15.0.0.0__ce2cb7e279207b9e\policy.1.0.cli_cppuhelper.dll
+ 2004-08-04 10:00 . 2009-04-30 08:41 598272 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2009-04-29 06:40 598272 c:\windows\system32\perfh009.dat
+ 2004-08-04 10:00 . 2009-04-30 08:41 115236 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2009-04-29 06:40 115236 c:\windows\system32\perfc009.dat
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2008-12-10 23:36 . 2008-12-10 23:36 148888 c:\windows\system32\javaws.exe
+ 2009-04-30 08:14 . 2009-04-30 08:13 148888 c:\windows\system32\javaws.exe
+ 2009-04-30 08:14 . 2009-04-30 08:13 144792 c:\windows\system32\javaw.exe
- 2008-12-10 23:36 . 2008-12-10 23:36 144792 c:\windows\system32\javaw.exe
- 2008-12-10 23:36 . 2008-12-10 23:36 144792 c:\windows\system32\java.exe
+ 2009-04-30 08:14 . 2009-04-30 08:13 144792 c:\windows\system32\java.exe
+ 2008-12-03 16:26 . 2009-04-30 08:36 121336 c:\windows\system32\FNTCACHE.DAT
+ 2009-03-19 15:43 . 2009-03-19 15:43 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
- 2008-12-11 19:38 . 2008-12-06 06:51 114688 c:\windows\system32\Adobe\Shockwave 11\SwInit.exe
+ 2009-03-19 15:55 . 2009-03-19 15:55 460216 c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150595.exe
+ 2009-03-19 15:46 . 2009-03-19 15:46 442368 c:\windows\system32\Adobe\Shockwave 11\Proj.dll
+ 2009-03-19 15:44 . 2009-03-19 15:44 376832 c:\windows\system32\Adobe\Shockwave 11\Plugin.dll
+ 2009-03-19 15:15 . 2009-03-19 15:15 704000 c:\windows\system32\Adobe\Shockwave 11\gi.dll
+ 2009-03-19 15:45 . 2009-03-19 15:45 614400 c:\windows\system32\Adobe\Shockwave 11\Control.dll
+ 2009-03-19 15:55 . 2009-03-19 15:55 202168 c:\windows\system32\Adobe\Director\SwDir.dll
- 2008-12-11 19:38 . 2008-12-06 07:01 202168 c:\windows\system32\Adobe\Director\swdir.dll
+ 2009-03-19 15:45 . 2009-03-19 15:45 131072 c:\windows\system32\Adobe\Director\np32dsw.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 114688 c:\windows\assembly\GAC_MSIL\cli_uretypes\1.0.1.0__ce2cb7e279207b9e\cli_uretypes.dll
+ 2009-04-30 08:18 . 2009-04-30 08:18 823296 c:\windows\assembly\GAC_MSIL\cli_oootypes\1.0.1.0__ce2cb7e279207b9e\cli_oootypes.dll
+ 2009-03-19 15:20 . 2009-03-19 15:20 1011712 c:\windows\system32\Adobe\Shockwave 11\iml32.dll
+ 2009-03-19 15:15 . 2009-03-19 15:15 1145896 c:\windows\system32\Adobe\Shockwave 11\gt.exe
- 2008-12-11 19:38 . 2008-12-06 06:25 1145896 c:\windows\system32\Adobe\Shockwave 11\gt.exe
+ 2009-03-19 15:24 . 2009-03-19 15:24 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
- 2008-12-11 19:38 . 2008-12-06 06:33 1798144 c:\windows\system32\Adobe\Shockwave 11\dirapi.dll
+ 2009-04-30 08:19 . 2009-04-30 08:19 7424000 c:\windows\Installer\{92B79901-C57D-409F-8D2F-4E5337383569}\soffice.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-12-04 160592]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cookie Pal"="c:\program files\CPal\CPBrWtch.exe" [2002-07-24 20523]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"EPSON Stylus CX6600 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE" [2004-03-01 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-27 1932568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-26 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-30 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-27 06:02 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-27 325640]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-27 298264]


--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 10:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(576)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-30 10:53
ComboFix-quarantined-files.txt 2009-04-30 17:53
ComboFix2.txt 2009-04-29 19:00

Pre-Run: 8,856,788,992 bytes free
Post-Run: 8,850,718,720 bytes free

216
 
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

You may delete dds.scr file and related logs too.




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top