
They Keep Coming Back. . .



I've been fighting this for a few days. I finally found this forum! I'm posting my malware log and HijackThis log here. Thank you so much in advance for your help. I've cleaned and removed with Malwarebytes, but it keeps coming back. I'm getting popups that say the application failed to start because framedyn.dll was not found.

Thank You!!!

Niksa.

Malwarebytes' Anti-Malware 1.41

Database version: 2948

Windows 5.1.2600 Service Pack 2

10/14/2009 9:54:52 AM

mbam-log-2009-10-14 (09-54-44).txt

Scan type: Quick Scan

Objects scanned: 118192

Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 1

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\mepolove.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\najihate.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{1de33cdb-74e5-4674-adc8-5637e403a309} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tuweyodem (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15827326 (Rogue.Multiple.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{1de33cdb-74e5-4674-adc8-5637e403a309} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\fofojowil (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mepolove.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mepolove.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Documents and Settings\All Users\Application Data\15827326 (Rogue.Multiple.H) -> No action taken.

Files Infected:

c:\WINDOWS\system32\mepolove.dll (Trojan.Vundo.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\15827326\15827326.bat (Rogue.Multiple.H) -> No action taken.

C:\Documents and Settings\All Users\Application Data\15827326\15827326.exe (Rogue.Multiple.H) -> No action taken.

C:\WINDOWS\system32\dehaseha.exe (Rogue.SecurityTool) -> No action taken.

C:\WINDOWS\system32\fufugose.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\najihate.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\yarobefe.dll (Trojan.Vundo) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:55:03 AM, on 10/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

C:\Program Files\iPod Access for Windows\iPAHelper.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe

C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe

C:\PROGRA~1\SYMANT~1\vptray.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe

C:\Program Files\Sandboxie\SbieSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe

C:\Program Files\TechSmith\Jing\Jing.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Lyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\cmd.exe

C:\Documents and Settings\Lyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Lyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Lyn\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\taskkill.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Lyn\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.131.160.19:85

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O1 - Hosts: ::1 localhost

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: CmjBrowserHelperObject Object - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll

O2 - BHO: CmjBrowserHelperObject Object - {6FE6A929-59D1-4763-91AD-29B61CFFB35B} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Flash and Media Capture Helper - {E8803722-A7F5-45C5-B39A-A8B244486EC2} - C:\Program Files\Common Files\MetaProducts\fmcapt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O3 - Toolbar: Flash and Media Capture Bar - {650EB965-8A1D-41C9-A941-0578F5CFC569} - C:\Program Files\Common Files\MetaProducts\fmcapt.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [QuickBooksDB] C:\Program Files\Intuit\QuickBooks 2006\QBDBMgrN.exe -n QB_DELL521_16 -qs -gd ALL -gk all -gp 4096 -gu all -ch 64M -c 32M -x tcpip(BroadcastListener=NO;port=10160) -ti 0 -ec simple -ct- -qi -qw -oe DBStartup.log -tl 120 -u -y

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe

O4 - HKLM\..\Run: [ultraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 8\MMReminderService.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [15827326] C:\Documents and Settings\All Users\Application Data\15827326\15827326.exe

O4 - HKLM\..\Run: [tuweyodem] Rundll32.exe "c:\windows\system32\mepolove.dll",a

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [RCUI] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCUI.exe"

O4 - HKCU\..\Run: [RCHotKey] "C:\PROGRA~1\RINGCE~1\RINGCE~1\RCHotKey.exe"

O4 - HKCU\..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe

O4 - HKCU\..\Run: [iBP] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')

O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save &image with Flash and Media Capture - res://C:\Program Files\Common Files\MetaProducts\FMCapt.dll/saveimg.htm

O8 - Extra context menu item: Save &media files with Flash and Media Capture - res://C:\Program Files\Common Files\MetaProducts\FMCapt.dll/savemedia.htm

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.32.0\gears.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Send to Mindjet MindManager - {2F72393D-2472-4F82-B600-ED77F354B7FF} - C:\Program Files\Mindjet\MindManager 8\Mm8InternetExplorer.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Save Media files - {F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - C:\Program Files\Common Files\MetaProducts\fmcapt.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (RingCentral Message Player Control) - https://service.ringcentral.com/ActiveX/Rin...sage_Player.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B87B9FA-2A31-4199-8144-53A56D4EAD11}: NameServer = 68.105.28.12,68.105.29.11

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: c:\windows\system32\fubiwuda.dll c:\windows\system32\bametusi.dll c:\windows\system32\mepolove.dll,najihate.dll

O21 - SSODL: yoyavorif - {3f4401b5-6d20-4c82-a826-9954e5033f48} - c:\windows\system32\fubiwuda.dll (file missing)

O21 - SSODL: doyipuwar - {0153fe57-e1bb-40f8-b867-bd65aa2b2014} - c:\windows\system32\bametusi.dll (file missing)

O21 - SSODL: fofojowil - {1de33cdb-74e5-4674-adc8-5637e403a309} - c:\windows\system32\mepolove.dll

O22 - SharedTaskScheduler: jugezatag - {3f4401b5-6d20-4c82-a826-9954e5033f48} - c:\windows\system32\fubiwuda.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {0153fe57-e1bb-40f8-b867-bd65aa2b2014} - c:\windows\system32\bametusi.dll (file missing)

O22 - SharedTaskScheduler: jugezatag - {1de33cdb-74e5-4674-adc8-5637e403a309} - c:\windows\system32\mepolove.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe

O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPAHelper.exe - Unknown owner - C:\Program Files\iPod Access for Windows\iPAHelper.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe

O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O23 - Service: WinAutomation Service - Softomotive - C:\Program Files\WinAutomation\WinAutomation.ServiceAgent.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 21401 bytes


Combo Fix Log

ComboFix 09-10-14.09 - Lyn 10/15/2009 0:53.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.1912 [GMT -5:00]

Running from: c:\documents and settings\Lyn\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Lyn\Application Data\.#

c:\documents and settings\Lyn\Application Data\.#\MBX@14BC@3C4180.###

c:\documents and settings\Lyn\Application Data\.#\MBX@14BC@3C41B0.###

c:\documents and settings\Lyn\Application Data\.#\MBX@14BC@3C41E0.###

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\INSTALL.LOG

c:\program files\WinPCap\NetMonInstaller.exe

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\program files\WinPCap\Uninstall.exe

c:\windows\Installer\4c5d917.msi

c:\windows\Installer\WMEncoder.msi

c:\windows\system32\azip32.dll

c:\windows\system32\bajibuli.dll.tmp

c:\windows\system32\bszip.dll

c:\windows\system32\bunamige.dll

c:\windows\system32\drivers\npf.sys

c:\windows\system32\dzgtactx.dll

c:\windows\system32\fitelote.dll

c:\windows\system32\fokolemu.dll

c:\windows\system32\FTPx.dll

c:\windows\system32\fujewipe.dll

c:\windows\system32\geyujaje.dll

c:\windows\system32\gihujasu.dll.tmp

c:\windows\system32\Ijl11.dll

c:\windows\system32\jimujopu.dll.tmp

c:\windows\system32\MabryObj.dll

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\sifolomu.dll.tmp

c:\windows\system32\uuddc32.dll

c:\windows\system32\verelojo.dll

c:\windows\system32\WanPacket.dll

c:\windows\system32\witupavi.dll.tmp

c:\windows\system32\wopuyajo.dll

c:\windows\system32\wpcap.dll

c:\windows\WINDOWS

E:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))

.

2009-10-14 16:00 . 2009-10-14 21:37 -------- d-----w- C:\$AVG8.VAULT$

2009-10-14 15:40 . 2009-10-14 15:40 -------- d-----w- c:\documents and settings\Lyn\Local Settings\Application Data\AVG Security Toolbar

2009-10-14 15:33 . 2009-10-14 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-10-14 15:33 . 2009-10-14 15:33 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-10-14 15:33 . 2009-10-14 15:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-10-14 15:33 . 2009-10-14 15:33 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-10-14 15:33 . 2009-10-14 21:36 -------- d-----w- c:\windows\system32\drivers\Avg

2009-10-14 15:33 . 2009-10-15 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-10-14 15:33 . 2009-10-14 15:33 -------- d-----w- c:\program files\AVG

2009-10-14 15:33 . 2009-10-14 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-10-14 15:19 . 2009-10-14 15:19 -------- d-----w- c:\documents and settings\Lyn\Application Data\AVG8

2009-10-12 18:55 . 2009-10-13 02:21 311240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-10-12 15:55 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-10-09 22:10 . 2009-10-12 14:12 -------- d-----w- c:\program files\new

2009-10-09 22:08 . 2009-10-09 22:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-10-08 14:12 . 2009-10-08 14:12 -------- d-----w- c:\program files\Holidaysoft

2009-10-07 16:59 . 2009-10-07 16:59 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-10-07 16:59 . 2009-10-07 16:59 -------- d-----w- c:\program files\MSECACHE

2009-10-05 21:56 . 2009-10-05 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultimate Keyword Theme Extractor

2009-10-05 21:56 . 2009-10-05 21:56 -------- d-----w- c:\program files\Ultimate Keyword Theme Extractor

2009-10-05 21:13 . 2009-10-05 21:13 -------- d-----w- c:\program files\The Action Machine

2009-10-05 19:15 . 2009-08-02 03:58 116736 ----a-w- c:\program files\Patch.exe

2009-10-05 19:15 . 2009-10-05 19:18 -------- d-----w- c:\program files\SENuke2

2009-10-05 15:20 . 2009-10-05 15:20 -------- d-----w- c:\documents and settings\Lyn\Application Data\main.A4DFDCFEC27B9ED82C6EDE429CFFCA2BC46859DA.1

2009-10-05 15:20 . 2009-10-05 15:20 -------- d-----w- c:\program files\StomperNet

2009-10-02 14:54 . 2009-10-02 14:54 -------- d-----w- c:\program files\Market Samurai

2009-09-30 20:18 . 2009-09-30 20:18 -------- d-----w- c:\program files\iPod

2009-09-29 14:33 . 2009-09-29 14:33 -------- d-----w- c:\documents and settings\Lyn\Application Data\Malwarebytes

2009-09-29 14:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-29 14:33 . 2009-09-29 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-29 14:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-29 14:33 . 2009-10-12 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 21:54 . 2009-09-29 14:45 -------- d-----w- c:\program files\pkrovg

2009-09-21 16:32 . 2009-09-21 16:32 -------- d-----w- c:\documents and settings\Lyn\Local Settings\Application Data\Downloaded Installations

2009-09-18 14:51 . 2009-09-18 14:51 -------- d-----w- c:\documents and settings\Lyn\Application Data\Artisteer

2009-09-18 14:49 . 2009-09-18 14:49 -------- d-----w- c:\program files\Artisteer 2

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-16 17:54 . 2007-11-05 14:47 -------- d-----w- c:\documents and settings\Lyn\Application Data\Azureus

2009-10-15 06:01 . 2008-01-09 17:37 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-10-15 06:01 . 2008-01-09 17:37 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2009-10-15 06:00 . 2007-02-27 20:44 -------- d-----w- c:\program files\Symantec AntiVirus

2009-10-14 21:30 . 2008-01-09 19:53 -------- d-----w- c:\documents and settings\Lyn\Application Data\Skype

2009-10-13 15:21 . 2008-02-06 21:08 -------- d-----w- c:\documents and settings\Lyn\Application Data\MXSkypeRec

2009-10-12 19:26 . 2009-01-22 20:55 256 ----a-w- c:\windows\system32\pool.bin

2009-10-12 19:01 . 2007-04-19 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-10-09 19:35 . 2008-03-28 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\RingCentral

2009-10-07 17:00 . 2007-11-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Light-O-Rama

2009-10-07 17:00 . 2007-11-02 18:23 -------- d-----w- c:\program files\Light-O-Rama

2009-10-05 16:12 . 2007-09-24 21:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-01 21:59 . 2008-05-08 18:10 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5

2009-09-30 20:19 . 2009-07-28 21:04 -------- d-----w- c:\program files\iTunes

2009-09-30 20:18 . 2007-07-12 14:20 -------- d-----w- c:\program files\Common Files\Apple

2009-09-30 15:37 . 2009-06-17 14:19 -------- d-----w- c:\program files\SENuke

2009-09-29 14:21 . 2008-08-13 20:00 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-28 15:13 . 2008-01-14 05:00 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-24 16:31 . 2007-05-06 04:18 -------- d-----w- c:\documents and settings\Lyn\Application Data\IBP

2009-09-23 18:29 . 2007-03-02 16:46 -------- d-----w- c:\program files\EditPlus 2

2009-09-14 14:49 . 2007-06-12 18:43 -------- d-----w- c:\documents and settings\Lyn\Application Data\Apple Computer

2009-09-11 13:04 . 2009-09-11 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-11 13:01 . 2007-04-02 16:34 -------- d-----w- c:\program files\QuickTime Alternative

2009-09-10 17:01 . 2009-09-10 17:01 27 ---ha-w- c:\documents and settings\All Users\Application Data\.cf09c0bf45c88abfee981785fbc1f8dc.dat

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-----w- c:\documents and settings\Lyn\Application Data\ScreenSteps

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-----w- c:\program files\ScreenSteps 2

2009-09-08 22:02 . 2007-04-23 15:18 -------- d-----w- c:\program files\Google

2009-08-31 21:43 . 2009-08-31 21:22 -------- d-----w- c:\documents and settings\Lyn\Application Data\W Photo Studio Viewer

2009-08-29 01:07 . 2007-05-10 19:01 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-08-28 21:02 . 2009-08-28 21:02 256 ----a-w- c:\documents and settings\Lyn\pool.bin

2009-08-25 21:19 . 2009-02-02 22:41 -------- d-----w- c:\documents and settings\Lyn\Application Data\Roxio

2009-08-24 18:25 . 2007-05-07 15:36 -------- d-----w- c:\program files\Java

2009-07-25 10:23 . 2008-11-06 19:44 411368 ----a-w- c:\windows\system32\deploytk.dll

2007-06-11 14:09 . 2007-06-11 14:09 1124 ----a-w- c:\program files\mdac.log

2007-11-02 16:09 . 2007-11-01 18:16 80 --sh--r- c:\windows\system32\0C05E5229D.dll

2009-07-14 14:14 . 2009-07-14 14:14 1078818 --sha-w- c:\windows\system32\gitemati.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-01 160592]

"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-05-04 479232]

"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2008-03-19 32768]

"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-06-30 2893064]

"IBP"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2005-06-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickBooksDB"="c:\program files\Intuit\QuickBooks 2006\QBDBMgrN.exe" [2005-10-20 126976]

"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-10-08 125368]

"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2005-05-15 187904]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-11-14 37656]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-14 2023704]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-01 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-10-14 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gaim.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Gaim.lnk

backup=c:\windows\pss\Gaim.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk

backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lyn^Start Menu^Programs^Startup^RescueTime.lnk]

path=c:\documents and settings\Lyn\Start Menu\Programs\Startup\RescueTime.lnk

backup=c:\windows\pss\RescueTime.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=

"c:\\Program Files\\Kayako\\LiveResponse\\LiveResponse.exe"=

"c:\\Program Files\\IBP 9\\IBP.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\IBP 10\\IBP.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/14/2009 10:33 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/14/2009 10:33 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/14/2009 10:33 AM 297752]

R2 bt878kp;bt878kp;c:\windows\system32\drivers\Bt878KP.sys [10/20/2008 11:22 AM 11720]

R2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [6/4/2009 5:41 PM 451904]

R2 MSSQL$PROVIDUSSTD;SQL Server (PROVIDUSSTD);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 8:29 AM 29178224]

R2 PD91Agent;PD91Agent;c:\program files\RAXCO\PerfectDisk\PD91Agent.exe [7/18/2008 3:02 PM 693512]

R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [5/18/2009 8:13 AM 185640]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [6/2/2005 2:54 PM 10496]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/29/2007 8:46 AM 24652]

R2 WinAutomation Service;WinAutomation Service;c:\program files\WinAutomation\WinAutomation.ServiceAgent.exe [5/8/2009 9:39 AM 147096]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/2/2009 8:01 PM 102448]

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [11/15/2008 12:29 PM 102912]

R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [5/14/2005 7:41 PM 3328]

S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 12:10 AM 24636]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 10:57 AM 133104]

S3 PD91Engine;PD91Engine;c:\program files\RAXCO\PerfectDisk\PD91Engine.exe [7/18/2008 3:02 PM 910600]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C6A2FF75-66A2-B6E1-6F3A-AC957B0FD49C}]

c:\windows\Windows\svchost.exe s

.

Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 15:57]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 15:57]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1343024091-725345543-1003Core.job

- c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-28 18:06]

2009-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1343024091-725345543-1003UA.job

- c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-28 18:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.inkcarts.com/

uInternet Settings,ProxyServer = 203.131.160.19:85

uInternet Settings,ProxyOverride = <local>

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save &Image with Flash and Media Capture - c:\program files\Common Files\MetaProducts\FMCapt.dll/saveimg.htm

IE: Save &media files with Flash and Media Capture - c:\program files\Common Files\MetaProducts\FMCapt.dll/savemedia.htm

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - {B3DA38C9-7C7B-4C32-8A65-8745B3B6085E} - c:\program files\Common Files\MetaProducts\fmcapt.dll

TCP: {4B87B9FA-2A31-4199-8144-53A56D4EAD11} = 68.105.28.12,68.105.29.11

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} - hxxps://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab

FF - ProfilePath - c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFF12.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

BHO-{3744b637-84da-49ac-a492-9e2855cbe57a} - verelojo.dll

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKLM-Run-nozudufote - wopuyajo.dll

SharedTaskScheduler-{3f4401b5-6d20-4c82-a826-9954e5033f48} - c:\windows\system32\fubiwuda.dll

SharedTaskScheduler-{0153fe57-e1bb-40f8-b867-bd65aa2b2014} - c:\windows\system32\bametusi.dll

SSODL-yoyavorif-{3f4401b5-6d20-4c82-a826-9954e5033f48} - c:\windows\system32\fubiwuda.dll

SSODL-doyipuwar-{0153fe57-e1bb-40f8-b867-bd65aa2b2014} - c:\windows\system32\bametusi.dll

AddRemove-DataPig Excel Explosion 3.0_is1 - c:\dpee\unins000.exe

AddRemove-Excel MS Access Import - c:\program files\Excel MS Access Import

AddRemove-RapidOS Digital Surveillance System_is1 - c:\program files\RapidOS 2.4.2

AddRemove-WinPcapInst - c:\program files\WinPcap\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-15 01:05

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(452)

c:\program files\UltraMon\RTSUltraMonHook.dll

c:\progra~1\RINGCE~1\RINGCE~1\RCHotKeyHook.dll

c:\windows\system32\ieframe.dll

c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\windows\system32\gearsec.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\program files\iPod Access for Windows\iPAHelper.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Norton Ghost\Agent\VProSvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Sandboxie\SbieSvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\program files\TeamViewer\Version4\TeamViewer.exe

c:\program files\RealVNC\VNC4\winvnc4.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\progra~1\SYMANT~1\VPTray.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe

c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\program files\UltraMon\UltraMonTaskbar.exe

.

**************************************************************************

.

Completion time: 2009-10-15 1:19 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-15 06:19

Pre-Run: 40,179,703,808 bytes free

Post-Run: 43,022,393,344 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer


Open NOTEPAD and copy/paste the text in the quotebox below into it:

DIRLOOK::
c:\Program Files\new
c:\Program Files\SENuke2
c:\Program Files\pkrovg
COLLECT::
c:\windows\system32\gitemati.exe
c:\Program Files\Patch.exe
REGISTRY::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C6A2FF75-66A2-B6E1-6F3A-AC957B0FD49C}]

Save this as "CFScript"

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip

Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4

---------------

## Post the ComboFix log before proceeding to this step

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------

In your next post, please include fresh logs from:

  1. Online scan
  2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

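The two posts above show the whole loop by hand: read the ComboFix "Reg Loading Points" and "Supplementary Scan" sections for things that should not be there (an Active Setup entry launching a svchost.exe from c:\windows\Windows\ instead of system32, a user proxy pointing at 203.131.160.19:85, the XP firewall switched off, TCP 3389 globally open), then write a CFScript with Collect:: and Registry:: [-key] lines for the items that can be acted on. The Python below is an added example for this thread, not ComboFix code and not the helper's script. SAMPLE_LOG is a constructed excerpt of lines copied from the log above; the rule names, the SYSTEM_BINARY_HOME and REMOTE_ADMIN_PORTS tables and the draft_cfscript() function are this example's own design, and its output is a draft for a human reviewer, not a script to drag onto ComboFix.exe unread.

```python
"""Triage ComboFix 'Reg Loading Points' / 'Supplementary Scan' lines and draft a CFScript.

Added example for this thread; not part of ComboFix and not the helper's script.
SAMPLE_LOG is a constructed excerpt of lines copied from the log posted above. The
rule names, the two tables and draft_cfscript() are this example's own design.
"""
import re

# Where the genuine copy of each well-known system binary lives on Windows XP.
# A same-named file anywhere else (here c:\windows\Windows\svchost.exe) is a decoy.
SYSTEM_BINARY_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# TCP ports a home workstation's firewall should not open to every address.
REMOTE_ADMIN_PORTS = {3389: "RDP", 5900: "VNC", 23: "telnet", 135: "RPC", 445: "SMB"}

KEY_RE = re.compile(r"^\[(.+)\]$")
EXE_RE = re.compile(r"^([a-z]:\\.*?\.exe)\b", re.IGNORECASE)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
PORT_RE = re.compile(r'^"(\d+):TCP"\s*=', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b', re.IGNORECASE)

# Constructed excerpt: lines copied from the ComboFix log above, in log order.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{C6A2FF75-66A2-B6E1-6F3A-AC957B0FD49C}]
c:\windows\Windows\svchost.exe s
uInternet Settings,ProxyServer = 203.131.160.19:85
uInternet Settings,ProxyOverride = <local>
"""


def triage(log_text):
    """Return one dict per suspicious line. 'registry_delete' and 'collect' are
    filled only where a CFScript action is safe to propose; the rest is for review."""
    findings = []
    key = ""  # registry key that the current line belongs to

    def add(rule, evidence, registry_delete="", collect=""):
        findings.append({"rule": rule, "key": key, "evidence": evidence,
                         "registry_delete": registry_delete, "collect": collect})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        lkey = key.lower()

        m = PROXY_RE.search(line)  # user proxy pointing off-box = traffic interception
        if m:
            if m.group(1).rsplit(":", 1)[0] not in ("127.0.0.1", "localhost"):
                add("user_proxy_set", line)
            continue
        m = PORT_RE.match(line)
        if m and lkey.endswith(r"globallyopenports\list"):
            if int(m.group(1)) in REMOTE_ADMIN_PORTS:
                add("open_admin_port", line)
            continue
        if lkey.endswith(r"firewallpolicy\standardprofile") and FIREWALL_OFF_RE.match(line):
            add("firewall_disabled", line)
        elif "active setup\\installed components" in lkey:
            m = EXE_RE.match(line)
            if m:
                path = m.group(1)
                folder, _, name = path.lower().rpartition("\\")
                home = SYSTEM_BINARY_HOME.get(name)
                if home and folder != home:
                    # ComboFix abbreviates some keys with '\~\'; only a full key can go in [-key].
                    add("suspicious_active_setup", line,
                        registry_delete="" if "\\~\\" in key else key, collect=path)
    return findings


def draft_cfscript(findings):
    """Render actionable findings in the CFScript syntax used in the thread:
    Collect:: zips the listed files for submission, Registry:: [-key] deletes the key."""
    collect = [f["collect"] for f in findings if f["collect"]]
    delete = [f["registry_delete"] for f in findings if f["registry_delete"]]
    out = []
    if collect:
        out += ["Collect::"] + collect
    if delete:
        out += ["Registry::"] + [f"[-{k}]" for k in delete]
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['rule']:<24} {f['evidence']}")
    print(draft_cfscript(found))
```

Run against the excerpt it reports the firewall, the open 3389 port, the off-box proxy and the Active Setup svchost decoy, and the draft script it prints contains only the two lines a helper would actually write: a Collect:: for c:\windows\Windows\svchost.exe and a Registry:: deletion of the {C6A2FF75-...} key, which is exactly the pair the helper's CFScript above uses. The proxy and firewall findings are deliberately not turned into script lines: the firewall keys are printed abbreviated ("HKLM\~\...") in the log, and resetting the proxy is a per-user Internet Options change that is better done by hand after the infection is gone.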

Sorry. Here is the C:\ComboFix.txt file

ComboFix 09-10-18.04 - Lyn 10/19/2009 9:26.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.1967 [GMT -5:00]

Running from: c:\documents and settings\Lyn\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Lyn\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\axaltocm.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))

.

2009-10-14 16:00 . 2009-10-18 15:56 -------- d-----w- C:\$AVG8.VAULT$

2009-10-14 15:40 . 2009-10-14 15:40 -------- d-----w- c:\documents and settings\Lyn\Local Settings\Application Data\AVG Security Toolbar

2009-10-14 15:33 . 2009-10-14 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-10-14 15:33 . 2009-10-14 15:33 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-10-14 15:33 . 2009-10-14 15:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-10-14 15:33 . 2009-10-14 15:33 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-10-14 15:33 . 2009-10-19 13:21 -------- d-----w- c:\windows\system32\drivers\Avg

2009-10-14 15:33 . 2009-10-15 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-10-14 15:33 . 2009-10-14 15:33 -------- d-----w- c:\program files\AVG

2009-10-14 15:33 . 2009-10-14 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-10-14 15:19 . 2009-10-14 15:19 -------- d-----w- c:\documents and settings\Lyn\Application Data\AVG8

2009-10-12 18:55 . 2009-10-13 02:21 311240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-10-12 15:55 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-10-09 22:10 . 2009-10-12 14:12 -------- d-----w- c:\program files\new

2009-10-09 22:08 . 2009-10-09 22:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-10-08 14:12 . 2009-10-08 14:12 -------- d-----w- c:\program files\Holidaysoft

2009-10-07 16:59 . 2009-10-07 16:59 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-10-07 16:59 . 2009-10-07 16:59 -------- d-----w- c:\program files\MSECACHE

2009-10-05 21:56 . 2009-10-05 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultimate Keyword Theme Extractor

2009-10-05 21:56 . 2009-10-05 21:56 -------- d-----w- c:\program files\Ultimate Keyword Theme Extractor

2009-10-05 21:13 . 2009-10-05 21:13 -------- d-----w- c:\program files\The Action Machine

2009-10-05 19:15 . 2009-08-02 03:58 116736 ----a-w- c:\program files\Patch.exe

2009-10-05 19:15 . 2009-10-05 19:18 -------- d-----w- c:\program files\SENuke2

2009-10-05 15:20 . 2009-10-05 15:20 -------- d-----w- c:\documents and settings\Lyn\Application Data\main.A4DFDCFEC27B9ED82C6EDE429CFFCA2BC46859DA.1

2009-10-05 15:20 . 2009-10-05 15:20 -------- d-----w- c:\program files\StomperNet

2009-10-02 14:54 . 2009-10-02 14:54 -------- d-----w- c:\program files\Market Samurai

2009-09-30 20:18 . 2009-09-30 20:18 -------- d-----w- c:\program files\iPod

2009-09-29 14:33 . 2009-09-29 14:33 -------- d-----w- c:\documents and settings\Lyn\Application Data\Malwarebytes

2009-09-29 14:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-29 14:33 . 2009-09-29 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-29 14:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-29 14:33 . 2009-10-12 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 21:54 . 2009-09-29 14:45 -------- d-----w- c:\program files\pkrovg

2009-09-21 16:32 . 2009-09-21 16:32 -------- d-----w- c:\documents and settings\Lyn\Local Settings\Application Data\Downloaded Installations

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-16 17:54 . 2007-11-05 14:47 -------- d-----w- c:\documents and settings\Lyn\Application Data\Azureus

2009-10-19 14:19 . 2007-02-27 20:44 -------- d-----w- c:\program files\Symantec AntiVirus

2009-10-15 16:04 . 2008-01-09 19:53 -------- d-----w- c:\documents and settings\Lyn\Application Data\Skype

2009-10-15 06:01 . 2008-01-09 17:37 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-10-15 06:01 . 2008-01-09 17:37 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2009-10-13 15:21 . 2008-02-06 21:08 -------- d-----w- c:\documents and settings\Lyn\Application Data\MXSkypeRec

2009-10-12 19:26 . 2009-01-22 20:55 256 ----a-w- c:\windows\system32\pool.bin

2009-10-12 19:01 . 2007-04-19 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-10-09 19:35 . 2008-03-28 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\RingCentral

2009-10-07 17:00 . 2007-11-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Light-O-Rama

2009-10-07 17:00 . 2007-11-02 18:23 -------- d-----w- c:\program files\Light-O-Rama

2009-10-05 16:12 . 2007-09-24 21:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-01 21:59 . 2008-05-08 18:10 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5

2009-09-30 20:19 . 2009-07-28 21:04 -------- d-----w- c:\program files\iTunes

2009-09-30 20:18 . 2007-07-12 14:20 -------- d-----w- c:\program files\Common Files\Apple

2009-09-30 15:37 . 2009-06-17 14:19 -------- d-----w- c:\program files\SENuke

2009-09-29 14:21 . 2008-08-13 20:00 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-28 15:13 . 2008-01-14 05:00 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-24 16:31 . 2007-05-06 04:18 -------- d-----w- c:\documents and settings\Lyn\Application Data\IBP

2009-09-23 18:29 . 2007-03-02 16:46 -------- d-----w- c:\program files\EditPlus 2

2009-09-18 14:51 . 2009-09-18 14:51 -------- d-----w- c:\documents and settings\Lyn\Application Data\Artisteer

2009-09-18 14:49 . 2009-09-18 14:49 -------- d-----w- c:\program files\Artisteer 2

2009-09-14 14:49 . 2007-06-12 18:43 -------- d-----w- c:\documents and settings\Lyn\Application Data\Apple Computer

2009-09-11 13:04 . 2009-09-11 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-11 13:01 . 2007-04-02 16:34 -------- d-----w- c:\program files\QuickTime Alternative

2009-09-10 17:01 . 2009-09-10 17:01 27 ---ha-w- c:\documents and settings\All Users\Application Data\.cf09c0bf45c88abfee981785fbc1f8dc.dat

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-----w- c:\documents and settings\Lyn\Application Data\ScreenSteps

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-----w- c:\program files\ScreenSteps 2

2009-09-08 22:02 . 2007-04-23 15:18 -------- d-----w- c:\program files\Google

2009-08-31 21:43 . 2009-08-31 21:22 -------- d-----w- c:\documents and settings\Lyn\Application Data\W Photo Studio Viewer

2009-08-29 01:07 . 2007-05-10 19:01 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-08-28 21:02 . 2009-08-28 21:02 256 ----a-w- c:\documents and settings\Lyn\pool.bin

2009-08-25 21:19 . 2009-02-02 22:41 -------- d-----w- c:\documents and settings\Lyn\Application Data\Roxio

2009-08-24 18:25 . 2007-05-07 15:36 -------- d-----w- c:\program files\Java

2009-07-25 10:23 . 2008-11-06 19:44 411368 ----a-w- c:\windows\system32\deploytk.dll

2007-06-11 14:09 . 2007-06-11 14:09 1124 ----a-w- c:\program files\mdac.log

2007-11-02 16:09 . 2007-11-01 18:16 80 --sh--r- c:\windows\system32\0C05E5229D.dll

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of c:\program files\new ----

2009-10-09 22:10 . 2009-10-12 14:12 10498 ----a-w- c:\program files\new\unins000.msg

2009-10-09 22:10 . 2009-09-10 19:54 269648 ----a-w- c:\program files\new\mbamservice.exe

2009-10-09 22:10 . 2009-09-10 19:54 420176 ----a-w- c:\program files\new\mbamgui.exe

2009-10-09 22:10 . 2009-09-10 19:54 496976 ----a-w- c:\program files\new\vbalsgrid6.ocx

2009-10-09 22:10 . 2009-09-10 19:54 46416 ----a-w- c:\program files\new\ssubtmr6.dll

2009-10-09 22:10 . 2009-09-10 19:54 79696 ----a-w- c:\program files\new\zlib.dll

2009-10-09 22:10 . 2009-09-10 19:53 70992 ----a-w- c:\program files\new\mbamext.dll

2009-10-09 22:10 . 2008-10-31 22:54 13097 ----a-w- c:\program files\new\Languages\ukrainian.lng

2009-10-09 22:10 . 2009-09-06 14:23 12198 ----a-w- c:\program files\new\Languages\serbian.lng

2009-10-09 22:10 . 2008-07-26 14:58 11599 ----a-w- c:\program files\new\Languages\slovak.lng

2009-10-09 22:10 . 2008-03-04 04:28 11205 ----a-w- c:\program files\new\Languages\slovenian.lng

2009-10-09 22:10 . 2009-09-09 04:46 12962 ----a-w- c:\program files\new\Languages\spanish.lng

2009-10-09 22:10 . 2009-09-07 06:51 12265 ----a-w- c:\program files\new\Languages\swedish.lng

2009-10-09 22:10 . 2009-04-15 10:00 13808 ----a-w- c:\program files\new\Languages\turkish.lng

2009-10-09 22:10 . 2008-03-05 00:56 12245 ----a-w- c:\program files\new\Languages\portugueseBR.lng

2009-10-09 22:10 . 2008-06-15 18:04 12345 ----a-w- c:\program files\new\Languages\portuguesePT.lng

2009-10-09 22:10 . 2008-03-14 00:09 12672 ----a-w- c:\program files\new\Languages\romanian.lng

2009-10-09 22:10 . 2008-07-04 05:58 11779 ----a-w- c:\program files\new\Languages\russian.lng

2009-10-09 22:10 . 2009-07-24 00:46 9269 ----a-w- c:\program files\new\Languages\korean.lng

2009-10-09 22:10 . 2008-12-19 21:30 11457 ----a-w- c:\program files\new\Languages\latvian.lng

2009-10-09 22:10 . 2008-09-11 03:29 13314 ----a-w- c:\program files\new\Languages\macedonian.lng

2009-10-09 22:10 . 2009-06-10 18:39 11593 ----a-w- c:\program files\new\Languages\norwegian.lng

2009-10-09 22:10 . 2009-01-11 05:56 11623 ----a-w- c:\program files\new\Languages\polish.lng

2009-10-09 22:10 . 2009-09-10 19:12 13642 ----a-w- c:\program files\new\Languages\german.lng

2009-10-09 22:10 . 2008-10-07 20:15 13234 ----a-w- c:\program files\new\Languages\greek.lng

2009-10-09 22:10 . 2009-08-20 01:38 9278 ----a-w- c:\program files\new\Languages\hebrew.lng

2009-10-09 22:10 . 2008-03-03 22:39 12048 ----a-w- c:\program files\new\Languages\hungarian.lng

2009-10-09 22:10 . 2008-03-05 01:03 13019 ----a-w- c:\program files\new\Languages\italian.lng

2009-10-09 22:10 . 2008-03-05 00:56 12255 ----a-w- c:\program files\new\Languages\dutch.lng

2009-10-09 22:10 . 2009-09-03 15:22 11314 ----a-w- c:\program files\new\Languages\english.lng

2009-10-09 22:10 . 2009-07-31 14:20 11213 ----a-w- c:\program files\new\Languages\estonian.lng

2009-10-09 22:10 . 2008-05-17 15:09 11624 ----a-w- c:\program files\new\Languages\finnish.lng

2009-10-09 22:10 . 2009-09-09 04:45 13442 ----a-w- c:\program files\new\Languages\french.lng

2009-10-09 22:10 . 2008-08-01 14:03 8045 ----a-w- c:\program files\new\Languages\chineseSI.lng

2009-10-09 22:10 . 2008-08-04 17:58 8141 ----a-w- c:\program files\new\Languages\chineseTR.lng

2009-10-09 22:10 . 2008-12-27 21:41 11977 ----a-w- c:\program files\new\Languages\croatian.lng

2009-10-09 22:10 . 2009-09-08 00:42 12199 ----a-w- c:\program files\new\Languages\czech.lng

2009-10-09 22:10 . 2009-02-18 01:27 11893 ----a-w- c:\program files\new\Languages\danish.lng

2009-10-09 22:10 . 2008-07-03 15:10 13924 ----a-w- c:\program files\new\Languages\albanian.lng

2009-10-09 22:10 . 2009-04-10 05:53 10331 ----a-w- c:\program files\new\Languages\arabic.lng

2009-10-09 22:10 . 2009-08-01 21:14 12636 ----a-w- c:\program files\new\Languages\bosnian.lng

2009-10-09 22:10 . 2009-09-09 04:46 12610 ----a-w- c:\program files\new\Languages\bulgarian.lng

2009-10-09 22:10 . 2008-03-05 01:05 12595 ----a-w- c:\program files\new\Languages\catalan.lng

2009-10-09 22:10 . 2009-09-10 19:37 16400 ----a-w- c:\program files\new\changes.rtf

2009-10-09 22:10 . 2009-01-05 00:31 4124 ----a-w- c:\program files\new\license.txt

2009-10-09 22:10 . 2009-09-10 19:53 163664 ----a-w- c:\program files\new\mbam.dll

2009-10-09 22:10 . 2009-07-30 20:27 59015 ----a-w- c:\program files\new\mbam.chm

2009-10-09 22:10 . 2009-10-12 14:11 699216 ----a-w- c:\program files\new\unins000.exe

2009-10-09 22:10 . 2009-10-12 14:12 23662 ----a-w- c:\program files\new\unins000.dat

---- Directory of c:\program files\pkrovg ----

---- Directory of c:\program files\SENuke2 ----

2009-10-05 19:18 . 2009-10-05 19:18 963 ----a-w- c:\program files\SENuke2\latest.bnk

2009-10-05 19:18 . 2009-10-05 19:18 961 ----a-w- c:\program files\SENuke2\latest.rnk

2009-10-05 19:18 . 2009-10-05 19:18 688 ----a-w- c:\program files\SENuke2\latest.wpm

2009-10-05 19:18 . 2009-10-05 19:18 862 ----a-w- c:\program files\SENuke2\latest.pnk

2009-10-05 19:18 . 2009-10-05 19:18 696 ----a-w- c:\program files\SENuke2\latest.vnk

2009-10-05 19:16 . 2009-10-05 19:18 2258 ----a-w- c:\program files\SENuke2\latest.snk

2009-10-05 19:16 . 2009-07-28 20:42 3964928 ----a-w- c:\program files\SENuke2\SENuke.exe.tportBAK

2009-10-05 19:15 . 2009-08-02 03:58 116736 ----a-w- c:\program files\SENuke2\Patch.exe

2009-10-05 19:15 . 2009-03-24 23:19 1247 ----a-w- c:\program files\SENuke2\regcontrols.bat

2009-10-05 19:15 . 2008-04-21 21:17 635 ----a-w- c:\program files\SENuke2\SENuke.exe.manifest

2009-10-05 19:15 . 2008-10-18 11:57 207365 ----a-w- c:\program files\SENuke2\Manual.pdf

2009-10-05 19:15 . 2009-10-05 19:16 3964928 ----a-w- c:\program files\SENuke2\SENuke.exe

2009-10-05 19:15 . 2009-10-05 19:15 2200 ----a-w- c:\program files\SENuke2\unins000.dat

2009-10-05 19:15 . 2009-10-05 19:14 695578 ----a-w- c:\program files\SENuke2\unins000.exe

((((((((((((((((((((((((((((( SnapShot@2009-10-15_06.05.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-15 06:09 . 2009-10-15 06:09 16384 c:\windows\Temp\Perflib_Perfdata_350.dat

- 2005-06-14 12:00 . 2009-03-09 14:01 88874 c:\windows\system32\perfc009.dat

+ 2005-06-14 12:00 . 2009-10-15 06:10 88874 c:\windows\system32\perfc009.dat

+ 2007-02-27 17:10 . 2009-10-15 18:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-02-27 17:10 . 2009-10-14 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-02-27 17:10 . 2009-10-15 18:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-02-27 17:10 . 2009-10-14 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-15 18:18 . 2009-10-15 18:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-06-14 12:00 . 2009-03-09 14:01 486302 c:\windows\system32\perfh009.dat

+ 2005-06-14 12:00 . 2009-10-15 06:10 486302 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-01 160592]

"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-05-04 479232]

"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2008-03-19 32768]

"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-06-30 2893064]

"IBP"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickBooksDB"="c:\program files\Intuit\QuickBooks 2006\QBDBMgrN.exe" [2005-10-20 126976]

"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-10-08 125368]

"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2005-05-15 187904]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-11-14 37656]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-01 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-10-14 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gaim.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Gaim.lnk

backup=c:\windows\pss\Gaim.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk

backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lyn^Start Menu^Programs^Startup^RescueTime.lnk]

path=c:\documents and settings\Lyn\Start Menu\Programs\Startup\RescueTime.lnk

backup=c:\windows\pss\RescueTime.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=

"c:\\Program Files\\Kayako\\LiveResponse\\LiveResponse.exe"=

"c:\\Program Files\\IBP 9\\IBP.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\IBP 10\\IBP.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/14/2009 10:33 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/14/2009 10:33 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/14/2009 10:33 AM 297752]

R2 bt878kp;bt878kp;c:\windows\system32\drivers\Bt878KP.sys [10/20/2008 11:22 AM 11720]

R2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [6/4/2009 5:41 PM 451904]

R2 MSSQL$PROVIDUSSTD;SQL Server (PROVIDUSSTD);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 8:29 AM 29178224]

R2 PD91Agent;PD91Agent;c:\program files\RAXCO\PerfectDisk\PD91Agent.exe [7/18/2008 3:02 PM 693512]

R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [5/18/2009 8:13 AM 185640]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [6/2/2005 2:54 PM 10496]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/29/2007 8:46 AM 24652]

R2 WinAutomation Service;WinAutomation Service;c:\program files\WinAutomation\WinAutomation.ServiceAgent.exe [5/8/2009 9:39 AM 147096]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/2/2009 8:01 PM 102448]

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [11/15/2008 12:29 PM 102912]

R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [5/14/2005 7:41 PM 3328]

S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 12:10 AM 24636]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 10:57 AM 133104]

S3 PD91Engine;PD91Engine;c:\program files\RAXCO\PerfectDisk\PD91Engine.exe [7/18/2008 3:02 PM 910600]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

.

Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 15:57]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 15:57]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1343024091-725345543-1003Core.job

- c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-28 18:06]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1343024091-725345543-1003UA.job

- c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-28 18:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.inkcarts.com/

uInternet Settings,ProxyServer = 203.131.160.19:85

uInternet Settings,ProxyOverride = <local>

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save &image with Flash and Media Capture - c:\program files\Common Files\MetaProducts\FMCapt.dll/saveimg.htm

IE: Save &media files with Flash and Media Capture - c:\program files\Common Files\MetaProducts\FMCapt.dll/savemedia.htm

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - {B3DA38C9-7C7B-4C32-8A65-8745B3B6085E} - c:\program files\Common Files\MetaProducts\fmcapt.dll

TCP: {4B87B9FA-2A31-4199-8144-53A56D4EAD11} = 68.105.28.12,68.105.29.11

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} - hxxps://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab

FF - ProfilePath - c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFF12.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

AddRemove-Excel MS Access Import, Export & Convert Software_is1 - c:\program files\Excel MS Access Import

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-19 09:46

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

.

Completion time: 2009-10-19 9:55

ComboFix-quarantined-files.txt 2009-10-19 14:53

ComboFix2.txt 2009-10-15 06:19

Pre-Run: 42,711,429,120 bytes free

Post-Run: 42,645,102,592 bytes free

- - End Of File - - 19B634F9956E2F99E63AE2739D28AF48


c:\windows\system32\axaltocm.dll

This looks to be a false positive. Let's restore the file.

Open NOTEPAD and copy/paste the text in the quotebox below into it:

Dequarantine::
C:\QooBox\Quarantine\c\windows\system32\axaltocm.dll.vir
Suspect::
C:\QooBox\Quarantine\c\windows\system32\axaltocm.dll.vir

Save this as "CFScript"

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

---------------

ESET Online Scanner

  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start
    The scanner engine will initialise and update
  • Do Not tick the box Remove found threats
  • Click the Scan button
    The scan will now run, please be patient
  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.

---------------

In your next post, please include fresh logs from:

  1. Online scan
  2. ComboFix's log

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.


I can't say how much I appreciate your help with this. . . We're getting closer. . . Computer still isn't behaving quite like it should. But I'm not getting the popups now in the browser. I'll know more after using it a bit today.

ESET Scanner Results

C:\Qoobox\Quarantine\C\WINDOWS\system32\fitelote.dll.vir a variant of Win32/Kryptik.AWO trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\verelojo.dll.vir a variant of Win32/Kryptik.AWO trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\wopuyajo.dll.vir a variant of Win32/Kryptik.AWO trojan

C:\System Volume Information\_restore{9EA6CB28-61C0-47A0-98B3-254CC0569F9D}\RP1\A0000069.dll a variant of Win32/Kryptik.AWO trojan

C:\System Volume Information\_restore{9EA6CB28-61C0-47A0-98B3-254CC0569F9D}\RP1\A0000079.dll a variant of Win32/Kryptik.AWO trojan

C:\System Volume Information\_restore{9EA6CB28-61C0-47A0-98B3-254CC0569F9D}\RP1\A0000081.dll a variant of Win32/Kryptik.AWO trojan

ComboFix.txt

ComboFix 09-10-19.02 - Lyn 10/20/2009 10:18.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.1932 [GMT -5:00]

Running from: c:\documents and settings\Lyn\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Lyn\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\qoobox\Quarantine\C\WINDOWS\system32\axaltocm.dll.vir

.

((((((((((((((((((((((((( Files Created from 2009-09-20 to 2009-10-20 )))))))))))))))))))))))))))))))

.

2009-10-20 15:17 . 2009-10-20 15:17 133120 ----a-w- c:\windows\system32\axaltocm.dll

2009-10-14 16:00 . 2009-10-20 12:38 -------- d-----w- C:\$AVG8.VAULT$

2009-10-14 15:40 . 2009-10-14 15:40 -------- d-----w- c:\documents and settings\Lyn\Local Settings\Application Data\AVG Security Toolbar

2009-10-14 15:33 . 2009-10-14 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-10-14 15:33 . 2009-10-14 15:33 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-10-14 15:33 . 2009-10-14 15:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-10-14 15:33 . 2009-10-14 15:33 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-10-14 15:33 . 2009-10-20 13:21 -------- d-----w- c:\windows\system32\drivers\Avg

2009-10-14 15:33 . 2009-10-15 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar

2009-10-14 15:33 . 2009-10-14 15:33 -------- d-----w- c:\program files\AVG

2009-10-14 15:33 . 2009-10-14 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-10-14 15:19 . 2009-10-14 15:19 -------- d-----w- c:\documents and settings\Lyn\Application Data\AVG8

2009-10-12 18:55 . 2009-10-13 02:21 311240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-10-12 15:55 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2009-10-09 22:10 . 2009-10-12 14:12 -------- d-----w- c:\program files\new

2009-10-09 22:08 . 2009-10-09 22:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2

2009-10-08 14:12 . 2009-10-08 14:12 -------- d-----w- c:\program files\Holidaysoft

2009-10-07 16:59 . 2009-10-07 16:59 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-10-07 16:59 . 2009-10-07 16:59 -------- d-----w- c:\program files\MSECACHE

2009-10-05 21:56 . 2009-10-05 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Ultimate Keyword Theme Extractor

2009-10-05 21:56 . 2009-10-05 21:56 -------- d-----w- c:\program files\Ultimate Keyword Theme Extractor

2009-10-05 21:13 . 2009-10-05 21:13 -------- d-----w- c:\program files\The Action Machine

2009-10-05 19:15 . 2009-08-02 03:58 116736 ----a-w- c:\program files\Patch.exe

2009-10-05 19:15 . 2009-10-19 15:53 -------- d-----w- c:\program files\SENuke2

2009-10-05 15:20 . 2009-10-05 15:20 -------- d-----w- c:\documents and settings\Lyn\Application Data\main.A4DFDCFEC27B9ED82C6EDE429CFFCA2BC46859DA.1

2009-10-05 15:20 . 2009-10-05 15:20 -------- d-----w- c:\program files\StomperNet

2009-10-02 14:54 . 2009-10-02 14:54 -------- d-----w- c:\program files\Market Samurai

2009-09-30 20:18 . 2009-09-30 20:18 -------- d-----w- c:\program files\iPod

2009-09-29 14:33 . 2009-09-29 14:33 -------- d-----w- c:\documents and settings\Lyn\Application Data\Malwarebytes

2009-09-29 14:33 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-29 14:33 . 2009-09-29 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-29 14:33 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-29 14:33 . 2009-10-12 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-28 21:54 . 2009-09-29 14:45 -------- d-----w- c:\program files\pkrovg

2009-09-21 16:32 . 2009-09-21 16:32 -------- d-----w- c:\documents and settings\Lyn\Local Settings\Application Data\Downloaded Installations

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-16 17:54 . 2007-11-05 14:47 -------- d-----w- c:\documents and settings\Lyn\Application Data\Azureus

2009-10-20 15:41 . 2007-02-27 20:44 -------- d-----w- c:\program files\Symantec AntiVirus

2009-10-15 16:04 . 2008-01-09 19:53 -------- d-----w- c:\documents and settings\Lyn\Application Data\Skype

2009-10-15 06:01 . 2008-01-09 17:37 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs

2009-10-15 06:01 . 2008-01-09 17:37 0 ----a-w- c:\windows\system32\drivers\logiflt.iad

2009-10-13 15:21 . 2008-02-06 21:08 -------- d-----w- c:\documents and settings\Lyn\Application Data\MXSkypeRec

2009-10-12 19:26 . 2009-01-22 20:55 256 ----a-w- c:\windows\system32\pool.bin

2009-10-12 19:01 . 2007-04-19 16:47 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-10-09 19:35 . 2008-03-28 20:26 -------- d-----w- c:\documents and settings\All Users\Application Data\RingCentral

2009-10-07 17:00 . 2007-11-26 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Light-O-Rama

2009-10-07 17:00 . 2007-11-02 18:23 -------- d-----w- c:\program files\Light-O-Rama

2009-10-05 16:12 . 2007-09-24 21:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-01 21:59 . 2008-05-08 18:10 -------- d-----w- c:\program files\Mozilla Firefox 3 Beta 5

2009-09-30 20:19 . 2009-07-28 21:04 -------- d-----w- c:\program files\iTunes

2009-09-30 20:18 . 2007-07-12 14:20 -------- d-----w- c:\program files\Common Files\Apple

2009-09-30 15:37 . 2009-06-17 14:19 -------- d-----w- c:\program files\SENuke

2009-09-29 14:21 . 2008-08-13 20:00 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-28 15:13 . 2008-01-14 05:00 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-09-24 16:31 . 2007-05-06 04:18 -------- d-----w- c:\documents and settings\Lyn\Application Data\IBP

2009-09-23 18:29 . 2007-03-02 16:46 -------- d-----w- c:\program files\EditPlus 2

2009-09-18 14:51 . 2009-09-18 14:51 -------- d-----w- c:\documents and settings\Lyn\Application Data\Artisteer

2009-09-18 14:49 . 2009-09-18 14:49 -------- d-----w- c:\program files\Artisteer 2

2009-09-14 14:49 . 2007-06-12 18:43 -------- d-----w- c:\documents and settings\Lyn\Application Data\Apple Computer

2009-09-11 13:04 . 2009-09-11 13:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-11 13:01 . 2007-04-02 16:34 -------- d-----w- c:\program files\QuickTime Alternative

2009-09-10 17:01 . 2009-09-10 17:01 27 ---ha-w- c:\documents and settings\All Users\Application Data\.cf09c0bf45c88abfee981785fbc1f8dc.dat

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-----w- c:\documents and settings\Lyn\Application Data\ScreenSteps

2009-09-10 17:01 . 2009-09-10 17:01 -------- d-----w- c:\program files\ScreenSteps 2

2009-09-08 22:02 . 2007-04-23 15:18 -------- d-----w- c:\program files\Google

2009-08-31 21:43 . 2009-08-31 21:22 -------- d-----w- c:\documents and settings\Lyn\Application Data\W Photo Studio Viewer

2009-08-29 01:07 . 2007-05-10 19:01 -------- d-----w- c:\program files\Common Files\Research In Motion

2009-08-28 21:02 . 2009-08-28 21:02 256 ----a-w- c:\documents and settings\Lyn\pool.bin

2009-08-25 21:19 . 2009-02-02 22:41 -------- d-----w- c:\documents and settings\Lyn\Application Data\Roxio

2009-08-24 18:25 . 2007-05-07 15:36 -------- d-----w- c:\program files\Java

2009-07-25 10:23 . 2008-11-06 19:44 411368 ----a-w- c:\windows\system32\deploytk.dll

2007-06-11 14:09 . 2007-06-11 14:09 1124 ----a-w- c:\program files\mdac.log

2007-11-02 16:09 . 2007-11-01 18:16 80 --sh--r- c:\windows\system32\0C05E5229D.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_06.05.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-15 06:09 . 2009-10-15 06:09 16384 c:\windows\Temp\Perflib_Perfdata_350.dat

- 2005-06-14 12:00 . 2009-03-09 14:01 88874 c:\windows\system32\perfc009.dat

+ 2005-06-14 12:00 . 2009-10-15 06:10 88874 c:\windows\system32\perfc009.dat

+ 2007-02-27 17:10 . 2009-10-15 18:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2007-02-27 17:10 . 2009-10-14 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2007-02-27 17:10 . 2009-10-15 18:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2007-02-27 17:10 . 2009-10-14 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-15 18:18 . 2009-10-15 18:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-06-14 12:00 . 2009-03-09 14:01 486302 c:\windows\system32\perfh009.dat

+ 2005-06-14 12:00 . 2009-10-15 06:10 486302 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-01 160592]

"RCUI"="c:\progra~1\RINGCE~1\RINGCE~1\RCUI.exe" [2009-05-04 479232]

"RCHotKey"="c:\progra~1\RINGCE~1\RINGCE~1\RCHotKey.exe" [2008-03-19 32768]

"Jing"="c:\program files\TechSmith\Jing\Jing.exe" [2009-06-30 2893064]

"IBP"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickBooksDB"="c:\program files\Intuit\QuickBooks 2006\QBDBMgrN.exe" [2005-10-20 126976]

"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-10-08 125368]

"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2005-05-15 187904]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]

"MMReminderService"="c:\program files\Mindjet\MindManager 8\MMReminderService.exe" [2008-11-14 37656]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]

"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-01 160592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-10-14 15:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk

backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk

backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Gaim.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Gaim.lnk

backup=c:\windows\pss\Gaim.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Privoxy.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Privoxy.lnk

backup=c:\windows\pss\Privoxy.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SnagIt 8.lnk

backup=c:\windows\pss\SnagIt 8.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lyn^Start Menu^Programs^Startup^RescueTime.lnk]

path=c:\documents and settings\Lyn\Start Menu\Programs\Startup\RescueTime.lnk

backup=c:\windows\pss\RescueTime.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=

"c:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"=

"c:\\Program Files\\Kayako\\LiveResponse\\LiveResponse.exe"=

"c:\\Program Files\\IBP 9\\IBP.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\IBP 10\\IBP.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/14/2009 10:33 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/14/2009 10:33 AM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/14/2009 10:33 AM 297752]

R2 bt878kp;bt878kp;c:\windows\system32\drivers\Bt878KP.sys [10/20/2008 11:22 AM 11720]

R2 FlipShare Service;FlipShare Service;c:\program files\Flip Video\FlipShare\FlipShareService.exe [6/4/2009 5:41 PM 451904]

R2 MSSQL$PROVIDUSSTD;SQL Server (PROVIDUSSTD);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 8:29 AM 29178224]

R2 PD91Agent;PD91Agent;c:\program files\RAXCO\PerfectDisk\PD91Agent.exe [7/18/2008 3:02 PM 693512]

R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [5/18/2009 8:13 AM 185640]

R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [6/2/2005 2:54 PM 10496]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/29/2007 8:46 AM 24652]

R2 WinAutomation Service;WinAutomation Service;c:\program files\WinAutomation\WinAutomation.ServiceAgent.exe [5/8/2009 9:39 AM 147096]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/2/2009 8:01 PM 102448]

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [11/15/2008 12:29 PM 102912]

R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [5/14/2005 7:41 PM 3328]

S2 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 12:10 AM 24636]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2009 10:57 AM 133104]

S3 PD91Engine;PD91Engine;c:\program files\RAXCO\PerfectDisk\PD91Engine.exe [7/18/2008 3:02 PM 910600]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]

.

Contents of the 'Scheduled Tasks' folder

2009-10-14 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:34]

2009-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 15:57]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-17 15:57]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1343024091-725345543-1003Core.job

- c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-28 18:06]

2009-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1343024091-725345543-1003UA.job

- c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-28 18:06]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.inkcarts.com/

uInternet Settings,ProxyServer = 203.131.160.19:85

uInternet Settings,ProxyOverride = <local>

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save &image with Flash and Media Capture - c:\program files\Common Files\MetaProducts\FMCapt.dll/saveimg.htm

IE: Save &media files with Flash and Media Capture - c:\program files\Common Files\MetaProducts\FMCapt.dll/savemedia.htm

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

IE: {{F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - {B3DA38C9-7C7B-4C32-8A65-8745B3B6085E} - c:\program files\Common Files\MetaProducts\fmcapt.dll

TCP: {4B87B9FA-2A31-4199-8144-53A56D4EAD11} = 68.105.28.12,68.105.29.11

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} - hxxps://service.ringcentral.com/ActiveX/RingCentral_Message_Player.cab

FF - ProfilePath - c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.igoogle.com

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}\components\nstidy.dll

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\Lyn\Application Data\Mozilla\Firefox\Profiles\jbj3khbs.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\Lyn\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFF12.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFFICE.DLL

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nppl3260.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\nprpjplug.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin2.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin3.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin4.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin5.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin6.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin7.dll

FF - plugin: c:\program files\QuickTime Alternative\Plugins\npqtplugin8.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-20 10:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]

"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

.

Completion time: ~,10time:~,-3

ComboFix-quarantined-files.txt 2009-10-20 15:48

ComboFix2.txt 2009-10-19 14:55

ComboFix3.txt 2009-10-15 06:19

C:\DeQuarantine.txt

Pre-Run: 43,247,292,416 bytes free

Post-Run: 43,335,913,472 bytes free

- - End Of File - - 039543F9F3E11CAB965313C20EA3E186

Upload was successful


ESET Scanner Results

C:\Qoobox\Quarantine\C\WINDOWS\system32\fitelote.dll.vir a variant of Win32/Kryptik.AWO trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\verelojo.dll.vir a variant of Win32/Kryptik.AWO trojan

C:\Qoobox\Quarantine\C\WINDOWS\system32\wopuyajo.dll.vir a variant of Win32/Kryptik.AWO trojan

C:\System Volume Information\_restore{9EA6CB28-61C0-47A0-98B3-254CC0569F9D}\RP1\A0000069.dll a variant of Win32/Kryptik.AWO trojan

C:\System Volume Information\_restore{9EA6CB28-61C0-47A0-98B3-254CC0569F9D}\RP1\A0000079.dll a variant of Win32/Kryptik.AWO trojan

C:\System Volume Information\_restore{9EA6CB28-61C0-47A0-98B3-254CC0569F9D}\RP1\A0000081.dll a variant of Win32/Kryptik.AWO trojan

Of the stuff found by the online scan,

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache later

Computer still isn't behaving quite like it should. But I'm not getting the popups now in the browser. I'll know more after using it a bit today.

Your machine appears to be free of infections. What other issues are you experiencing?

Only suspicious entry which I see is ..

uInternet Settings,ProxyServer = 203.131.160.19:85

... but that appears to be a setting you created. Let me know if that isn't so.

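The helper singles out the ProxyServer line as the one entry in the log worth confirming with the user. As an added example (not code from this thread, from ComboFix or from Malwarebytes), the Python script below runs that kind of check automatically over ComboFix-style log lines: it flags a ProxyServer that points outside the loopback, RFC 1918 and link-local ranges, an EnableFirewall value of 0 in the firewall-policy section, and every globally open port together with the subnet scope (if any) ComboFix printed for it. The sample lines are constructed from the formats seen in this log (the proxy value is the one from the thread, the start page is a placeholder), and the names triage, proxy_endpoints and is_local_host are my own.

```python
import ipaddress
import re

# Constructed sample lines in the formats ComboFix uses for the firewall policy
# keys and the "Supplementary Scan" section (the proxy value is the one from
# the thread; the start page is a placeholder).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
uStart Page = hxxp://www.example.invalid/
uInternet Settings,ProxyServer = 203.131.160.19:85
uInternet Settings,ProxyOverride = <local>
"""

# Ranges a proxy on a home or small-office machine would plausibly live in;
# anything else is flagged for the user to confirm, as the helper did here.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

SECTION_RE = re.compile(r"^\[(.+)\]$")
# ComboFix prefixes: u = HKEY_CURRENT_USER, m = HKEY_LOCAL_MACHINE
PROXY_RE = re.compile(r"^[um]?Internet Settings,ProxyServer\s*=\s*(.+)$")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"\s*=\s*(.*)$')
SUBNET_RE = re.compile(r"\d+\.\d+\.\d+\.\d+/[\d.]+")


def proxy_endpoints(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    Handles both the plain 'host:port' form and 'http=host:port;https=host:port'.
    """
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        if not host:            # no port given
            host, port = hostport, ""
        endpoints.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return endpoints


def is_local_host(host):
    """True for loopback, RFC 1918 and link-local addresses (and 'localhost')."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False        # a hostname: cannot be judged offline, so flag it
    return any(ip in net for net in LOCAL_RANGES)


def triage(log_text):
    """Return (severity, message) findings for the checks described above."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, host, port in proxy_endpoints(m.group(1)):
                if not is_local_host(host):
                    findings.append(("review", f"proxy {scheme} -> {host}:{port} is outside local ranges"))
            continue
        if "firewallpolicy" not in section:
            continue
        m = FIREWALL_RE.match(line)
        if m and m.group(1) == "0":
            profile = section.rsplit("\\", 1)[-1]
            findings.append(("high", f"Windows Firewall disabled in {profile}"))
            continue
        m = OPEN_PORT_RE.match(line)
        if m and "globallyopenports" in section:
            port, proto, rest = m.groups()
            subnet = SUBNET_RE.search(rest)
            scope = subnet.group(0) if subnet else "no subnet restriction listed"
            findings.append(("review", f"port {port}/{proto} open, {scope}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run it against a saved ComboFix log (read the file and pass its text to triage) to get the same short list a helper would produce by eye. A local filtering proxy such as Privoxy, which is listed in this machine's startup folder and listens on 127.0.0.1:8118 by default, is deliberately not flagged, so the script only asks about proxies the user is unlikely to have set up themselves.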

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /U
  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  4. http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  5. http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  6. http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywareinfoforum.com/index.php?showtopic=60955

After doing all these, your system will be optimised against future threats.

.

Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

