ComboFix 09-11-13.04 - D 11/12/2009 20:35.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1302 [GMT -5:00]
Running from: c:\documents and settings\D\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\gidy.reg
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\xanu.vbs
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\chrome.manifest
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\chrome\content\_cfg.js
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\chrome\content\overlay.xul
c:\documents and settings\D\Local Settings\Application Data\{EDD95F70-4863-475A-BD0E-3B63D4FF88A0}\install.rdf
c:\windows\jestertb.dll
c:\windows\kucamy._sy
c:\windows\system32\bazoveza.dll
c:\windows\system32\dasotegi.dll
c:\windows\system32\fejuvizo.dll
c:\windows\system32\feyimupa.dll
c:\windows\system32\fujohufo.dll
c:\windows\system32\gomopiwe.dll
c:\windows\system32\guniyiyu.dll
c:\windows\system32\hofohulu.dll
c:\windows\system32\jatereya.dll
c:\windows\system32\jelukahu.dll
c:\windows\system32\kazepala.dll
c:\windows\system32\komuvuho.dll
c:\windows\system32\kujogeve.dll
c:\windows\system32\laraguji.dll
c:\windows\system32\lipulone.exe
c:\windows\system32\lunegogu.dll
c:\windows\system32\mujuyizi.dll
c:\windows\system32\pahimasa.dll
c:\windows\system32\pidazora.dll
c:\windows\system32\pihuhiru.dll
c:\windows\system32\pilabuma.dll
c:\windows\system32\puneromi.dll
c:\windows\system32\sokodewu.dll
c:\windows\system32\susujewe.dll
c:\windows\system32\suzeyiji.dll
c:\windows\system32\tedovupa.dll
c:\windows\system32\viniyare.dll
c:\windows\system32\vipogije.dll
c:\windows\system32\vorosuka.dll
c:\windows\system32\vufosesa.dll
c:\windows\system32\vumehijo.dll
c:\windows\system32\yofivowi.dll
c:\windows\system32\yubutige.dll
c:\windows\system32\zikiboru.dll
c:\windows\system32\zugezevu.dll
c:\windows\ypiluki.bat
G:\autorun.inf
G:\install.exe
----- BITS: Possible infected sites -----
hxxp://searchimages.org
.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.
2009-11-12 19:46 . 2009-11-12 19:46 39424 --sh--w- c:\windows\system32\yivahuhe.dll
2009-11-12 13:44 . 2009-11-10 00:30 4026136 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-12 13:44 . 2009-11-10 00:30 2016536 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-12 13:44 . 2009-11-10 00:30 1257240 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-12 13:44 . 2009-11-10 00:30 3963672 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-12 13:44 . 2009-11-08 03:06 600344 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-12 13:44 . 2009-11-08 03:06 496920 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-10 00:30 . 2009-11-08 03:07 360584 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-11-10 00:29 . 2009-11-08 03:06 610072 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-10 00:29 . 2009-11-08 03:06 1657112 -c--a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-11-09 23:07 . 2009-11-09 23:07 240664 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\documents and settings\D\Application Data\uniblue
2009-11-09 22:08 . 2009-07-06 04:22 2838442 -c----w- c:\documents and settings\All Users\Application Data\~0\speedupmypc2009.exe
2009-11-09 22:08 . 2009-11-09 22:08 -------- d-----w- c:\program files\Uniblue
2009-11-09 22:07 . 2009-11-09 22:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2009-11-09 21:53 . 2009-11-09 21:53 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-11-09 17:25 . 2009-11-09 17:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-08 03:13 . 2009-10-16 17:12 1119488 -c--a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-11-08 03:07 . 2009-11-08 23:36 -------- dc----w- C:\$AVG
2009-11-08 03:07 . 2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 03:07 . 2009-11-10 00:30 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 03:07 . 2009-11-08 03:07 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 03:07 . 2009-11-08 03:07 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 03:07 . 2009-11-12 22:59 -------- d-----w- c:\windows\system32\drivers\Avg
2009-11-08 03:06 . 2009-11-08 03:13 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-08 03:06 . 2009-11-08 03:06 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
2009-11-07 15:26 . 2009-11-07 15:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 16:33 . 2009-11-04 16:33 152576 ----a-w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-20 07:04 . 2009-10-20 07:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2009-10-16 07:02 . 2009-10-16 07:02 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2009-10-14 02:17 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2009-10-14 02:17 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 01:46 . 2009-07-31 16:25 -------- d-----w- c:\documents and settings\D\Application Data\Skype
2009-11-13 01:44 . 2007-08-27 05:32 -------- d-----w- c:\documents and settings\D\Application Data\WTablet
2009-11-13 01:44 . 2007-07-18 01:11 2048 --s-a-w- c:\windows\bootstat.dat
2009-11-13 01:10 . 2009-07-31 16:26 -------- d-----w- c:\documents and settings\D\Application Data\skypePM
2009-11-09 22:28 . 2008-04-07 10:36 -------- d-----w- c:\documents and settings\D\Application Data\uTorrent
2009-11-09 21:53 . 2007-09-03 12:08 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-09 21:52 . 2009-08-24 23:53 -------- dc----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-08 03:06 . 2008-06-17 03:20 -------- d-----w- c:\program files\AVG
2009-11-07 23:49 . 2007-08-03 05:26 -------- d-----w- c:\program files\Lavasoft
2009-11-07 22:00 . 2009-09-04 16:39 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-07 00:36 . 2009-07-18 00:55 -------- d-----w- c:\program files\Vuze
2009-11-06 19:15 . 2009-09-09 03:15 120 ----a-w- c:\windows\Hvuwurupohofuso.dat
2009-11-04 16:34 . 2008-02-20 04:50 -------- d-----w- c:\program files\Java
2009-10-25 06:40 . 2009-09-19 20:40 25 ----a-w- c:\windows\popcinfot.dat
2009-10-23 05:27 . 2009-07-17 22:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-21 23:39 . 2009-09-01 00:36 -------- d-----w- c:\program files\MilkShape 3D 1.8.5
2009-10-16 20:23 . 2007-07-18 01:13 103320 -c--a-w- c:\documents and settings\D\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2009-08-19 04:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 18:59 . 2009-08-27 21:00 -------- d-----w- c:\program files\s3pe
2009-10-02 22:41 . 2009-08-27 21:01 -------- d-----w- c:\program files\s3oc
2009-09-24 16:21 . 2007-11-04 16:42 -------- d-----w- c:\documents and settings\D\Application Data\U3
2009-09-21 16:20 . 2009-09-21 16:20 -------- d-----w- c:\program files\WinSCP
2009-09-21 00:04 . 2009-07-15 17:20 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-21 00:04 . 2007-07-18 01:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-21 00:03 . 2009-07-15 17:20 151552 ----a-w- c:\windows\system32\nvRegDev.dll
2009-09-19 18:56 . 2009-09-19 18:56 -------- dc----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-09-19 17:45 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony
2009-09-19 17:44 . 2009-09-19 17:44 -------- d-----w- c:\program files\Common Files\Sony Shared
2009-09-19 17:44 . 2009-09-19 17:43 -------- d-----w- c:\program files\Sony
2009-09-19 17:44 . 2009-09-19 17:44 10134 ----a-r- c:\documents and settings\D\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-09-19 17:43 . 2009-09-19 17:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-09-19 17:41 . 2009-09-19 17:41 -------- d-----w- c:\documents and settings\D\Application Data\Sony Setup
2009-09-19 17:40 . 2009-09-19 17:40 -------- d-----w- c:\program files\Sony Setup
2009-09-11 21:41 . 2008-06-07 02:15 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 10:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 12:03 . 2009-09-04 12:03 488968 ----a-w- c:\documents and settings\D\Application Data\Real\Update\setup\setup.exe
2009-09-02 05:11 . 2009-09-02 05:11 18941 ----a-w- c:\documents and settings\D\Application Data\kugeguzi.exe
2009-09-02 05:11 . 2009-09-02 05:11 18941 ----a-w- c:\documents and settings\D\Application Data\kugeguzi.exe
2009-09-02 05:11 . 2009-09-02 05:11 17758 ----a-w- c:\windows\system32\kawuva.sys
2009-09-02 05:11 . 2009-09-02 05:11 13975 ----a-w- c:\program files\Common Files\kimuwyhy._dl
2009-09-02 05:11 . 2009-09-02 05:11 13313 ----a-w- c:\documents and settings\D\Application Data\ehiz.dat
2009-09-02 05:11 . 2009-09-02 05:11 12795 ----a-w- c:\program files\Common Files\jaruqeca.dl
2009-09-02 05:11 . 2009-09-02 05:11 12049 ----a-w- c:\windows\system32\pifax.dat
2009-08-29 08:08 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 10:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 04:38 . 2009-08-19 04:38 152576 ------w- c:\documents and settings\D\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-13 01:08 . 2009-08-13 01:08 39424 --sha-w- c:\windows\system32\fapawozi.dll
2009-08-12 19:46 . 2009-08-12 19:46 45056 --sha-w- c:\windows\system32\gufinuta.dll
2009-08-13 01:08 . 2009-08-13 01:08 45056 --sha-w- c:\windows\system32\zilebobi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25607976]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-12 2020120]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-07-12 7626752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-05 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-07-12 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-07-12 1519616]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 03:07 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BackUp Windows 2009"=c:\docume~1\D\LOCALS~1\Temp\nwgjhk.exe
"ljtrxsnt"=c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"ljtrxsnt"=c:\documents and settings\D\Local Settings\Application Data\vfqdwd\xwwusysguard.exe
"latelaveka"=Rundll32.exe "viniyare.dll",s
"PHIME2002A"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"pazezaded"=Rundll32.exe "c:\windows\system32\laraguji.dll",a
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Abacast\\Abaclient.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\Program Files\\Autodesk\\Maya2008\\bin\\maya.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Crazybump Beta Test\\CrazyBump.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/7/2009 10:07 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/7/2009 10:07 PM 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [11/7/2009 10:06 PM 285392]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S3 axskbus;axskbus;c:\windows\system32\DRIVERS\axskbus.sys --> c:\windows\system32\DRIVERS\axskbus.sys [?]
S3 QCAbsee;Logitech QuickCam Web (0801);c:\windows\system32\drivers\OVCA.sys [10/3/2007 11:56 PM 25088]
S3 XDva011;XDva011;\??\c:\windows\system32\XDva011.sys --> c:\windows\system32\XDva011.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\XDva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys --> c:\windows\system32\XDva190.sys [?]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-12 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-11-07 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: {50998A40-AA88-4ABF-9E5A-A7A6F6FD3BAE} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\D\Application Data\Mozilla\Firefox\Profiles\fa8cq251.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
.
- - - - ORPHANS REMOVED - - - -
BHO-{02d90cb7-3304-4d53-8c6b-079e27d1004e} - vumehijo.dll
BHO-{0adfa9e0-af24-4ea1-9179-124fcf86a84e} - vumehijo.dll
HKLM-Run-pazezaded - c:\windows\system32\laraguji.dll
HKLM-Run-latelaveka - viniyare.dll
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
SharedTaskScheduler-{470e951f-c627-440e-bf1b-930718407c60} - c:\windows\system32\vakefume.dll
SharedTaskScheduler-{f1c4682b-c65e-4db2-bcc0-fd31792ff764} - c:\windows\system32\falukovo.dll
SharedTaskScheduler-{c80b742f-cb48-495b-99e0-dd914924894c} - c:\windows\system32\sokodewu.dll
SharedTaskScheduler-{8f14ed5e-cf22-49d5-9aff-63d2ab0fa48e} - c:\windows\system32\lehelojo.dll
SharedTaskScheduler-{6b34fb22-5c11-4f90-a337-3d2398af3730} - c:\windows\system32\laraguji.dll
SSODL-sowadijud-{470e951f-c627-440e-bf1b-930718407c60} - c:\windows\system32\vakefume.dll
SSODL-soyiduhek-{f1c4682b-c65e-4db2-bcc0-fd31792ff764} - c:\windows\system32\falukovo.dll
SSODL-kemazizab-{c80b742f-cb48-495b-99e0-dd914924894c} - c:\windows\system32\sokodewu.dll
SSODL-tizafihiy-{8f14ed5e-cf22-49d5-9aff-63d2ab0fa48e} - c:\windows\system32\lehelojo.dll
SSODL-nikigunet-{cf42a7b8-0521-45d5-962a-da070bd46846} - (no file)
SSODL-fumudayuk-{68699b95-afe9-4c25-a1b8-b3438d0def78} - (no file)
SSODL-zevayizep-{6b34fb22-5c11-4f90-a337-3d2398af3730} - c:\windows\system32\laraguji.dll
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-MilkShape 3D 1.8.4 - c:\program files\MilkShape 3D 1.8.4\uninstall.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-Scriptorium_for_TS2_is1 - e:\eagame~1\SIMS2~1\TSData\Res\Catalog\Scripts\Scriptorium_Backup\unins000.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 20:45
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spmj.sys hal.dll >>UNKNOWN [0x8A863938]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
atapi.sys @ 0x0 0x0 bytes
\Driver\atapi [ IRP_MJ_CREATE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xA6F2 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xA712 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0x6852 != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xA73C != 0xBA609B40 atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0x11336 != 0xBA609B40 atapi.sys
\Driver\atapi IRP hooks detected !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,20,2e,d3,83,e0,a8,f3,4f,b1,92,7e,\
[HKEY_USERS\S-1-5-21-602162358-1177238915-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaanmcphgmojbepbhm"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,67,
70,6a,00,f0
"hagncbooklchmfoh"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
"handeiegdejkdelb"=hex:64,63,6a,62,6b,67,67,6d,62,64,65,70,68,6d,69,67,62,62,
6f,63,6d,6e,69,61,6d,6c,62,6a,6a,66,6c,65,6b,64,6b,6d,68,69,61,62,69,68,6f,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{83CF03DE-408E-5F6E-94BF-9582B7C2E820}\InProcServer32*]
"jacnhpplokjcbfdgfape"=hex:6a,61,64,6f,70,65,6b,6f,6c,68,6a,6b,65,6c,6d,61,67,
67,70,6a,00,00
"iacnbpfbdhommnmdio"=hex:6a,61,64,6f,6b,65,6c,70,65,68,6c,69,64,6e,68,63,69,6d,
70,6d,00,e2
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2500)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-11-12 20:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 01:56
Pre-Run: 45,087,375,360 bytes free
Post-Run: 45,195,243,520 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 1D144860562482E44EB772D9A2E9BD01
Here is the HJT file after the Kaspersky scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:47 AM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
--
End of file - 8691 bytes
I would greatly appreciate it if someone would let me know whether my computer is clean. I have already seen a great increase in speed while online and when opening files. I have also reactivated the resident shield in AVG. Thank you in advance for the help.