Malwarebytes

HELP--Can't start F-Secure as instructed!

55 replies to this topic

#1
Purrrfect_Chaos

    New Member

  • Members
  • 46 posts
  • Gender:Female
  • Location: Sacramento, CA
I have been infected with Windows Police Pro and have tried to open MBAM, but it will not open or run. It's also causing problems with many other programs/files, including My Computer/Properties. I wanted to try to turn off System Restore and use MBAM, AVG, & Spybot, but am having problems with all of them. I cannot download anything. My computer keeps randomly restarting itself (well, it's probably the infection doing it), and I'm not able to get online most of the time I try.
I have mostly had to sign into Myspace IM and try to use a link from that to get online.
And the last time I tried to do that, it would no longer let me.
I am constantly having to find new ways to outsmart this thing.
I don't know how much longer I will even be able to get online.
I'm desperate!!! Please help.

Thank you.
~*~Mallari~*~

#2
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
Chris Fistonich
Consumer Support Specialist

#3
Purrrfect_Chaos

screen317, on Sep 26 2009, 02:47 PM, said:

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317


ComboFix won't run on my comp...
What now?

#4
screen317
Hi,


Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply.

-screen317

#5
Purrrfect_Chaos
I can't get it to download.
I am using Google Chrome as of recently, and it does not allow me to choose where to save it.
And it won't download like normal when I try.
Also, I've tried to use IE8 so that I could try to save it to my desktop, but as of about two days ago, it (IE8) no longer works either.
Also, another strange thing is that I show no signs of Windows Police Pro anymore, but nothing is working properly on my computer anymore.
I'm so confused.

#6
screen317
Try downloading it with Firefox.

If no joy, download it from a known clean computer, and transfer it over. Let me know how it goes.

-screen317

#7
Purrrfect_Chaos
How would I transfer it? Firefox won't download it.
And with most programs that I try to run now, it says either corrupt or not found. Even for simple stuff like Sound Settings in My Computer. Do you have any idea what's going on? Or do you need that report first to even say anything?

#8
screen317
What I meant was for you to download it from another computer, put it on a CD, then run it on this computer from the CD.


However, the symptoms you describe are cause for concern, and you may be infected with a file infector.

Download DDS by sUBs from another computer, and transfer it over.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.


If that doesn't work, these are links to anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Let me know how it goes.

-screen317

#9
Purrrfect_Chaos
Ok, thx so much.
I will get on that ASAP and let you know how it goes.
Thx for your patience as well.

#10
screen317
Okay thanks for letting me know.

#11
Purrrfect_Chaos
DDS (Ver_09-10-13.01) - NTFSx86
Run by CHRIS MOFFATT at 15:45:36.70 on Fri 10/16/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.158 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\svohost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Police Pro\Windows Police Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CHRIS MOFFATT\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ICQSys (IE PlugIn): {77dc0b63-1535-4ba9-8be8-d59eb676fa02} - c:\windows\system32\dddesot.dll
BHO: ADC PlugIn: {77dc0b63-ff35-4ba9-8be8-aa9eb676fa02} - c:\windows\system32\plugie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: REALBAR: {4e7bd74f-2b8d-469e-c0ff-fd60b590a87d} -
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\Money Express.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Google Update] "c:\documents and settings\chris moffatt\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [CHotkey] mHotkey.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [S3TRAY2] S3tray2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SideWinderTrayV4] c:\progra~1\mi948f~1\gameco~1\common\swtrayv4.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
dRun: [Symantec Network Driver Update Warning] c:\progra~1\symantec\liveup~1\SNDWarn.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
dRun: [Symantec NetDriver Warning] c:\progra~1\symnet~1\SNDWarn.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\at&tse~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: {6224f700-cba3-4071-b251-47cb894244cd} - c:\program files\icq\ICQ.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?40015.6531712963
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-6 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-1 24652]
R2 WDefend;WDefend;c:\windows\svohost.exe [2009-10-16 283136]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 RpcPatch;WINS Client; [x]

============== File Associations ===============

exefile=c:\windows\system32\pump.exe "%1" %*

=============== Created Last 30 ================

2009-10-16 10:11 <DIR> --d----- c:\windows\system32\schtml
2009-10-16 10:08 36 a------- c:\windows\system32\skynet.dat
2009-10-16 10:08 283,136 a------- c:\windows\svohost.exe
2009-10-16 10:08 58 a------- c:\windows\wp4.dat
2009-10-16 10:08 3 a------- c:\windows\wp3.dat
2009-10-16 10:08 561,664 a------- c:\windows\system32\plugie.dll
2009-10-16 10:08 9 a------- c:\windows\system32\nuar.old
2009-10-16 10:08 499,712 a------- c:\windows\system32\pump.exe
2009-10-16 10:08 116 a------- c:\windows\system32\wwp.htm
2009-10-16 10:08 <DIR> --d----- c:\program files\Windows Police Pro
2009-10-14 23:01 208 a------- c:\windows\system32\MRT.INI
2009-10-14 17:56 916,480 a------- c:\windows\system32\SET15C.tmp
2009-10-14 17:56 594,432 a------- c:\windows\system32\SET161.tmp
2009-10-14 17:56 55,296 a------- c:\windows\system32\SET160.tmp
2009-10-14 17:56 1,985,536 a------- c:\windows\system32\SET164.tmp
2009-10-14 17:56 1,208,832 a------- c:\windows\system32\SET15D.tmp
2009-10-14 17:56 5,940,224 a------- c:\windows\system32\SET15F.tmp
2009-10-14 17:56 11,069,440 a------- c:\windows\system32\SET166.tmp
2009-09-28 18:06 4 a------- c:\windows\system32\bincd32.dat
2009-09-24 14:43 <DIR> --d----- C:\MySpace
2009-09-24 11:47 <DIR> a-d----- c:\windows\system32\images
2009-09-24 11:47 8,468 a------- c:\windows\system32\wispex.html
2009-09-23 16:27 36 a------- c:\windows\system32\sysnet.dat
2009-09-23 16:27 9 a------- c:\windows\system32\bennuar.old
2009-09-22 15:25 <DIR> --d----- c:\program files\common files\xing shared

==================== Find3M ====================

2009-09-22 15:24 348,160 a------- c:\windows\system32\msvcr71.dll
2009-09-11 07:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-04 13:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 01:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 01:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-09 11:08 2,713 ---sh--- c:\windows\system32\bisobobe.exe
2009-08-08 17:07 2,713 ---sh--- c:\windows\system32\yubusipi.exe
2009-08-07 05:04 2,713 ---sh--- c:\windows\system32\pohuniku.exe
2009-08-06 13:58 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 07:00 2,180,352 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 06:13 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll

============= FINISH: 15:48:12.89 ===============
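The DDS log above shows two reasons nothing on this machine would run: the exefile association has been redirected through pump.exe, and services point at svohost.exe and svchast.exe, names one character away from the legitimate svchost.exe. As an added example (not part of this thread, nor a DDS or Malwarebytes tool), the Python below triages a constructed excerpt of such a log for exactly those two signs; the system-binary list and the regex are my own assumptions.

```python
"""Triage a DDS-style log for a hijacked .exe association and
system-binary lookalike names.  Added example; not part of DDS."""
import re

# Constructed excerpt modelled on the DDS log posted in this thread.
SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\svohost.exe
C:\\WINDOWS\\Explorer.EXE

============= SERVICES / DRIVERS ===============

R2 WDefend;WDefend;c:\\windows\\svohost.exe [2009-10-16 283136]
S2 AntipPolice_;AntiPol;c:\\windows\\svchast.exe --> c:\\windows\\svchast.exe [?]
R2 avg8wd;AVG Free8 WatchDog;c:\\progra~1\\avg\\avg8\\avgwdsvc.exe [2009-8-6 297752]

============== File Associations ===============

exefile=c:\\windows\\system32\\pump.exe "%1" %*
"""

# Default value of HKCR\exefile\shell\open\command on Windows XP.
DEFAULT_EXEFILE = '"%1" %*'

# Assumed short list of Windows binaries whose names malware often mimics.
SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "spoolsv.exe", "services.exe",
}

# Drive-letter path ending in .exe; stops at whitespace, ';', '"' and brackets.
PATH_RE = re.compile(r'[a-z]:\\[^\s\[\]";]*?\.exe\b', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character name swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_exefile(log: str):
    """Return the exefile association if it is not the XP default, else None.

    Anything other than '"%1" %*' means every .exe launch is routed through
    another program first, which is why tools 'will not run' on the machine.
    """
    for line in log.splitlines():
        if line.lower().startswith("exefile="):
            value = line.split("=", 1)[1].strip()
            if value != DEFAULT_EXEFILE:
                return value
    return None


def find_lookalikes(log: str):
    """Executable paths whose file name is one edit away from a system binary.

    Returns (path, mimicked_name) pairs, first occurrence of each path only.
    """
    findings, seen = [], set()
    for path in PATH_RE.findall(log):
        key = path.lower()
        if key in seen:
            continue
        seen.add(key)
        name = key.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES:
            continue  # exact legitimate name; location checks are out of scope
        for legit in sorted(SYSTEM_NAMES):
            if edit_distance(name, legit) == 1:
                findings.append((path, legit))
                break
    return findings


def triage(log: str) -> dict:
    """Run both checks over one log and return the findings."""
    return {"exefile_hijack": check_exefile(log), "lookalikes": find_lookalikes(log)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("exefile association:", result["exefile_hijack"] or "default (ok)")
    for path, legit in result["lookalikes"]:
        print(f"lookalike: {path} resembles {legit}")
```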

#12
Purrrfect_Chaos
Ok, so here is what has been happening since my last post...

Windows Police Pro popped up again today for the first time since I first told you it was gone about a week or so ago. Until today, as you are aware, I have not been able to access IE8. But somehow, I was able to access it today. I don't know why, but I was. So I decided to try to take advantage of that and try to DL the last thing you told me to DL. Here is the log it produced. I have saved both logs to my comp in case this is not the one you wanted. Hope this helps.

~Mal

#13
screen317
Hi,

You have many infections on this computer.

Download and extract this tool to your Desktop, then double click it. Immediately after, try running Win32kDiag.exe again.
http://www.dougknox..../xp_exe_fix.zip

#14
Purrrfect_Chaos
Win32kDiag.exe says,
"Starting up...
WARNING: Could not get Desktop Directory -- Log File will be at C:\
Press Any key to continue"

After I pressed a key it said below ^that^ stuff,
"Error -- Could not create log file (13)!
Running from: C:\Documents and Settings\CHRIS MOFFATT\Desktop\Win32kDiag.exe"

Then a box pops up that says,
"Win32kDiag.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost"


And also, I have some other infection called "Security Tool" now. It's getting really hard for me to do anything on the comp now. Half the time I have to shut down and restart manually to clear the screen of all this crap from the infections before I can even get online or anything.

~Mal

#15
screen317
Hi,


Please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

Before you download it, rename ComboFix to chaos.bat

Save it to your Desktop.


Next, please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).


Next, navigate to Start --> Run, and enter this command:

"%userprofile%\desktop\chaos.bat" /killall

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317

#16
Purrrfect_Chaos
Ok, will do.
And also, I forgot to mention that I had to run Win32kDiag.exe in Safe Mode because nothing will run unless I do it in Safe Mode.

Thx for the further instructions.
I will start right now.

#17
Purrrfect_Chaos
Oh, and also, I know I should know this already, but what do you mean by a NEW HijackThis log?

#18
Purrrfect_Chaos
Never mind the post about Safe Mode. I didn't know what I was talking about :D
And I am going to post my ComboFix log in here. I hope this is where you wanted me to do it.

#19
Purrrfect_Chaos
ComboFix 09-10-17.01 - CHRIS MOFFATT 10/18/2009 13:38.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479.169 [GMT -7:00]
Running from: c:\documents and settings\CHRIS MOFFATT\desktop\chaos.bat
Command switches used :: /killall
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CHRIS MOFFATT\Desktop\Security Tool.lnk
c:\documents and settings\Guest\My Documents\iexplore.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\Windows Police Pro.exe
c:\recycler\S-1-5-21-299502267-746137067-839522115-1003
c:\recycler\S-1-5-21-729295071-1689782713-174428723-1003
c:\windows\Installer\5b37e1.msi
c:\windows\Installer\5b37e7.msi
c:\windows\Installer\5b37fb.msi
c:\windows\Installer\5b3803.msi
c:\windows\Installer\5b3808.msi
c:\windows\Installer\5b3819.msi
c:\windows\Installer\5b3822.msi
c:\windows\Installer\5b3827.msi
c:\windows\Installer\5b3830.msi
c:\windows\Installer\5b383f.msi
c:\windows\Installer\5b3844.msi
c:\windows\Installer\5b3849.msi
c:\windows\Installer\5b384e.msi
c:\windows\Installer\5b3853.msi
c:\windows\Installer\5b3858.msi
c:\windows\Installer\5b385d.msi
c:\windows\Installer\5b3862.msi
c:\windows\Installer\5b3863.msi
c:\windows\svohost.exe
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\bisobobe.exe
c:\windows\system32\config\systemprofile\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk
c:\windows\system32\drivers\gasfkybbplnnqd.sys
c:\windows\system32\gasfkyclyvlayd.dat
c:\windows\system32\gasfkyfaufnufh.dat
c:\windows\system32\gasfkyfexbtsao.dll
c:\windows\system32\gasfkyiaonatnx.dll
c:\windows\system32\gasfkysmbylurx.dll
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\nuar.old
c:\windows\system32\pohuniku.exe
c:\windows\system32\pump.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\dbsinit.exe
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\system32\sysnet.dat
c:\windows\system32\wispex.html
c:\windows\system32\yubusipi.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RPCPATCH
-------\Service_RpcPatch
-------\Legacy_WDefend
-------\Service_gasfkyrsrcwfnu
-------\Service_WDefend


((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-17 18:10 . 2009-10-18 19:00 -------- d-----w- c:\documents and settings\All Users\Application Data\48290629
2009-10-16 17:08 . 2009-10-18 20:37 58 ----a-w- c:\windows\wp4.dat
2009-10-16 17:08 . 2009-10-18 20:37 1 ----a-w- c:\windows\wp3.dat
2009-10-16 17:08 . 2009-10-18 20:36 561664 ----a-w- c:\windows\system32\plugie.dll
2009-09-30 21:39 . 2009-09-30 21:40 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Adobe
2009-09-30 21:37 . 2009-09-30 21:37 -------- d-----w- c:\documents and settings\Guest\Application Data\Yahoo!
2009-09-30 21:37 . 2009-09-30 21:37 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2009-09-24 21:43 . 2009-09-24 21:43 -------- d-----w- C:\MySpace
2009-09-23 23:22 . 2009-09-23 23:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-23 23:16 . 2009-09-23 23:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-09-22 22:37 . 2009-10-14 18:57 -------- d-----w- c:\documents and settings\CHRIS MOFFATT\Local Settings\Application Data\Temp
2009-09-22 22:26 . 2009-09-22 22:26 -------- d-----w- c:\documents and settings\CHRIS MOFFATT\Local Settings\Application Data\Real
2009-09-22 22:25 . 2009-09-22 22:25 -------- d-----w- c:\program files\Common Files\xing shared
2009-09-22 22:21 . 2009-09-22 22:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-29 23:39 . 2009-08-06 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-25 00:24 . 2009-08-06 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 22:50 . 2002-02-08 11:30 -------- d-----w- c:\program files\Common Files\AOL
2009-09-22 23:41 . 2008-02-24 17:17 -------- d-----w- c:\program files\Google
2009-09-22 22:24 . 2004-10-15 14:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-09-22 22:24 . 2002-02-08 11:28 -------- d-----w- c:\program files\Common Files\Real
2009-09-14 23:53 . 2009-09-14 23:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-14 23:44 . 2006-06-27 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-09-14 23:44 . 2004-08-03 19:50 -------- d-----w- c:\program files\Yahoo!
2009-09-14 23:44 . 2006-06-27 00:49 -------- d-----w- c:\documents and settings\CHRIS MOFFATT\Application Data\Yahoo!
2009-09-11 14:33 . 2002-02-08 10:04 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 00:49 . 2009-09-11 00:49 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-11 00:49 . 2009-09-11 00:49 -------- d-----w- c:\program files\McAfee Security Scan
2009-09-08 19:12 . 2009-09-08 19:12 -------- d-----w- c:\program files\support.com
2009-09-08 19:12 . 2009-09-08 19:12 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-09-04 20:45 . 2002-02-08 10:04 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-03 17:40 . 2009-09-01 20:09 -------- d-----w- c:\program files\Microsoft
2009-09-01 20:07 . 2006-07-16 16:26 -------- d-----w- c:\program files\Java
2009-08-29 08:08 . 2009-10-15 00:56 916480 ----a-w- c:\windows\system32\SET15C.tmp
2009-08-29 08:08 . 2009-10-15 00:56 1208832 ----a-w- c:\windows\system32\SET15D.tmp
2009-08-29 08:08 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 08:08 . 2009-10-15 00:56 5940224 ----a-w- c:\windows\system32\SET15F.tmp
2009-08-29 08:08 . 2009-10-15 00:56 594432 ----a-w- c:\windows\system32\SET161.tmp
2009-08-29 08:08 . 2009-10-15 00:56 55296 ----a-w- c:\windows\system32\SET160.tmp
2009-08-29 08:08 . 2009-10-15 00:56 1985536 ----a-w- c:\windows\system32\SET164.tmp
2009-08-29 08:08 . 2009-10-15 00:56 11069440 ----a-w- c:\windows\system32\SET166.tmp
2009-08-26 08:16 . 2002-02-08 10:04 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2004-08-13 02:59 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-13 02:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-08-13 02:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2002-02-08 11:12 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2002-02-08 10:03 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-13 02:59 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2002-02-08 11:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-06 20:58 . 2009-08-06 20:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-06 20:58 . 2009-08-06 20:58 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-06 20:58 . 2009-08-06 20:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 20:58 . 2009-08-06 20:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-05 09:11 . 2002-02-08 11:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 14:00 . 2002-02-08 10:04 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2002-08-29 01:04 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-03 20:36 . 2009-08-06 22:41 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 20:36 . 2009-08-06 22:41 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 12:23 . 2009-07-18 17:16 411368 ----a-w- c:\windows\system32\deploytk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02}]
2009-10-18 20:36 561664 ----a-w- c:\windows\system32\plugie.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 16:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Google Update"="c:\documents and settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-22 133104]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-07-18 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2003-11-03 77824]
"SideWinderTrayV4"="c:\progra~1\MI948F~1\GAMECO~1\common\swtrayv4.exe" [1999-11-19 24650]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-16 2025752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-22 198160]
"CHotkey"="mHotkey.exe" - c:\windows\mHotkey.exe [2002-07-23 477184]
"S3TRAY2"="S3tray2.exe" - c:\windows\system32\S3tray2.exe [2003-02-25 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-4-10 217088]
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2002-2-8 1742384]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-06 20:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/6/2009 1:58 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/6/2009 1:58 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/6/2009 1:57 PM 297752]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/1/2008 11:41 PM 24652]
S2 AntipPolice_;AntiPol;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3557127444-988613841-3444001093-1005Core.job
- c:\documents and settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-22 22:35]

2009-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3557127444-988613841-3444001093-1005UA.job
- c:\documents and settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-22 22:35]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycdict.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
HKU-Default-Run-Symantec Network Driver Update Warning - c:\progra~1\Symantec\LIVEUP~1\SNDWarn.EXE
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
HKU-Default-Run-Symantec NetDriver Warning - c:\progra~1\SYMNET~1\SNDWarn.exe
AddRemove-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\CDAUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 13:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyrsrcwfnu]
"imagepath"="\systemroot\system32\drivers\gasfkybbplnnqd.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3557127444-988613841-3444001093-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gasfkyrsrcwfnu]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gasfkybbplnnqd.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2088)
c:\windows\system32\WININET.dll
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\chaos\CF28784.exe
c:\documents and settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-10-18 13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 20:52

Pre-Run: 63,546,957,824 bytes free
Post-Run: 63,726,739,456 bytes free

334 --- E O F --- 2009-10-15 19:04
~*~Mallari~*~

#20
Purrrfect_Chaos

    New Member

  • Members
  • 46 posts
  • Gender:Female
  • Location: Sacramento, CA
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:50 PM, on 10/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ADC PlugIn - {77DC0B63-ff35-4ba9-8BE8-aa9EB676FA02} - C:\WINDOWS\system32\plugie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MI948F~1\GAMECO~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\CHRIS MOFFATT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - http://lads.myspace....ceUploader2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11018 bytes
~*~Mallari~*~
