
Malwarebytes

Malware Doctor recurrent infection with monitoring on


6 replies to this topic

#1
jterhag

    New Member

  • Members
  • 4 posts
Hello - here are the log files for HijackThis and Malwarebytes... Malware Doctor continues to infect the system with the Monitoring function on.

Malwarebytes' Anti-Malware 1.36
Database version: 2158
Windows 5.1.2600 Service Pack 3

5/22/2009 11:05:06 AM
mbam-log-2009-05-22 (11-05-06).txt

Scan type: Quick Scan
Objects scanned: 88043
Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Johnny\protect.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Johnny\protect.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnny\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Johnny\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:57 AM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneNss.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
\?\globalroot\C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb127\Dealio.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-18\..\Run: [SYS32DLL] SYS32DLL (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [svc] c:\program Files\ThunMail\testabd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [SYS32DLL] SYS32DLL (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb127\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....026/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O18 - Protocol: bw+0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: offline-8876480 - {51A40AF8-9ECC-4004-A417-C2EAA08BAB23} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL C:\WINDOWS\system32\nibatapu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 25671 bytes

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Also, please uninstall the Dealio Toolbar and the Ask Toolbar, for the same reason. Neither is recommended.

And I notice from your log that there's more than one antivirus installed: AVG and Symantec.
Never install more than one antivirus and firewall! Rather than giving you extra protection, it will seriously decrease their reliability!
The reason for this is that if both products have their automatic (real-time) protection switched on, your system may lock up because both software products attempt to access the same file at the same time.
Also, because multiple antivirus and firewall products are not compatible with each other, they can cause system performance problems and a serious system slowdown.

So you have to make a decision here: keep the antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.
I'm not sure whether you have purchased Spyware Doctor, but if you haven't, I suggest you uninstall it as well.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.
Mieke Verburgh
Assistant Director of Research


#3
jterhag

    New Member

  • Members
  • 4 posts
Hello - thanks so much for all of the useful information. Here is the ComboFix log file.

ComboFix 09-05-23.04 - Johnny 05/23/2009 15:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1524 [GMT -7:00]
Running from: c:\documents and settings\Johnny\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Johnny\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\Johnny\protect.dll
c:\documents and settings\Johnny\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Johnny\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\Application Data\1055860099.exe
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\protect.dll
c:\windows\install.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\drivers\ovfsthjkwpunpdncxrujovmtmvxqhtjbqvxqma.sys
c:\windows\system32\lmn_setup.exe
c:\windows\system32\odiyivah.ini
c:\windows\system32\ovfsthdbojqtfbpptfvuqsaqmlxehtpotgdyih.dat
c:\windows\system32\ovfsthmxpuyjgpulgruyrwckxggumwvhiodgqj.dat
c:\windows\system32\ovfsthoxlnewwklrtosadxqtphoxogobuoixfi.dll
c:\windows\system32\ovfsthpabiefbnkxiyyuqduspbmoetpmymkgrj.dll
c:\windows\system32\ovfsthpdrqebdvbrdrqaixhhpykniajjvcbduy.dll
c:\windows\system32\sft.res
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthtlwlnklvrjntymrrnskbgrqlxetewsrs
-------\Legacy_ASHEVTSVC
-------\Service_AshEvtSvc


((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-22 18:00 . 2009-05-22 18:00 -------- d-----w c:\program files\Trend Micro
2009-05-22 15:21 . 2009-05-22 15:21 32768 ----a-w c:\windows\system32\avast!Antivirus.exe
2009-05-21 18:35 . 2009-05-21 18:35 136 ----a-w c:\windows\system32\vp_setup.exe.bat
2009-05-21 18:20 . 2009-05-21 18:20 29184 ----a-w c:\windows\system32\lklf32.dll
2009-05-21 18:11 . 2009-05-21 18:11 390664 ----a-w c:\documents and settings\Johnny\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-21 18:07 . 2009-05-23 20:54 29184 ----a-w c:\windows\system32\jhxm32.dll
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Johnny\Application Data\Malwarebytes
2009-05-20 17:39 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-20 17:39 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 19:17 . 2009-05-12 16:14 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-18 19:17 . 2009-05-12 16:14 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-18 19:17 . 2009-05-12 16:13 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-18 19:17 . 2009-05-12 16:13 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-18 19:17 . 2009-05-12 16:13 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-18 19:17 . 2009-05-12 16:14 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-18 19:16 . 2009-05-12 16:13 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-18 19:16 . 2009-05-12 16:13 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-17 16:33 . 2009-05-17 16:33 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2009-05-17 16:32 . 2009-05-17 16:32 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Creative
2009-05-07 02:39 . 2009-05-09 03:06 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-05-07 02:39 . 2009-05-09 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-07 02:39 . 2009-05-07 02:39 -------- d-----w c:\program files\Common Files\iS3
2009-05-02 17:45 . 2009-05-02 17:45 -------- d-----w c:\program files\Safari
2009-04-29 06:43 . 2008-04-14 00:12 23552 ----a-w c:\windows\system32\wdmaud.drv
2009-04-29 06:43 . 2008-04-13 18:45 49408 ----a-w c:\windows\system32\drivers\stream.sys
2009-04-29 06:43 . 2008-04-14 00:11 4096 ----a-w c:\windows\system32\ksuser.dll
2009-04-29 06:43 . 2008-04-13 19:19 146048 ----a-w c:\windows\system32\drivers\portcls.sys
2009-04-29 06:43 . 2008-04-13 19:16 141056 ----a-w c:\windows\system32\drivers\ks.sys
2009-04-29 06:43 . 2008-04-13 18:45 60160 ----a-w c:\windows\system32\drivers\drmk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 22:42 . 2009-04-22 18:18 -------- d-----w c:\program files\PeerGuardian2
2009-05-23 22:11 . 2009-04-16 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-23 21:50 . 2007-07-01 16:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-23 21:48 . 2007-07-01 16:47 -------- d-----w c:\program files\Symantec
2009-05-23 21:45 . 2008-10-31 19:50 -------- d-----w c:\program files\Norton Security Scan
2009-05-23 21:44 . 2008-07-06 21:11 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-23 21:39 . 2007-11-05 06:36 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-23 05:09 . 2008-07-06 21:07 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-21 18:17 . 2009-04-14 18:21 -------- d-----w c:\documents and settings\Johnny\Application Data\DNA
2009-05-21 18:06 . 2009-04-14 18:21 -------- d-----w c:\program files\DNA
2009-05-20 22:57 . 2008-06-18 20:32 -------- d-----w c:\documents and settings\Johnny\Application Data\OpenOffice.org2
2009-05-12 16:14 . 2009-04-16 21:40 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-12 16:14 . 2009-04-16 21:40 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-12 16:14 . 2009-04-16 21:39 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-12 16:14 . 2009-04-16 21:40 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 00:24 . 2006-09-13 01:17 -------- d-----w c:\program files\PC Wizard 2006
2009-04-23 19:14 . 2006-09-05 07:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-23 18:49 . 2007-02-02 15:43 -------- d-----w c:\documents and settings\Johnny\Application Data\Apple Computer
2009-04-23 16:28 . 2008-11-29 00:07 -------- d-----w c:\program files\ATI
2009-04-23 07:30 . 2009-04-23 07:30 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-04-23 07:14 . 2008-11-28 23:02 -------- d-----w c:\program files\ATI Technologies
2009-04-22 20:33 . 2009-04-14 18:22 -------- d-----w c:\documents and settings\Johnny\Application Data\BitTorrent
2009-04-22 18:33 . 2009-04-22 17:21 -------- d-----w c:\program files\RegCure
2009-04-22 16:57 . 2006-09-07 16:30 1984 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-16 21:39 . 2009-04-16 21:39 -------- d-----w c:\documents and settings\Johnny\Application Data\AVGTOOLBAR
2009-04-16 21:39 . 2009-04-16 21:39 -------- d-----w c:\program files\AVG
2009-04-16 18:12 . 2009-04-16 18:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-04-16 18:08 . 2009-04-16 18:08 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-16 04:15 . 2009-04-16 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\JpegSizer
2009-04-16 04:15 . 2009-04-16 04:15 -------- d-----w c:\program files\JpegSizer 6
2009-04-14 18:22 . 2009-04-14 18:21 -------- d-----w c:\program files\BitTorrent
2009-04-07 18:41 . 2006-09-08 00:42 -------- d-----w c:\program files\Common Files\Adobe
2009-03-28 04:23 . 2009-03-28 04:23 18648 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-24 18:40 . 2008-06-18 20:33 1 ----a-w c:\documents and settings\Johnny\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-03-18 04:05 . 2008-11-29 00:06 593920 ------w c:\windows\system32\ati2sgag.exe
2009-03-16 21:33 . 2008-08-23 09:16 3597312 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-03-16 20:27 . 2008-10-29 02:23 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-03-16 20:26 . 2008-08-23 09:16 328704 ----a-w c:\windows\system32\ati2dvag.dll
2009-03-16 20:17 . 2008-10-29 01:49 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-03-16 20:17 . 2008-10-29 02:11 204800 ----a-w c:\windows\system32\atipdlxx.dll
2009-03-16 20:16 . 2008-10-29 02:11 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-03-16 20:16 . 2008-10-29 02:11 26112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-03-16 20:16 . 2008-10-29 02:11 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-03-16 20:16 . 2008-10-29 02:10 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-03-16 20:15 . 2008-10-29 02:09 602112 ----a-w c:\windows\system32\ati2evxx.exe
2009-03-16 20:13 . 2008-10-29 02:07 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-03-16 20:06 . 2008-08-23 09:16 3820736 ----a-w c:\windows\system32\ati3duag.dll
2009-03-16 20:04 . 2008-10-29 02:10 11563008 ----a-w c:\windows\system32\atioglxx.dll
2009-03-16 19:53 . 2008-08-23 09:16 2675328 ----a-w c:\windows\system32\ativvaxx.dll
2009-03-16 19:40 . 2009-03-16 19:40 49664 ----a-w c:\windows\system32\atimpc32.dll
2009-03-16 19:40 . 2008-10-29 01:25 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-03-16 19:36 . 2008-10-29 01:21 475136 ----a-w c:\windows\system32\atikvmag.dll
2009-03-16 19:35 . 2008-10-29 01:18 303104 ----a-w c:\windows\system32\atiok3x2.dll
2009-03-16 19:35 . 2009-03-16 19:35 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-03-16 19:35 . 2008-10-29 01:19 131072 ----a-w c:\windows\system32\atiadlxx.dll
2009-03-16 19:34 . 2009-03-16 19:34 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-03-16 19:34 . 2008-10-29 01:19 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-03-16 19:34 . 2008-10-29 01:18 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-03-16 19:33 . 2009-03-16 19:33 3264512 ----a-w c:\windows\system32\aticaldd.dll
2009-03-16 19:28 . 2008-08-23 09:16 630784 ----a-w c:\windows\system32\ati2cqag.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 19:56 . 2009-03-03 19:56 118784 ----a-w c:\windows\system32\atibtmon.exe
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 21:39 . 2008-08-14 17:42 184394 ----a-w c:\windows\system32\atiicdxx.dat
2008-10-05 05:18 . 2008-07-06 21:31 2568551 ----a-w c:\program files\ssapi.log
2008-10-05 04:43 . 2008-10-05 03:37 4000043 ----a-w c:\program files\ssapi.log.bak
2008-07-06 21:07 . 2008-07-06 21:07 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-21 19:54 . 2009-01-21 19:54 28488 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-21 19:54 . 2009-01-21 19:54 183696 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-21 19:54 . 2009-01-21 19:54 99216 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
2009-05-23 20:54 29184 ----a-w c:\windows\system32\jhxm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 58488]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-29 136600]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-12 1947928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-17 90112]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-02-21 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-21 19456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-12 16:14 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Johnny^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Johnny\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PerfectOptimizer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1194247461\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"j:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"j:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [1/25/2007 8:57 PM 215856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/16/2009 2:40 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/16/2009 2:40 PM 108552]
R2 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/16/2009 2:39 PM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/16/2009 2:39 PM 298776]
R3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [7/23/2007 10:56 AM 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [3/20/2007 12:49 PM 18432]
R3 HabuFltr;Habu Mouse;c:\windows\system32\drivers\habu.sys [9/3/2008 7:33 PM 27776]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/20/2009 10:39 AM 15504]
R3 vhidmini;Virtual Hid Device;c:\windows\system32\drivers\vhidmini.sys [5/27/2008 1:21 PM 12672]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/20/2009 10:39 AM 179856]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/6/2008 2:07 PM 29744]
S3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [6/13/2008 2:37 PM 48896]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [5/27/2008 1:57 PM 14592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-06 05:31]

2009-05-23 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Johnny.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-20 22:32]

2009-05-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for Johnny.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-20 22:32]

2009-05-23 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-02-14 06:20]

2009-05-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-02-14 06:20]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-svc - c:\program files\ThunMail\testabd.exe
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Johnny\Application Data\Mozilla\Firefox\Profiles\swwqcbio.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.blizzard.com/us/jobopp/csr.html
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-23 15:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3792)
c:\windows\system32\ctagent.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\AOL\acs\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\avast!Antivirus.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\Zune\ZuneNss.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CTxfispi.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
c:\program files\Creative\ShareDLL\CADI\NotiMan.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-05-23 15:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-23 22:44

Pre-Run: 74,609,381,376 bytes free
Post-Run: 74,688,598,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional Edition" /fastdetect /noexecute=optin /usepmtimer
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

338 --- E O F --- 2009-05-14 16:16

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
* Open Notepad - don't use any other text editor than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Quote

File::
c:\windows\system32\SelfDel.bat
Collect::[8]
c:\windows\system32\jhxm32.dll
c:\windows\system32\lklf32.dll
c:\windows\system32\vp_setup.exe.bat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingc...e.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.


After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research

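The CFScript in the post above was written by hand from the log, and the three files it sends to Collect:: are exactly the ones that stand out in the "Files Created" block: two four-letter consonant-only "xxxx32.dll" names in system32 created a day before the BHO appeared, and a ".exe.bat" double extension. As an added example (not ComboFix's code and not the helper's own script), the Python below parses the "Files Created" and "Reg Loading Points" blocks of a ComboFix log, flags entries with a few heuristics chosen for this example (consonant-only xxxx32.dll stems in system32, double extensions such as .exe.bat, executables under a service-account profile such as LocalService or config\systemprofile), and drafts the File:: / Collect::[8] / Registry:: sections in the same layout. The sample input is excerpted from the log posted above; the heuristics, the function names, and the rule that a heuristic hit goes to Collect:: for submission rather than to File:: for deletion are assumptions made here.

```python
"""Triage a ComboFix log and draft a CFScript for the suspicious entries.

Added example for this thread, not ComboFix's own code or the helper's script.
The heuristics are assumptions chosen for illustration: a four-letter
consonant-only stem before "32.dll" in system32, a double extension such as
".exe.bat", or an executable sitting in a service-account profile.  Flagged
files go to Collect:: (submit, do not just delete); a BHO whose DLL is flagged
gets its key listed under Registry:: for removal, as in the posted script.
"""
import re

# Sample input: lines excerpted verbatim from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-22 18:00 . 2009-05-22 18:00 -------- d-----w c:\program files\Trend Micro
2009-05-21 18:35 . 2009-05-21 18:35 136 ----a-w c:\windows\system32\vp_setup.exe.bat
2009-05-21 18:20 . 2009-05-21 18:20 29184 ----a-w c:\windows\system32\lklf32.dll
2009-05-21 18:07 . 2009-05-23 20:54 29184 ----a-w c:\windows\system32\jhxm32.dll
2009-05-20 17:39 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 18:08 . 2009-04-16 18:08 155 ----a-w c:\windows\system32\SelfDel.bat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
2009-05-23 20:54 29184 ----a-w c:\windows\system32\jhxm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"""

# "created . modified size attrs path" lines of the Files Created section.
FILE_CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+?)\s*$")
# BHO key header and the "date time size attrs path" line that follows it.
BHO_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]+\})\]$")
BHO_DLL = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \S+ \S+ (.+?)\s*$")

# Heuristics (assumptions for this example, not rules ComboFix itself applies).
RANDOM_STEM = re.compile(r"\\system32\\([a-z]{4})32\.dll$", re.I)
DOUBLE_EXT = re.compile(r"\.(?:exe|dll|sys)\.(?:bat|cmd|vbs|js)$", re.I)
SERVICE_PROFILE = re.compile(
    r"\\(?:LocalService|NetworkService|config\\systemprofile)\\.*\.(?:exe|dll)$", re.I)
VOWELS = set("aeiouy")


def why_suspicious(path):
    """Return a short reason if the path trips a heuristic, else None."""
    m = RANDOM_STEM.search(path)
    if m and not (set(m.group(1).lower()) & VOWELS):
        return "consonant-only xxxx32.dll in system32"   # jhxm32.dll yes, user32.dll no
    if DOUBLE_EXT.search(path):
        return "double extension"
    if SERVICE_PROFILE.search(path):
        return "executable in a service-account profile"
    return None


def triage(log_text):
    """Walk the log once; return files to collect, BHO keys to remove, and why."""
    collect, registry, reasons = [], [], {}
    pending_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if pending_key and line:                 # line right after a BHO key header
            m = BHO_DLL.match(line)
            if m:
                dll = m.group(1)
                reason = reasons.get(dll) or why_suspicious(dll)
                if reason:
                    if dll not in collect:
                        collect.append(dll)
                        reasons[dll] = reason
                    registry.append(pending_key)  # drop the BHO that loads the DLL
            pending_key = None
            continue
        m = BHO_KEY.match(line)
        if m:
            pending_key = m.group(1)
            continue
        m = FILE_CREATED.match(line)
        if m:
            path, reason = m.group(1), why_suspicious(m.group(1))
            if reason and path not in collect:
                collect.append(path)
                reasons[path] = reason
    return {"collect": collect, "registry": registry, "reasons": reasons}


def render_cfscript(findings, delete=()):
    """Emit the File:: / Collect::[8] / Registry:: layout used in the posted script.

    `delete` is the operator's explicit list for File::; nothing is deleted on a
    heuristic alone.  The "[8]" tag on Collect:: is reproduced from the posted
    script, not interpreted here.
    """
    out = []
    if delete:
        out += ["File::", *delete]
    if findings["collect"]:
        out += ["Collect::[8]", *findings["collect"]]
    if findings["registry"]:
        out += ["Registry::", *(f"[-{k}]" for k in findings["registry"])]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for path, reason in found["reasons"].items():
        print(f"{reason:42} {path}")
    print(render_cfscript(found, delete=[r"c:\windows\system32\SelfDel.bat"]))
```

Run against the excerpt, the draft lists vp_setup.exe.bat, lklf32.dll and jhxm32.dll under Collect::[8] and the {F30B5E7E-...} BHO key under Registry::, matching the script in the post; SelfDel.bat is only emitted under File:: because the operator passed it in, since a plain .bat trips none of the heuristics. The heuristics are deliberately narrow: user32.dll has vowels in its stem and is not flagged, and a file is never deleted on a pattern match alone, only collected for analysis.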

#5
jterhag

    New Member

  • Members
  • 4 posts
Here are the contents of the latest ComboFix file:

ComboFix 09-05-24.01 - Johnny 05/24/2009 13:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2366 [GMT -7:00]
Running from: c:\documents and settings\Johnny\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Johnny\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
* Created a new restore point

FILE ::
c:\windows\system32\SelfDel.bat

file zipped: c:\windows\system32\vp_setup.exe.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\SelfDel.bat
c:\windows\system32\vp_setup.exe.bat

.
((((((((((((((((((((((((( Files Created from 2009-04-24 to 2009-05-24 )))))))))))))))))))))))))))))))
.

2009-05-22 18:00 . 2009-05-22 18:00 -------- d-----w c:\program files\Trend Micro
2009-05-22 15:21 . 2009-05-22 15:21 32768 ----a-w c:\windows\system32\avast!Antivirus.exe
2009-05-21 18:11 . 2009-05-21 18:11 390664 ----a-w c:\documents and settings\Johnny\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Johnny\Application Data\Malwarebytes
2009-05-20 17:39 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-20 17:39 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-18 19:17 . 2009-05-12 16:14 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-18 19:17 . 2009-05-12 16:14 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-18 19:17 . 2009-05-12 16:13 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-18 19:17 . 2009-05-12 16:13 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-18 19:17 . 2009-05-12 16:13 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-18 19:17 . 2009-05-12 16:14 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-18 19:16 . 2009-05-12 16:13 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-18 19:16 . 2009-05-12 16:13 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-05-17 16:33 . 2009-05-17 16:33 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\ATI
2009-05-17 16:32 . 2009-05-17 16:32 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Creative
2009-05-07 02:39 . 2009-05-09 03:06 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-05-07 02:39 . 2009-05-09 17:40 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-07 02:39 . 2009-05-07 02:39 -------- d-----w c:\program files\Common Files\iS3
2009-05-02 17:45 . 2009-05-02 17:45 -------- d-----w c:\program files\Safari
2009-04-29 06:43 . 2008-04-14 00:12 23552 ----a-w c:\windows\system32\wdmaud.drv
2009-04-29 06:43 . 2008-04-13 18:45 49408 ----a-w c:\windows\system32\drivers\stream.sys
2009-04-29 06:43 . 2008-04-14 00:11 4096 ----a-w c:\windows\system32\ksuser.dll
2009-04-29 06:43 . 2008-04-13 19:19 146048 ----a-w c:\windows\system32\drivers\portcls.sys
2009-04-29 06:43 . 2008-04-13 19:16 141056 ----a-w c:\windows\system32\drivers\ks.sys
2009-04-29 06:43 . 2008-04-13 18:45 60160 ----a-w c:\windows\system32\drivers\drmk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-24 16:11 . 2009-04-22 18:18 -------- d-----w c:\program files\PeerGuardian2
2009-05-24 06:10 . 2008-07-06 21:07 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-23 22:11 . 2009-04-16 21:39 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-23 21:50 . 2007-07-01 16:47 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-23 21:48 . 2007-07-01 16:47 -------- d-----w c:\program files\Symantec
2009-05-23 21:45 . 2008-10-31 19:50 -------- d-----w c:\program files\Norton Security Scan
2009-05-23 21:44 . 2008-07-06 21:11 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-23 21:39 . 2007-11-05 06:36 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-05-21 18:17 . 2009-04-14 18:21 -------- d-----w c:\documents and settings\Johnny\Application Data\DNA
2009-05-21 18:06 . 2009-04-14 18:21 -------- d-----w c:\program files\DNA
2009-05-20 22:57 . 2008-06-18 20:32 -------- d-----w c:\documents and settings\Johnny\Application Data\OpenOffice.org2
2009-05-12 16:14 . 2009-04-16 21:40 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-12 16:14 . 2009-04-16 21:40 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-12 16:14 . 2009-04-16 21:39 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-12 16:14 . 2009-04-16 21:40 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-07 00:24 . 2006-09-13 01:17 -------- d-----w c:\program files\PC Wizard 2006
2009-04-23 19:14 . 2006-09-05 07:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-23 18:49 . 2007-02-02 15:43 -------- d-----w c:\documents and settings\Johnny\Application Data\Apple Computer
2009-04-23 16:28 . 2008-11-29 00:07 -------- d-----w c:\program files\ATI
2009-04-23 07:30 . 2009-04-23 07:30 -------- d-----w c:\documents and settings\All Users\Application Data\ATI
2009-04-23 07:14 . 2008-11-28 23:02 -------- d-----w c:\program files\ATI Technologies
2009-04-22 20:33 . 2009-04-14 18:22 -------- d-----w c:\documents and settings\Johnny\Application Data\BitTorrent
2009-04-22 18:33 . 2009-04-22 17:21 -------- d-----w c:\program files\RegCure
2009-04-22 16:57 . 2006-09-07 16:30 1984 ----a-w c:\windows\system32\d3d9caps.dat
2009-04-16 21:39 . 2009-04-16 21:39 -------- d-----w c:\documents and settings\Johnny\Application Data\AVGTOOLBAR
2009-04-16 21:39 . 2009-04-16 21:39 -------- d-----w c:\program files\AVG
2009-04-16 18:12 . 2009-04-16 18:12 -------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2009-04-16 04:15 . 2009-04-16 04:15 -------- d-----w c:\documents and settings\All Users\Application Data\JpegSizer
2009-04-16 04:15 . 2009-04-16 04:15 -------- d-----w c:\program files\JpegSizer 6
2009-04-14 18:22 . 2009-04-14 18:21 -------- d-----w c:\program files\BitTorrent
2009-04-07 18:41 . 2006-09-08 00:42 -------- d-----w c:\program files\Common Files\Adobe
2009-03-28 04:23 . 2009-03-28 04:23 18648 ---ha-w c:\windows\system32\mlfcache.dat
2009-03-24 18:40 . 2008-06-18 20:33 1 ----a-w c:\documents and settings\Johnny\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-03-18 04:05 . 2008-11-29 00:06 593920 ------w c:\windows\system32\ati2sgag.exe
2009-03-16 21:33 . 2008-08-23 09:16 3597312 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2009-03-16 20:27 . 2008-10-29 02:23 442368 ----a-w c:\windows\system32\ATIDEMGX.dll
2009-03-16 20:26 . 2008-08-23 09:16 328704 ----a-w c:\windows\system32\ati2dvag.dll
2009-03-16 20:17 . 2008-10-29 01:49 307200 ----a-w c:\windows\system32\atiiiexx.dll
2009-03-16 20:17 . 2008-10-29 02:11 204800 ----a-w c:\windows\system32\atipdlxx.dll
2009-03-16 20:16 . 2008-10-29 02:11 155648 ----a-w c:\windows\system32\Oemdspif.dll
2009-03-16 20:16 . 2008-10-29 02:11 26112 ----a-w c:\windows\system32\Ati2mdxx.exe
2009-03-16 20:16 . 2008-10-29 02:11 43520 ----a-w c:\windows\system32\ati2edxx.dll
2009-03-16 20:16 . 2008-10-29 02:10 155648 ----a-w c:\windows\system32\ati2evxx.dll
2009-03-16 20:15 . 2008-10-29 02:09 602112 ----a-w c:\windows\system32\ati2evxx.exe
2009-03-16 20:13 . 2008-10-29 02:07 53248 ----a-w c:\windows\system32\ATIDDC.DLL
2009-03-16 20:06 . 2008-08-23 09:16 3820736 ----a-w c:\windows\system32\ati3duag.dll
2009-03-16 20:04 . 2008-10-29 02:10 11563008 ----a-w c:\windows\system32\atioglxx.dll
2009-03-16 19:53 . 2008-08-23 09:16 2675328 ----a-w c:\windows\system32\ativvaxx.dll
2009-03-16 19:40 . 2009-03-16 19:40 49664 ----a-w c:\windows\system32\atimpc32.dll
2009-03-16 19:40 . 2008-10-29 01:25 49664 ----a-w c:\windows\system32\amdpcom32.dll
2009-03-16 19:36 . 2008-10-29 01:21 475136 ----a-w c:\windows\system32\atikvmag.dll
2009-03-16 19:35 . 2008-10-29 01:18 303104 ----a-w c:\windows\system32\atiok3x2.dll
2009-03-16 19:35 . 2009-03-16 19:35 45056 ----a-w c:\windows\system32\aticalrt.dll
2009-03-16 19:35 . 2008-10-29 01:19 131072 ----a-w c:\windows\system32\atiadlxx.dll
2009-03-16 19:34 . 2009-03-16 19:34 45056 ----a-w c:\windows\system32\aticalcl.dll
2009-03-16 19:34 . 2008-10-29 01:19 17408 ----a-w c:\windows\system32\atitvo32.dll
2009-03-16 19:34 . 2008-10-29 01:18 53248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2009-03-16 19:33 . 2009-03-16 19:33 3264512 ----a-w c:\windows\system32\aticaldd.dll
2009-03-16 19:28 . 2008-08-23 09:16 630784 ----a-w c:\windows\system32\ati2cqag.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 19:56 . 2009-03-03 19:56 118784 ----a-w c:\windows\system32\atibtmon.exe
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 21:39 . 2008-08-14 17:42 184394 ----a-w c:\windows\system32\atiicdxx.dat
2008-10-05 05:18 . 2008-07-06 21:31 2568551 ----a-w c:\program files\ssapi.log
2008-10-05 04:43 . 2008-10-05 03:37 4000043 ----a-w c:\program files\ssapi.log.bak
2008-07-06 21:07 . 2008-07-06 21:07 122880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-01-21 19:54 . 2009-01-21 19:54 28488 ----a-w c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-01-21 19:54 . 2009-01-21 19:54 183696 ----a-w c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-01-21 19:54 . 2009-01-21 19:54 99216 ----a-w c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-23_22.41.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-24 16:06 . 2009-05-24 16:06 16384 c:\windows\Temp\Perflib_Perfdata_40c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-01-30 1432064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-08-28 58488]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 77824]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-29 136600]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-06-03 204800]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-12 1947928]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-03-18 61440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-06 185896]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-08-17 90112]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-02-21 19968]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-21 19456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-12 16:14 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Johnny^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\documents and settings\Johnny\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\sandra.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\RpcSandraSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2007.SP1\\Win32\\RpcDataSrv.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Logitech\\Harmony Remote\\PatchHelper.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1194247461\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"j:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"j:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3132r5;SiI-3132 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3132r5.sys [1/25/2007 8:57 PM 215856]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/16/2009 2:40 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/16/2009 2:40 PM 108552]
R2 avast!Antivirus;avast!Antivirus;c:\windows\System32\avast!Antivirus.exe -k netsvcs --> c:\windows\System32\avast!Antivirus.exe -k netsvcs [?]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/16/2009 2:39 PM 298776]
R3 Alpham1;Ideazon Merc USB Human Interface Device;c:\windows\system32\drivers\Alpham1.sys [7/23/2007 10:56 AM 42624]
R3 Alpham2;Ideazon Merc MM USB Human Interface Device;c:\windows\system32\drivers\Alpham2.sys [3/20/2007 12:49 PM 18432]
R3 HabuFltr;Habu Mouse;c:\windows\system32\drivers\habu.sys [9/3/2008 7:33 PM 27776]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/20/2009 10:39 AM 15504]
R3 vhidmini;Virtual Hid Device;c:\windows\system32\drivers\vhidmini.sys [5/27/2008 1:21 PM 12672]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/16/2009 2:39 PM 908568]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/20/2009 10:39 AM 179856]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/6/2008 2:07 PM 29744]
S3 JmtFltr;n52te;c:\windows\system32\drivers\JmtFltr.sys [6/13/2008 2:37 PM 48896]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\drivers\USBICP.sys [5/27/2008 1:57 PM 14592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-06 05:31]

2009-05-24 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Johnny.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-20 22:32]

2009-05-23 c:\windows\Tasks\Malwarebytes' Scheduled Update for Johnny.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-20 22:32]

2009-05-24 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-02-14 06:20]

2009-05-21 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-02-14 06:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Johnny\Application Data\Mozilla\Firefox\Profiles\swwqcbio.default\
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-24 13:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-05-24 13:46
ComboFix-quarantined-files.txt 2009-05-24 20:46
ComboFix2.txt 2009-05-23 22:44

Pre-Run: 74,633,641,984 bytes free
Post-Run: 74,602,242,048 bytes free

265 --- E O F --- 2009-05-14 16:16
Upload was successful

#6
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

Can you submit the following file as well please?

c:\windows\system32\avast!Antivirus.exe

Submit it here: http://www.bleepingc...e.php?channel=8
Mieke Verburgh
Assistant Director of Research

#7
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Due to the lack of feedback, this topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Mieke Verburgh
Assistant Director of Research