WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Unable to remove uacinit.dll

Started by Blawman , Sep 08 2009 10:08 AM

This topic is locked

13 replies to this topic

#1 Blawman

New Member

Authentic Member
7 posts

Posted 08 September 2009 - 10:08 AM

Hello and thanks in advance... As requested in the 'Welcome New Members.." post - here are my RootRepeal, DDS and Attach outputs:

RootRepeal output
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 11:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: chneijzb.sys
Image Path: C:\WINDOWS\system32\drivers\chneijzb.sys
Address: 0xB96FC000 Size: 61440 File Visible: No Signed: -
Status: -

Name: ddfhmsi.sys
Image Path: C:\WINDOWS\system32\drivers\ddfhmsi.sys
Address: 0xB970C000 Size: 61440 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA60A9000 Size: 479232 File Visible: No Signed: -
Status: -

Name: rootkitcheck__rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootkitcheck__rootrepeal.sys
Address: 0xA27C5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACdtvakawqgr.sys

==EOF==

DDS output
DDS (Ver_09-06-26.01) - NTFSx86
Run by <USERNAME> at 11:31:37.56 on Tue 09/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1828 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\<USERNAME>\Desktop\MalwareRemoval__dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uURLSearchHooks: SHOUTcast Toolbar Search Class: {14f0d511-36a2-41ca-ae01-ba4f87282c97} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: SHOUTcast Toolbar Search Class: {14f0d511-36a2-41ca-ae01-ba4f87282c97} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: SHOUTcast Loader: {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: SHOUTcast Radio Toolbar: {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: &SHOUTcast Search - c:\documents and settings\all users\application data\shoutcast radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {FF0DC965-0D1D-4993-A169-C1CC7ACFB4F5} = 192.168.111.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\<USERN~1\applic~1\mozilla\firefox\profiles\7whc5iuz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\<USERNAME>\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-28 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-28 108552]
R1 NEOFLTR_550_12129;Juniper Networks TDI Filter Driver (NEOFLTR_550_12129);c:\windows\system32\drivers\NEOFLTR_550_12129.sys [2007-10-3 63008]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-7-11 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-7-11 41424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-28 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-5-29 87760]
RUnknown fqrfh;fqrfh; [x]
RUnknown ynml;ynml; [x]
S2 gupdate1c9d106b29edab9;Google Update Service (gupdate1c9d106b29edab9);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\vmware\vmware converter\vstor2-p2v30.sys --> c:\program files\vmware\vmware converter\vstor2-p2v30.sys [?]
S2 yqwtzdlhimt.sys;yqwtzdlhimt.sys;\??\c:\windows\system32\drivers\yqwtzdlhimt.sys --> c:\windows\system32\drivers\yqwtzdlhimt.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2003-4-4 11392]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-2 79888]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [2008-9-5 47184]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2008-10-27 31824]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-09-04 22:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 22:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 22:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 09:09 <DIR> --d----- c:\program files\CCleaner
2009-08-28 23:15 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-28 16:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 16:56 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-28 16:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 16:56 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 16:56 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-28 16:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-28 16:56 <DIR> --d----- c:\program files\AVG
2009-08-11 22:54 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:54 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 13:38 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-30 13:38 22,328 a------- c:\docume~1\mathew~1\applic~1\PnkBstrK.sys
2009-07-30 13:38 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-07-30 13:37 669,184 a------- c:\windows\system32\pbsvc.exe
2009-07-30 13:37 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-07-21 17:04 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-07-21 17:04 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-18 12:05 3,069,440 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 11:31 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 a------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-03-07 10:38 604 a---h--- c:\program files\STLL Notifier
2009-01-20 12:03 193 a------- c:\documents and settings\<USERNAME>\test.bat
2008-01-21 12:13 389,120 a------- c:\documents and settings\<USERNAME>\stas75_20060810.0001.dll
2008-01-21 10:06 81,920 a------- c:\docume~1\<USERN~1\applic~1\ezpinst.exe
2008-01-21 10:06 47,360 a------- c:\docume~1\<USERN~1\applic~1\pcouffin.sys

============= FINISH: 11:32:06.79 ===============

Thank you for your help - Blawman

Attached Files

Attach.txt 19.55KB 700 downloads

Advertisements

Register to Remove

#2 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 08 September 2009 - 12:24 PM

Hi,

Please do the following:

Download Combofix from either of the links below. You must rename it before saving it. Save it to your desktop.

Link 2
Link 3

Posted Image

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt back into this thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#3 Blawman

New Member

Authentic Member
7 posts

Posted 08 September 2009 - 01:19 PM

By accident, I ran the Combo-Fix with network down .... so I will be posting both logs (one without the recovery console and then one with):

Combo-Fix_Log1
ComboFix 09-09-07.06 - <USERNAME> 09/08/2009 14:46.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.2081 [GMT -4:00]
Running from: c:\documents and settings\<USERNAME>\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\bdcore.dll
c:\windows\Downloaded Program Files\libfn.dll
c:\windows\Installer\1fb31c.msi
c:\windows\Installer\48a850d.msi
c:\windows\Installer\cf86d0d.msi
c:\windows\Installer\f390861.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\UACdtvakawqgr.sys
c:\windows\system32\UACdgtexyiyed.dll
c:\windows\system32\UACdiremqgryl.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClmlqbrqond.dat
c:\windows\system32\UACuocdxnmcnt.dll
c:\windows\system32\UACvecytiwvsl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 15:29 . 2009-09-08 15:29 -------- d-----w- c:\program files\ERUNT
2009-09-05 02:30 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 02:30 . 2009-09-05 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 02:30 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:09 . 2009-09-03 13:09 -------- d-----w- c:\program files\CCleaner
2009-08-31 19:28 . 2009-08-31 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 22:07 . 2009-08-29 22:09 -------- d-----w- c:\documents and settings\<USERNAME>\Local Settings\Application Data\Temp
2009-08-29 03:15 . 2009-09-08 04:42 -------- d-----w- C:\$AVG8.VAULT$
2009-08-28 20:56 . 2009-08-29 12:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 20:56 . 2009-08-28 20:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-28 20:56 . 2009-08-28 20:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 20:56 . 2009-08-29 12:15 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 20:56 . 2009-08-29 12:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 20:56 . 2009-09-08 09:13 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-28 20:56 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-28 20:56 . 2009-08-28 20:56 -------- d-----w- c:\program files\AVG
2009-08-15 15:49 . 2009-08-15 18:08 -------- d-----w- c:\windows\BDOSCAN8
2009-08-12 02:54 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 18:45 . 2008-01-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-08 18:45 . 2008-01-02 20:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-09-04 16:17 . 2008-12-29 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-09-04 14:41 . 2008-01-13 13:11 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\BitTorrent
2009-09-02 04:51 . 2008-01-02 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-28 20:52 . 2005-06-14 20:14 -------- d-----w- c:\program files\GemMaster
2009-08-28 20:52 . 2005-06-14 20:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-28 20:50 . 2008-01-02 20:42 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\VMware
2009-08-28 20:49 . 2005-06-14 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-28 12:20 . 2008-01-05 20:39 -------- d-----w- c:\program files\Steam
2009-08-14 18:06 . 2005-06-14 20:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-13 13:04 . 2008-09-15 14:33 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\Move Networks
2009-08-05 09:01 . 2004-08-10 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:55 . 2008-06-30 18:23 -------- d-----w- c:\program files\UltraCompare
2009-08-01 14:25 . 2009-07-12 23:11 -------- d-----w- c:\program files\ATI Technologies
2009-07-30 17:38 . 2009-07-30 17:38 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-30 17:38 . 2009-07-30 17:38 22328 ----a-w- c:\documents and settings\<USERNAME>\Application Data\PnkBstrK.sys
2009-07-30 17:38 . 2009-07-30 17:38 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-30 17:37 . 2009-07-30 17:37 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-30 17:37 . 2009-07-30 17:37 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-30 17:31 . 2009-07-30 17:31 -------- d-----w- c:\program files\Electronic Arts
2009-07-21 21:04 . 2009-07-14 01:32 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-21 21:04 . 2009-07-14 01:32 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-21 19:23 . 2009-07-21 19:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-21 19:15 . 2009-02-24 19:20 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\Verizon
2009-07-21 19:12 . 2009-02-24 19:20 -------- d-----w- c:\program files\Verizon
2009-07-17 19:01 . 2004-08-10 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:32 . 2009-07-14 01:32 -------- d-----w- c:\program files\OpenAL
2009-07-12 23:16 . 2009-07-12 23:16 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\ATI
2009-07-12 23:15 . 2009-07-12 23:15 0 ----a-w- c:\windows\ativpsrm.bin
2009-07-11 15:41 . 2009-07-11 15:41 -------- d-----w- c:\program files\BeatJunkie
2009-06-29 15:31 . 2009-06-29 15:41 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-29 15:30 . 2009-06-29 15:21 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-26 16:50 . 2004-08-10 10:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2009-05-27 13:06 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-10 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-03-07 14:38 . 2009-03-07 14:38 604 ---ha-w- c:\program files\STLL Notifier
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-09-10 17:49 . 2008-09-10 17:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{14f0d511-36a2-41ca-ae01-ba4f87282c97}"= "c:\program files\SHOUTcast Radio Toolbar\shoutcasttb.dll" [2008-09-17 1275176]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{14f0d511-36a2-41ca-ae01-ba4f87282c97}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{8613efdf-b530-4b1d-b970-b09f99977813}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:38 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-9-17 221247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 12:15 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yqwtzdlhimt.sys]
@="\??\c:\windows\system32\drivers\yqwtzdlhimt.sys"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [8/28/2009 4:56 PM 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/29/2009 11:21 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/28/2009 4:56 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/28/2009 4:56 PM 108552]
R1 NEOFLTR_550_12129;Juniper Networks TDI Filter Driver (NEOFLTR_550_12129);c:\windows\SYSTEM32\DRIVERS\NEOFLTR_550_12129.sys [10/3/2007 4:20 PM 63008]
R1 VBoxDrv;VirtualBox Service;c:\windows\SYSTEM32\DRIVERS\VBoxDrv.sys [7/11/2008 4:00 PM 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\SYSTEM32\DRIVERS\VBoxUSBMon.sys [7/11/2008 4:00 PM 41424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 4:56 PM 297752]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\SYSTEM32\DRIVERS\VBoxNetFlt.sys [5/29/2009 8:12 PM 87760]
S2 gupdate1c9d106b29edab9;Google Update Service (gupdate1c9d106b29edab9);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\VMware\VMware Converter\vstor2-p2v30.sys --> c:\program files\VMware\VMware Converter\vstor2-p2v30.sys [?]
S2 yqwtzdlhimt.sys;yqwtzdlhimt.sys;\??\c:\windows\system32\drivers\yqwtzdlhimt.sys --> c:\windows\system32\drivers\yqwtzdlhimt.sys [?]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\avpnnic.sys [4/4/2003 1:48 PM 11392]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxNetAdp.sys [5/2/2009 8:49 PM 79888]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxTAP.sys [9/5/2008 2:31 PM 47184]
S3 VBoxUSB;VirtualBox USB;c:\windows\SYSTEM32\DRIVERS\VBoxUSB.sys [10/27/2008 11:28 AM 31824]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell.com
IE: &SHOUTcast Search - c:\documents and settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {FF0DC965-0D1D-4993-A169-C1CC7ACFB4F5} = 192.168.111.1
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\<USERNAME>\Application Data\Mozilla\Firefox\Profiles\7whc5iuz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\<USERNAME>\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 14:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{06A3795B-0BB0-7CB0-AB8F-9BB8836F2BA3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,76,3e,21,4b,0b,c8,6f,fa,5a,2f,36,9b,5d,03,96,c9,8d,87,2d,9a,fe,fe,
09,0c,bd,72,6c,af,05,af,5f,5d,9a,89,32,58,c8,0c,2a,c6,ad,e4,5d,27,b7,46,b6,\
"??"=hex:03,b4,f2,77,9e,ba,a0,69,0f,d1,5f,68,a1,a8,6b,cc

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\SecuROM\License information*]
"datasecu"=hex:fa,d1,ae,e3,66,56,66,78,bc,9f,d1,d1,73,95,02,02,ca,d6,98,0b,06,
54,c0,74,de,e1,80,cf,27,32,ab,2f,f0,58,a0,dc,8a,ad,bc,a4,3b,f4,ba,05,62,b5,\
"rkeysecu"=hex:fa,69,54,de,91,f3,09,0a,71,6e,8e,d4,41,ae,f9,4e

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44BD4CEF-0E4D-C558-6DFE23FFC881A6CD}\{A2EC7C34-2018-E83B-27DF1E7548223FEC}\{5151FD78-1E6F-B5B8-7B478C2CB67D678B}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,09,4c,4b,
91,56,9e,38,b3,4b,6d,7a,c6,6a,e4,e0,e7,90,af,71,32,54,c6,cb,54,0e,78,62,f7,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-08 14:53
ComboFix-quarantined-files.txt 2009-09-08 18:53

Pre-Run: 155,536,613,376 bytes free
Post-Run: 155,586,785,280 bytes free

232 --- E O F --- 2009-09-07 23:18

Combo-Fix_Log2
ComboFix 09-09-08.01 - <USERNAME> 09/08/2009 14:57.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1966 [GMT -4:00]
Running from: c:\documents and settings\<USERNAME>\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 15:29 . 2009-09-08 15:29 -------- d-----w- c:\program files\ERUNT
2009-09-05 02:30 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 02:30 . 2009-09-05 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 02:30 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:09 . 2009-09-03 13:09 -------- d-----w- c:\program files\CCleaner
2009-08-31 19:28 . 2009-08-31 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 22:07 . 2009-08-29 22:09 -------- d-----w- c:\documents and settings\<USERNAME>\Local Settings\Application Data\Temp
2009-08-29 03:15 . 2009-09-08 04:42 -------- d-----w- C:\$AVG8.VAULT$
2009-08-28 20:56 . 2009-08-29 12:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 20:56 . 2009-08-28 20:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-28 20:56 . 2009-08-28 20:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 20:56 . 2009-08-29 12:15 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 20:56 . 2009-08-29 12:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 20:56 . 2009-09-08 09:13 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-28 20:56 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-28 20:56 . 2009-08-28 20:56 -------- d-----w- c:\program files\AVG
2009-08-15 15:49 . 2009-08-15 18:08 -------- d-----w- c:\windows\BDOSCAN8
2009-08-12 02:54 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 18:45 . 2008-01-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-08 18:45 . 2008-01-02 20:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-09-04 16:17 . 2008-12-29 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-09-04 14:41 . 2008-01-13 13:11 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\BitTorrent
2009-09-02 04:51 . 2008-01-02 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-28 20:52 . 2005-06-14 20:14 -------- d-----w- c:\program files\GemMaster
2009-08-28 20:52 . 2005-06-14 20:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-28 20:50 . 2008-01-02 20:42 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\VMware
2009-08-28 20:49 . 2005-06-14 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-28 12:20 . 2008-01-05 20:39 -------- d-----w- c:\program files\Steam
2009-08-14 18:06 . 2005-06-14 20:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-13 13:04 . 2008-09-15 14:33 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\Move Networks
2009-08-05 09:01 . 2004-08-10 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:55 . 2008-06-30 18:23 -------- d-----w- c:\program files\UltraCompare
2009-08-01 14:25 . 2009-07-12 23:11 -------- d-----w- c:\program files\ATI Technologies
2009-07-30 17:38 . 2009-07-30 17:38 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-30 17:38 . 2009-07-30 17:38 22328 ----a-w- c:\documents and settings\<USERNAME>\Application Data\PnkBstrK.sys
2009-07-30 17:38 . 2009-07-30 17:38 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-30 17:37 . 2009-07-30 17:37 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-30 17:37 . 2009-07-30 17:37 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-30 17:31 . 2009-07-30 17:31 -------- d-----w- c:\program files\Electronic Arts
2009-07-21 21:04 . 2009-07-14 01:32 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-21 21:04 . 2009-07-14 01:32 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-21 19:23 . 2009-07-21 19:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-21 19:15 . 2009-02-24 19:20 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\Verizon
2009-07-21 19:12 . 2009-02-24 19:20 -------- d-----w- c:\program files\Verizon
2009-07-17 19:01 . 2004-08-10 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:32 . 2009-07-14 01:32 -------- d-----w- c:\program files\OpenAL
2009-07-12 23:16 . 2009-07-12 23:16 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\ATI
2009-07-12 23:15 . 2009-07-12 23:15 0 ----a-w- c:\windows\ativpsrm.bin
2009-07-11 15:41 . 2009-07-11 15:41 -------- d-----w- c:\program files\BeatJunkie
2009-06-29 15:31 . 2009-06-29 15:41 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-29 15:30 . 2009-06-29 15:21 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-26 16:50 . 2004-08-10 10:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2009-05-27 13:06 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-10 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-03-07 14:38 . 2009-03-07 14:38 604 ---ha-w- c:\program files\STLL Notifier
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-09-10 17:49 . 2008-09-10 17:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{14f0d511-36a2-41ca-ae01-ba4f87282c97}"= "c:\program files\SHOUTcast Radio Toolbar\shoutcasttb.dll" [2008-09-17 1275176]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{14f0d511-36a2-41ca-ae01-ba4f87282c97}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{8613efdf-b530-4b1d-b970-b09f99977813}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:38 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-9-17 221247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 12:15 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yqwtzdlhimt.sys]
@="\??\c:\windows\system32\drivers\yqwtzdlhimt.sys"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [8/28/2009 4:56 PM 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/29/2009 11:21 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/28/2009 4:56 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/28/2009 4:56 PM 108552]
R1 NEOFLTR_550_12129;Juniper Networks TDI Filter Driver (NEOFLTR_550_12129);c:\windows\SYSTEM32\DRIVERS\NEOFLTR_550_12129.sys [10/3/2007 4:20 PM 63008]
R1 VBoxDrv;VirtualBox Service;c:\windows\SYSTEM32\DRIVERS\VBoxDrv.sys [7/11/2008 4:00 PM 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\SYSTEM32\DRIVERS\VBoxUSBMon.sys [7/11/2008 4:00 PM 41424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 4:56 PM 297752]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\SYSTEM32\DRIVERS\VBoxNetFlt.sys [5/29/2009 8:12 PM 87760]
S2 gupdate1c9d106b29edab9;Google Update Service (gupdate1c9d106b29edab9);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\VMware\VMware Converter\vstor2-p2v30.sys --> c:\program files\VMware\VMware Converter\vstor2-p2v30.sys [?]
S2 yqwtzdlhimt.sys;yqwtzdlhimt.sys;\??\c:\windows\system32\drivers\yqwtzdlhimt.sys --> c:\windows\system32\drivers\yqwtzdlhimt.sys [?]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\avpnnic.sys [4/4/2003 1:48 PM 11392]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxNetAdp.sys [5/2/2009 8:49 PM 79888]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxTAP.sys [9/5/2008 2:31 PM 47184]
S3 VBoxUSB;VirtualBox USB;c:\windows\SYSTEM32\DRIVERS\VBoxUSB.sys [10/27/2008 11:28 AM 31824]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell.com
IE: &SHOUTcast Search - c:\documents and settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {FF0DC965-0D1D-4993-A169-C1CC7ACFB4F5} = 192.168.111.1
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\<USERNAME>\Application Data\Mozilla\Firefox\Profiles\7whc5iuz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 15:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{06A3795B-0BB0-7CB0-AB8F-9BB8836F2BA3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,76,3e,21,4b,0b,c8,6f,fa,5a,2f,36,9b,5d,03,96,c9,8d,87,2d,9a,fe,fe,
09,0c,bd,72,6c,af,05,af,5f,5d,9a,89,32,58,c8,0c,2a,c6,ad,e4,5d,27,b7,46,b6,\
"??"=hex:03,b4,f2,77,9e,ba,a0,69,0f,d1,5f,68,a1,a8,6b,cc

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\SecuROM\License information*]
"datasecu"=hex:fa,d1,ae,e3,66,56,66,78,bc,9f,d1,d1,73,95,02,02,ca,d6,98,0b,06,
54,c0,74,de,e1,80,cf,27,32,ab,2f,f0,58,a0,dc,8a,ad,bc,a4,3b,f4,ba,05,62,b5,\
"rkeysecu"=hex:fa,69,54,de,91,f3,09,0a,71,6e,8e,d4,41,ae,f9,4e

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44BD4CEF-0E4D-C558-6DFE23FFC881A6CD}\{A2EC7C34-2018-E83B-27DF1E7548223FEC}\{5151FD78-1E6F-B5B8-7B478C2CB67D678B}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,09,4c,4b,
91,56,9e,38,b3,4b,6d,7a,c6,6a,e4,e0,e7,90,af,71,32,54,c6,cb,54,0e,78,62,f7,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2796)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-08 15:02
ComboFix-quarantined-files.txt 2009-09-08 19:02
ComboFix2.txt 2009-09-08 18:53

Pre-Run: 155,584,077,824 bytes free
Post-Run: 155,563,515,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

216 --- E O F --- 2009-09-07 23:18

#4 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 08 September 2009 - 03:12 PM

Hi,

P2P - I see you have P2P software BitTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Please see this topic for more information:
Perils of P2P File Sharing.
I would strongly recommend that you uninstall this now. You can do so via Control Panel >> Add or Remove Programs.

NEXT

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/Unable_remove_uacinit_dll_t106824.html&view=findpost&p=594507#entry594507

Collect::
c:\windows\system32\drivers\yqwtzdlhimt.sys
C:\WINDOWS\system32\drivers\chneijzb.sys
C:\WINDOWS\system32\drivers\ddfhmsi.sys

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yqwtzdlhimt.sys]

Driver::
yqwtzdlhimt.sys
ddfhmsi.sys
chneijzb.sys

RegNull::
[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{06A3795B-0BB0-7CB0-AB8F-9BB8836F2BA3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44BD4CEF-0E4D-C558-6DFE23FFC881A6CD}\{A2EC7C34-2018-E83B-27DF1E7548223FEC}\{5151FD78-1E6F-B5B8-7B478C2CB67D678B}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9046776-195D-89EA-3E66F9BC5DAE5B9B}\{E7989E73-D3F8-C437-CB8470F59A56421D}\{FFD68A1F-1364-19C2-ECF1A15A7898EBE6}*]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#5 Blawman

New Member

Authentic Member
7 posts

Posted 08 September 2009 - 03:38 PM

Understood, about the BitTorrent.

Here is the output:

ComboFix 09-09-08.02 - <USERNAME> 09/08/2009 17:24.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1844 [GMT -4:00]
Running from: c:\documents and settings\<USERNAME>\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\<USERNAME>\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YQWTZDLHIMT.SYS
-------\Service_yqwtzdlhimt.sys

((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
.

2009-09-08 15:29 . 2009-09-08 15:29 -------- d-----w- c:\program files\ERUNT
2009-09-05 02:30 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-05 02:30 . 2009-09-05 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-05 02:30 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:09 . 2009-09-03 13:09 -------- d-----w- c:\program files\CCleaner
2009-08-31 19:28 . 2009-08-31 19:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-29 22:07 . 2009-08-29 22:09 -------- d-----w- c:\documents and settings\<USERNAME>\Local Settings\Application Data\Temp
2009-08-29 03:15 . 2009-09-08 04:42 -------- d-----w- C:\$AVG8.VAULT$
2009-08-28 20:56 . 2009-08-29 12:15 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 20:56 . 2009-08-28 20:56 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-28 20:56 . 2009-08-28 20:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 20:56 . 2009-08-29 12:15 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 20:56 . 2009-08-29 12:15 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 20:56 . 2009-09-08 09:13 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-28 20:56 . 2009-08-28 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-28 20:56 . 2009-08-28 20:56 -------- d-----w- c:\program files\AVG
2009-08-15 15:49 . 2009-08-15 18:08 -------- d-----w- c:\windows\BDOSCAN8
2009-08-12 02:54 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 21:28 . 2008-01-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-09-08 21:28 . 2008-01-02 20:38 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-09-04 16:17 . 2008-12-29 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg8
2009-09-04 14:41 . 2008-01-13 13:11 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\BitTorrent
2009-09-02 04:51 . 2008-01-02 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-08-28 20:52 . 2005-06-14 20:14 -------- d-----w- c:\program files\GemMaster
2009-08-28 20:52 . 2005-06-14 20:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-28 20:50 . 2008-01-02 20:42 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\VMware
2009-08-28 20:49 . 2005-06-14 20:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-28 12:20 . 2008-01-05 20:39 -------- d-----w- c:\program files\Steam
2009-08-14 18:06 . 2005-06-14 20:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-13 13:04 . 2008-09-15 14:33 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\Move Networks
2009-08-05 09:01 . 2004-08-10 10:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 17:55 . 2008-06-30 18:23 -------- d-----w- c:\program files\UltraCompare
2009-08-01 14:25 . 2009-07-12 23:11 -------- d-----w- c:\program files\ATI Technologies
2009-07-30 17:38 . 2009-07-30 17:38 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-30 17:38 . 2009-07-30 17:38 22328 ----a-w- c:\documents and settings\<USERNAME>\Application Data\PnkBstrK.sys
2009-07-30 17:38 . 2009-07-30 17:38 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-30 17:37 . 2009-07-30 17:37 669184 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-30 17:37 . 2009-07-30 17:37 66872 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-30 17:31 . 2009-07-30 17:31 -------- d-----w- c:\program files\Electronic Arts
2009-07-21 21:04 . 2009-07-14 01:32 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2009-07-21 21:04 . 2009-07-14 01:32 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-21 19:23 . 2009-07-21 19:15 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-21 19:15 . 2009-02-24 19:20 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\Verizon
2009-07-21 19:12 . 2009-02-24 19:20 -------- d-----w- c:\program files\Verizon
2009-07-17 19:01 . 2004-08-10 10:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-10 10:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 01:32 . 2009-07-14 01:32 -------- d-----w- c:\program files\OpenAL
2009-07-12 23:16 . 2009-07-12 23:16 -------- d-----w- c:\documents and settings\<USERNAME>\Application Data\ATI
2009-07-12 23:15 . 2009-07-12 23:15 0 ----a-w- c:\windows\ativpsrm.bin
2009-07-11 15:41 . 2009-07-11 15:41 -------- d-----w- c:\program files\BeatJunkie
2009-06-29 15:31 . 2009-06-29 15:41 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-29 15:30 . 2009-06-29 15:21 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-26 16:50 . 2004-08-10 10:00 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2009-05-27 13:06 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 08:25 . 2004-08-10 10:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-10 10:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-10 10:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-10 10:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-08-10 10:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-10 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2004-08-10 10:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-10 10:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-10 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-10 10:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-10 10:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-03-07 14:38 . 2009-03-07 14:38 604 ---ha-w- c:\program files\STLL Notifier
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2008-09-10 17:49 . 2008-09-10 17:49 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-08_18.51.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-08 21:29 . 2009-09-08 21:29 16384 c:\windows\temp\Perflib_Perfdata_8b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{14f0d511-36a2-41ca-ae01-ba4f87282c97}"= "c:\program files\SHOUTcast Radio Toolbar\shoutcasttb.dll" [2008-09-17 1275176]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{14f0d511-36a2-41ca-ae01-ba4f87282c97}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{8613efdf-b530-4b1d-b970-b09f99977813}]
[HKEY_CLASSES_ROOT\SHOUTcastTb.AOLTBSearch]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-02 17:38 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-02 1004800]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-05-07 591696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-9-17 221247]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 12:15 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [8/28/2009 4:56 PM 12552]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/29/2009 11:21 AM 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [8/28/2009 4:56 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [8/28/2009 4:56 PM 108552]
R1 NEOFLTR_550_12129;Juniper Networks TDI Filter Driver (NEOFLTR_550_12129);c:\windows\SYSTEM32\DRIVERS\NEOFLTR_550_12129.sys [10/3/2007 4:20 PM 63008]
R1 VBoxDrv;VirtualBox Service;c:\windows\SYSTEM32\DRIVERS\VBoxDrv.sys [7/11/2008 4:00 PM 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\SYSTEM32\DRIVERS\VBoxUSBMon.sys [7/11/2008 4:00 PM 41424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 4:56 PM 297752]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\SYSTEM32\DRIVERS\VBoxNetFlt.sys [5/29/2009 8:12 PM 87760]
S2 gupdate1c9d106b29edab9;Google Update Service (gupdate1c9d106b29edab9);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\VMware\VMware Converter\vstor2-p2v30.sys --> c:\program files\VMware\VMware Converter\vstor2-p2v30.sys [?]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\SYSTEM32\DRIVERS\avpnnic.sys [4/4/2003 1:48 PM 11392]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 5:34 PM 1029456]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxNetAdp.sys [5/2/2009 8:49 PM 79888]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\SYSTEM32\DRIVERS\VBoxTAP.sys [9/5/2008 2:31 PM 47184]
S3 VBoxUSB;VirtualBox USB;c:\windows\SYSTEM32\DRIVERS\VBoxUSB.sys [10/27/2008 11:28 AM 31824]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.dell.com
IE: &SHOUTcast Search - c:\documents and settings\All Users\Application Data\SHOUTcast Radio Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {FF0DC965-0D1D-4993-A169-C1CC7ACFB4F5} = 192.168.1.1
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\<USERNAME>\Application Data\Mozilla\Firefox\Profiles\7whc5iuz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\<USERNAME>\Application Data\Move Networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-08 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5d,76,3e,21,4b,0b,c8,6f,fa,5a,2f,36,9b,5d,03,96,c9,8d,87,2d,9a,fe,fe,
09,0c,bd,72,6c,af,05,af,5f,5d,9a,89,32,58,c8,0c,2a,c6,ad,e4,5d,27,b7,46,b6,\
"??"=hex:03,b4,f2,77,9e,ba,a0,69,0f,d1,5f,68,a1,a8,6b,cc

[HKEY_USERS\S-1-5-21-820826615-3694178435-1013940595-1005\Software\SecuROM\License information*]
"datasecu"=hex:fa,d1,ae,e3,66,56,66,78,bc,9f,d1,d1,73,95,02,02,ca,d6,98,0b,06,
54,c0,74,de,e1,80,cf,27,32,ab,2f,f0,58,a0,dc,8a,ad,bc,a4,3b,f4,ba,05,62,b5,\
"rkeysecu"=hex:fa,69,54,de,91,f3,09,0a,71,6e,8e,d4,41,ae,f9,4e

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1312)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2292)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\program files\Common Files\EPSON\eEBAPI\eEBSvc.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\EHOME\ehrecvr.exe
c:\windows\EHOME\ehSched.exe
c:\program files\Intel\Intel Application Accelerator\IAANTmon.exe
c:\windows\SYSTEM32\PnkBstrA.exe
c:\program files\VMware\VMware Workstation\vmware-authd.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
c:\windows\SYSTEM32\vmnat.exe
c:\windows\EHOME\mcrdsvc.exe
c:\windows\SYSTEM32\vmnetdhcp.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\SYSTEM32\dllhost.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-08 17:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-08 21:34
ComboFix2.txt 2009-09-08 19:02
ComboFix3.txt 2009-09-08 18:53

Pre-Run: 155,597,131,776 bytes free
Post-Run: 155,436,023,808 bytes free

240 --- E O F --- 2009-09-07 23:18

#6 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 08 September 2009 - 04:34 PM

Hi,

Please do the following:

Please open your MalwareBytes AntiMalware Program
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

In your next reply please include

MBAM Log
Kaspersky report

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#7 Blawman

New Member

Authentic Member
7 posts

Posted 09 September 2009 - 07:03 AM

The online Kaspersky scan was taking a long time - so when I checked this morning ; wouldn't you know it, there was a windows update that restarted the computer. I restarted the Online scan (it will be a few hours). Int he mean time, here is the MBAM.log:

MBAM Log
Malwarebytes' Anti-Malware 1.40
Database version: 2759
Windows 5.1.2600 Service Pack 3

9/8/2009 7:04:07 PM
mbam-log-2009-09-08 (19-04-07).txt

Scan type: Quick Scan
Objects scanned: 102262
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

... I will add the Kaspersky log when it finishes; in a few hours

#8 Blawman

New Member

Authentic Member
7 posts

Posted 09 September 2009 - 12:35 PM

Finally after 6hrs ... here is the Kaspersky scan output

Kaspersky output
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 9, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, September 09, 2009 13:40:23
Records in database: 2763878
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan statistics:
Objects scanned: 143965
Threats found: 17
Infected objects found: 47
Suspicious objects found: 9
Scan duration: 06:05:49

File name / Threat / Threats count
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Outlook\archive.pst Infected: Email-Worm.Win32.Bagle.ct 1
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Documents and Settings\<USERNAME>\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Hoax.Win32.BadJoke.Finger.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACdtvakawqgr.sys.vir Infected: Rootkit.Win32.Agent.rqu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdgtexyiyed.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACdiremqgryl.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuocdxnmcnt.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACvecytiwvsl.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044895.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044896.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044897.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044899.exe Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044900.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044901.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044902.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044903.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044904.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP647\A0044905.EXE Infected: Virus.Win32.Virut.ce 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP660\A0046803.sys Infected: Rootkit.Win32.Agent.rqu 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP660\A0046804.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP660\A0046805.dll Infected: Trojan.Win32.Tdss.anrc 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP660\A0046806.dll Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP660\A0046807.dll Infected: Packed.Win32.TDSS.y 1
D:\SERPLab\utilities\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
E:\FTP\_pub\APPz\RealVNC.Enterprise.v4.2.8.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 1
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Bankfraud.v 2
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 4
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Bankfraud.dq 2
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Bayfraud.p 1
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Infected: Email-Worm.Win32.Bagle.cs 1
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Infected: Trojan-Spy.HTML.Bayfraud.hn 2
E:\TEST\TEST-Laptop-Backup\desktop\Outlook\outlook.pst Infected: Email-Worm.Win32.Bagle.ef 1
E:\Outlook Backup\backup_112407.pst Infected: Email-Worm.Win32.Bagle.ct 1
E:\Outlook Backup\backup_112407.pst Infected: Hoax.Win32.BadJoke.Finger.b 1
E:\Outlook Backup\backup_112607.pst Infected: Email-Worm.Win32.Bagle.ct 1
E:\Outlook Backup\backup_112607.pst Infected: Hoax.Win32.BadJoke.Finger.b 1
E:\Outlook Backup\Evolution\Sent Items\message419.html Infected: Trojan-Spy.HTML.Paylap.cb 1
E:\Outlook Backup\Evolution\Sent Items\message420.html Infected: Trojan-Spy.HTML.Paylap.cb 1
E:\Outlook Backup\Evolution\Sent Items\message423.html Infected: Trojan-Spy.HTML.Paylap.cb 1
E:\Outlook Backup\Evolution\Sent Items\message429.html Infected: Trojan-Spy.HTML.Paylap.cb 1
E:\Outlook Backup\Evolution\Sent Items\message444.html Infected: Trojan-Spy.HTML.Paylap.cb 1
E:\Outlook Backup\Evolution\Sent Items\message446.html Infected: Trojan-Spy.HTML.Paylap.cb 1
E:\Outlook Backup\Evolution\Sent Items\message455.html Infected: Trojan-Spy.HTML.Paylap.cb 1

Selected area has been scanned.

#9 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 09 September 2009 - 03:52 PM

Hi, All the infections are in your Outlook and Outlook backup. Unfortunately it can't identify which particular emails are infected. I would be cautious and delete all the backup files, then look in your present files and delete anything from anyone you don't know, or that have attachments. The rest of the items are in quarantine or old system restore points. Please post a fresh DDS Log and Attach.txt and advise how your computer is running now and if there are any outstanding issues

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#10 Blawman

New Member

Authentic Member
7 posts

Posted 09 September 2009 - 06:18 PM

DSS output

DDS (Ver_09-06-26.01) - NTFSx86
Run by <USERNAME> at 20:05:44.71 on Wed 09/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1883 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\<USERNAME>\Desktop\MalwareRemoval__dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://www.dell.com
uURLSearchHooks: SHOUTcast Toolbar Search Class: {14f0d511-36a2-41ca-ae01-ba4f87282c97} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: SHOUTcast Toolbar Search Class: {14f0d511-36a2-41ca-ae01-ba4f87282c97} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: SHOUTcast Loader: {ccec60fc-2608-4e58-9659-3ffc159e8ea9} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: SHOUTcast Radio Toolbar: {0457331d-8ca6-4f97-9c26-6a9ef2b2dba8} - c:\program files\shoutcast radio toolbar\shoutcasttb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
IE: &SHOUTcast Search - c:\documents and settings\all users\application data\shoutcast radio toolbar\ietoolbar\resources\en-us\local\search.html
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8683C98-5341-421B-B23C-8514C05354F1} - hxxp://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
TCP: {FF0DC965-0D1D-4993-A169-C1CC7ACFB4F5} = 192.168.111.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\<USERN~1\applic~1\mozilla\firefox\profiles\7whc5iuz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50-ff-shoutcast-ab-en-us&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\<USERNAME>\application data\move networks\plugins\npqmp071504000001.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-28 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-29 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-28 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-28 108552]
R1 NEOFLTR_550_12129;Juniper Networks TDI Filter Driver (NEOFLTR_550_12129);c:\windows\system32\drivers\NEOFLTR_550_12129.sys [2007-10-3 63008]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-7-11 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-7-11 41424]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-28 297752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1029456]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2009-5-29 87760]
R3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S2 gupdate1c9d106b29edab9;Google Update Service (gupdate1c9d106b29edab9);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S2 vstor2-p2v30;Vstor2 P2V30 Virtual Storage Driver;\??\c:\program files\vmware\vmware converter\vstor2-p2v30.sys --> c:\program files\vmware\vmware converter\vstor2-p2v30.sys [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [2003-4-4 11392]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-5-2 79888]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [2008-9-5 47184]
S3 VBoxUSB;VirtualBox USB;c:\windows\system32\drivers\VBoxUSB.sys [2008-10-27 31824]

=============== Created Last 30 ================

2009-09-08 17:30 153,088 -------- c:\windows\system32\dllcache\triedit.dll
2009-09-08 14:57 <DIR> a-dshr-- C:\cmdcons
2009-09-08 14:39 230,912 a------- c:\windows\PEV.exe
2009-09-08 14:39 161,792 a------- c:\windows\SWREG.exe
2009-09-08 14:39 98,816 a------- c:\windows\sed.exe
2009-09-04 22:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 22:30 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 22:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-03 09:09 <DIR> --d----- c:\program files\CCleaner
2009-08-28 23:15 <DIR> --d----- C:\$AVG8.VAULT$
2009-08-28 16:56 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-28 16:56 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-08-28 16:56 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-28 16:56 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 16:56 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-28 16:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-08-28 16:56 <DIR> --d----- c:\program files\AVG
2009-08-11 22:54 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 22:54 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

==================== Find3M ====================

2009-08-13 11:16 512,000 a------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-30 13:38 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-30 13:38 22,328 a------- c:\docume~1\mathew~1\applic~1\PnkBstrK.sys
2009-07-30 13:38 103,736 a------- c:\windows\system32\PnkBstrB.exe
2009-07-30 13:37 669,184 a------- c:\windows\system32\pbsvc.exe
2009-07-30 13:37 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-07-21 17:04 409,600 a------- c:\windows\system32\wrap_oal.dll
2009-07-21 17:04 114,688 a------- c:\windows\system32\OpenAL32.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-18 12:05 3,069,440 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 12:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 11:31 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-26 12:50 666,624 a------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 12:50 620,032 a------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 12:50 666,624 -------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\dllcache\ieencode.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 04:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 04:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 04:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 04:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 04:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 04:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 07:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 10:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 80,896 -------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 08:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-03-07 10:38 604 a---h--- c:\program files\STLL Notifier
2009-01-20 12:03 193 a------- c:\documents and settings\<USERNAME>\test.bat
2008-01-21 12:13 389,120 a------- c:\documents and settings\<USERNAME>\stas75_20060810.0001.dll
2008-01-21 10:06 81,920 a------- c:\docume~1\mathew~1\applic~1\ezpinst.exe
2008-01-21 10:06 47,360 a------- c:\docume~1\mathew~1\applic~1\pcouffin.sys

============= FINISH: 20:06:35.11 ===============

Attached Files

Attach2.txt 23.75KB 736 downloads

#11 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 09 September 2009 - 06:34 PM

Hi,

You are clean,

just some housekeeping to do now.

Please do the following:

Please download JavaRa to your desktop and unzip it to its own folder.

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button.
Scroll down to the Java SE Runtime Environment (JRE) option.
Download and install the latest Java Runtime Environment (JRE) version for your computer.(version 6, update 16)

NEXT

Follow these steps to uninstall Combofix

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.

NEXT

Now to remove the rest of the tools that we have used in fixing your machine:

Make sure you have an Internet Connection.
Download OTC to your desktop and run it
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

Note: If there are any logs/tools remaining on your desktop, just rightclick > delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them
Then consider a password keeper, to keep all your passwords safe.
Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.
SpywareBlaster protects against bad ActiveX, it immunizes your PC against them.
SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time anti-spyware protection program ( eg : TeaTimer, Windows Defender ) or there will be a conflict.
Make Internet Explorer more secure
- Click Start > Run
- Type Inetcpl.cpl & click OK
- Click on the Security tab
- Click Reset all zones to default level
- Make sure the Internet Zone is selected & Click Custom level
- In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
- Next Click OK, then Apply button and then OK to exit the Internet Properties page.
ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
- Green to go
- Yellow for caution
- Red to stop
WOT has an addon available for both Firefox and IE
For Firefox, I highly recommend this add-on to keep your PC even more secure.
- NoScript - for blocking ads and other potential website attacks
Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
Think Prevention.
PC Safety and Security--What Do I Need?.

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#12 Blawman

New Member

Authentic Member
7 posts

Posted 09 September 2009 - 07:25 PM

Thank you SO much for all your help. I have been fighting this one for a while. Everything seems to be running smooth. I have done a few more scans and nothing (knock on wood). Also thank you for all the final tips. Thank you thank you thank you. You may close the thread now

#13 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 09 September 2009 - 08:08 PM

You are more than welcome stay safe :wavey:

~CB

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#14 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 13 September 2009 - 08:07 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Body Background

skin color theme