mbam.exe is missing from my computer. I tried to uninstall and reinstall the program but I encountered an error. I am also getting this stopsearchclick.com popup. I ran HijackThis and here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:45 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {f9ff7add-5c8b-4ea8-96d1-d1e97e0f5d29} - semasowa.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\yilinetu.dll",a
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\Moshe Spira\Application Data\svcst.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: LAHESUMO.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL jisipopo.dll c:\windows\system32\yilinetu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: gajiliyiy - {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll
O22 - SharedTaskScheduler: tokatiluy - {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 8141 bytes
#1
Posted 09 October 2009 - 07:14 PM
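An added example, not from either poster and not a Trend Micro or Malwarebytes tool: a small Python script that scores HijackThis entries by the load point they use, so the pattern in the log above stands out on its own. The same DLL, yilinetu.dll, is started from a Run key through rundll32, listed in AppInit_DLLs, and registered as both an SSODL and a SharedTaskScheduler object; a nameless BHO points at a missing eight-letter DLL; and an HKCU Run entry launches an .exe out of Application Data. The weights, the eight-lowercase-letter naming heuristic and the SAMPLE_LOG excerpt (constructed in HijackThis's format after the log above, with the profile name replaced) are my assumptions, not anything HijackThis itself does.

```python
"""Score the autostart entries in a HijackThis 2.x log by how they load.

Added example for this thread; not part of the original posts and not a
Trend Micro or Malwarebytes tool.  The weights and the "eight lowercase
letters" naming heuristic are my own assumptions, tuned to the entries in
the poster's log.  SAMPLE_LOG is a constructed excerpt in HijackThis's
format with the profile name replaced, not a verbatim copy of the log.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {f9ff7add-5c8b-4ea8-96d1-d1e97e0f5d29} - semasowa.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\yilinetu.dll",a
O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\User\Application Data\svcst.exe
O20 - AppInit_DLLs: LAHESUMO.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL jisipopo.dll c:\windows\system32\yilinetu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: gajiliyiy - {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll
O22 - SharedTaskScheduler: tokatiluy - {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll
"""

# "O4 - <body>": HijackThis prefixes every entry with its section code.
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
# A module reference: a full drive path or a bare file name ending in .dll/.exe.
MODULE_RE = re.compile(r'(?:[a-z]:\\[^"\s,]*?|[\w~$]+)\.(?:dll|exe)\b', re.I)
# Naming pattern of the family in this thread (assumed): eight lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
HOST_EXES = {"rundll32.exe", "regsvr32.exe"}  # launchers, not the payload itself
RANDOM_NAME_REASON = "pseudo-random eight-letter file name"
MULTI_LOAD_REASON = "same module registered under several load points"


def score_entry(section, body):
    """Return (weight, reason) pairs for one entry; empty means nothing notable."""
    low = body.lower()
    hits = []
    if section == "O2":
        if "(no name)" in low:
            hits.append((2, "BHO registered without a display name"))
        if "(file missing)" in low:
            hits.append((1, "BHO points at a file that is no longer on disk"))
    elif section == "O4":
        if "rundll32" in low:
            hits.append((3, "Run key starts a DLL through rundll32"))
        if "\\application data\\" in low or "\\local settings\\" in low:
            hits.append((2, "autostart binary lives in a user profile data folder"))
    elif section == "O20" and low.startswith("appinit_dlls"):
        hits.append((3, "AppInit_DLLs injects the module into every process that loads user32"))
    elif section in ("O21", "O22"):
        hits.append((2, "loaded by Explorer at logon (SSODL / SharedTaskScheduler)"))
    return hits


def triage(log_text):
    """Group notable entries by lower-cased module basename; return {name: finding}."""
    findings = defaultdict(lambda: {"score": 0, "reasons": [], "sections": set(), "lines": []})
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        hits = score_entry(section, body)
        if not hits:
            continue
        for path in MODULE_RE.findall(body):
            name = path.rsplit("\\", 1)[-1]
            if name.lower() in HOST_EXES:
                continue
            f = findings[name.lower()]
            f["sections"].add(section)
            f["lines"].append(raw.strip())
            for weight, reason in hits:
                f["score"] += weight
                if reason not in f["reasons"]:
                    f["reasons"].append(reason)
            # Naming alone never creates a finding; it only raises an existing one.
            if RANDOM_NAME_RE.match(name) and RANDOM_NAME_REASON not in f["reasons"]:
                f["score"] += 1
                f["reasons"].append(RANDOM_NAME_REASON)
    for f in findings.values():
        if len(f["sections"]) >= 2:
            f["score"] += 2
            f["reasons"].append(MULTI_LOAD_REASON)
    return dict(findings)


def report(findings):
    """Render findings as text, highest score first."""
    out = []
    for name, f in sorted(findings.items(), key=lambda kv: -kv[1]["score"]):
        out.append(f"{f['score']:>3}  {name}  [{', '.join(sorted(f['sections']))}]")
        out.extend(f"       - {reason}" for reason in f["reasons"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it as a script to print the ranking, or call triage() on a whole log read from a file. A high score is a reason to look, not a verdict: Google Desktop's GOEC62~1.DLL lands in the list purely because it sits in AppInit_DLLs, which is exactly the kind of legitimate entry a helper checks before telling someone to delete it, and a bare tray program such as avgtray.exe never appears at all because nothing about its load point is unusual.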
#2
Posted 09 October 2009 - 09:56 PM
Hi there.
Download ComboFix from one of the locations below, and save it to your Desktop as something.exe
Link 1
Link 2
Double click something.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
#3
Posted 12 October 2009 - 07:05 AM
Tigger93, on Oct 9 2009, 05:56 PM, said:
Hi there.
Download ComboFix from one of the locations below, and save it to your Desktop as something.exe
Link 1
Link 2
Double click something.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Ok, I ran both. I hope this works. Thanks so much for your help.
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:00:58 AM, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {f9ff7add-5c8b-4ea8-96d1-d1e97e0f5d29} - rovokoko.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\yilinetu.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\yilinetu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: gajiliyiy - {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll
O21 - SSODL: lijubufaz - {6e91dafa-d2f7-4bef-9020-ead895bf6518} - c:\windows\system32\yilinetu.dll
O22 - SharedTaskScheduler: tokatiluy - {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll
O22 - SharedTaskScheduler: gahurihor - {6e91dafa-d2f7-4bef-9020-ead895bf6518} - c:\windows\system32\yilinetu.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 7314 bytes
ComboFix:
ComboFix 09-10-11.01 - Moshe Spira 10/12/2009 2:50.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.189 [GMT -4:00]
Running from: c:\documents and settings\Moshe Spira\Desktop\something.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\16925225
c:\documents and settings\All Users\Application Data\16925225\16925225.exe
c:\documents and settings\All Users\Application Data\maralixofa.dl
c:\documents and settings\All Users\Application Data\rawize.ban
c:\documents and settings\All Users\Application Data\yqelecep._dl
c:\documents and settings\All Users\Documents\agedaxomuh.bat
c:\documents and settings\All Users\Documents\ketowyli.dll
c:\documents and settings\All Users\Documents\liqulo.reg
c:\documents and settings\Moshe Spira\Application Data\iniasd.txt
c:\documents and settings\Moshe Spira\Application Data\yfyvoryfol.lib
c:\documents and settings\Moshe Spira\Local Settings\Application Data\ikyp.bin
c:\windows\system32\~.exe
c:\windows\system32\fadonidu.dll
c:\windows\system32\honayoto.dll
c:\windows\system32\libinisu.dll
c:\windows\system32\reremeru.dll
c:\windows\system32\tetopamu.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-12 to 2009-10-12 )))))))))))))))))))))))))))))))
.
2009-10-09 22:37 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 22:37 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 22:37 . 2009-10-09 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 18:54 . 2009-10-09 18:54 -------- d-----w- c:\program files\Trend Micro
2009-10-09 18:40 . 2009-10-09 18:40 0 ----a-w- c:\documents and settings\Moshe Spira\settings.dat
2009-10-08 03:49 . 2009-10-12 06:56 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-10-07 19:36 . 2009-10-07 19:36 42114 ----a-w- C:\xyxqavq.exe
2009-10-07 15:45 . 2009-10-07 15:47 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\muvee Technologies
2009-10-07 01:49 . 2009-10-07 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\SUPERAntiSpyware.com
2009-10-07 01:47 . 2009-10-07 01:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 01:44 . 2009-10-07 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 01:44 . 2009-10-07 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Malwarebytes
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 00:56 . 2009-10-07 19:36 8704 ----a-w- C:\cgcxo.exe
2009-10-07 00:48 . 2009-10-09 21:21 -------- d-----w- C:\$AVG8.VAULT$
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-06 21:52 . 2009-10-12 00:13 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\program files\AVG
2009-10-06 21:20 . 2009-10-06 21:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 14:36 . 2009-10-06 14:36 -------- d-sh--w- c:\documents and settings\Moshe Spira\IECompatCache
2009-10-06 05:41 . 2009-10-06 05:41 -------- d-----w- c:\program files\MSXML 4.0
2009-10-06 05:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-06 05:21 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-06 05:21 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-06 05:21 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-06 05:21 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-06 05:21 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-06 05:21 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-06 05:21 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-06 05:21 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-06 05:21 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-06 05:21 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-06 05:21 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-06 05:21 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-06 05:20 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-06 05:19 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-06 05:18 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-06 03:51 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-06 03:48 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-06 03:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-06 03:46 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-06 03:45 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-06 03:44 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-06 03:43 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-06 03:43 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-06 02:45 . 2009-10-06 02:45 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AdobeUM
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Adobe
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-06 00:32 . 2009-10-06 02:44 -------- d-----w- C:\Davar
2009-10-06 00:24 . 2009-10-06 21:52 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Kaluach 3
2009-10-06 00:23 . 2009-10-06 00:24 -------- d-----w- c:\program files\Kaluach3
2009-10-06 00:16 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-06 00:12 . 2009-10-06 02:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-06 00:11 . 2009-10-06 00:11 -------- d-----w- c:\program files\MSBuild
2009-10-06 00:06 . 2009-10-06 00:06 -------- d-----w- c:\program files\Microsoft.NET
2009-10-06 00:00 . 2009-10-06 00:09 -------- d-----w- c:\windows\SHELLNEW
2009-10-05 23:59 . 2009-10-05 23:59 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Microsoft Help
2009-10-05 23:59 . 2009-10-07 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-05 23:58 . 2009-10-05 23:58 -------- d-----r- C:\MSOCache
2009-10-05 21:43 . 2009-10-05 21:43 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Google
2009-10-05 21:42 . 2009-10-05 21:42 -------- d-----w- c:\program files\Google
2009-10-05 20:33 . 2006-11-14 20:21 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-10-05 20:33 . 2006-11-14 19:41 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-05 20:33 . 2006-11-14 19:40 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-05 20:33 . 2006-11-14 19:40 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-05 20:33 . 2006-11-14 19:34 199040 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-05 20:33 . 2009-10-05 20:33 -------- d-----w- c:\program files\Synaptics
2009-10-05 20:14 . 2009-10-05 20:14 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-05 20:10 . 2009-10-05 20:12 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-05 20:10 . 2009-10-05 20:10 -------- d-----w- c:\windows\system32\LogFiles
2009-10-05 19:53 . 2009-10-05 19:53 -------- d-----w- c:\program files\ATI Technologies
2009-10-05 19:51 . 2009-10-05 20:32 -------- d-----w- C:\swsetup
2009-10-05 19:37 . 2009-10-05 19:37 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\MSNInstaller
2009-10-05 18:58 . 2009-10-05 18:58 -------- d-sh--w- c:\documents and settings\Moshe Spira\PrivacIE
2009-10-05 18:57 . 2009-10-05 18:57 -------- d-sh--w- c:\documents and settings\Moshe Spira\IETldCache
2009-10-05 18:53 . 2009-10-06 05:44 -------- d-----w- c:\windows\ie8updates
2009-10-05 18:50 . 2009-10-05 18:51 -------- dc-h--w- c:\windows\ie8
2009-10-05 18:46 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-05 18:46 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-05 18:45 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-05 18:45 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-05 18:45 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-05 18:45 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-05 17:06 . 2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 17:06 . 2009-10-05 17:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 17:06 . 2009-10-05 17:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 17:06 . 2009-10-05 17:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 17:05 . 2009-10-06 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-05 17:01 . 2009-10-05 17:01 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AVG8
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-sh--w- c:\windows\ftpcache
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\scripting
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\l2schemas
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\en
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\bits
2009-10-02 22:15 . 2009-10-02 22:15 -------- d-----w- c:\windows\ServicePackFiles
2009-10-02 22:08 . 2009-10-02 22:08 -------- d-----w- c:\windows\EHome
2009-10-02 21:51 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-10-02 20:23 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-02 20:23 . 2009-10-06 05:44 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 20:07 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 20:06 . 2009-10-02 20:06 -------- d-sh--w- c:\documents and settings\Moshe Spira\UserData
2009-10-02 20:05 . 2005-03-10 09:41 176128 ------w- c:\windows\system32\bcmwlu00.EXE
2009-10-02 20:05 . 2005-03-10 09:41 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2009-10-02 20:05 . 2005-03-10 09:41 371712 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2009-10-02 19:02 . 2009-10-02 19:02 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-02 19:02 . 2004-12-07 14:46 425984 ----a-w- c:\windows\system32\hpqPres.dll
2009-10-02 19:02 . 2004-12-07 14:45 65536 ----a-w- c:\windows\system32\hpqactn.dll
2009-10-02 19:02 . 2004-12-01 16:46 32768 ----a-w- c:\windows\system32\eabhbrn8.dll
2009-10-02 19:02 . 2004-12-01 16:45 225280 ----a-w- c:\windows\system32\cpqinfo.dll
2009-10-02 18:58 . 2009-10-02 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Apple Computer
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Apple Computer
2009-10-02 18:53 . 1999-11-10 16:05 86016 ----a-w- c:\windows\unvise32qt.exe
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\windows\system32\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\iPod
2009-10-02 18:52 . 2009-10-02 18:53 -------- d-----w- c:\program files\iTunes
2009-10-02 18:52 . 2009-10-02 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-02 18:52 . 2009-10-05 16:57 -------- d-----w- c:\windows\Downloaded Installations
2009-10-02 18:51 . 2009-10-06 05:32 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\ApplicationHistory
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 21:25 . 2009-10-06 21:25 15209 ----a-w- c:\documents and settings\Moshe Spira\Application Data\erupiky.dat
2009-10-06 02:51 . 2009-10-02 14:39 97744 ----a-w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:48 . 2009-10-02 18:47 -------- d-----w- c:\program files\CONEXANT
2009-10-02 14:12 . 2009-10-02 14:12 -------- d-----w- c:\program files\microsoft frontpage
2009-10-02 14:09 . 2009-10-02 14:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-09 17:41 . 2009-07-09 17:41 6624 --sha-w- c:\windows\system32\duyagawe.dll
2009-07-12 00:11 . 2009-07-12 00:11 88576 --sha-w- c:\windows\system32\hamidita.dll
2009-07-09 05:41 . 2009-07-09 05:41 60928 --sha-w- c:\windows\system32\jehiyile.dll
2009-07-09 17:41 . 2009-07-09 17:41 6622 --sha-w- c:\windows\system32\jeziluku.dll
2009-07-09 05:39 . 2009-07-09 05:39 114688 --sha-w- c:\windows\system32\jisipopo.dll.tmp
2009-07-12 00:11 . 2009-07-12 00:11 51712 --sha-w- c:\windows\system32\pavogaho.dll
2009-07-12 00:12 . 2009-07-12 00:12 51712 --sha-w- c:\windows\system32\rovokoko.dll
2009-07-09 05:39 . 2009-07-09 05:39 114688 --sha-w- c:\windows\system32\sazuviyu.dll.tmp
2009-07-12 00:11 . 2009-07-12 00:11 1011646 --sha-w- c:\windows\system32\tuluzapa.exe
2009-07-12 00:11 . 2009-07-12 00:11 69120 --sha-w- c:\windows\system32\vatuhora.dll
2009-07-09 05:41 . 2009-07-09 05:41 83968 --sha-w- c:\windows\system32\vihababa.dll
2009-07-09 05:41 . 2009-07-09 05:41 167424 --sha-w- c:\windows\system32\yilinetu.dll
2009-07-09 17:41 . 2009-07-09 17:41 6622 --sha-w- c:\windows\system32\zagodowi.dll
2009-07-09 05:39 . 2009-07-09 05:39 114688 --sha-w- c:\windows\system32\zagotumo.dll.tmp
2009-07-09 05:41 . 2009-07-09 05:41 1011656 --sha-w- c:\windows\system32\zututebu.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9ff7add-5c8b-4ea8-96d1-d1e97e0f5d29}]
2009-07-12 00:12 51712 --sha-w- c:\windows\system32\rovokoko.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-05 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"zudaruwaj"="c:\windows\system32\yilinetu.dll" [2009-07-09 167424]
c:\documents and settings\Moshe Spira\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{4e786588-e949-4662-b22d-72eab7dbf9e9}"= "c:\windows\system32\yilinetu.dll" [2009-07-09 167424]
"{6e91dafa-d2f7-4bef-9020-ead895bf6518}"= "c:\windows\system32\yilinetu.dll" [2009-07-09 167424]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gajiliyiy"= {4e786588-e949-4662-b22d-72eab7dbf9e9} - c:\windows\system32\yilinetu.dll [2009-07-09 167424]
"lijubufaz"= {6e91dafa-d2f7-4bef-9020-ead895bf6518} - c:\windows\system32\yilinetu.dll [2009-07-09 167424]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 1:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 1:06 PM 108552]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 1:05 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 1:05 PM 297752]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/2/2009 2:47 PM 200192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/5/2009 5:42 PM 30192]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKLM-Run-16925225 - c:\docume~1\ALLUSE~1\APPLIC~1\16925225\16925225.exe
HKLM-Run-fulatilusu - reremeru.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 02:56
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?????? ???B?????????????hLC? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1928)
c:\windows\system32\WININET.dll
c:\windows\system32\yilinetu.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-12 2:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-12 06:59
Pre-Run: 15,386,529,792 bytes free
Post-Run: 16,107,487,232 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
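The log above shows the pattern the helper's CFScript targets: files in system32 carrying the hidden and system attributes (`--sha-w-`), eight-letter pseudo-random names, and autostart entries (Run, SharedTaskScheduler, ShellServiceObjectDelayLoad) pointing at the same DLLs. As an added example for readers who triage such logs, and not code from this thread or from ComboFix, the following Python script scores Find3M lines by those traits and cross-references them against the Reg Loading Points section. The sample input is constructed from the log lines above, and the scoring weights and threshold are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: lines copied from the ComboFix "Find3M Report" above, plus
# mswebdvd.dll, atl.dll and emptyregdb.dat as benign controls.
SAMPLE_FIND3M = r"""
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-09 17:41 . 2009-07-09 17:41 6624 --sha-w- c:\windows\system32\duyagawe.dll
2009-07-12 00:11 . 2009-07-12 00:11 88576 --sha-w- c:\windows\system32\hamidita.dll
2009-07-09 05:39 . 2009-07-09 05:39 114688 --sha-w- c:\windows\system32\jisipopo.dll.tmp
2009-07-12 00:11 . 2009-07-12 00:11 1011646 --sha-w- c:\windows\system32\tuluzapa.exe
2009-07-09 05:41 . 2009-07-09 05:41 167424 --sha-w- c:\windows\system32\yilinetu.dll
2009-10-02 14:09 . 2009-10-02 14:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
"""

# Constructed sample of the "Reg Loading Points" section: one legitimate Run entry
# and the two entries that load yilinetu.dll (Run and SharedTaskScheduler).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"zudaruwaj"="c:\windows\system32\yilinetu.dll" [2009-07-09 167424]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{4e786588-e949-4662-b22d-72eab7dbf9e9}"= "c:\windows\system32\yilinetu.dll" [2009-07-09 167424]
"""

# One Find3M line: <mtime> . <ctime> <size or dashes> <8-char attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\S+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Quoted c:\ paths in the registry section ("name"="path" and "{clsid}"= "path" forms)
REG_PATH_RE = re.compile(r'"(c:\\[^"]+)"', re.IGNORECASE)

VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """True for eight lowercase letters that strictly alternate consonant/vowel,
    the shape of every hidden file in the log (duyagawe, hamidita, ...).
    Heuristic only: a legitimate file could match by chance."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def score_entry(attrs: str, path: str) -> int:
    """Assumed weights: hidden+system attributes count double; location,
    name shape and executable extension add one point each."""
    score = 0
    if "s" in attrs and "h" in attrs:  # 's' = system, 'h' = hidden in ComboFix's flag string
        score += 2
    if path.lower().startswith("c:\\windows\\system32\\"):
        score += 1
    name = path.rsplit("\\", 1)[-1].lower()
    if looks_generated(name.split(".", 1)[0]):
        score += 1
    if name.endswith((".dll", ".exe", ".dll.tmp")):
        score += 1
    return score


@dataclass
class Finding:
    path: str
    attrs: str
    score: int
    autostart: bool  # referenced from a Reg Loading Points entry


def autostart_targets(reg_text: str) -> Set[str]:
    """Every quoted c:\\ path the registry section points at, lower-cased."""
    return {p.lower() for p in REG_PATH_RE.findall(reg_text)}


def triage(find3m_text: str, reg_text: str, threshold: int = 3) -> List[Finding]:
    """Return Find3M entries scoring at or above the threshold, most suspicious first."""
    targets = autostart_targets(reg_text)
    findings = []
    for line in find3m_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, blank lines and '.' separators
        attrs, path = m.group("attrs"), m.group("path").strip()
        score = score_entry(attrs, path)
        if score >= threshold:
            findings.append(Finding(path, attrs, score, path.lower() in targets))
    findings.sort(key=lambda f: (-f.score, not f.autostart, f.path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FIND3M, SAMPLE_REG):
        print(f"{f.score}  {f.attrs}  {f.path}  {'AUTOSTART' if f.autostart else ''}")
```

Run as-is it lists the five hidden system32 files and marks yilinetu.dll as loaded from an autostart key, while the three control files stay below the threshold. The attribute check does the real work; the name heuristic only orders the output, so treat any hit as a candidate for the helper's review rather than a verdict.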
#4
Posted 12 October 2009 - 10:15 PM
1. Please open Notepad
- Click Start, then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Quote
File::
C:\xyxqavq.exe
C:\cgcxo.exe
c:\documents and settings\Moshe Spira\Application Data\erupiky.dat
c:\windows\system32\duyagawe.dll
c:\windows\system32\hamidita.dll
c:\windows\system32\jehiyile.dll
c:\windows\system32\jeziluku.dll
c:\windows\system32\jisipopo.dll.tmp
c:\windows\system32\pavogaho.dll
c:\windows\system32\rovokoko.dll
c:\windows\system32\sazuviyu.dll.tmp
c:\windows\system32\tuluzapa.exe
c:\windows\system32\vatuhora.dll
c:\windows\system32\vihababa.dll
c:\windows\system32\yilinetu.dll
c:\windows\system32\zagodowi.dll
c:\windows\system32\zagotumo.dll.tmp
c:\windows\system32\zututebu.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f9ff7add-5c8b-4ea8-96d1-d1e97e0f5d29}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zudaruwaj"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{4e786588-e949-4662-b22d-72eab7dbf9e9}"=-
"{6e91dafa-d2f7-4bef-9020-ead895bf6518}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"gajiliyiy"=-
"lijubufaz"=-
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
#5
Posted 13 October 2009 - 03:41 AM
Combofix ran again after I dragged the file into it, then it rebooted and gave me a log. Here it is:
ComboFix 09-10-11.01 - Moshe Spira 10/12/2009 23:19.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.184 [GMT -4:00]
Running from: c:\documents and settings\Moshe Spira\Desktop\something.exe
Command switches used :: c:\documents and settings\Moshe Spira\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"C:\cgcxo.exe"
"c:\documents and settings\Moshe Spira\Application Data\erupiky.dat"
"c:\windows\system32\duyagawe.dll"
"c:\windows\system32\hamidita.dll"
"c:\windows\system32\jehiyile.dll"
"c:\windows\system32\jeziluku.dll"
"c:\windows\system32\jisipopo.dll.tmp"
"c:\windows\system32\pavogaho.dll"
"c:\windows\system32\rovokoko.dll"
"c:\windows\system32\sazuviyu.dll.tmp"
"c:\windows\system32\tuluzapa.exe"
"c:\windows\system32\vatuhora.dll"
"c:\windows\system32\vihababa.dll"
"c:\windows\system32\yilinetu.dll"
"c:\windows\system32\zagodowi.dll"
"c:\windows\system32\zagotumo.dll.tmp"
"c:\windows\system32\zututebu.exe"
"C:\xyxqavq.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\cgcxo.exe
c:\documents and settings\Moshe Spira\Application Data\erupiky.dat
c:\windows\system32\duyagawe.dll
c:\windows\system32\hamidita.dll
c:\windows\system32\jehiyile.dll
c:\windows\system32\jeziluku.dll
c:\windows\system32\jisipopo.dll.tmp
c:\windows\system32\pavogaho.dll
c:\windows\system32\rovokoko.dll
c:\windows\system32\sazuviyu.dll.tmp
c:\windows\system32\tuluzapa.exe
c:\windows\system32\vatuhora.dll
c:\windows\system32\vihababa.dll
c:\windows\system32\yilinetu.dll
c:\windows\system32\zagodowi.dll
c:\windows\system32\zagotumo.dll.tmp
c:\windows\system32\zututebu.exe
C:\xyxqavq.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-10-09 22:37 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 22:37 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 22:37 . 2009-10-09 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 18:54 . 2009-10-09 18:54 -------- d-----w- c:\program files\Trend Micro
2009-10-09 18:40 . 2009-10-09 18:40 0 ----a-w- c:\documents and settings\Moshe Spira\settings.dat
2009-10-08 03:49 . 2009-10-13 03:28 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-10-07 15:45 . 2009-10-07 15:47 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\muvee Technologies
2009-10-07 01:49 . 2009-10-07 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\SUPERAntiSpyware.com
2009-10-07 01:47 . 2009-10-07 01:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 01:44 . 2009-10-07 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 01:44 . 2009-10-07 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Malwarebytes
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 00:48 . 2009-10-12 17:33 -------- d-----w- C:\$AVG8.VAULT$
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-06 21:52 . 2009-10-12 13:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\program files\AVG
2009-10-06 21:20 . 2009-10-06 21:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 14:36 . 2009-10-06 14:36 -------- d-sh--w- c:\documents and settings\Moshe Spira\IECompatCache
2009-10-06 05:41 . 2009-10-06 05:41 -------- d-----w- c:\program files\MSXML 4.0
2009-10-06 05:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-06 05:21 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-06 05:21 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-06 05:21 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-06 05:21 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-06 05:21 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-06 05:21 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-06 05:21 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-06 05:21 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-06 05:21 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-06 05:21 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-06 05:21 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-06 05:21 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-06 05:20 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-06 05:19 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-06 05:18 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-06 03:51 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-06 03:48 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-06 03:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-06 03:46 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-06 03:45 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-06 03:44 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-06 03:43 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-06 03:43 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-06 02:45 . 2009-10-06 02:45 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AdobeUM
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Adobe
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-06 00:32 . 2009-10-06 02:44 -------- d-----w- C:\Davar
2009-10-06 00:24 . 2009-10-06 21:52 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Kaluach 3
2009-10-06 00:23 . 2009-10-06 00:24 -------- d-----w- c:\program files\Kaluach3
2009-10-06 00:16 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-06 00:12 . 2009-10-06 02:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-06 00:11 . 2009-10-06 00:11 -------- d-----w- c:\program files\MSBuild
2009-10-06 00:06 . 2009-10-06 00:06 -------- d-----w- c:\program files\Microsoft.NET
2009-10-06 00:00 . 2009-10-06 00:09 -------- d-----w- c:\windows\SHELLNEW
2009-10-05 23:59 . 2009-10-05 23:59 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Microsoft Help
2009-10-05 23:59 . 2009-10-07 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-05 23:58 . 2009-10-05 23:58 -------- d-----r- C:\MSOCache
2009-10-05 21:43 . 2009-10-05 21:43 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Google
2009-10-05 21:42 . 2009-10-05 21:42 -------- d-----w- c:\program files\Google
2009-10-05 20:33 . 2006-11-14 20:21 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-10-05 20:33 . 2006-11-14 19:41 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-05 20:33 . 2006-11-14 19:40 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-05 20:33 . 2006-11-14 19:40 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-05 20:33 . 2006-11-14 19:34 199040 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-05 20:33 . 2009-10-05 20:33 -------- d-----w- c:\program files\Synaptics
2009-10-05 20:14 . 2009-10-05 20:14 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-05 20:10 . 2009-10-05 20:12 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-05 20:10 . 2009-10-05 20:10 -------- d-----w- c:\windows\system32\LogFiles
2009-10-05 19:53 . 2009-10-05 19:53 -------- d-----w- c:\program files\ATI Technologies
2009-10-05 19:51 . 2009-10-05 20:32 -------- d-----w- C:\swsetup
2009-10-05 19:37 . 2009-10-05 19:37 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\MSNInstaller
2009-10-05 18:58 . 2009-10-05 18:58 -------- d-sh--w- c:\documents and settings\Moshe Spira\PrivacIE
2009-10-05 18:57 . 2009-10-05 18:57 -------- d-sh--w- c:\documents and settings\Moshe Spira\IETldCache
2009-10-05 18:53 . 2009-10-06 05:44 -------- d-----w- c:\windows\ie8updates
2009-10-05 18:50 . 2009-10-05 18:51 -------- dc-h--w- c:\windows\ie8
2009-10-05 18:46 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-05 18:46 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-05 18:45 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-05 18:45 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-05 18:45 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-05 18:45 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-05 17:06 . 2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 17:06 . 2009-10-05 17:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 17:06 . 2009-10-05 17:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 17:06 . 2009-10-05 17:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 17:05 . 2009-10-06 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-05 17:01 . 2009-10-05 17:01 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AVG8
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-sh--w- c:\windows\ftpcache
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\scripting
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\l2schemas
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\en
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\bits
2009-10-02 22:15 . 2009-10-02 22:15 -------- d-----w- c:\windows\ServicePackFiles
2009-10-02 22:08 . 2009-10-02 22:08 -------- d-----w- c:\windows\EHome
2009-10-02 21:51 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-10-02 20:23 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-02 20:23 . 2009-10-06 05:44 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 20:07 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 20:06 . 2009-10-02 20:06 -------- d-sh--w- c:\documents and settings\Moshe Spira\UserData
2009-10-02 20:05 . 2005-03-10 09:41 176128 ------w- c:\windows\system32\bcmwlu00.EXE
2009-10-02 20:05 . 2005-03-10 09:41 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2009-10-02 20:05 . 2005-03-10 09:41 371712 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2009-10-02 19:02 . 2009-10-02 19:02 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-02 19:02 . 2004-12-07 14:46 425984 ----a-w- c:\windows\system32\hpqPres.dll
2009-10-02 19:02 . 2004-12-07 14:45 65536 ----a-w- c:\windows\system32\hpqactn.dll
2009-10-02 19:02 . 2004-12-01 16:46 32768 ----a-w- c:\windows\system32\eabhbrn8.dll
2009-10-02 19:02 . 2004-12-01 16:45 225280 ----a-w- c:\windows\system32\cpqinfo.dll
2009-10-02 18:58 . 2009-10-02 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Apple Computer
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Apple Computer
2009-10-02 18:53 . 1999-11-10 16:05 86016 ----a-w- c:\windows\unvise32qt.exe
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\windows\system32\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\iPod
2009-10-02 18:52 . 2009-10-02 18:53 -------- d-----w- c:\program files\iTunes
2009-10-02 18:52 . 2009-10-02 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-02 18:52 . 2009-10-05 16:57 -------- d-----w- c:\windows\Downloaded Installations
2009-10-02 18:51 . 2009-10-06 05:32 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\ApplicationHistory
2009-10-02 18:50 . 2009-10-02 18:50 -------- d-----w- c:\windows\system32\URTTemp
2009-10-02 18:49 . 2009-10-09 00:43 -------- d-----w- c:\program files\HPQ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 02:51 . 2009-10-02 14:39 97744 ----a-w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:48 . 2009-10-02 18:47 -------- d-----w- c:\program files\CONEXANT
2009-10-02 14:12 . 2009-10-02 14:12 -------- d-----w- c:\program files\microsoft frontpage
2009-10-02 14:09 . 2009-10-02 14:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 13:41 . 2009-07-12 13:41 88064 --sha-w- c:\windows\system32\kopurege.dll
2009-07-12 13:41 . 2009-07-12 13:41 38400 --sha-w- c:\windows\system32\redipefe.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-12_06.57.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-10-09 21:08 54528 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-12 07:01 54528 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-12 07:01 384698 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-10-09 21:08 384698 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-05 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"zudaruwaj"="c:\windows\system32\kopurege.dll" [2009-07-12 88064]
"fulatilusu"="reremeru.dll" [BU]
c:\documents and settings\Moshe Spira\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e2159011-91d0-4562-b35a-ffd40fef6ecc}"= "c:\windows\system32\kopurege.dll" [2009-07-12 88064]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"buwufisef"= {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll [2009-07-12 88064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 1:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 1:06 PM 108552]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 1:05 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 1:05 PM 297752]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/2/2009 2:47 PM 200192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/5/2009 5:42 PM 30192]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 23:28
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????9?8?5?3??@???? ???B?????????????hLC? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3112)
c:\windows\system32\WININET.dll
c:\windows\system32\kopurege.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-10-13 23:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 03:31
ComboFix2.txt 2009-10-12 07:00
Pre-Run: 16,043,864,064 bytes free
Post-Run: 16,631,836,672 bytes free
And here is the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:37:54 PM, on 10/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [fulatilusu] Rundll32.exe "reremeru.dll",s
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\kopurege.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\kopurege.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: buwufisef - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O22 - SharedTaskScheduler: kupuhivus - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 6931 bytes
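Added example (my own, not from the original post and not output of HijackThis or ComboFix): a small Python script that parses the O4/O20/O21/O22 lines of the HijackThis log above, groups them by the file each entry loads and scores each file. It shows why kopurege.dll stands out in this log: the same DLL is registered as an HKLM Run entry via rundll32, as an AppInit_DLLs entry, as a ShellServiceObjectDelayLoad entry and as a SharedTaskScheduler entry, the last two under one CLSID, and the ComboFix section lists it mapped into explorer.exe, which is where SSODL and SharedTaskScheduler objects get loaded. The sample lines are copied from the posted log; the scoring rules (multi-point persistence, rundll32 loading, AppInit_DLLs, bare file names, and the consonant-vowel naming pattern of the files ComboFix deleted) are assumptions of this example, not anything the tools report.

```python
"""Triage HijackThis autostart lines by the file they load.

Added example, not part of the posted logs or of HijackThis/ComboFix: it
parses the O4/O20/O21/O22 lines of a HijackThis v2 log, groups them by the
file each one loads and scores each file. The sample lines are copied from
the log posted above; the scoring rules are this example's own assumptions.
"""
import re
from collections import defaultdict

# Lines copied from the posted HijackThis log (benign entries included so the
# heuristics have something to leave alone).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [fulatilusu] Rundll32.exe "reremeru.dll",s
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\kopurege.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: c:\windows\system32\kopurege.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: buwufisef - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O22 - SharedTaskScheduler: kupuhivus - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
"""

# Modules the posted ComboFix log lists under explorer.exe (3112).
LOADED_IN_EXPLORER = [
    r"c:\windows\system32\WININET.dll",
    r"c:\windows\system32\kopurege.dll",
    r"c:\windows\system32\ieframe.dll",
]

# A full path or a bare file name ending in .dll/.exe, quoted or not.
PATH_RE = re.compile(
    r'"?([A-Za-z]:\\[^"\r\n]+?\.(?:dll|exe)|[A-Za-z0-9_]+\.(?:dll|exe))"?', re.I)
# Assumed heuristic: 3 to 5 consonant-vowel syllables, the naming pattern of
# every file ComboFix deleted above (duyagawe, hamidita, jehiyile, ...).
SYLLABLE_NAME_RE = re.compile(
    r"^(?:[b-df-hj-np-tv-z][aeiou]){3,5}[b-df-hj-np-tv-z]?\.(?:dll|exe)$")


def parse_entries(log_text):
    """Yield (section, line, payload) for every O4/O20/O21/O22 line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O4|O20|O21|O22)\s+-\s+(.*)$", line)
        if not m:
            continue
        paths = PATH_RE.findall(m.group(2))
        if not paths:
            continue
        # Take the LAST path: for "Rundll32.exe <dll>" that is the DLL being
        # loaded, not rundll32.exe itself.
        yield m.group(1), line, paths[-1].lower()


def triage(log_text, loaded_modules=()):
    """Group entries by payload; return {payload: {"sections", "reasons"}}.

    loaded_modules: paths seen mapped into a live process (ComboFix's
    "DLLs Loaded Under Running Processes"); a match adds one more reason.
    """
    grouped = defaultdict(lambda: {"sections": [], "lines": []})
    for section, line, payload in parse_entries(log_text):
        grouped[payload]["sections"].append(section)
        grouped[payload]["lines"].append(line)
    loaded = {m.lower() for m in loaded_modules}

    report = {}
    for payload, info in grouped.items():
        name = payload.rsplit("\\", 1)[-1]
        points = sorted(set(info["sections"]), key=lambda s: int(s[1:]))
        lines_lc = [l.lower() for l in info["lines"]]
        reasons = []
        if len(points) >= 2:
            reasons.append("registered through %d loading points: %s"
                           % (len(points), ", ".join(points)))
        if SYLLABLE_NAME_RE.match(name):
            reasons.append("syllable-pattern name like the files ComboFix removed")
        if any("rundll32" in l for l in lines_lc):
            reasons.append("started via rundll32, so it never appears as its own process")
        if any("appinit_dlls" in l for l in lines_lc):
            reasons.append("AppInit_DLLs: injected into every process that loads user32.dll")
        if "\\" not in payload:
            reasons.append("bare file name, resolved through the DLL search path")
        if payload in loaded:
            reasons.append("currently mapped into a running process")
        report[payload] = {"sections": points, "reasons": reasons}
    return report


def suspicious(report, min_reasons=2):
    """Payloads with at least min_reasons hits, most hits first."""
    hits = [(p, r) for p, r in report.items() if len(r["reasons"]) >= min_reasons]
    return sorted(hits, key=lambda pr: -len(pr[1]["reasons"]))


if __name__ == "__main__":
    for payload, info in suspicious(triage(SAMPLE_LOG, LOADED_IN_EXPLORER)):
        print(payload, info["sections"])
        for reason in info["reasons"]:
            print("   -", reason)
```

Run with no arguments and it prints the two payloads that score, kopurege.dll first with five reasons and reremeru.dll with three. The syllable-name rule is deliberately the weakest signal, which is why it only counts as one reason among several: a plain "eight lowercase letters" check would also flag avgrsstx.dll, AVG's own Winlogon notify DLL, whereas here it scores zero. The check that carries the weight is the same file turning up under several independent loading points, which no legitimate component in this log does.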
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [fulatilusu] Rundll32.exe "reremeru.dll",s
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\kopurege.dll",a
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\kopurege.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: buwufisef - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O22 - SharedTaskScheduler: kupuhivus - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 6931 bytes
#6
Posted 13 October 2009 - 03:58 AM
Some additional information:
When I boot the computer I receive an error message stating:
RUNDLL
Error loading reremeru.dll
The specific module could not be found
Also, I am still getting pop ups and now IE sometimes redirects me to web pages.
Thanks again for your help.
#7
Posted 13 October 2009 - 09:59 PM
That error should hopefully be gone after this. 
1. Please open Notepad
- Click Start , then Run
- Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Quote
File::
c:\windows\system32\kopurege.dll
c:\windows\system32\redipefe.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fulatilusu"=-
"zudaruwaj"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{e2159011-91d0-4562-b35a-ffd40fef6ecc}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"buwufisef"=-
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new HijackThis log.
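As an added example (not code from this thread, nor from HijackThis or ComboFix), the Python below reads HijackThis O4/O20/O21/O22 lines like the ones posted above and correlates DLL basenames and CLSIDs across load points. That correlation is what makes kopurege.dll (Run key, AppInit_DLLs, SSODL and SharedTaskScheduler) and the CLSID shared by the O21 and O22 entries stand out before a CFScript is written, and it also catches the Rundll32 entry that names reremeru.dll without a directory, which is the entry behind the RUNDLL error at boot once the file is gone. The sample lines are copied from the log in this thread (a few benign AVG and Apple entries included so the triage has something to ignore); the regexes and the bare-filename heuristic are the example's own and are not how HijackThis itself classifies entries.

```python
"""Triage of HijackThis autostart lines: correlate DLLs and CLSIDs across load points.

Added example, not the forum's or HijackThis' own code. Parses O4/O20/O21/O22
lines and reports any DLL or CLSID referenced from more than one autostart
location, plus Rundll32 entries that load a DLL by bare filename.
"""
import re
from collections import defaultdict

# Lines copied from the HijackThis log in this thread, plus a few benign
# entries (AVG, Apple) from the same log so the triage has something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [fulatilusu] Rundll32.exe "reremeru.dll",s
O4 - HKLM\..\Run: [zudaruwaj] Rundll32.exe "c:\windows\system32\kopurege.dll",a
O20 - AppInit_DLLs: c:\windows\system32\kopurege.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: buwufisef - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O22 - SharedTaskScheduler: kupuhivus - {e2159011-91d0-4562-b35a-ffd40fef6ecc} - c:\windows\system32\kopurege.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code, e.g. "O20 - AppInit_DLLs: ...".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A DLL reference: optional drive-rooted path (no spaces) followed by the basename.
# Group 1 is the full match, group 2 the basename only.
DLL_RE = re.compile(r'((?:[a-z]:\\[^"\s,]*\\)?([a-z0-9_~]+\.dll))', re.IGNORECASE)
CLSID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.IGNORECASE
)
# Load points treated as persistence here: O4 Run keys, O20 AppInit_DLLs and
# Winlogon Notify, O21 ShellServiceObjectDelayLoad, O22 SharedTaskScheduler.
LOAD_POINTS = {"O4", "O20", "O21", "O22"}


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return {'dlls': {basename: set(sections)}, 'clsids': {clsid: set(sections)},
    'findings': [human-readable strings]} for the load-point entries in log_text."""
    dll_points = defaultdict(set)    # lower-cased basename -> sections referencing it
    clsid_points = defaultdict(set)  # lower-cased CLSID -> sections referencing it
    findings = []
    for section, body in parse_entries(log_text):
        if section not in LOAD_POINTS:
            continue
        for full, base in DLL_RE.findall(body):
            dll_points[base.lower()].add(section)
            # Rundll32 given a bare filename resolves it through the DLL search path;
            # once the file is deleted this is what produces "Error loading <name>.dll".
            if "rundll32" in body.lower() and "\\" not in full:
                findings.append(
                    f"{section}: Rundll32 loads bare filename {base} (search-path resolution)"
                )
        for clsid in CLSID_RE.findall(body):
            clsid_points[clsid.lower()].add(section)
    # A DLL or CLSID wired into several autostart locations is the pattern worth chasing.
    for base, points in sorted(dll_points.items()):
        if len(points) > 1:
            findings.append(f"{base}: referenced from {len(points)} load points {sorted(points)}")
    for clsid, points in sorted(clsid_points.items()):
        if len(points) > 1:
            findings.append(f"{clsid}: same CLSID registered under {sorted(points)}")
    return {"dlls": dict(dll_points), "clsids": dict(clsid_points), "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the sample it reports three findings: the bare reremeru.dll Rundll32 entry, kopurege.dll referenced from four load points, and the CLSID shared by the O21 and O22 entries; the AVG Winlogon Notify DLL, referenced from one place, is not reported. The heuristic is deliberately narrow (multi-point persistence and search-path DLL loading); it does not try to judge file names, so a single-location entry still needs a human look.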
#8
Posted 13 October 2009 - 11:53 PM
Thanks again for your help.
Combofix:
ComboFix 09-10-11.01 - Moshe Spira 10/13/2009 19:39.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.180 [GMT -4:00]
Running from: c:\documents and settings\Moshe Spira\Desktop\something.exe
Command switches used :: c:\documents and settings\Moshe Spira\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\system32\kopurege.dll"
"c:\windows\system32\redipefe.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\kopurege.dll
c:\windows\system32\redipefe.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-10-09 22:37 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 22:37 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 22:37 . 2009-10-09 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 18:54 . 2009-10-09 18:54 -------- d-----w- c:\program files\Trend Micro
2009-10-09 18:40 . 2009-10-09 18:40 0 ----a-w- c:\documents and settings\Moshe Spira\settings.dat
2009-10-08 03:49 . 2009-10-13 23:46 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-10-07 15:45 . 2009-10-07 15:47 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\muvee Technologies
2009-10-07 01:49 . 2009-10-07 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\SUPERAntiSpyware.com
2009-10-07 01:47 . 2009-10-07 01:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 01:44 . 2009-10-07 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 01:44 . 2009-10-07 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Malwarebytes
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 00:48 . 2009-10-12 17:33 -------- d-----w- C:\$AVG8.VAULT$
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-06 21:52 . 2009-10-12 13:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\program files\AVG
2009-10-06 21:20 . 2009-10-06 21:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 14:36 . 2009-10-06 14:36 -------- d-sh--w- c:\documents and settings\Moshe Spira\IECompatCache
2009-10-06 05:41 . 2009-10-06 05:41 -------- d-----w- c:\program files\MSXML 4.0
2009-10-06 05:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-06 05:21 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-06 05:21 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-06 05:21 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-06 05:21 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-06 05:21 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-06 05:21 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-06 05:21 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-06 05:21 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-06 05:21 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-06 05:21 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-06 05:21 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-06 05:21 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-06 05:20 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-06 05:19 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-06 05:18 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-06 03:51 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-06 03:48 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-06 03:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-06 03:46 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-06 03:45 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-06 03:44 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-06 03:43 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-06 03:43 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-06 02:45 . 2009-10-06 02:45 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AdobeUM
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Adobe
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-06 00:32 . 2009-10-06 02:44 -------- d-----w- C:\Davar
2009-10-06 00:24 . 2009-10-06 21:52 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Kaluach 3
2009-10-06 00:23 . 2009-10-06 00:24 -------- d-----w- c:\program files\Kaluach3
2009-10-06 00:16 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-06 00:12 . 2009-10-06 02:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-06 00:11 . 2009-10-06 00:11 -------- d-----w- c:\program files\MSBuild
2009-10-06 00:06 . 2009-10-06 00:06 -------- d-----w- c:\program files\Microsoft.NET
2009-10-06 00:00 . 2009-10-06 00:09 -------- d-----w- c:\windows\SHELLNEW
2009-10-05 23:59 . 2009-10-05 23:59 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Microsoft Help
2009-10-05 23:59 . 2009-10-07 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-05 23:58 . 2009-10-05 23:58 -------- d-----r- C:\MSOCache
2009-10-05 21:43 . 2009-10-05 21:43 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Google
2009-10-05 21:42 . 2009-10-05 21:42 -------- d-----w- c:\program files\Google
2009-10-05 20:33 . 2006-11-14 20:21 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-10-05 20:33 . 2006-11-14 19:41 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-05 20:33 . 2006-11-14 19:40 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-05 20:33 . 2006-11-14 19:40 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-05 20:33 . 2006-11-14 19:34 199040 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-05 20:33 . 2009-10-05 20:33 -------- d-----w- c:\program files\Synaptics
2009-10-05 20:14 . 2009-10-05 20:14 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-05 20:10 . 2009-10-05 20:12 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-05 20:10 . 2009-10-05 20:10 -------- d-----w- c:\windows\system32\LogFiles
2009-10-05 19:53 . 2009-10-05 19:53 -------- d-----w- c:\program files\ATI Technologies
2009-10-05 19:51 . 2009-10-05 20:32 -------- d-----w- C:\swsetup
2009-10-05 19:37 . 2009-10-05 19:37 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\MSNInstaller
2009-10-05 18:58 . 2009-10-05 18:58 -------- d-sh--w- c:\documents and settings\Moshe Spira\PrivacIE
2009-10-05 18:57 . 2009-10-05 18:57 -------- d-sh--w- c:\documents and settings\Moshe Spira\IETldCache
2009-10-05 18:53 . 2009-10-06 05:44 -------- d-----w- c:\windows\ie8updates
2009-10-05 18:50 . 2009-10-05 18:51 -------- dc-h--w- c:\windows\ie8
2009-10-05 18:46 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-05 18:46 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-05 18:45 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-05 18:45 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-05 18:45 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-05 18:45 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-05 17:06 . 2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 17:06 . 2009-10-05 17:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 17:06 . 2009-10-05 17:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 17:06 . 2009-10-05 17:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 17:05 . 2009-10-06 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-05 17:01 . 2009-10-05 17:01 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AVG8
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-sh--w- c:\windows\ftpcache
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\scripting
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\l2schemas
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\en
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\bits
2009-10-02 22:15 . 2009-10-02 22:15 -------- d-----w- c:\windows\ServicePackFiles
2009-10-02 22:08 . 2009-10-02 22:08 -------- d-----w- c:\windows\EHome
2009-10-02 21:51 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-10-02 20:23 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-02 20:23 . 2009-10-06 05:44 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 20:07 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 20:06 . 2009-10-02 20:06 -------- d-sh--w- c:\documents and settings\Moshe Spira\UserData
2009-10-02 20:05 . 2005-03-10 09:41 176128 ------w- c:\windows\system32\bcmwlu00.EXE
2009-10-02 20:05 . 2005-03-10 09:41 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2009-10-02 20:05 . 2005-03-10 09:41 371712 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2009-10-02 19:02 . 2009-10-02 19:02 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-02 19:02 . 2004-12-07 14:46 425984 ----a-w- c:\windows\system32\hpqPres.dll
2009-10-02 19:02 . 2004-12-07 14:45 65536 ----a-w- c:\windows\system32\hpqactn.dll
2009-10-02 19:02 . 2004-12-01 16:46 32768 ----a-w- c:\windows\system32\eabhbrn8.dll
2009-10-02 19:02 . 2004-12-01 16:45 225280 ----a-w- c:\windows\system32\cpqinfo.dll
2009-10-02 18:58 . 2009-10-02 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Apple Computer
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Apple Computer
2009-10-02 18:53 . 1999-11-10 16:05 86016 ----a-w- c:\windows\unvise32qt.exe
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\windows\system32\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\iPod
2009-10-02 18:52 . 2009-10-02 18:53 -------- d-----w- c:\program files\iTunes
2009-10-02 18:52 . 2009-10-02 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-02 18:52 . 2009-10-05 16:57 -------- d-----w- c:\windows\Downloaded Installations
2009-10-02 18:51 . 2009-10-06 05:32 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\ApplicationHistory
2009-10-02 18:50 . 2009-10-02 18:50 -------- d-----w- c:\windows\system32\URTTemp
2009-10-02 18:49 . 2009-10-09 00:43 -------- d-----w- c:\program files\HPQ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 02:51 . 2009-10-02 14:39 97744 ----a-w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:48 . 2009-10-02 18:47 -------- d-----w- c:\program files\CONEXANT
2009-10-02 14:12 . 2009-10-02 14:12 -------- d-----w- c:\program files\microsoft frontpage
2009-10-02 14:09 . 2009-10-02 14:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-12_06.57.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-10-09 21:08 54528 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-13 03:32 54528 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-13 03:32 384698 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-10-09 21:08 384698 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-05 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
c:\documents and settings\Moshe Spira\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 1:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 1:06 PM 108552]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 1:05 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 1:05 PM 297752]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/2/2009 2:47 PM 200192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/5/2009 5:42 PM 30192]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 19:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?@???? ???B?????????????hLC? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-10-13 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 23:49
ComboFix2.txt 2009-10-13 03:32
ComboFix3.txt 2009-10-12 07:00
Pre-Run: 16,797,458,432 bytes free
Post-Run: 16,763,564,032 bytes free
286
Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:18 PM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
\??\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 6659 bytes
Combofix:
ComboFix 09-10-11.01 - Moshe Spira 10/13/2009 19:39.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.180 [GMT -4:00]
Running from: c:\documents and settings\Moshe Spira\Desktop\something.exe
Command switches used :: c:\documents and settings\Moshe Spira\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\system32\kopurege.dll"
"c:\windows\system32\redipefe.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\kopurege.dll
c:\windows\system32\redipefe.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-10-09 22:37 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 22:37 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 22:37 . 2009-10-09 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-09 18:54 . 2009-10-09 18:54 -------- d-----w- c:\program files\Trend Micro
2009-10-09 18:40 . 2009-10-09 18:40 0 ----a-w- c:\documents and settings\Moshe Spira\settings.dat
2009-10-08 03:49 . 2009-10-13 23:46 -------- d-----w- c:\program files\Blue Coat K9 Web Protection
2009-10-07 15:45 . 2009-10-07 15:47 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\muvee Technologies
2009-10-07 01:49 . 2009-10-07 01:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-07 01:48 . 2009-10-07 01:48 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\SUPERAntiSpyware.com
2009-10-07 01:47 . 2009-10-07 01:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-07 01:44 . 2009-10-07 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-07 01:44 . 2009-10-07 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Malwarebytes
2009-10-07 01:41 . 2009-10-07 01:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-07 00:48 . 2009-10-12 17:33 -------- d-----w- C:\$AVG8.VAULT$
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-06 21:52 . 2009-10-12 13:43 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-06 21:52 . 2009-10-06 21:52 -------- d-----w- c:\program files\AVG
2009-10-06 21:20 . 2009-10-06 21:20 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-06 14:36 . 2009-10-06 14:36 -------- d-sh--w- c:\documents and settings\Moshe Spira\IECompatCache
2009-10-06 05:41 . 2009-10-06 05:41 -------- d-----w- c:\program files\MSXML 4.0
2009-10-06 05:25 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-06 05:21 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-06 05:21 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-06 05:21 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-06 05:21 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-06 05:21 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-06 05:21 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-06 05:21 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-06 05:21 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-06 05:21 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-06 05:21 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-06 05:21 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-06 05:21 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-06 05:20 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-06 05:19 . 2008-05-01 14:33 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-10-06 05:18 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-06 03:51 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-06 03:48 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-06 03:48 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-06 03:46 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-06 03:45 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-06 03:44 . 2008-09-04 17:15 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-10-06 03:43 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-06 03:43 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-06 02:45 . 2009-10-06 02:45 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AdobeUM
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Adobe
2009-10-06 02:44 . 2009-10-06 02:44 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-06 00:32 . 2009-10-06 02:44 -------- d-----w- C:\Davar
2009-10-06 00:24 . 2009-10-06 21:52 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Kaluach 3
2009-10-06 00:23 . 2009-10-06 00:24 -------- d-----w- c:\program files\Kaluach3
2009-10-06 00:16 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2009-10-06 00:12 . 2009-10-06 02:48 -------- d-----w- c:\program files\Microsoft Works
2009-10-06 00:11 . 2009-10-06 00:11 -------- d-----w- c:\program files\MSBuild
2009-10-06 00:06 . 2009-10-06 00:06 -------- d-----w- c:\program files\Microsoft.NET
2009-10-06 00:00 . 2009-10-06 00:09 -------- d-----w- c:\windows\SHELLNEW
2009-10-05 23:59 . 2009-10-05 23:59 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Microsoft Help
2009-10-05 23:59 . 2009-10-07 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-05 23:58 . 2009-10-05 23:58 -------- d-----r- C:\MSOCache
2009-10-05 21:43 . 2009-10-05 21:43 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Google
2009-10-05 21:42 . 2009-10-05 21:42 -------- d-----w- c:\program files\Google
2009-10-05 20:33 . 2006-11-14 20:21 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2009-10-05 20:33 . 2006-11-14 19:41 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2009-10-05 20:33 . 2006-11-14 19:40 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2009-10-05 20:33 . 2006-11-14 19:40 163840 ----a-w- c:\windows\system32\SynCOM.dll
2009-10-05 20:33 . 2006-11-14 19:34 199040 ----a-w- c:\windows\system32\drivers\SynTP.sys
2009-10-05 20:33 . 2009-10-05 20:33 -------- d-----w- c:\program files\Synaptics
2009-10-05 20:14 . 2009-10-05 20:14 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-05 20:10 . 2009-10-05 20:12 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-05 20:10 . 2009-10-05 20:10 -------- d-----w- c:\windows\system32\LogFiles
2009-10-05 19:53 . 2009-10-05 19:53 -------- d-----w- c:\program files\ATI Technologies
2009-10-05 19:51 . 2009-10-05 20:32 -------- d-----w- C:\swsetup
2009-10-05 19:37 . 2009-10-05 19:37 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\MSNInstaller
2009-10-05 18:58 . 2009-10-05 18:58 -------- d-sh--w- c:\documents and settings\Moshe Spira\PrivacIE
2009-10-05 18:57 . 2009-10-05 18:57 -------- d-sh--w- c:\documents and settings\Moshe Spira\IETldCache
2009-10-05 18:53 . 2009-10-06 05:44 -------- d-----w- c:\windows\ie8updates
2009-10-05 18:50 . 2009-10-05 18:51 -------- dc-h--w- c:\windows\ie8
2009-10-05 18:46 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-10-05 18:46 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-10-05 18:45 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-10-05 18:45 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-10-05 18:45 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-10-05 18:45 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-10-05 17:06 . 2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-05 17:06 . 2009-10-05 17:06 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-05 17:06 . 2009-10-05 17:06 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-05 17:06 . 2009-10-05 17:06 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-05 17:05 . 2009-10-06 22:00 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-05 17:01 . 2009-10-05 17:01 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\AVG8
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2009-10-05 16:57 . 2009-10-05 16:57 -------- d-sh--w- c:\windows\ftpcache
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\scripting
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\l2schemas
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\en
2009-10-02 22:17 . 2009-10-02 22:17 -------- d-----w- c:\windows\system32\bits
2009-10-02 22:15 . 2009-10-02 22:15 -------- d-----w- c:\windows\ServicePackFiles
2009-10-02 22:08 . 2009-10-02 22:08 -------- d-----w- c:\windows\EHome
2009-10-02 21:51 . 2004-08-04 02:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2009-10-02 20:23 . 2009-01-07 22:21 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-02 20:23 . 2009-10-06 05:44 -------- d--h--w- c:\windows\$hf_mig$
2009-10-02 20:07 . 2008-10-16 18:09 43544 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 20:06 . 2009-10-02 20:06 -------- d-sh--w- c:\documents and settings\Moshe Spira\UserData
2009-10-02 20:05 . 2005-03-10 09:41 176128 ------w- c:\windows\system32\bcmwlu00.EXE
2009-10-02 20:05 . 2005-03-10 09:41 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2009-10-02 20:05 . 2005-03-10 09:41 371712 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2009-10-02 19:02 . 2009-10-02 19:02 -------- d-----w- c:\windows\Hewlett-Packard
2009-10-02 19:02 . 2004-12-07 14:46 425984 ----a-w- c:\windows\system32\hpqPres.dll
2009-10-02 19:02 . 2004-12-07 14:45 65536 ----a-w- c:\windows\system32\hpqactn.dll
2009-10-02 19:02 . 2004-12-01 16:46 32768 ----a-w- c:\windows\system32\eabhbrn8.dll
2009-10-02 19:02 . 2004-12-01 16:45 225280 ----a-w- c:\windows\system32\cpqinfo.dll
2009-10-02 18:58 . 2009-10-02 18:58 -------- d-----w- c:\documents and settings\All Users\Application Data\muvee Technologies
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\Apple Computer
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\Moshe Spira\Application Data\Apple Computer
2009-10-02 18:53 . 1999-11-10 16:05 86016 ----a-w- c:\windows\unvise32qt.exe
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\windows\system32\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2009-10-02 18:53 . 2009-10-02 18:53 -------- d-----w- c:\program files\iPod
2009-10-02 18:52 . 2009-10-02 18:53 -------- d-----w- c:\program files\iTunes
2009-10-02 18:52 . 2009-10-02 18:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-02 18:52 . 2009-10-05 16:57 -------- d-----w- c:\windows\Downloaded Installations
2009-10-02 18:51 . 2009-10-06 05:32 -------- d-----w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\ApplicationHistory
2009-10-02 18:50 . 2009-10-02 18:50 -------- d-----w- c:\windows\system32\URTTemp
2009-10-02 18:49 . 2009-10-09 00:43 -------- d-----w- c:\program files\HPQ
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 02:51 . 2009-10-02 14:39 97744 ----a-w- c:\documents and settings\Moshe Spira\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-02 18:48 . 2009-10-02 18:47 -------- d-----w- c:\program files\CONEXANT
2009-10-02 14:12 . 2009-10-02 14:12 -------- d-----w- c:\program files\microsoft frontpage
2009-10-02 14:09 . 2009-10-02 14:09 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:37 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-10-12_06.57.09 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-08-04 12:00 . 2009-10-09 21:08 54528 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-13 03:32 54528 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-10-13 03:32 384698 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-10-09 21:08 384698 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-15 1998576]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-02 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-05 2023704]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-14 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-14 815104]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-05 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
c:\documents and settings\Moshe Spira\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-05 17:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/5/2009 1:06 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/5/2009 1:06 PM 108552]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [1/13/2009 7:39 PM 72992]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/5/2009 1:05 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/5/2009 1:05 PM 297752]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\Blue Coat K9 Web Protection\k9filter.exe [1/13/2009 7:39 PM 1078560]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [10/2/2009 2:47 PM 200192]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 GoogleDesktopManager-090809-085438;Google Desktop Manager 5.9.909.8267;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [10/5/2009 5:42 PM 30192]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 19:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????n??|?@???? ???B?????????????hLC? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,aa,02,ac,aa,43,0d,86,40,89,98,ab,\
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(708)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(1828)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2009-10-13 19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 23:49
ComboFix2.txt 2009-10-13 03:32
ComboFix3.txt 2009-10-12 07:00
Pre-Run: 16,797,458,432 bytes free
Post-Run: 16,763,564,032 bytes free
#9
Posted 14 October 2009 - 09:24 PM
Go start > run and type in combofix /u and press OK.
Please update Malwarebytes, run a quick scan and post the log.
#10
Posted 14 October 2009 - 10:37 PM
It detected two threats. I removed them. Was I supposed to do this, and in general am I supposed to remove all the threats detected? Anyway, it seems to be running again. What was my issue? Is there anything that I should avoid in the future so that this doesn't happen again? Either way, thank you so much for your help.
Here is the log:
Malwarebytes' Anti-Malware 1.41
Database version: 2962
Windows 5.1.2600 Service Pack 3
10/14/2009 6:33:54 PM
mbam-log-2009-10-14 (18-33-54).txt
Scan type: Quick Scan
Objects scanned: 97558
Time elapsed: 11 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Moshe Spira\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
#11
Posted 16 October 2009 - 01:11 AM
Yes, you were supposed to remove them. Sorry for not making that clear.
To be sure you're clean, please update Malwarebytes one more time, run a quick scan and post the log.
#12
Posted 16 October 2009 - 03:28 AM
That's good because I removed it after the first scan. Either way, here is the most recent scan. Thanks.
Malwarebytes' Anti-Malware 1.41
Database version: 2970
Windows 5.1.2600 Service Pack 3
10/15/2009 11:08:31 PM
mbam-log-2009-10-15 (23-08-31).txt
Scan type: Quick Scan
Objects scanned: 101800
Time elapsed: 24 minute(s), 44 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#13
Posted 16 October 2009 - 11:06 PM
Everything looks good. Are you still having any problems?
#14
Posted 17 October 2009 - 11:56 PM
I don't seem to. Thanks a million.
#15
Posted 18 October 2009 - 05:56 AM
I spoke too soon. I was on the web and I got hit with the Internet Security Center virus or whatever it is called. This one even changed the background on my desktop. I quickly ran Malwarebytes and it looks like it removed it. But now I can't get to the Google website. I get the error stating that either Internet Explorer can't display it or that the address is not valid. Other sites work; only Google and Gmail (which is problematic since that is the email provider I use) don't work. What am I doing wrong? I am not going to any sketchy sites. Why do I keep getting infected?
Here is my malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 2970
Windows 5.1.2600 Service Pack 3
10/17/2009 11:50:01 PM
mbam-log-2009-10-17 (23-50-01).txt
Scan type: Quick Scan
Objects scanned: 97485
Time elapsed: 16 minute(s), 51 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 7
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\14340624\14340624.exe (Rogue.Multiple.H) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14340624 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Documents and Settings\All Users\Application Data\14340624 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Moshe Spira\Start Menu\Programs\Total Security (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\All Users\Application Data\14340624\14340624 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\14340624\14340624.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\14340624\pc14340624ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Moshe Spira\Start Menu\Programs\Total Security\Total Security 2009.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\csrss.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Moshe Spira\Desktop\Total Security 2009.lnk (Rogue.TotalSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
Here is also my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:26 AM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 7242 bytes
#16
Posted 18 October 2009 - 07:23 PM
I don't see a firewall running. Do you know if you have one running?
If you don't, then please install a firewall. A free one is:
Comodo
Next thing is your Adobe Reader is very out of date. Please uninstall your current version of Adobe Reader, then download and install the latest version (9.2) from here
After you've done these, please reboot your computer and post a new Malwarebytes log and a new HijackThis log.
#17
Posted 18 October 2009 - 10:19 PM
I have the Windows firewall running so I am not sure why it would come up as having no firewall. Should I disable it and download Comodo? (It's weird that it says Comodo; I could have sworn that earlier today it said ZoneAlarm. Did you change it?) I also uninstalled my current Adobe Reader and downloaded the new one.
Here is the malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 5.1.2600 Service Pack 3
10/18/2009 6:14:04 PM
mbam-log-2009-10-18 (18-14-04).txt
Scan type: Quick Scan
Objects scanned: 97665
Time elapsed: 12 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:42 PM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 7903 bytes
Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.41
Database version: 2977
Windows 5.1.2600 Service Pack 3
10/18/2009 6:14:04 PM
mbam-log-2009-10-18 (18-14-04).txt
Scan type: Quick Scan
Objects scanned: 97665
Time elapsed: 12 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:42 PM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 7903 bytes
#18
Posted 19 October 2009 - 07:28 PM
Yes, it said ZoneAlarm earlier, but after a quick look I could no longer find ZoneAlarm's free version so I changed it. Sorry for the confusion.
I would recommend installing Comodo's free firewall, then disabling Windows Firewall. Windows Firewall is not a good firewall and does not protect you very well.
#19
Posted 20 October 2009 - 03:51 AM
I installed Comodo. Google is still not loading. Here are the latest logs:
Hijack this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:52 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stickies\stickies.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - .DEFAULT Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\Stickies\stickies.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1254513997062
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Unknown owner - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Desktop Manager 5.9.909.8267 (GoogleDesktopManager-090809-085438) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
--
End of file - 8270 bytes
Malwarebytes:
Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3
10/19/2009 11:46:13 PM
mbam-log-2009-10-19 (23-46-13).txt
Scan type: Quick Scan
Objects scanned: 100267
Time elapsed: 13 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#20
Posted 20 October 2009 - 03:53 AM
Also, comodo asks me if I want to run (or maybe connect) with svhost.exe. Should I block it or not? And thanks again for your ongoing help.