Attack From Several Sources

Vfem

New Member
Ok, forgive me if my information isn't completely accurate. I'll try harder to explain if something sounds iffy, or I'm using the wrong terms.

So, at the beginning I was notified repeatedly of attacks being made on my system today. I was running AVG. It refused to update, couldn't upgrade, and finally one of the 'viruses' attacked AVG, freezing it up and telling me I no longer had the authority to move, open or remove the program.

While trying to do a search online, every link Google brought up redirected me to a totally different site. I realized there was some sort of redirect virus on my computer (though I think that is secondary to what happened to AVG, but I can't be certain).

AVG warned me of a Trojan virus it blocked, and also warned me about a virus called Katush.A (this may be wrong; I'm trying to remember, since I can't look in my virus vault without access to AVG).

So since then I ran Kaspersky TDSSKiller; it only found 3 threats and made no difference to the running of my computer, so I ran Combofix, and now I'm running Kaspersky virus remedy and it's having the same issue as the others. AVG is locked/password protected and I don't know how to get around that to remove the program completely.

I also do not know if I got all the problems on my hard drive yet. It 'appears' I got the root kit that was redirecting me on Google... so that's how I got here. I have been at this for hours... and my brain has gone to mush, but I'm so nervous about losing my system as this is my business computer and I need this work on Monday! I definitely can't afford to miss a day of work since I can't afford to pay someone else to deal with this headache... but from the posts I was reading before I posted this, you all seem to know exactly what you're doing. So here I am! :D

Anyways, I want to show you the Combofix report and make sure I didn't miss anything I need to go back and manually do. I'm not completely computer illiterate, so I'm sure someone could talk me through it.

Thanks in advance!!!

~Shannon~


log -

ComboFix 11-10-15.04 - Owner 10/16/2011 1:59.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.125 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Favorites\Antivirus Test Online.url
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\temp.dmf
c:\windows\$NtUninstallKB57678$\1669499136
c:\windows\$NtUninstallKB57678$\1786934323\@
c:\windows\$NtUninstallKB57678$\1786934323\L\ymbcippc
c:\windows\$NtUninstallKB57678$\1786934323\loader.tlb
c:\windows\$NtUninstallKB57678$\1786934323\U\@00000001
c:\windows\$NtUninstallKB57678$\1786934323\U\@000000c0
c:\windows\$NtUninstallKB57678$\1786934323\U\@000000cb
c:\windows\$NtUninstallKB57678$\1786934323\U\@000000cf
c:\windows\$NtUninstallKB57678$\1786934323\U\@80000000
c:\windows\$NtUninstallKB57678$\1786934323\U\@800000c0
c:\windows\$NtUninstallKB57678$\1786934323\U\@800000cb
c:\windows\$NtUninstallKB57678$\1786934323\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\dasetup.log
c:\windows\kb835221.exe
c:\windows\setup.exe
c:\windows\system32\
c:\windows\system32\AutoRun.inf
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\windows-kb870669-x86-enu.exe
c:\windows\windowsxp-kb867282-x86-enu.exe
c:\windows\windowsxp-kb873333-x86-enu.exe
c:\windows\windowsxp-kb884018-x86-enu.exe
c:\windows\windowsxp-kb885250-x86-enu.exe
c:\windows\windowsxp-kb885835-x86-enu.exe
c:\windows\windowsxp-kb885836-x86-enu.exe
c:\windows\windowsxp-kb886185-x86-enu.exe
c:\windows\windowsxp-kb887472-x86-enu.exe
c:\windows\windowsxp-kb887742-x86-enu.exe
c:\windows\windowsxp-kb888113-x86-enu.exe
c:\windows\windowsxp-kb888239-x86-enu.exe
c:\windows\windowsxp-kb888302-x86-enu.exe
c:\windows\windowsxp-kb890047-x86-enu.exe
c:\windows\windowsxp-kb890175-x86-enu.exe
c:\windows\windowsxp-kb891781-x86-enu.exe
c:\windows\$NtUninstallKB57678$ . . . . Failed to delete
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe . . . is infected!!
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\Ati2evxx.exe . . . is infected!!
c:\windows\system32\Ati2evxx.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Canon\CAL\CALMAIN.exe . . . is infected!!
c:\program files\Canon\CAL\CALMAIN.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe . . . is infected!!
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_6a827433
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-15 21:27 . 2011-10-15 21:27 -------- d-sh--w- c:\documents and settings\Owner\Local Settings\Application Data\6a827433
2011-10-15 21:23 . 2011-10-15 21:23 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-10-15 21:22 . 2011-10-15 21:22 -------- d-----w- c:\program files\Coupons
2011-09-26 15:41 . 2011-09-26 15:41 220160 -c----w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 15:41 . 2011-09-26 15:41 20480 -c----w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 15:41 . 2011-09-26 15:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2005-03-02 23:44 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-03-02 23:44 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-03-02 23:44 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-07 13:26 . 2011-06-16 13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20 . 2005-03-02 23:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2005-03-02 23:44 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2005-03-02 23:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2005-03-02 23:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2005-03-02 23:44 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2005-03-02 23:44 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
2011-02-08 13:33 978944 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll
2010-12-20 17:32 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-05-30 15:33 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-30 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"HostManager"="c:\program files\Common Files\AOL\1145242537\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-15 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Common Files\\ArcSoft\\Connection Service\\Bin\\ACDaemon.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\tdsskiller.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe --> c:\program files\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:35 PM 1025352]
S3 Msdgpubdmmp;Msdgpubdmmp; [x]
S4 {7ani$vaivnp;{7ani$vaivnp; [x]
S4 Rsdpfslrsi;Rsdpfslrsi;c:\windows\system32\drivers\ipsec.sys [3/2/2005 7:44 PM 75264]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
TCP: DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bfuf2t6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b1192d1&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-77825075.sys
AddRemove-HP Imaging Device Functions - c:\program files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe
AddRemove-HP Photosmart Essential - c:\program files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 02:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2011-10-16 02:29:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-16 06:29
.
Pre-Run: 101,573,910,528 bytes free
Post-Run: 101,900,898,304 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - AAF61A84CA2989ECD021A723DBEA115D
 
I downloaded and am running Microsoft Security Essentials so I have a background antivirus running. Everything has slowed down, but I just saw the link to download that, so I am on my way to do that next.

**fingers crossed** I hope hubby can handle the DD in the morning since I don't know when I'll get to sleep.

Thanks so much! :good:
 
OK... I downloaded and ran MBAM. I have a copy of the log.

I just want to say, of the 5 things I ran tonight... each one found something different, in different areas the others missed. So worrisome to see that; now I wonder just how long those viruses have been on my system waiting on me to unleash them?

If I need to do more than the 'quick scan' I'll rerun it!

But anyways... AVG still locking me out and can't uninstall, here's MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7956

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/16/2011 4:22:08 AM
mbam-log-2011-10-16 (04-22-08).txt

Scan type: Quick scan
Objects scanned: 178351
Time elapsed: 23 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CONNECT (Trojan.PornDialer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I can't promise this will be cleaned up by tomorrow for you, as I have to go to work today, but I will get you started on some procedures you need to run.

1.

Please download and run TDSSkiller

When the program opens, click on the start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished, it will display a result screen stating whether or not the infection was found on your computer. If it was found, it will display a screen similar to the one below.

[screenshot: infection-found.jpg]


To remove the infection, simply click on the Continue button and TDSSKiller will attempt to clean the infection.

When it has finished cleaning the infection, you will see a report stating whether or not it was successful, as shown below.

[screenshot: scan-completed.jpg]


If the log says "will be cured after reboot", please reboot the system by pressing the Reboot now button.

After running, there will be a log located at the root of your C:\ drive labeled tdsskiller with a series of numbers after it. Please open the log and copy and paste it back here.

2.

Please download Gooredfix to your desktop from here or here

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/Win 7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.
  • Please copy and paste the Goored.txt log in your next reply (it can be found on your desktop).

3.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

Folder::
c:\documents and settings\Owner\Local Settings\Application Data\6a827433


Driver::
Msdgpubdmmp
{7ani$vaivnp


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) onto ComboFix.exe, as you see in the screenshot below. Important: perform this instruction carefully!


[screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

4.

I need you to post an uninstall list that ComboFix automatically creates when running. Please navigate to C:\qoobox; in that folder will be a file named add-remove programs.txt. Please open that file and copy and paste the contents back here.

5.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

When the HijackThis log appears in a Notepad file, click on the Edit menu, click Select All, then click on the Edit menu again and click Copy. Come back to your reply, right-click with your mouse and click Paste.

Post the logfile that HijackThis produces

6.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push List of found threats.
Click on Export to text file, and save the file to your desktop using a file name such as ESETlog. Include the contents of this report in your next reply.
If no threats are found, it won't produce a log.


Please make sure you post all 6 logs so that we can get this done quicker. I will have a few opportunities to check in while I'm at work, but might not be able to reply with specific instructions until I get back home later tonight.
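Step 1 asks for the TDSSKiller log to be pasted back, and what a helper reads in that log is the handful of lines that are not "- ok": the "Suspicious file", "- warning" and "- detected" verdicts, plus the inventory lines that pair a service name with the md5 and path of its image, which show where a flagged service actually loads from (in the log posted later in this thread, service 6a827433 loads from C:\WINDOWS\863273578:2508032972.exe, a path whose last component contains a colon, i.e. an NTFS alternate data stream rather than an ordinary file). The Python script below is an added example written for this page; it is not part of the thread and not Kaspersky's code. Its line patterns are taken from the log format visible in this thread, the sample log is constructed to mirror that format, and the final Rootkit.Boot.Example verdict line is invented (that name is not a real signature) to show a second detection shape.

```python
import re

# Constructed sample in the TDSSKiller 2.6.x log format used in this thread.
# The first nine lines mirror the shape of the log posted in the thread; the
# last line is invented (the verdict name is not a real signature) to show a
# second detection shape.
SAMPLE_LOG = r"""
01:33:30.0541 1520 Scan started
01:33:30.0541 1520 Mode: Manual;
01:33:32.0291 1520 6a827433 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\863273578:2508032972.exe
01:33:33.0041 1520 Suspicious file (Hidden): C:\WINDOWS\863273578:2508032972.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
01:33:33.0041 1520 6a827433 ( HiddenFile.Multi.Generic ) - warning
01:33:33.0041 1520 6a827433 - detected HiddenFile.Multi.Generic (1)
01:33:33.0370 1520 Abiosdsk - ok
01:33:33.0573 1520 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:33:33.0573 1520 ACPI - ok
01:33:50.0000 1520 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Example (0)
"""

# Every line is "<hh:mm:ss.ffff> <thread id> <message>".
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<msg>.*)$")
# Inventory line: "<service> (<md5 of image>) <image path>".
SERVICE_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Verdict lines, in the three shapes the tool emits.
OK_RE = re.compile(r"^(?P<obj>.+?) - ok$")
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
WARNING_RE = re.compile(r"^(?P<obj>.+?) \( (?P<verdict>\S+) \) - warning$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$"
)


def is_ads_path(path):
    """True if a Win32 path names an NTFS alternate data stream (file:stream).

    The only legitimate colon in a plain path is the one after the drive
    letter, so a colon inside the last path component means the "file" is a
    stream attached to another file or directory. Streams do not show up in
    Explorer or a plain dir listing, which is why a loader hidden there
    survives a casual look at the folder.
    """
    _head, sep, last = path.rpartition("\\")
    if not sep:  # no backslash at all: a bare "C:" is a drive, not a stream
        return False
    return ":" in last


def parse_tdsskiller_log(text):
    """Reduce a TDSSKiller log to what a helper actually has to read."""
    report = {"ok": 0, "services": {}, "findings": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if OK_RE.match(msg):
            report["ok"] += 1
            continue
        s = SERVICE_RE.match(msg)
        if s:
            report["services"][s["svc"]] = {"md5": s["md5"], "path": s["path"]}
            continue
        d = DETECTED_RE.match(msg)
        if d:
            report["findings"].append(
                {"kind": "detected", "object": d["obj"], "verdict": d["verdict"]})
            continue
        w = WARNING_RE.match(msg)
        if w:
            report["findings"].append(
                {"kind": "warning", "object": w["obj"], "verdict": w["verdict"]})
            continue
        u = SUSPICIOUS_RE.match(msg)
        if u:
            report["findings"].append(
                {"kind": "suspicious", "object": u["path"], "verdict": u["reason"],
                 "md5": u["md5"], "ads": is_ads_path(u["path"])})
    return report


def services_in_ads(report):
    """Names of services whose image path is an alternate data stream."""
    return sorted(svc for svc, info in report["services"].items()
                  if is_ads_path(info["path"]))


def summarize(report):
    """Human-readable triage lines, worst first; the ok count goes last."""
    order = {"detected": 0, "warning": 1, "suspicious": 2}
    lines = []
    for f in sorted(report["findings"], key=lambda f: order[f["kind"]]):
        tag = " [NTFS alternate data stream]" if f.get("ads") else ""
        lines.append(f"{f['kind'].upper():10} {f['object']} -> {f['verdict']}{tag}")
    for svc in services_in_ads(report):
        lines.append(f"SERVICE    {svc} loads from a stream: {report['services'][svc]['path']}")
    lines.append(f"{report['ok']} objects reported ok")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_tdsskiller_log(SAMPLE_LOG))))
```

Run it as a script to print the summary for the embedded sample, or pass the contents of the tdsskiller log from the root of C:\ to parse_tdsskiller_log(). The service-to-stream cross-check is the part worth keeping even when the tool reports only a generic HiddenFile verdict: a service whose image is an alternate data stream has no business being on a workstation, whatever the signature name says.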
 
Well thank you so much for your time, that is very awesome of you... and I don't want to rush you at all.

I'm going to post each log upon completion. I've downloaded the programs you've listed. Here's my first log from TDSSKiller. I did the immediate reboot.

01:33:17.0195 1956 TDSS rootkit removing tool 2.6.9.0 Oct 14 2011 11:33:24
01:33:17.0882 1956 ============================================================
01:33:17.0882 1956 Current date / time: 2011/10/16 01:33:17.0882
01:33:17.0882 1956 SystemInfo:
01:33:17.0882 1956
01:33:17.0882 1956 OS Version: 5.1.2600 ServicePack: 3.0
01:33:17.0882 1956 Product type: Workstation
01:33:17.0882 1956 ComputerName: EA5E71A6DE4A4D9
01:33:17.0882 1956 UserName: Owner
01:33:17.0882 1956 Windows directory: C:\WINDOWS
01:33:17.0882 1956 System windows directory: C:\WINDOWS
01:33:17.0882 1956 Processor architecture: Intel x86
01:33:17.0882 1956 Number of processors: 2
01:33:17.0882 1956 Page size: 0x1000
01:33:17.0882 1956 Boot type: Normal boot
01:33:17.0882 1956 ============================================================
01:33:21.0258 1956 Initialize success
01:33:30.0541 1520 ============================================================
01:33:30.0541 1520 Scan started
01:33:30.0541 1520 Mode: Manual;
01:33:30.0541 1520 ============================================================
01:33:32.0291 1520 6a827433 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\863273578:2508032972.exe
01:33:33.0041 1520 Suspicious file (Hidden): C:\WINDOWS\863273578:2508032972.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
01:33:33.0041 1520 6a827433 ( HiddenFile.Multi.Generic ) - warning
01:33:33.0041 1520 6a827433 - detected HiddenFile.Multi.Generic (1)
01:33:33.0370 1520 Abiosdsk - ok
01:33:33.0416 1520 abp480n5 - ok
01:33:33.0573 1520 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:33:33.0573 1520 ACPI - ok
01:33:33.0682 1520 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
01:33:33.0682 1520 ACPIEC - ok
01:33:33.0745 1520 adpu160m - ok
01:33:33.0807 1520 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
01:33:33.0823 1520 aec - ok
01:33:33.0917 1520 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
01:33:33.0917 1520 Afc - ok
01:33:34.0026 1520 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
01:33:34.0026 1520 AFD - ok
01:33:34.0260 1520 AgereSoftModem (593aefc67283d409f34cc1245d00a509) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
01:33:34.0385 1520 AgereSoftModem - ok
01:33:34.0604 1520 Aha154x - ok
01:33:34.0714 1520 aic78u2 - ok
01:33:34.0760 1520 aic78xx - ok
01:33:34.0839 1520 AliIde - ok
01:33:34.0901 1520 amsint - ok
01:33:35.0026 1520 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
01:33:35.0042 1520 Arp1394 - ok
01:33:35.0089 1520 asc - ok
01:33:35.0167 1520 asc3350p - ok
01:33:35.0182 1520 asc3550 - ok
01:33:35.0339 1520 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:33:35.0339 1520 AsyncMac - ok
01:33:35.0432 1520 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:33:35.0432 1520 atapi - ok
01:33:35.0479 1520 Atdisk - ok
01:33:35.0558 1520 ati2mtag (5658b0f5c6bd9d77723b93398e48f0f3) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
01:33:35.0604 1520 ati2mtag - ok
01:33:35.0667 1520 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:33:35.0667 1520 Atmarpc - ok
01:33:35.0776 1520 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:33:35.0776 1520 audstub - ok
01:33:35.0933 1520 AVGIDSDriver (2d18221aab3db2d408d6c55c0f23090a) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
01:33:35.0948 1520 AVGIDSDriver - ok
01:33:36.0042 1520 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
01:33:36.0058 1520 AVGIDSEH - ok
01:33:36.0120 1520 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
01:33:36.0151 1520 AVGIDSFilter - ok
01:33:36.0261 1520 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
01:33:36.0276 1520 AVGIDSShim - ok
01:33:36.0417 1520 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
01:33:36.0448 1520 Avgldx86 - ok
01:33:36.0542 1520 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
01:33:36.0542 1520 Avgmfx86 - ok
01:33:36.0589 1520 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
01:33:36.0589 1520 Avgrkx86 - ok
01:33:36.0667 1520 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
01:33:36.0683 1520 Avgtdix - ok
01:33:36.0792 1520 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:33:36.0808 1520 Beep - ok
01:33:36.0886 1520 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:33:36.0902 1520 cbidf2k - ok
01:33:36.0995 1520 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
01:33:37.0027 1520 CCDECODE - ok
01:33:37.0073 1520 cd20xrnt - ok
01:33:37.0183 1520 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:33:37.0198 1520 Cdaudio - ok
01:33:37.0308 1520 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
01:33:37.0323 1520 Cdfs - ok
01:33:37.0417 1520 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:33:37.0433 1520 Cdrom - ok
01:33:37.0480 1520 Changer - ok
01:33:37.0574 1520 CmdIde - ok
01:33:37.0636 1520 Cpqarray - ok
01:33:37.0683 1520 dac2w2k - ok
01:33:37.0699 1520 dac960nt - ok
01:33:37.0777 1520 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
01:33:37.0808 1520 Disk - ok
01:33:37.0964 1520 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
01:33:38.0027 1520 dmboot - ok
01:33:38.0199 1520 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
01:33:38.0214 1520 DMICall - ok
01:33:38.0339 1520 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
01:33:38.0386 1520 dmio - ok
01:33:38.0605 1520 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:33:38.0621 1520 dmload - ok
01:33:38.0699 1520 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
01:33:38.0714 1520 DMusic - ok
01:33:38.0761 1520 dpti2o - ok
01:33:38.0808 1520 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
01:33:38.0808 1520 drmkaud - ok
01:33:38.0949 1520 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
01:33:38.0980 1520 E100B - ok
01:33:39.0121 1520 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
01:33:39.0136 1520 Fastfat - ok
01:33:39.0214 1520 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
01:33:39.0214 1520 Fdc - ok
01:33:39.0324 1520 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
01:33:39.0339 1520 FilterService - ok
01:33:39.0449 1520 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
01:33:39.0464 1520 Fips - ok
01:33:39.0558 1520 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
01:33:39.0558 1520 Flpydisk - ok
01:33:39.0668 1520 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
01:33:39.0683 1520 FltMgr - ok
01:33:39.0746 1520 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:33:39.0761 1520 Fs_Rec - ok
01:33:39.0871 1520 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:33:39.0886 1520 Ftdisk - ok
01:33:39.0996 1520 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:33:40.0011 1520 Gpc - ok
01:33:40.0090 1520 HdAudAddService (9131ede087af04a7d80f7ebadc164254) C:\WINDOWS\system32\drivers\HdAudio.sys
01:33:40.0105 1520 HdAudAddService - ok
01:33:40.0277 1520 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
01:33:40.0293 1520 HDAudBus - ok
01:33:40.0402 1520 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:33:40.0418 1520 HidUsb - ok
01:33:40.0527 1520 hpn - ok
01:33:40.0621 1520 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
01:33:40.0621 1520 HPZid412 - ok
01:33:40.0668 1520 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
01:33:40.0668 1520 HPZipr12 - ok
01:33:40.0746 1520 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
01:33:40.0762 1520 HPZius12 - ok
01:33:40.0871 1520 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
01:33:40.0902 1520 HTTP - ok
01:33:40.0980 1520 i2omgmt - ok
01:33:41.0012 1520 i2omp - ok
01:33:41.0090 1520 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
01:33:41.0105 1520 i8042prt - ok
01:33:41.0480 1520 ialm (afbf1b43cc830bdc03b582003da439c2) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
01:33:41.0527 1520 ialm - ok
01:33:41.0652 1520 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:33:41.0652 1520 Imapi - ok
01:33:41.0684 1520 ini910u - ok
01:33:42.0121 1520 IntcAzAudAddService (b2b7af5dc5e1b6b171dfda681d105c7c) C:\WINDOWS\system32\drivers\RtkHDAud.sys
01:33:42.0293 1520 IntcAzAudAddService - ok
01:33:42.0465 1520 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
01:33:42.0496 1520 IntelIde - ok
01:33:42.0559 1520 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
01:33:42.0574 1520 intelppm - ok
01:33:42.0637 1520 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
01:33:42.0637 1520 Ip6Fw - ok
01:33:42.0715 1520 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:33:42.0715 1520 IpFilterDriver - ok
01:33:42.0793 1520 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:33:42.0793 1520 IpInIp - ok
01:33:42.0840 1520 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:33:42.0840 1520 IpNat - ok
01:33:42.0934 1520 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:33:42.0965 1520 IPSec - ok
01:33:42.0996 1520 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:33:42.0996 1520 IRENUM - ok
01:33:43.0090 1520 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:33:43.0090 1520 isapnp - ok
01:33:43.0168 1520 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:33:43.0168 1520 Kbdclass - ok
01:33:43.0200 1520 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
01:33:43.0200 1520 kbdhid - ok
01:33:43.0293 1520 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
01:33:43.0325 1520 kmixer - ok
01:33:43.0387 1520 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
01:33:43.0403 1520 KSecDD - ok
01:33:43.0496 1520 L8042pr2 (4103dbb6caa85e40d271c1ad12bbf776) C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
01:33:43.0528 1520 L8042pr2 - ok
01:33:43.0575 1520 lbrtfdc - ok
01:33:43.0622 1520 LMouFlt2 (b666f835c18974f392a387c6e863072f) C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
01:33:43.0653 1520 LMouFlt2 - ok
01:33:43.0747 1520 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
01:33:43.0762 1520 LVPr2Mon - ok
01:33:43.0872 1520 LVRS (37072ec9299e825f4335cc554b6fac6a) C:\WINDOWS\system32\DRIVERS\lvrs.sys
01:33:43.0872 1520 LVRS - ok
01:33:43.0981 1520 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\drivers\LVUSBSta.sys
01:33:43.0981 1520 LVUSBSta - ok
01:33:45.0419 1520 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
01:33:47.0935 1520 LVUVC - ok
01:33:48.0372 1520 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:33:48.0404 1520 mnmdd - ok
01:33:48.0872 1520 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
01:33:48.0888 1520 Modem - ok
01:33:49.0232 1520 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
01:33:49.0279 1520 MODEMCSA - ok
01:33:49.0685 1520 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:33:49.0685 1520 Mouclass - ok
01:33:49.0935 1520 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:33:49.0982 1520 mouhid - ok
01:33:50.0310 1520 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
01:33:50.0326 1520 MountMgr - ok
01:33:50.0701 1520 mr7910 (e3274b2b7bbd44391e84d244e8bcc555) C:\WINDOWS\system32\DRIVERS\mr7910.sys
01:33:50.0717 1520 mr7910 - ok
01:33:50.0842 1520 mraid35x - ok
01:33:51.0092 1520 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
01:33:51.0123 1520 MREMP50 - ok
01:33:51.0217 1520 MREMP50a64 - ok
01:33:51.0248 1520 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
01:33:51.0248 1520 MRESP50 - ok
01:33:51.0295 1520 MRESP50a64 - ok
01:33:51.0560 1520 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:33:51.0639 1520 MRxDAV - ok
01:33:52.0045 1520 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:33:52.0326 1520 MRxSmb - ok
01:33:52.0623 1520 Msdgpubdmmp - ok
01:33:52.0998 1520 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
01:33:52.0998 1520 Msfs - ok
01:33:53.0295 1520 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:33:53.0311 1520 MSKSSRV - ok
01:33:53.0670 1520 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:33:53.0733 1520 MSPCLOCK - ok
01:33:54.0061 1520 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
01:33:54.0077 1520 MSPQM - ok
01:33:54.0233 1520 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:33:54.0233 1520 mssmbios - ok
01:33:54.0467 1520 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
01:33:54.0499 1520 MSTEE - ok
01:33:54.0905 1520 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
01:33:54.0920 1520 Mup - ok
01:33:55.0264 1520 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:33:55.0264 1520 NABTSFEC - ok
01:33:55.0546 1520 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
01:33:55.0546 1520 NDIS - ok
01:33:55.0811 1520 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:33:55.0843 1520 NdisIP - ok
01:33:55.0952 1520 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:33:55.0952 1520 NdisTapi - ok
01:33:56.0030 1520 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:33:56.0046 1520 Ndisuio - ok
01:33:56.0093 1520 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:33:56.0108 1520 NdisWan - ok
01:33:56.0233 1520 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
01:33:56.0233 1520 NDProxy - ok
01:33:56.0327 1520 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:33:56.0327 1520 NetBIOS - ok
01:33:56.0452 1520 NetBT (cf580b2aedffe9cba86a6ed386634d61) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:33:56.0468 1520 NetBT - ok
01:33:56.0530 1520 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
01:33:56.0546 1520 NIC1394 - ok
01:33:56.0593 1520 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
01:33:56.0593 1520 Npfs - ok
01:33:56.0702 1520 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
01:33:56.0733 1520 Ntfs - ok
01:33:56.0811 1520 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:33:56.0811 1520 Null - ok
01:33:56.0843 1520 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:33:56.0843 1520 NwlnkFlt - ok
01:33:56.0858 1520 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:33:56.0874 1520 NwlnkFwd - ok
01:33:56.0890 1520 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
01:33:56.0890 1520 ohci1394 - ok
01:33:56.0936 1520 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
01:33:56.0952 1520 Parport - ok
01:33:57.0015 1520 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
01:33:57.0015 1520 PartMgr - ok
01:33:57.0061 1520 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:33:57.0061 1520 ParVdm - ok
01:33:57.0093 1520 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
01:33:57.0108 1520 PCI - ok
01:33:57.0108 1520 PCIDump - ok
01:33:57.0218 1520 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
01:33:57.0233 1520 PCIIde - ok
01:33:57.0296 1520 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
01:33:57.0312 1520 Pcmcia - ok
01:33:57.0358 1520 PDCOMP - ok
01:33:57.0390 1520 PDFRAME - ok
01:33:57.0421 1520 PDRELI - ok
01:33:57.0452 1520 PDRFRAME - ok
01:33:57.0530 1520 perc2 - ok
01:33:57.0546 1520 perc2hib - ok
01:33:57.0608 1520 pnarp (36fcac4fa28b462ca867742dea59b0d0) C:\WINDOWS\system32\DRIVERS\pnarp.sys
01:33:57.0624 1520 pnarp - ok
01:33:57.0687 1520 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:33:57.0687 1520 PptpMiniport - ok
01:33:57.0733 1520 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
01:33:57.0733 1520 PSched - ok
01:33:57.0796 1520 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:33:57.0796 1520 Ptilink - ok
01:33:57.0890 1520 purendis (d8ac00388262b1a4878a7ee12f31d376) C:\WINDOWS\system32\DRIVERS\purendis.sys
01:33:57.0905 1520 purendis - ok
01:33:57.0968 1520 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
01:33:57.0968 1520 PxHelp20 - ok
01:33:57.0984 1520 ql1080 - ok
01:33:58.0030 1520 Ql10wnt - ok
01:33:58.0062 1520 ql12160 - ok
01:33:58.0124 1520 ql1240 - ok
01:33:58.0202 1520 ql1280 - ok
01:33:58.0280 1520 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:33:58.0296 1520 RasAcd - ok
01:33:58.0405 1520 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:33:58.0437 1520 Rasl2tp - ok
01:33:58.0531 1520 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:33:58.0531 1520 RasPppoe - ok
01:33:58.0624 1520 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:33:58.0624 1520 Raspti - ok
01:33:58.0765 1520 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:33:58.0812 1520 Rdbss - ok
01:33:58.0921 1520 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:33:58.0937 1520 RDPCDD - ok
01:33:59.0031 1520 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
01:33:59.0031 1520 RDPWD - ok
01:33:59.0093 1520 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
01:33:59.0093 1520 redbook - ok
01:33:59.0171 1520 Rsdpfslrsi (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\drivers\ipsec.sys
01:33:59.0171 1520 Rsdpfslrsi - ok
01:33:59.0265 1520 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
01:33:59.0265 1520 Secdrv - ok
01:33:59.0328 1520 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
01:33:59.0343 1520 Serial - ok
01:33:59.0406 1520 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
01:33:59.0406 1520 Sfloppy - ok
01:33:59.0437 1520 Simbad - ok
01:33:59.0515 1520 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
01:33:59.0515 1520 SLIP - ok
01:33:59.0562 1520 Sparrow - ok
01:33:59.0624 1520 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
01:33:59.0656 1520 splitter - ok
01:33:59.0749 1520 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
01:33:59.0781 1520 sr - ok
01:33:59.0875 1520 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
01:33:59.0890 1520 Srv - ok
01:33:59.0968 1520 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
01:33:59.0968 1520 streamip - ok
01:34:00.0015 1520 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
01:34:00.0015 1520 swenum - ok
01:34:00.0421 1520 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
01:34:00.0421 1520 swmidi - ok
01:34:00.0656 1520 symc810 - ok
01:34:00.0672 1520 symc8xx - ok
01:34:00.0703 1520 sym_hi - ok
01:34:00.0718 1520 sym_u3 - ok
01:34:00.0750 1520 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
01:34:00.0750 1520 sysaudio - ok
01:34:00.0828 1520 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
01:34:00.0843 1520 Tcpip - ok
01:34:00.0875 1520 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
01:34:00.0875 1520 TDPIPE - ok
01:34:00.0890 1520 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
01:34:00.0890 1520 TDTCP - ok
01:34:00.0922 1520 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
01:34:00.0922 1520 TermDD - ok
01:34:00.0953 1520 TosIde - ok
01:34:00.0984 1520 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
01:34:00.0984 1520 Udfs - ok
01:34:01.0000 1520 ultra - ok
01:34:01.0062 1520 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
01:34:01.0062 1520 Update - ok
01:34:01.0125 1520 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
01:34:01.0125 1520 usbaudio - ok
01:34:01.0140 1520 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
01:34:01.0140 1520 usbccgp - ok
01:34:01.0187 1520 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
01:34:01.0187 1520 usbehci - ok
01:34:01.0203 1520 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
01:34:01.0203 1520 usbhub - ok
01:34:01.0234 1520 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
01:34:01.0234 1520 usbprint - ok
01:34:01.0250 1520 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
01:34:01.0250 1520 usbscan - ok
01:34:01.0265 1520 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
01:34:01.0281 1520 usbstor - ok
01:34:01.0328 1520 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
01:34:01.0328 1520 usbuhci - ok
01:34:01.0375 1520 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
01:34:01.0375 1520 VgaSave - ok
01:34:01.0390 1520 ViaIde - ok
01:34:01.0437 1520 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
01:34:01.0437 1520 VolSnap - ok
01:34:01.0484 1520 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
01:34:01.0484 1520 Wanarp - ok
01:34:01.0500 1520 WDICA - ok
01:34:01.0547 1520 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
01:34:01.0562 1520 wdmaud - ok
01:34:01.0625 1520 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
01:34:01.0625 1520 WpdUsb - ok
01:34:01.0672 1520 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
01:34:01.0672 1520 WSTCODEC - ok
01:34:01.0703 1520 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
01:34:01.0703 1520 WudfPf - ok
01:34:01.0734 1520 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
01:34:01.0734 1520 WudfRd - ok
01:34:01.0797 1520 {7ani$vaivnp - ok
01:34:01.0828 1520 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
01:34:02.0016 1520 \Device\Harddisk0\DR0 - ok
01:34:02.0016 1520 Boot (0x1200) (bc15b47fa3c5534be6b66bbce6cef5ac) \Device\Harddisk0\DR0\Partition0
01:34:02.0016 1520 \Device\Harddisk0\DR0\Partition0 - ok
01:34:02.0016 1520 ============================================================
01:34:02.0016 1520 Scan finished
01:34:02.0016 1520 ============================================================
01:34:02.0031 2532 Detected object count: 1
01:34:02.0031 2532 Actual detected object count: 1
01:34:20.0019 2532 HKLM\SYSTEM\ControlSet001\services\6a827433 - will be deleted on reboot
01:34:20.0035 2532 HKLM\SYSTEM\ControlSet003\services\6a827433 - will be deleted on reboot
01:34:20.0035 2532 C:\WINDOWS\863273578:2508032972.exe - will be deleted on reboot
01:34:20.0035 2532 6a827433 ( HiddenFile.Multi.Generic ) - User select action: Delete
01:35:00.0698 2880 Deinitialize success
 
GooredFix by jpshortstuff (03.07.10.1)
Log created at 12:52 on 16/10/2011 (Owner)
Firefox version 3.6.23 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:45 15/11/2005]
{AB2CE124-6272-4b12-94A9-7303C7397BD1} [19:38 22/04/2010]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [19:34 02/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [15:37 20/07/2007]
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [16:07 07/11/2007]
{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} [19:50 04/09/2008]
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [13:56 05/04/2008]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [14:04 05/08/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [15:31 09/01/2009]

C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\bfuf2t6g.default\extensions\
FFToolbar@upromise [13:38 28/09/2009]
[email protected] [13:17 14/04/2010]
{173487d0-5384-11dd-ae16-0800200c9a66} [16:29 14/12/2009]
{3e0e7d2a-070f-4a47-b019-91fe5385ba79} [20:28 06/04/2010]
{628ad4a0-a4d0-11db-b37a-0800200c9a66} [16:29 14/12/2009]
{6E1A2A2E-AE2A-4A26-A812-46F54288379E} [15:38 02/02/2010]
{7694c49c-9fbd-11dc-8314-0800200c9a66} [13:59 17/10/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"avg@igeared"="C:\Program Files\AVG\AVG10\Toolbar\Firefox\avg@igeared" [15:53 25/09/2011]
"{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"="C:\Program Files\AVG\AVG10\Firefox4\" [12:11 30/03/2011]

-=E.O.F=-
 
ComboFix log:

ComboFix 11-10-15.04 - Owner 10/16/2011 13:02:21.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.129 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_{7ani$vaivnp
.
.
((((((((((((((((((((((((( Files Created from 2011-09-16 to 2011-10-16 )))))))))))))))))))))))))))))))
.
.
2011-10-16 07:19 . 2011-09-12 20:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25B10671-EFC6-4F3E-A777-D6D786C07577}\mpengine.dll
2011-10-16 07:11 . 2011-10-16 07:11 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-15 21:27 . 2011-10-15 21:27 -------- d-sh--w- c:\documents and settings\Owner\Local Settings\Application Data\6a827433
2011-10-15 21:23 . 2011-10-15 21:23 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-10-15 21:22 . 2011-10-15 21:22 -------- d-----w- c:\program files\Coupons
2011-09-26 15:41 . 2011-09-26 15:41 220160 -c----w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 15:41 . 2011-09-26 15:41 20480 -c----w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 15:41 . 2011-09-26 15:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2005-03-02 23:44 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-03-02 23:44 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-03-02 23:44 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-07 13:26 . 2011-06-16 13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20 . 2005-03-02 23:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2005-03-02 23:44 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2005-03-02 23:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2005-03-02 23:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2005-03-02 23:44 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2005-03-02 23:44 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-09-01 13:16 2532680 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-09-01 2532680]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"HostManager"="c:\program files\Common Files\AOL\1145242537\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-05-27 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-15 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Common Files\\ArcSoft\\Connection Service\\Bin\\ACDaemon.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\tdsskiller.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 4:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [12/8/2010 5:12 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/12/2010 2:19 PM 297168]
R1 MpKsl0cff10ed;MpKsl0cff10ed;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25B10671-EFC6-4F3E-A777-D6D786C07577}\MpKsl0cff10ed.sys [10/16/2011 4:17 AM 28752]
R1 MpKsl21716243;MpKsl21716243;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25B10671-EFC6-4F3E-A777-D6D786C07577}\MpKsl21716243.sys [10/16/2011 1:17 PM 28752]
R1 MpKsl86d2484d;MpKsl86d2484d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25B10671-EFC6-4F3E-A777-D6D786C07577}\MpKsl86d2484d.sys [10/16/2011 12:52 PM 28752]
R1 MpKslfc533e3f;MpKslfc533e3f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{25B10671-EFC6-4F3E-A777-D6D786C07577}\MpKslfc533e3f.sys [10/16/2011 3:27 AM 28752]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/3/2010 4:23 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/3/2010 4:23 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/3/2010 4:23 PM 27216]
S2 AVGIDSAgent;AVGIDSAgent;"c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
S2 avgwd;AVG WatchDog;"c:\program files\AVG\AVG10\avgwdsvc.exe" --> c:\program files\AVG\AVG10\avgwdsvc.exe [?]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe --> c:\program files\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [5/12/2011 4:35 PM 1025352]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 Msdgpubdmmp;Msdgpubdmmp; [x]
S4 Rsdpfslrsi;Rsdpfslrsi;c:\windows\system32\drivers\ipsec.sys [3/2/2005 7:44 PM 75264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL21716243
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
2011-10-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
TCP: DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bfuf2t6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b1192d1&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Security Toolbar em:version=7.008.031.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\AVG\AVG10\Toolbar\Firefox\avg@igeared
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\AVG\AVG10\Firefox4
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-16 13:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(876)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\SOUNDMAN.EXE
c:\windows\Logi_MwX.Exe
c:\program files\Skype\Phone\Skype.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.BIN
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2011-10-16 13:33:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-16 17:33
ComboFix2.txt 2011-10-16 06:29
.
Pre-Run: 101,279,051,776 bytes free
Post-Run: 101,273,124,864 bytes free
.
- - End Of File - - 9B8574BC35E5133561EDFECF5E2F0153
 
Combofix add-remove programs.txt contents:


A430
A430_Help
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 8.3.0
Agere Systems PCI Soft Modem
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
ArcSoft MediaImpression
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG 2011
AVG PC Tuneup 2011
BufferChm
CameraDrivers
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Choice Guard
Cisco Network Magic
Click to DVD 2.0.03 Menu Data
Click to DVD 2.4
CoffeeCup Direct FTP
CoffeeCup Free FTP
CoffeeCup Free Zip Wizard
Coupon Printer for Windows
D1400
D1400_Help
DeviceDiscovery
dj_sf_ProductContext
dj_sf_software
dj_sf_software_req
DVgate Plus
Facebook Plug-In
H&R Block Deluxe + Efile + State 2009
H&R Block Deluxe + Efile + State 2010
H&R Block North Carolina 2009
H&R Block North Carolina 2010
Hotfix for Windows XP (KB2570791)
HP Deskjet 1000 J110 series Basic Device Software
HP Deskjet 1000 J110 series Help
HP Deskjet Printer Driver Software 9.0
HP Photo Printing Software
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Photosmart Essential2.01
HP Update
hph_ProductContext
hph_readme
hph_software
hph_software_req
HPPhotoSmartExpress
Image Converter 2
InstantShareDevicesMFC
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD for VAIO
InterVideo WinDVDX
ISScript
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Lame ACM MP3 Codec
Logitech MouseWare 9.79
Logitech Updater
Logitech Vid
Logitech Webcam Software
Logitech Webcam Software Driver Package
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Shockwave Player
Malwarebytes' Anti-Malware version 1.51.2.1300
Memory Stick Formatter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886904)
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox (3.6.23)
MSVCRT
MX-700 Editor
Network Magic
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
OpenOffice.org 2.4
PanoStandAlone
Photo Viewer
PSSWCORE
Pure Networks Platform
Realtek High Definition Audio Driver
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Segoe UI
Skype Toolbars
Skype™ 4.2
Sony Certificate PCH
Sony MP4 Shared Library
Sony Video Shared Library
Spybot - Search & Destroy
Status
TBS WMP Plug-in
TomTom HOME 2.8.1.2218
TomTom HOME Visual Studio Merge Modules
Toolbox
TrayApp
Unload
UnloadSupport
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB971029)
VAIO Control Center
VAIO Entertainment Platform
VAIO Launcher
VAIO Media 4.0
VAIO Media AC3 Decoder 1.0
VAIO Media Integrated Server 4.1
VAIO Media Redistribution 4.0
VAIO Media Registration Tool 4.0
VAIO Original Screen Saver
VAIO Original Screen Saver VAIO Motion SD Wide Contents
VAIO Registration
VAIO Structure Wallpaper
VAIO Survey Standalone
VAIO Update 2
VAIO Zone
VAIO Zone Remote Commander
VideoToolkit01
WebEx Support Manager for Internet Explorer
WebFldrs XP
WebReg
wildlife_habitat_screensaver
Windows Backup Utility
Windows Driver Package - (mr7910) Image 06/28/2005 1.3.0.0
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WordPerfect Office 12
XviD MPEG-4 Video Codec
ZipGenius 6 (6.0.3.1150)
 
HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:50:01 PM, on 10/16/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: (no name) - {053F9267-DC04-4294-A72C-58F732D338C0} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145242537\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG10\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - Unknown owner - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe (file missing)
O23 - Service: AVG WatchDog (avgwd) - Unknown owner - C:\Program Files\AVG\AVG10\avgwdsvc.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Unknown owner - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TomTomHOMEService - Unknown owner - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (file missing)
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (file missing)
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 11933 bytes
 
ESET is running a scan and has been stuck at 51% for almost 10 minutes on 1 file.

C:\Documents and Settings\Owner\Application Data\AVG\Rescu...\110220224024500.rsc

Sorry, it only shows as this shortened route name.

Should I stop ESET and restart... though I do know AVG is my biggest problem right now so I'm not surprised! :eek:
 
Ok I tried to stop and start over, it now says it can't configure and can only get 97% of the update.

It reads:

Can not get update. Is proxy configured?
 
Ignore last post, I uninstalled and reinstalled and it's been running for the last 30 minutes. Still gets caught up around 50% but did not freeze up completely... still running.
 
Finally got the log from ESET:

C:\Documents and Settings\Owner\Local Settings\Application Data\6a827433\X Win32/Sirefef.DD trojan
C:\Qoobox\Quarantine\C\Program Files\Canon\CAL\CALMAIN.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir Win32/Patched.HN trojan
C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP2114\A0183385.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP2114\A0183386.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP2114\A0183387.exe Win32/Patched.HN trojan
C:\WINDOWS\system32\drivers\netbt.sys Win32/Rootkit.Agent.NUT trojan
 
Ok, I'm home and will give you more procedures to do; however, what you need to do first is either uninstall Microsoft Security Essentials or uninstall AVG, as you have 2 antivirus programs installed at the same time and you can't do that. I would recommend getting rid of AVG and keeping MSE. I'll be back shortly with more fixes.
 
1.

Please uninstall all of the following programs in add/remove programs.

Adobe Reader 8.3.0
AVG PC Tuneup 2011
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 11
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
WebFldrs XP
WebReg
wildlife_habitat_screensaver

Then go here to download the latest versions of Adobe Reader and Java.

http://get.adobe.com/reader/?promoid=BUIGO

http://www.java.com/en/download/index.jsp

2.

Please rerun HijackThis and place checks next to the following entries.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {0347C33E-8762-4905-BF09-768834316C61} - (no file)
O2 - BHO: (no name) - {053F9267-DC04-4294-A72C-58F732D338C0} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll (file missing)
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - S-1-5-18 Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Then click on fix checked at the bottom.

3.

Please run another cfscript by doing the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Folder::
 c:\documents and settings\Owner\Local Settings\Application Data\6a827433

Driver::
Msdgpubdmmp

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

4.

I need you to upload a file to www.virustotal.com and give me the link to the result.

Click on that link and when the page loads click on the browse button and then navigate to this file.

C:\WINDOWS\system32\drivers\netbt.sys

Then click on send file, it will take a few seconds to get the result page. Then just copy and paste the web address link and put in your next reply.

5.

Download and run Ccleaner.

http://download.cnet.com/ccleaner/

Download, install and open program, don't change any settings and click on run cleaner. This cleaning may take a few minutes.

6.

Right click on "my computer" and click on properties. Click on the system restore tab, check the box to turn off system restore and then click apply, then ok. Go back in and uncheck the box to turn system restore back on.

7.

Run a new hijackthis scan and post the logfile.


8.

Finally give me an update on how the system is running.
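Step 2 above is a manual triage of the HijackThis log: entries whose target reads "(no file)" or "(file missing)" are orphans, and entries pointing into the same directory as a file ESET flagged (for example the ArcSoft ACService.exe quarantined as Win32/Patched.HN) deserve a second look. The script below is an added example that automates that triage; it is not a tool from the thread, and the sample log lines are a constructed subset of the HijackThis and ESET output posted above.

```python
"""Triage a HijackThis log against an ESET scan log.

Flags (1) orphaned entries whose file is gone and (2) entries whose binary, or a
sibling in the same directory, was detected by ESET. Added example; the sample
lines are a constructed subset of the logs posted in the thread."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few HijackThis lines from the log above.
HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll (file missing)
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
"""

# Constructed sample: ESET detection lines from the log above.
ESET_LOG = r"""
C:\Documents and Settings\Owner\Local Settings\Application Data\6a827433\X Win32/Sirefef.DD trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Ati2evxx.exe.vir Win32/Patched.HN trojan
C:\WINDOWS\system32\drivers\netbt.sys Win32/Rootkit.Agent.NUT trojan
"""

QUARANTINE_PREFIX = r"C:\Qoobox\Quarantine" + "\\"   # ComboFix quarantine root
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# One pattern per HijackThis section we care about; "target" is the file reference.
ENTRY_RES = [
    re.compile(r"^(?P<sec>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - \{[^}]+\} - (?P<target>.*)$"),
    re.compile(r"^(?P<sec>O4) - .*?: \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    re.compile(r"^(?P<sec>O23) - Service: (?P<name>.*?) - .*? - (?P<target>.*)$"),
]


def original_path(detected: str) -> str:
    """Map a quarantine copy (C:\\Qoobox\\Quarantine\\C\\...\\x.exe.vir) back to its original path."""
    if detected.lower().startswith(QUARANTINE_PREFIX.lower()):
        rest = detected[len(QUARANTINE_PREFIX):]          # e.g. C\WINDOWS\system32\Ati2evxx.exe.vir
        drive, _, tail = rest.partition("\\")
        detected = f"{drive}:\\{tail}"
    if detected.lower().endswith(".vir"):
        detected = detected[:-4]
    return detected


def binary_path(target: str) -> Optional[str]:
    """Strip orphan markers, surrounding quotes and command-line arguments from an entry target."""
    for marker in ORPHAN_MARKERS:
        target = target.replace(marker, "")
    target = target.strip()
    if not target:
        return None
    if target.startswith('"'):                          # quoted path followed by arguments
        end = target.find('"', 1)
        return target[1:end] if end > 0 else None
    return target


def parse_eset(log: str) -> Dict[str, str]:
    """Return {lowercased original path: signature} for each ESET detection line."""
    detections: Dict[str, str] = {}
    for line in log.strip().splitlines():
        parts = line.strip().rsplit(" ", 2)           # path may contain spaces; signature/class never do
        if len(parts) != 3:
            continue
        path, signature, _kind = parts
        detections[original_path(path).lower()] = signature
    return detections


def triage(hjt_log: str, eset_log: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries worth reviewing before trusting."""
    detections = parse_eset(eset_log)
    bad_dirs = {str(PureWindowsPath(p).parent).lower() for p in detections}
    findings: List[Tuple[str, str]] = []
    for line in hjt_log.strip().splitlines():
        line = line.strip()
        match = None
        for regex in ENTRY_RES:
            match = regex.match(line)
            if match:
                break
        if not match:
            continue
        target = match.group("target")
        if any(marker in target for marker in ORPHAN_MARKERS):
            findings.append((line, "orphaned entry: referenced file no longer exists"))
        path = binary_path(target)                      # an orphan can still point into a bad directory
        if path is None:
            continue
        if path.lower() in detections:
            findings.append((line, f"file detected by ESET as {detections[path.lower()]}"))
        elif str(PureWindowsPath(path).parent).lower() in bad_dirs:
            findings.append((line, "sibling of a file ESET detected; review before trusting"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(HJT_LOG, ESET_LOG):
        print(f"{reason}\n    {entry}")
```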
 
Combofix log:

ComboFix 11-10-17.02 - Owner 10/17/2011 16:11:31.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.214 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Local Settings\Application Data\6a827433
c:\documents and settings\Owner\Local Settings\Application Data\6a827433\@
c:\documents and settings\Owner\Local Settings\Application Data\6a827433\U\80000000.@
c:\documents and settings\Owner\Local Settings\Application Data\6a827433\U\800000cb.@
c:\documents and settings\Owner\Local Settings\Application Data\6a827433\X
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Msdgpubdmmp
.
.
((((((((((((((((((((((((( Files Created from 2011-09-17 to 2011-10-17 )))))))))))))))))))))))))))))))
.
.
2011-10-17 20:25 . 2011-10-17 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb6701298.sys
2011-10-17 20:10 . 2011-10-17 20:10 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb15c6e31.sys
2011-10-17 12:29 . 2011-10-17 12:29 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsl7d70e573.sys
2011-10-17 12:03 . 2011-10-17 12:03 -------- d-----w- c:\program files\Common Files\Java
2011-10-17 12:03 . 2011-10-17 12:02 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-10-17 12:03 . 2011-10-17 12:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-10-17 12:03 . 2011-10-17 12:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-17 12:02 . 2011-10-17 12:02 -------- d-----w- c:\program files\Java
2011-10-17 11:45 . 2011-10-17 11:45 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb19a2315.sys
2011-10-17 11:45 . 2011-10-17 20:25 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\offreg.dll
2011-10-17 11:15 . 2011-09-12 20:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\mpengine.dll
2011-10-16 18:47 . 2011-10-16 18:47 -------- d-----w- c:\program files\ESET
2011-10-16 17:48 . 2011-10-16 17:48 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-10-16 17:48 . 2011-10-16 17:48 -------- d-----w- c:\program files\Trend Micro
2011-10-16 07:57 . 2011-10-16 07:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2011-10-16 07:56 . 2011-10-16 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-10-16 07:56 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 07:56 . 2011-10-16 07:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 07:26 . 2011-09-12 20:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-10-16 07:14 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-10-16 07:11 . 2011-10-16 07:11 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-15 21:23 . 2011-10-15 21:23 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-10-15 21:22 . 2011-10-15 21:22 -------- d-----w- c:\program files\Coupons
2011-09-26 15:41 . 2011-09-26 15:41 220160 -c----w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 15:41 . 2011-09-26 15:41 20480 -c----w- c:\windows\system32\dllcache\oleaccrc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 15:41 . 2011-09-26 15:41 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2005-03-02 23:44 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2005-03-02 23:44 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2005-03-02 23:44 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-07 13:26 . 2011-06-16 13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-06 13:20 . 2005-03-02 23:44 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2005-03-02 23:44 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2005-03-02 23:44 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2005-03-02 23:44 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2005-03-02 23:44 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2005-03-02 23:44 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2004-08-04 12:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2011-03-09 247728]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-04-06 26102056]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-10 344064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-13 61952]
"CreateCD_Reminder"="c:\windows\Sonysys\VAIO Recovery\reminder.exe" [2004-07-16 53248]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"SoundMan"="SOUNDMAN.EXE" [2004-11-02 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-11-29 2748928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-08 155648]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 19968]
"HostManager"="c:\program files\Common Files\AOL\1145242537\ee\AOLSoftware.exe" [2006-05-10 50760]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1145242537\\ee\\aim6.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TomTom HOME 2\\xulrunner\\TomTomHOMERuntime.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\ArcSoft\\Connection Service\\Bin\\ACDaemon.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\tdsskiller.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 MpKsl7d70e573;MpKsl7d70e573;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKsl7d70e573.sys [10/17/2011 8:29 AM 28752]
R1 MpKslb05f64b9;MpKslb05f64b9;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb05f64b9.sys [10/17/2011 4:35 PM 28752]
R1 MpKslb15c6e31;MpKslb15c6e31;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb15c6e31.sys [10/17/2011 4:10 PM 28752]
R1 MpKslb19a2315;MpKslb19a2315;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb19a2315.sys [10/17/2011 7:45 AM 28752]
R1 MpKslb6701298;MpKslb6701298;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B2B5A32C-03C5-460B-828B-2E19380AB04E}\MpKslb6701298.sys [10/17/2011 4:25 PM 28752]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe --> c:\program files\TomTom HOME 2\TomTomHOMEService.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S4 Rsdpfslrsi;Rsdpfslrsi;c:\windows\system32\drivers\ipsec.sys [3/2/2005 7:44 PM 75264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLB05F64B9
*NewlyCreated* - MPKSLB6701298
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]
.
2011-10-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Transfer by Image Converter 2 - c:\program files\Sony\Image Converter 2\menu.htm
TCP: DhcpNameServer = 24.178.162.3 97.81.22.195 24.159.64.23
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bfuf2t6g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b1192d1&v=7.008.031.001&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - Ext: Full Flat: {6E1A2A2E-AE2A-4A26-A812-46F54288379E} - %profile%\extensions\{6E1A2A2E-AE2A-4A26-A812-46F54288379E}
FF - Ext: AddThis: {3e0e7d2a-070f-4a47-b019-91fe5385ba79} - %profile%\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-ESET Online Scanner - c:\program files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 16:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3304)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Logi_MwX.Exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\system32\taskmgr.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
.
**************************************************************************
.
Completion time: 2011-10-17 16:38:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-17 20:38
ComboFix2.txt 2011-10-16 17:33
ComboFix3.txt 2011-10-16 06:29
.
Pre-Run: 101,563,523,072 bytes free
Post-Run: 101,790,384,128 bytes free
.
- - End Of File - - 4007DEA50AD5644B9941CFCA0D201E1A
 
virustotal.com result:

http://www.virustotal.com/file-scan...9335c02bbed811eefe3a8ac84264a5eb63-1318884075

File name:
netbt.sys
Submission date:
2011-10-17 20:41:15 (UTC)
Result:
4/38 (10.5%)

Antivirus Version Last Update Result
AntiVir 7.11.16.29 2011.10.17 -
Antiy-AVL 2.0.3.7 2011.10.17 -
Avast 6.0.1289.0 2011.10.17 -
AVG 10.0.0.1190 2011.10.17 -
BitDefender 7.2 2011.10.17 -
CAT-QuickHeal 11.00 2011.10.17 -
ClamAV 0.97.0.0 2011.10.17 -
Commtouch 5.3.2.6 2011.10.17 -
Comodo 10478 2011.10.17 -
DrWeb 5.0.2.03300 2011.10.17 -
Emsisoft 5.1.0.11 2011.10.17 Rootkit.Win32.ZAccess!IK
eSafe 7.0.17.0 2011.10.17 -
eTrust-Vet 36.1.8624 2011.10.17 -
F-Prot 4.6.5.141 2011.10.17 -
F-Secure 9.0.16440.0 2011.10.17 -
Fortinet 4.3.370.0 2011.10.17 -
GData 22 2011.10.17 -
Ikarus T3.1.1.107.0 2011.10.17 Rootkit.Win32.ZAccess
Jiangmin 13.0.900 2011.10.17 -
K7AntiVirus 9.115.5300 2011.10.17 -
Kaspersky 9.0.0.837 2011.10.17 Rootkit.Win32.ZAccess.g
McAfee 5.400.0.1158 2011.10.17 -
McAfee-GW-Edition 2010.1D 2011.10.17 -
Microsoft 1.7702 2011.10.17 -
NOD32 6551 2011.10.17 Win32/Rootkit.Agent.NUT
Panda 10.0.3.5 2011.10.17 -
PCTools 8.0.0.5 2011.10.17 -
Prevx 3.0 2011.10.17 -
Rising 23.80.00.01 2011.10.17 -
Sophos 4.70.0 2011.10.17 -
SUPERAntiSpyware 4.40.0.1006 2011.10.17 -
Symantec 20111.2.0.82 2011.10.17 -
TheHacker 6.7.0.1.325 2011.10.17 -
TrendMicro 9.500.0.1008 2011.10.17 -
TrendMicro-HouseCall 9.500.0.1008 2011.10.17 -
VIPRE 10791 2011.10.17 -
ViRobot 2011.10.17.4723 2011.10.17 -
VirusBuster 14.1.16.0 2011.10.17 -
Additional information
MD5 : cf580b2aedffe9cba86a6ed386634d61
SHA1 : 678a1076072b35910065f77a59f82f1c0ce01d67
SHA256: a26c618b8a7f984cdf685733c423609335c02bbed811eefe3a8ac84264a5eb63
 
HiJackThis Logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:01:06 PM, on 10/17/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\taskmgr.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CreateCD_Reminder] C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1145242537\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Transfer by Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Unknown owner - C:\Program Files\Canon\CAL\CALMAIN.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe (file missing)
O23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Unknown owner - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TomTomHOMEService - Unknown owner - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe (file missing)
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\Sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe (file missing)
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

--
End of file - 9621 bytes
 
Ok, a few more things to do.

1.

You may have missed checking these entries, so we'll do it again to be sure. Rerun HijackThis and place checks next to the following entries.

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\Program Files\SpyWall\TrlIETool.dll (file missing)


Then click on fix checked.

2.

I uploaded an uninfected copy of the netbt.sys driver here

http://www.mediafire.com/?gs33viqz8x7i5y7

and you will be replacing it using a ComboFix script. Please download that file to your desktop so you can perform the following.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Killall::

fcopy::

c:\documents and settings\Owner\Desktop\netbt.sys | c:\windows\system32\drivers\netbt.sys

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


(screenshot: CFScript-1.gif)


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

3.

Then please rerun the ESET online scan and post the results for me, and then post a fresh HijackThis log and Malwarebytes log for me.
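An added example (not from the thread, and not code from HijackThis, ComboFix or VirusTotal) that automates two checks behind the steps above: it picks out the O2/O3 entries with a missing file from HijackThis-format lines (the ones to tick in step 1), parses the VirusTotal engine table, and compares a driver's SHA256 against the hash VirusTotal reported for the infected netbt.sys so the fcopy:: replacement in step 2 can be confirmed. The function names are this example's own, and the sample lines are copied from the logs posted above.

```python
"""Added example (not part of the thread or of HijackThis, ComboFix or VirusTotal):
triage helpers for the log formats shown above. Sample lines are copied from the
post; INFECTED_NETBT_SHA256 is the SHA256 VirusTotal reported for the infected
netbt.sys. Function names are this example's own, not either tool's API."""
import hashlib
import re

# Constructed sample: HijackThis lines copied from the log above.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WindowsLiveLogin.dll
O3 - Toolbar: Trlokom IE Toolbar - {C5AF4D9B-0B55-4BAC-9486-218EA2C6BC3E} - C:\\Program Files\\SpyWall\\TrlIETool.dll (file missing)
O23 - Service: TomTomHOMEService - Unknown owner - C:\\Program Files\\TomTom HOME 2\\TomTomHOMEService.exe (file missing)
"""

# Constructed sample: six rows of the VirusTotal table for netbt.sys above.
VT_SAMPLE = """\
AntiVir 7.11.16.29 2011.10.17 -
Emsisoft 5.1.0.11 2011.10.17 Rootkit.Win32.ZAccess!IK
Ikarus T3.1.1.107.0 2011.10.17 Rootkit.Win32.ZAccess
Kaspersky 9.0.0.837 2011.10.17 Rootkit.Win32.ZAccess.g
McAfee 5.400.0.1158 2011.10.17 -
NOD32 6551 2011.10.17 Win32/Rootkit.Agent.NUT
"""

INFECTED_NETBT_SHA256 = "a26c618b8a7f984cdf685733c423609335c02bbed811eefe3a8ac84264a5eb63"
HJT_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")

def orphaned_entries(log_text, sections=("O2", "O3")):
    """Entries in the given HijackThis sections whose target no longer exists,
    marked '(no file)' or '(file missing)'. With the default sections these are
    the lines the helper asks to tick; ("O23",) lists services with no binary."""
    found = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in sections and rest.endswith(("(no file)", "(file missing)")):
            found.append((section, rest))
    return found

def vt_detections(table_text):
    """Parse 'Engine Version LastUpdate Result' rows; '-' means no detection.
    Returns ({engine: detection name}, number of engines in the table)."""
    hits, total = {}, 0
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        total += 1
        engine, result = parts[0], " ".join(parts[3:])
        if result != "-":
            hits[engine] = result
    return hits, total

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def matches_infected(digest, bad=INFECTED_NETBT_SHA256):
    """True if a SHA256 equals the sample VirusTotal flagged as ZeroAccess."""
    return digest.lower() == bad

def still_infected(path):
    """After the fcopy:: step: True means the driver on disk is still
    byte-identical to the flagged sample, so the replacement did not happen."""
    with open(path, "rb") as f:
        return matches_infected(sha256_bytes(f.read()))
```

Run `still_infected(r"c:\windows\system32\drivers\netbt.sys")` after the ComboFix reboot; a False result means the file on disk is no longer the flagged sample, while a True result means the script did not replace it.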
 