Fake Windows Security.

Micro-star international / ATHLON
April 26, 2009 at 17:03:16
Specs: Windows XP
I'm getting these annoying pop-ups of fake Windows security that are desperate to install their anti-virus onto my computer and delete AVG. I can't seem to get rid of it. Now my computer is going slower and blue screening and restarting.
Manufacturer: Msi
Model: Ms-6590
OS: Microsoft Windows XP Professional
CPU/Ram: 1.102 GHz / 1535 MB
Video Card: NVIDIA GeForce 6800
Sound Card: USB Audio Device




#1
April 26, 2009 at 17:52:06
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


If Malwarebytes installed but will not run navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename HJTInstall.exe to tools.exe in the filename box, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
April 26, 2009 at 18:34:43
Hmm, I just did a system restore to yesterday's date and the popups are gone and my AVG's resident shield is working again. The virus still exists apparently, but AVG resident shield keeps randomly popping up and moving them to the vault. So far I haven't noticed any effects of the virus yet.

I guess I should try these scans just in case.



#3
April 26, 2009 at 18:43:33
Yes, you need to run the scans.



#4
April 26, 2009 at 19:31:51
Here's the log from Anti-Malware:

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

4/26/2009 10:17:27 PM
mbam-log-2009-04-26 (22-17-27).txt

Scan type: Quick Scan
Objects scanned: 79944
Time elapsed: 24 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31d1da7a-7bbd-4878-a3d5-8e406d833bbe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31d1da7a-7bbd-4878-a3d5-8e406d833bbe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a75e294e-c047-4d29-b07e-37b792881bef} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7aa32fc7-133b-4ae7-998e-ced0d9829b12} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000005-0000-0000-0000-100009000004} (Heuristics.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACabitmxvkbnmpmni.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACwhopxudeuwmrqhe.sys (Trojan.Agent) -> Quarantined and deleted successfully.


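The Malwarebytes log above is easier to act on once it is reduced to what it implies. The following is an added example, written for this page and not part of the thread or of Malwarebytes: it parses the "... Infected:" sections of the log format shown, groups detections by threat name, and extracts what the names alone do not make obvious: a kernel driver under system32\drivers (a rootkit component was loaded, so a reboot and rescan are needed), file names that look machine-generated, and every CLSID, so the same GUIDs can be searched for in a HijackThis log. The "generated name" pattern and the sample excerpt (copied from the log above) are this example's assumptions.

```python
"""Summarise a Malwarebytes' Anti-Malware log and pull out the indicators
a responder wants next.

Added example; not from the thread and not part of Malwarebytes. The
"generated name" regex is an assumption about the dropper's naming scheme.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^)]+)\) -> (?P<action>.+)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
DRIVER_RE = re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)
# Fixed uppercase prefix followed by a long run of random lowercase letters,
# e.g. UACabitmxvkbnmpmni.dll (assumption; the fixed-name uacinit.dll does not match).
GENERATED_NAME_RE = re.compile(r"\\[A-Z]{2,4}[a-z]{10,}\.(?:dll|sys|dat|db|log)$")

# Excerpt of the log posted above (header, five registry keys, three files).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Registry Keys Infected: 5
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31d1da7a-7bbd-4878-a3d5-8e406d833bbe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{31d1da7a-7bbd-4878-a3d5-8e406d833bbe} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a75e294e-c047-4d29-b07e-37b792881bef} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACabitmxvkbnmpmni.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACwhopxudeuwmrqhe.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return {section name: [(path, threat, action), ...]} for the detail sections.

    The summary block ("Files Infected: 3") has no trailing colon, so it is
    skipped; "(No malicious items detected)" has no " -> " and is skipped too.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ITEM_RE.match(line)
        if m and current:
            sections[current].append((m.group("path"), m.group("threat"), m.group("action")))
    return dict(sections)


def summarize(sections):
    """Group detections by threat name and extract driver / generated-name / CLSID indicators."""
    by_threat = defaultdict(int)
    drivers, generated, clsids = [], [], set()
    for items in sections.values():
        for path, threat, _action in items:
            by_threat[threat] += 1
            if DRIVER_RE.search(path):
                drivers.append(path)
            if GENERATED_NAME_RE.search(path):
                generated.append(path)
            clsids.update(g.lower() for g in CLSID_RE.findall(path))
    return {
        "by_threat": dict(by_threat),
        "drivers": drivers,            # a .sys here means kernel-mode code was active
        "generated_names": generated,
        "clsids": sorted(clsids),      # look these up in the HijackThis O2/O3 lines
        "reboot_and_rescan": bool(drivers),
    }


def summarize_log(text):
    return summarize(parse_mbam_log(text))


if __name__ == "__main__":
    for key, value in summarize_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full log by reading the mbam-log-*.txt file into summarize_log. The driver check is the important one here: a quarantined .sys under system32\drivers means the machine was running attacker kernel code, which is exactly why the helper in the next replies does not treat the Malwarebytes result as the end of the clean-up.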

#5
April 26, 2009 at 19:34:39
Looks like Malwarebytes found some of the infection. We need to see the HijackThis log.


#6
April 26, 2009 at 19:38:06

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:15 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CachemanXP\CachemanXP.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jamie\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aionline.edu/portal/server.pt?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WebPerform - {AB692F9B-27FE-4511-8885-ED62BB45197B} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\jamie\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=zuzed009MJUS_ZZzer000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wotuzapi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\Program Files\CachemanXP\CachemanXP.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 13595 bytes


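A HijackThis log is long, and most of it is harmless, so a first pass usually goes through a short list of checks before anything is fixed. The following is an added example, written for this page and not part of the thread or of HijackThis: it parses the "Oxx - section: detail" line format of the log above and applies those checks (search/start pages pointing at an unexpected host, orphaned BHOs, autoruns living in the user profile, unknown LSPs, static DNS servers, an AppInit_DLLs entry, and services with no publisher). The allowlists and the "random name" pattern are this example's assumptions; the sample lines are copied from the log above.

```python
"""First-pass triage of a HijackThis v2 log.

Added example; not from the thread and not part of HijackThis. The two
allowlists and RANDOM_SYSTEM32_DLL are assumptions made for this example.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "code section detail")

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<rest>.+)$")

# Hosts this user's search/start pages may legitimately point at (assumption).
TRUSTED_SEARCH_HOSTS = {"www.yahoo.com", "go.microsoft.com", "mycampus.aionline.edu"}
# Static NameServer values accepted without comment; these two are OpenDNS (assumption).
TRUSTED_NAMESERVERS = {"208.67.220.220", "208.67.222.222"}
# Dropper-style name: eight lowercase letters, no digits, directly in system32 (assumption).
RANDOM_SYSTEM32_DLL = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)

# Lines copied from the log posted above, trimmed to one or two per category.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.aionline.edu/portal/server.pt?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: WebPerform - {AB692F9B-27FE-4511-8885-ED62BB45197B} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\jamie\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: C:\WINDOWS\system32\wotuzapi.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse(log_text):
    """Split the log into Entry(code, section, detail); header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # "Oxx - section: detail"; R lines have no ": " so the whole rest becomes the section.
        section, _, detail = m.group("rest").partition(": ")
        entries.append(Entry(m.group("code"), section, detail))
    return entries


def triage(entries):
    """Return (code, severity, message) for every entry a human should look at."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1"):
            # "HKCU\...\Main,Search Bar = http://search.bearshare.com/sidebar..."
            _, sep, value = e.section.partition(" = ")
            host = urlparse(value).hostname if sep else None
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append((e.code, "high", f"search/start page redirected to {host}"))
        elif e.code in ("O2", "O3") and e.detail.endswith("(no file)"):
            # Registration survives but the DLL is gone: leftover of a removed add-on or malware.
            findings.append((e.code, "review", f"orphaned {e.section} entry: {e.detail}"))
        elif e.code == "O4" and "\\application data\\" in e.detail.lower():
            # Autoruns from the user profile are where droppers hide; this one may be legitimate.
            findings.append((e.code, "review", f"autorun from user profile: {e.detail}"))
        elif e.code == "O10":
            # HijackThis flags any LSP DLL it does not know; verify the file before touching it.
            findings.append((e.code, "review", f"{e.section}: {e.detail}"))
        elif e.code == "O17":
            _, _, servers = e.detail.partition(" = ")
            unknown = set(servers.split(",")) - TRUSTED_NAMESERVERS
            if unknown:
                findings.append((e.code, "high", f"unexpected DNS servers {sorted(unknown)}"))
        elif e.code == "O20" and e.section == "AppInit_DLLs":
            # AppInit_DLLs is loaded into every process that links user32.dll.
            sev = "high" if RANDOM_SYSTEM32_DLL.search(e.detail) else "review"
            findings.append((e.code, sev, f"AppInit_DLLs injects {e.detail} into every GUI process"))
        elif e.code == "O23" and "Unknown owner" in e.detail:
            findings.append((e.code, "review", f"service without publisher: {e.detail.split(' - ')[0]}"))
    return findings


def triage_log(log_text):
    return triage(parse(log_text))


if __name__ == "__main__":
    for code, severity, message in triage_log(SAMPLE_LOG):
        print(f"{code:<4} {severity:<7} {message}")
```

On the sample above the two "high" findings are the BearShare search hijack and the AppInit_DLLs entry for wotuzapi.dll, which is the same kind of item the helper picks up in the next reply; the "review" items (the MagicJack autorun, the NetWare LSP provider, the PCI Latency Tool service) are there to be verified, not removed, which is why the instructions say not to let HijackThis fix anything yet.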

#7
April 26, 2009 at 20:03:39
You still have an infection.

I would suggest that you go to add/remove programs and uninstall Bearshare as it is known to harbor spyware.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to toolb.exe in the filename box, then click Save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, then turn off your AVG antivirus, Spybot and any other antispyware that you may have. To get AVG turned off, once you select Exit from the system tray, click on the desktop icon > click Resident Shield > uncheck the box to the left of "Resident Shield active" > click Save. Undo this when you finish running ComboFix.
2. Run Combofix by double clicking the toolb.exe icon on your desktop and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.



#8
April 26, 2009 at 20:39:07
I'm confused as to why Bearshare is showing up. I removed that program like, a year ago. I didn't like the program and never used it. It's not in add/remove and doesn't show up in search.

I'll select and remove it with HijackThis if possible.

How do I make sure all mal-ware blockers, anti-virus and etc are off?



#9
April 26, 2009 at 21:02:04
Well have you just tried to use a registry cleaner?

Want A Weekly Update on Latest System Security Problem http://www.systemsecurityinstitute.org



#10
April 26, 2009 at 22:00:04
I've had and used Eusing Registry Cleaner for a long time.

Here's the ComboFix log. I ran it a 2nd time because the 1st time it restarted on its own and gave no log, or something; I was afk.

ComboFix 09-04-25.A3 - jamie 04/27/2009 0:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1073 [GMT -4:00]
Running from: c:\documents and settings\jamie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\jamie\Application Data\inst.exe
c:\windows\system32\1300200.dll
c:\windows\system32\13573125.dll
c:\windows\system32\14505975.dll
c:\windows\system32\34698158.dll
c:\windows\system32\6756292.dll
c:\windows\system32\722160.dll
c:\windows\system32\feretizi.dll
c:\windows\system32\installer.exe
c:\windows\system32\UACqoorfrlwcilloam.db
c:\windows\system32\UACuutdpxxfyptfuep.log
c:\windows\system32\UACymphreqaqpulsdp.dat

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 01:50 . 2009-04-27 01:50 -------- d-----w c:\documents and settings\jamie\Application Data\Malwarebytes
2009-04-27 01:50 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 01:50 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 01:50 . 2009-04-27 01:50 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 01:50 . 2009-04-27 01:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 19:25 . 2009-04-26 19:25 59904 --sha-w c:\windows\system32\kanolalo.exe
2009-04-26 19:12 . 2009-04-27 00:50 3794557 ----a-w c:\windows\system32\uactmp.db
2009-04-26 19:08 . 2009-04-26 19:15 -------- d-----w c:\program files\Coreguard Antivirus 2009
2009-04-26 19:05 . 2009-04-26 19:05 82432 ----a-w c:\windows\system32\resdll.dll
2009-04-26 19:05 . 2009-04-26 19:05 123392 ----a-w c:\windows\system32\wscsvc32.exe
2009-04-25 05:45 . 2009-04-25 05:45 -------- dc----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-25 05:45 . 2009-04-25 05:45 -------- d-----w c:\documents and settings\jamie\Application Data\AVS4YOU
2009-04-25 05:40 . 2009-04-25 05:41 -------- d-----w c:\program files\Common Files\AVSMedia
2009-04-25 05:40 . 2009-04-26 19:44 -------- d-----w c:\program files\AVS4YOU
2009-04-16 10:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 10:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 10:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 10:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 10:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:54 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 10:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-11 23:36 . 2009-04-11 23:36 -------- d-----w c:\program files\Common Files\Control Panels
2009-04-10 23:23 . 2009-04-10 23:23 41808 -c--a-w c:\windows\system32\xfcodec.dll
2009-04-10 07:02 . 2009-04-10 07:02 -------- d-----w c:\windows\system32\KB905474
2009-04-10 07:02 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-10 07:02 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-10 07:02 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-02 18:58 . 2008-04-14 00:12 82432 ---h-tw c:\windows\system32\347a5c4.dll
2009-04-02 18:58 . 2008-04-14 00:12 82432 ---h-tw c:\windows\system32\17c1aac.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 04:36 . 2008-04-19 05:27 -------- d-----w c:\documents and settings\jamie\Application Data\Xfire
2009-04-27 04:24 . 2008-12-13 17:23 -------- d-----w c:\documents and settings\jamie\Application Data\mjusbsp
2009-04-27 03:01 . 2007-04-14 04:25 61034 -c--a-w C:\YServer.txt
2009-04-27 00:26 . 2008-11-01 00:38 -------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-04-26 19:58 . 2007-07-25 02:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-25 03:29 . 2007-08-25 22:53 -------- d-----w c:\documents and settings\jamie\Application Data\Azureus
2009-04-24 01:20 . 2008-04-19 05:27 -------- d-s---w c:\program files\Xfire
2009-04-23 22:30 . 2007-08-23 19:40 -------- d-----w c:\program files\Java
2009-04-19 19:46 . 2007-06-29 04:38 -------- d-----w c:\documents and settings\jamie\Application Data\SecondLife
2009-04-19 17:46 . 2008-09-14 15:56 2002 -c--a-w C:\LXDDcomx.log
2009-04-19 17:46 . 2008-09-14 07:20 -------- d-----w c:\program files\Lx_cats
2009-04-17 06:40 . 2008-09-05 07:11 -------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-17 03:42 . 2009-02-05 06:46 -------- d-----w c:\program files\Perfect World Entertainment
2009-04-12 17:37 . 2008-10-07 16:04 -------- d-----w c:\documents and settings\jamie\Application Data\Skype
2009-04-12 17:20 . 2008-10-07 16:09 -------- d-----w c:\documents and settings\jamie\Application Data\skypePM
2009-04-12 04:08 . 2007-04-13 06:14 73824 -c--a-w c:\documents and settings\jamie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 21:23 . 2007-06-13 17:59 -------- d-----w c:\program files\Common Files\Adobe
2009-04-10 07:01 . 2007-08-25 22:49 -------- d-----w c:\program files\Azureus
2009-03-26 03:14 . 2008-01-19 23:29 -------- d-----w c:\program files\SecondLife
2009-03-25 03:06 . 2009-03-25 03:06 173 -c--a-w C:\Connector-2009-03-24.log
2009-03-17 21:20 . 2009-02-20 05:33 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-16 00:24 . 2009-03-16 00:03 346 -c--a-w C:\Connector-2009-03-15.log
2009-03-13 03:34 . 2008-12-15 03:13 -------- d-----w c:\documents and settings\jamie\Application Data\GSC
2009-03-09 09:19 . 2009-01-06 15:33 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-03-09 04:53 . 2009-03-09 04:53 -------- d-----w c:\documents and settings\jamie\Application Data\Elluminate
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 05:53 . 2009-01-28 18:19 -------- d-----w c:\documents and settings\jamie\Application Data\InstallShield
2009-02-26 23:34 . 2009-02-26 23:34 -------- d-----w c:\program files\QAvimator
2009-02-20 18:09 . 2004-08-04 10:00 78336 -c--a-w c:\windows\system32\ieencode.dll
2009-02-20 05:34 . 2009-02-20 05:34 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-02-20 05:34 . 2009-02-20 05:34 360192 -c--a-w c:\windows\system32\TuneUpDefragService.exe
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 03:09 . 2008-02-24 23:55 55 -c--a-w C:\DVDPATH.TXT
2009-02-07 23:02 . 2005-03-30 01:01 2066048 -c--a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2005-03-30 01:23 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 18:52 . 2008-11-01 00:38 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-01-20 14:14 . 2007-04-14 00:33 47360 -c--a-w c:\documents and settings\jamie\Application Data\pcouffin.sys
2007-04-14 00:33 . 2007-04-14 00:33 87608 -c--a-w c:\documents and settings\jamie\Application Data\ezpinst.exe
2008-01-10 19:05 . 2008-01-10 19:05 0 -csha-w c:\windows\SF285FB59.tmp
2008-09-07 12:11 . 2008-09-07 12:11 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"cdloader"="c:\documents and settings\jamie\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-05-06 900096]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 68856]

c:\documents and settings\jamie\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-4-10 3111248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-4-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 18:52 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wotuzapi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^MP3 Rocket (Minimized).lnk]
backup=c:\windows\pss\MP3 Rocket (Minimized).lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^VonageRestart.exe]
backup=c:\windows\pss\VonageRestart.exeStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Vongo Tray.lnk]
backup=c:\windows\pss\Vongo Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"McciCMService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXSUPMON"=c:\windows\system32\LXSUPMON.EXE RUN
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Documents and Settings\\jamie\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25777:UDP"= 25777:UDP:xfirevoice
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 CachemanXPService;CachemanXP;c:\program files\CachemanXP\CachemanXP.exe [2007-06-02 245248]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2007-05-23 547744]
R3 CBPMp50;CBPMp50 NDIS Protocol Driver; [x]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPSp50.sys [2006-11-29 27072]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\DRIVERS\lne100v5.sys [2001-04-01 36013]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
R3 USB_RNDIS_51; USB Remote NDIS Device Driver;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
R3 XDva189;XDva189; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-05 325128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
S2 LtcyCfgSvc;PCI Latency Tool Service;c:\program files\PCI Latency Tool 3\LtcyCfgSvc.exe [2005-12-26 5120]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-05-25 537520]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2005-05-19 70016]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-20 603904]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 6656]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a90045f-c940-11dd-9c61-000c763c5b72}]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 02:36]

2009-04-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mycampus.aionline.edu/portal/server.pt?
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - ?p=zuzed009MJUS_ZZzer000
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\jamie\Application Data\Mozilla\Firefox\Profiles\e8mi8nfi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 00:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-813497703-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,8c,77,85,03,ac,1b,dc,e3,57,87,02,1f,f1,73,d8,f7,78,2a,d9,d5,ac,1f,
93,01,c3,a2,d2,7e,39,54,3f,37,9c,27,53,c1,3a,f0,91,5b,e9,6a,26,f4,8c,be,71,\
"??"=hex:aa,ad,a2,78,c7,9b,4b,66,7f,22,df,68,81,4c,16,e6
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-04-27 0:47
ComboFix-quarantined-files.txt 2009-04-27 04:45

Pre-Run: 23,932,641,280 bytes free
Post-Run: 23,920,275,456 bytes free

315 --- E O F --- 2009-04-17 06:46



#11
April 27, 2009 at 14:35:03
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\kanolalo.exe
c:\windows\system32\uactmp.db
c:\windows\SF285FB59.tmp

Folder::
c:\program files\Coreguard Antivirus 2009

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "run".

Please post the log that is produced.

Please go to Virus Total and upload the following files one at a time for analysis:

c:\windows\system32\347a5c4.dll

c:\windows\system32\17c1aac.dll

Use the browse button at the site to find the file; once you find the file, double-click it and it should appear in the empty space to the left of the browse button > click "send file".

Post the results in your reply.



#12
April 27, 2009 at 17:33:27
ComboFix 09-04-25.A3 - jamie 04/27/2009 19:52.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.773 [GMT -4:00]
Running from: c:\documents and settings\jamie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jamie\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\SF285FB59.tmp
c:\windows\system32\kanolalo.exe
c:\windows\system32\uactmp.db
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coreguard Antivirus 2009
c:\program files\Coreguard Antivirus 2009\blacklist.cga
c:\program files\Coreguard Antivirus 2009\core.cga
c:\program files\Coreguard Antivirus 2009\CoreExt.dll
c:\program files\Coreguard Antivirus 2009\firewall.dll
c:\windows\SF285FB59.tmp
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-4-27 )))))))))))))))))))))))))))))))
.

2009-04-27 01:50 . 2009-04-27 01:50 -------- d-----w c:\documents and settings\jamie\Application Data\Malwarebytes
2009-04-27 01:50 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 01:50 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 01:50 . 2009-04-27 01:50 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 01:50 . 2009-04-27 01:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 19:05 . 2009-04-26 19:05 82432 ----a-w c:\windows\system32\resdll.dll
2009-04-26 19:05 . 2009-04-26 19:05 123392 ----a-w c:\windows\system32\wscsvc32.exe
2009-04-25 05:45 . 2009-04-25 05:45 -------- dc----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-25 05:45 . 2009-04-25 05:45 -------- d-----w c:\documents and settings\jamie\Application Data\AVS4YOU
2009-04-25 05:40 . 2009-04-25 05:41 -------- d-----w c:\program files\Common Files\AVSMedia
2009-04-25 05:40 . 2009-04-26 19:44 -------- d-----w c:\program files\AVS4YOU
2009-04-16 10:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 10:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 10:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 10:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 10:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:54 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 10:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-11 23:36 . 2009-04-11 23:36 -------- d-----w c:\program files\Common Files\Control Panels
2009-04-10 23:23 . 2009-04-10 23:23 41808 -c--a-w c:\windows\system32\xfcodec.dll
2009-04-10 07:02 . 2009-04-10 07:02 -------- d-----w c:\windows\system32\KB905474
2009-04-10 07:02 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-10 07:02 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-10 07:02 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt
2009-04-02 18:58 . 2008-04-14 00:12 82432 ---h-tw c:\windows\system32\347a5c4.dll
2009-04-02 18:58 . 2008-04-14 00:12 82432 ---h-tw c:\windows\system32\17c1aac.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 23:58 . 2008-12-13 17:23 -------- d-----w c:\documents and settings\jamie\Application Data\mjusbsp
2009-04-27 23:58 . 2008-04-19 05:27 -------- d-----w c:\documents and settings\jamie\Application Data\Xfire
2009-04-27 03:01 . 2007-04-14 04:25 61034 -c--a-w C:\YServer.txt
2009-04-27 00:26 . 2008-11-01 00:38 -------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-04-26 19:58 . 2007-07-25 02:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-25 03:29 . 2007-08-25 22:53 -------- d-----w c:\documents and settings\jamie\Application Data\Azureus
2009-04-24 01:20 . 2008-04-19 05:27 -------- d-s---w c:\program files\Xfire
2009-04-23 22:30 . 2007-08-23 19:40 -------- d-----w c:\program files\Java
2009-04-19 19:46 . 2007-06-29 04:38 -------- d-----w c:\documents and settings\jamie\Application Data\SecondLife
2009-04-19 17:46 . 2008-09-14 15:56 2002 -c--a-w C:\LXDDcomx.log
2009-04-19 17:46 . 2008-09-14 07:20 -------- d-----w c:\program files\Lx_cats
2009-04-17 06:40 . 2008-09-05 07:11 -------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-17 03:42 . 2009-02-05 06:46 -------- d-----w c:\program files\Perfect World Entertainment
2009-04-12 17:37 . 2008-10-07 16:04 -------- d-----w c:\documents and settings\jamie\Application Data\Skype
2009-04-12 17:20 . 2008-10-07 16:09 -------- d-----w c:\documents and settings\jamie\Application Data\skypePM
2009-04-12 04:08 . 2007-04-13 06:14 73824 -c--a-w c:\documents and settings\jamie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 21:23 . 2007-06-13 17:59 -------- d-----w c:\program files\Common Files\Adobe
2009-04-10 07:01 . 2007-08-25 22:49 -------- d-----w c:\program files\Azureus
2009-03-26 03:14 . 2008-01-19 23:29 -------- d-----w c:\program files\SecondLife
2009-03-25 03:06 . 2009-03-25 03:06 173 -c--a-w C:\Connector-2009-03-24.log
2009-03-17 21:20 . 2009-02-20 05:33 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-16 00:24 . 2009-03-16 00:03 346 -c--a-w C:\Connector-2009-03-15.log
2009-03-13 03:34 . 2008-12-15 03:13 -------- d-----w c:\documents and settings\jamie\Application Data\GSC
2009-03-09 09:19 . 2009-01-06 15:33 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-03-09 04:53 . 2009-03-09 04:53 -------- d-----w c:\documents and settings\jamie\Application Data\Elluminate
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 05:53 . 2009-01-28 18:19 -------- d-----w c:\documents and settings\jamie\Application Data\InstallShield
2009-02-20 18:09 . 2004-08-04 10:00 78336 -c--a-w c:\windows\system32\ieencode.dll
2009-02-20 05:34 . 2009-02-20 05:34 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-02-20 05:34 . 2009-02-20 05:34 360192 -c--a-w c:\windows\system32\TuneUpDefragService.exe
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 03:09 . 2008-02-24 23:55 55 -c--a-w C:\DVDPATH.TXT
2009-02-07 23:02 . 2005-03-30 01:01 2066048 -c--a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2005-03-30 01:23 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 18:52 . 2008-11-01 00:38 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-01-20 14:14 . 2007-04-14 00:33 47360 -c--a-w c:\documents and settings\jamie\Application Data\pcouffin.sys
2007-04-14 00:33 . 2007-04-14 00:33 87608 -c--a-w c:\documents and settings\jamie\Application Data\ezpinst.exe
2008-09-07 12:11 . 2008-09-07 12:11 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-27_04.43.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 23:58 . 2009-04-27 23:58 16384 c:\windows\temp\Perflib_Perfdata_8a4.dat
+ 2009-04-27 23:57 . 2009-04-27 23:57 16384 c:\windows\temp\Perflib_Perfdata_4c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"cdloader"="c:\documents and settings\jamie\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-05-06 900096]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 68856]

c:\documents and settings\jamie\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-4-10 3111248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-4-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 18:52 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^MP3 Rocket (Minimized).lnk]
backup=c:\windows\pss\MP3 Rocket (Minimized).lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^VonageRestart.exe]
backup=c:\windows\pss\VonageRestart.exeStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Vongo Tray.lnk]
backup=c:\windows\pss\Vongo Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"McciCMService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXSUPMON"=c:\windows\system32\LXSUPMON.EXE RUN
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Documents and Settings\\jamie\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25777:UDP"= 25777:UDP:xfirevoice
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 CachemanXPService;CachemanXP;c:\program files\CachemanXP\CachemanXP.exe [2007-06-02 245248]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2007-05-23 547744]
R3 CBPMp50;CBPMp50 NDIS Protocol Driver; [x]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPSp50.sys [2006-11-29 27072]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\DRIVERS\lne100v5.sys [2001-04-01 36013]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
R3 USB_RNDIS_51; USB Remote NDIS Device Driver;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
R3 XDva189;XDva189; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-05 325128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
S2 LtcyCfgSvc;PCI Latency Tool Service;c:\program files\PCI Latency Tool 3\LtcyCfgSvc.exe [2005-12-26 5120]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-05-25 537520]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2005-05-19 70016]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-20 603904]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 6656]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a90045f-c940-11dd-9c61-000c763c5b72}]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 02:36]

2009-04-27 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mycampus.aionline.edu/portal/server.pt?
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - ?p=zuzed009MJUS_ZZzer000
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\jamie\Application Data\Mozilla\Firefox\Profiles\e8mi8nfi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-813497703-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,8c,77,85,03,ac,1b,dc,e3,57,87,02,1f,f1,73,d8,f7,78,2a,d9,d5,ac,1f,
93,01,c3,a2,d2,7e,39,54,3f,37,9c,27,53,c1,3a,f0,91,5b,e9,6a,26,f4,8c,be,71,\
"??"=hex:aa,ad,a2,78,c7,9b,4b,66,7f,22,df,68,81,4c,16,e6
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3140)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\LxrSII1s.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-04-27 20:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 00:07
ComboFix2.txt 2009-04-27 04:47

Pre-Run: 23,977,701,376 bytes free
Post-Run: 23,994,478,592 bytes free

327 --- E O F --- 2009-04-17 06:46



#13
April 27, 2009 at 17:38:39
File has already been analysed:
MD5: 2ccc474eb85ceaa3e1fa1726580a3e5a
First received: 04.21.2009 06:03:37 (CET)
Date: 04.26.2009 23:50:52 (CET) [+1D]
Results: 1/40
Permalink: analisis/2196eeb09320ffdf6c3b960e80dbd6c5

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.26 -
AhnLab-V3 5.0.0.2 2009.04.26 -
AntiVir 7.9.0.156 2009.04.26 -
Antiy-AVL 2.0.3.1 2009.04.24 -
Authentium 5.1.2.4 2009.04.26 -
Avast 4.8.1335.0 2009.04.26 -
AVG 8.5.0.287 2009.04.26 -
BitDefender 7.2 2009.04.26 -
CAT-QuickHeal 10.00 2009.04.25 -
ClamAV 0.94.1 2009.04.26 -
Comodo 1135 2009.04.25 -
DrWeb 4.44.0.09170 2009.04.26 -
eSafe 7.0.17.0 2009.04.23 -
eTrust-Vet 31.6.6475 2009.04.24 -
F-Prot 4.4.4.56 2009.04.26 -
F-Secure 8.0.14470.0 2009.04.25 -
Fortinet 3.117.0.0 2009.04.26 -
GData 19 2009.04.26 -
Ikarus T3.1.1.49.0 2009.04.26 -
K7AntiVirus 7.10.716 2009.04.25 -
Kaspersky 7.0.0.125 2009.04.26 -
McAfee 5597 2009.04.26 -
McAfee+Artemis 5597 2009.04.26 -
McAfee-GW-Edition 6.7.6 2009.04.26 Trojan.LooksLike.Patched
Microsoft 1.4602 2009.04.26 -
NOD32 4035 2009.04.25 -
Norman 6.00.06 2009.04.24 -
nProtect 2009.1.8.0 2009.04.26 -
Panda 10.0.0.14 2009.04.26 -
PCTools 4.4.2.0 2009.04.26 -
Prevx1 3.0 2009.04.26 -
Rising 21.26.62.00 2009.04.26 -
Sophos 4.41.0 2009.04.26 -
Sunbelt 3.2.1858.2 2009.04.24 -
Symantec 1.4.4.12 2009.04.26 -
TheHacker 6.3.4.1.314 2009.04.26 -
TrendMicro 8.700.0.1004 2009.04.25 -
VBA32 3.12.10.3 2009.04.25 -
ViRobot 2009.4.24.1708 2009.04.24 -
VirusBuster 4.6.5.0 2009.04.26 -
Additional information
File size: 82432 bytes
MD5...: 2ccc474eb85ceaa3e1fa1726580a3e5a
SHA1..: 7cf3366c68e402eb3678046fe97651a586044560
SHA256: 6e99d2fb4997e54e8b1b7d769cf2c0fae296a6441dc39984850ea26bfeb7e500
SHA512: 158cdba8cda0da68829f30fa8f5b7a0caca90d9a6ca7480a3de7a3a6c0f2f84d
68533d62c5f72c7f332e90a7a916f4b28c49c0841b3bfb0df5a8b63e4ba5426c
ssdeep: 1536:HRqRC/AJcBuyg2q1htxvSrqtkBx5sALnR4lxCyqnelG:HR0TJKBq1hrvSrM
kBx5swR41Mj
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1273
timedatestamp.....: 0x4802a163 (Mon Apr 14 00:12:19 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 cb2c4ac799159013b18999c21e2df4f0
.data 0x14000 0x914 0xa00 4.88 704b5717fb2cf3f297691957debc5e92
.rsrc 0x15000 0x3f8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xdc8 0xe00 6.65 c085926e9053221b19c5e6bcc1c08384

( 5 imports )
> ADVAPI32.dll: RegNotifyChangeKeyValue, RegDeleteKeyA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegEnumKeyExA
> KERNEL32.dll: GetTickCount, QueryPerformanceCounter, lstrcmpA, HeapReAlloc, HeapFree, HeapAlloc, InterlockedCompareExchange, IsBadWritePtr, GetEnvironmentVariableA, GetComputerNameA, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjectsEx, ResetEvent, IsBadReadPtr, TlsSetValue, GetHandleInformation, ExpandEnvironmentStringsA, InterlockedExchange, GetCurrentThreadId, TlsAlloc, GetSystemInfo, HeapCreate, GetProcessHeap, HeapDestroy, TlsFree, lstrlenA, lstrcpyA, IsBadCodePtr, GetProcAddress, CreateEventA, GetModuleFileNameA, LoadLibraryA, CreateThread, FreeLibrary, WaitForSingleObject, CloseHandle, FreeLibraryAndExitThread, EnterCriticalSection, SetEvent, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SwitchToThread, SetLastError, DelayLoadFailureHook, TlsGetValue, InterlockedDecrement, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, LeaveCriticalSection
> msvcrt.dll: __isascii, isspace, _except_handler3, sprintf, _adjust_fdiv, malloc, _initterm, free, _stricmp, fclose, fgets, atoi, strchr, fopen, wcscpy, strtoul, wcscmp, wcslen, wcschr
> ntdll.dll: RtlIpv4StringToAddressW, RtlIpv6StringToAddressExW, RtlIpv4StringToAddressA
> WS2HELP.dll: WahCompleteRequest, WahQueueUserApc, WahEnableNonIFSHandleSupport, WahDisableNonIFSHandleSupport, WahCreateSocketHandle, WahNotifyAllProcesses, WahCreateNotificationHandle, WahWaitForNotification, WahOpenCurrentThread, WahCloseThread, WahInsertHandleContext, WahRemoveHandleContext, WahDestroyHandleContextTable, WahCreateHandleContextTable, WahEnumerateHandleContexts, WahCloseApcHelper, WahCloseHandleHelper, WahCloseNotificationHandleHelper, WahOpenNotificationHandleHelper, WahOpenHandleHelper, WahOpenApcHelper, WahCloseSocketHandle, WahReferenceContextByHandle

( 117 exports )
FreeAddrInfoW, GetAddrInfoW, GetNameInfoW, WEP, WPUCompleteOverlappedRequest, WSAAccept, WSAAddressToStringA, WSAAddressToStringW, WSAAsyncGetHostByAddr, WSAAsyncGetHostByName, WSAAsyncGetProtoByName, WSAAsyncGetProtoByNumber, WSAAsyncGetServByName, WSAAsyncGetServByPort, WSAAsyncSelect, WSACancelAsyncRequest, WSACancelBlockingCall, WSACleanup, WSACloseEvent, WSAConnect, WSACreateEvent, WSADuplicateSocketA, WSADuplicateSocketW, WSAEnumNameSpaceProvidersA, WSAEnumNameSpaceProvidersW, WSAEnumNetworkEvents, WSAEnumProtocolsA, WSAEnumProtocolsW, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAGetQOSByName, WSAGetServiceClassInfoA, WSAGetServiceClassInfoW, WSAGetServiceClassNameByClassIdA, WSAGetServiceClassNameByClassIdW, WSAHtonl, WSAHtons, WSAInstallServiceClassA, WSAInstallServiceClassW, WSAIoctl, WSAIsBlocking, WSAJoinLeaf, WSALookupServiceBeginA, WSALookupServiceBeginW, WSALookupServiceEnd, WSALookupServiceNextA, WSALookupServiceNextW, WSANSPIoctl, WSANtohl, WSANtohs, WSAProviderConfigChange, WSARecv, WSARecvDisconnect, WSARecvFrom, WSARemoveServiceClass, WSAResetEvent, WSASend, WSASendDisconnect, WSASendTo, WSASetBlockingHook, WSASetEvent, WSASetLastError, WSASetServiceA, WSASetServiceW, WSASocketA, WSASocketW, WSAStartup, WSAStringToAddressA, WSAStringToAddressW, WSAUnhookBlockingHook, WSAWaitForMultipleEvents, WSApSetPostRoutine, WSCDeinstallProvider, WSCEnableNSProvider, WSCEnumProtocols, WSCGetProviderPath, WSCInstallNameSpace, WSCInstallProvider, WSCUnInstallNameSpace, WSCUpdateProvider, WSCWriteNameSpaceOrder, WSCWriteProviderOrder, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getprotobyname, getprotobynumber, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
PDFiD.: -
RDS...: NSRL Reference Data Set



#14
April 27, 2009 at 18:43:45
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\347a5c4.dll
c:\windows\system32\17c1aac.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#15
April 28, 2009 at 07:54:27
The online scan showed 0 infections.

ComboFix 09-04-25.A3 - jamie 04/27/2009 23:20.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.871 [GMT -4:00]
Running from: c:\documents and settings\jamie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jamie\Desktop\CFScript.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\17c1aac.dll
c:\windows\system32\347a5c4.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\17c1aac.dll
c:\windows\system32\347a5c4.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-27 01:50 . 2009-04-27 01:50 -------- d-----w c:\documents and settings\jamie\Application Data\Malwarebytes
2009-04-27 01:50 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 01:50 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 01:50 . 2009-04-27 01:50 -------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-27 01:50 . 2009-04-27 01:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-26 19:05 . 2009-04-26 19:05 82432 ----a-w c:\windows\system32\resdll.dll
2009-04-26 19:05 . 2009-04-26 19:05 123392 ----a-w c:\windows\system32\wscsvc32.exe
2009-04-25 05:45 . 2009-04-25 05:45 -------- dc----w c:\documents and settings\All Users\Application Data\AVS4YOU
2009-04-25 05:45 . 2009-04-25 05:45 -------- d-----w c:\documents and settings\jamie\Application Data\AVS4YOU
2009-04-25 05:40 . 2009-04-25 05:41 -------- d-----w c:\program files\Common Files\AVSMedia
2009-04-25 05:40 . 2009-04-26 19:44 -------- d-----w c:\program files\AVS4YOU
2009-04-16 10:55 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:55 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 10:55 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 10:55 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 10:55 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 10:55 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:54 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 10:54 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-11 23:36 . 2009-04-11 23:36 -------- d-----w c:\program files\Common Files\Control Panels
2009-04-10 23:23 . 2009-04-10 23:23 41808 -c--a-w c:\windows\system32\xfcodec.dll
2009-04-10 07:02 . 2009-04-10 07:02 -------- d-----w c:\windows\system32\KB905474
2009-04-10 07:02 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-04-10 07:02 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-04-10 07:02 . 2009-02-09 22:51 12490 ----a-w c:\windows\system32\KB905474\wga_eula.txt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 03:26 . 2008-12-13 17:23 -------- d-----w c:\documents and settings\jamie\Application Data\mjusbsp
2009-04-28 03:26 . 2008-04-19 05:27 -------- d-----w c:\documents and settings\jamie\Application Data\Xfire
2009-04-28 03:17 . 2008-04-19 05:27 -------- d-s---w c:\program files\Xfire
2009-04-27 03:01 . 2007-04-14 04:25 61034 -c--a-w C:\YServer.txt
2009-04-27 00:26 . 2008-11-01 00:38 -------- dc----w c:\documents and settings\All Users\Application Data\avg8
2009-04-26 19:58 . 2007-07-25 02:54 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-25 03:29 . 2007-08-25 22:53 -------- d-----w c:\documents and settings\jamie\Application Data\Azureus
2009-04-23 22:30 . 2007-08-23 19:40 -------- d-----w c:\program files\Java
2009-04-19 19:46 . 2007-06-29 04:38 -------- d-----w c:\documents and settings\jamie\Application Data\SecondLife
2009-04-19 17:46 . 2008-09-14 15:56 2002 -c--a-w C:\LXDDcomx.log
2009-04-19 17:46 . 2008-09-14 07:20 -------- d-----w c:\program files\Lx_cats
2009-04-17 06:40 . 2008-09-05 07:11 -------- dc----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-17 03:42 . 2009-02-05 06:46 -------- d-----w c:\program files\Perfect World Entertainment
2009-04-12 17:37 . 2008-10-07 16:04 -------- d-----w c:\documents and settings\jamie\Application Data\Skype
2009-04-12 17:20 . 2008-10-07 16:09 -------- d-----w c:\documents and settings\jamie\Application Data\skypePM
2009-04-12 04:08 . 2007-04-13 06:14 73824 -c--a-w c:\documents and settings\jamie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-11 21:23 . 2007-06-13 17:59 -------- d-----w c:\program files\Common Files\Adobe
2009-04-10 07:01 . 2007-08-25 22:49 -------- d-----w c:\program files\Azureus
2009-03-26 03:14 . 2008-01-19 23:29 -------- d-----w c:\program files\SecondLife
2009-03-25 03:06 . 2009-03-25 03:06 173 -c--a-w C:\Connector-2009-03-24.log
2009-03-17 21:20 . 2009-02-20 05:33 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-16 00:24 . 2009-03-16 00:03 346 -c--a-w C:\Connector-2009-03-15.log
2009-03-13 03:34 . 2008-12-15 03:13 -------- d-----w c:\documents and settings\jamie\Application Data\GSC
2009-03-09 09:19 . 2009-01-06 15:33 410984 -c--a-w c:\windows\system32\deploytk.dll
2009-03-09 04:53 . 2009-03-09 04:53 -------- d-----w c:\documents and settings\jamie\Application Data\Elluminate
2009-03-06 14:22 . 2004-08-04 10:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-03-04 03:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 05:53 . 2009-01-28 18:19 -------- d-----w c:\documents and settings\jamie\Application Data\InstallShield
2009-02-20 18:09 . 2004-08-04 10:00 78336 -c--a-w c:\windows\system32\ieencode.dll
2009-02-20 05:34 . 2009-02-20 05:34 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-02-20 05:34 . 2009-02-20 05:34 360192 -c--a-w c:\windows\system32\TuneUpDefragService.exe
2009-02-09 12:10 . 2004-08-04 10:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 10:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 10:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 10:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 10:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-08 03:09 . 2008-02-24 23:55 55 -c--a-w C:\DVDPATH.TXT
2009-02-07 23:02 . 2005-03-30 01:01 2066048 -c--a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2004-08-04 10:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2005-03-30 01:23 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 10:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-05 18:52 . 2008-11-01 00:38 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-02-03 19:59 . 2004-08-04 10:00 56832 ----a-w c:\windows\system32\secur32.dll
2008-01-20 14:14 . 2007-04-14 00:33 47360 -c--a-w c:\documents and settings\jamie\Application Data\pcouffin.sys
2007-04-14 00:33 . 2007-04-14 00:33 87608 -c--a-w c:\documents and settings\jamie\Application Data\ezpinst.exe
2008-09-07 12:11 . 2008-09-07 12:11 32768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090720080908\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-27_04.43.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 03:26 . 2009-04-28 03:26 16384 c:\windows\temp\Perflib_Perfdata_73c.dat
+ 2009-04-28 03:25 . 2009-04-28 03:25 16384 c:\windows\temp\Perflib_Perfdata_590.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"cdloader"="c:\documents and settings\jamie\Application Data\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"LXSUPMON"="c:\windows\system32\LXSUPMON.EXE" [2002-05-06 900096]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-05 1601304]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 620152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-04 68856]

c:\documents and settings\jamie\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-4-10 3111248]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2009-4-11 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 734872]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-05 18:52 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^MP3 Rocket (Minimized).lnk]
backup=c:\windows\pss\MP3 Rocket (Minimized).lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jamie^Start Menu^Programs^Startup^VonageRestart.exe]
backup=c:\windows\pss\VonageRestart.exeStartup

[HKLM\~\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^Vongo Tray.lnk]
backup=c:\windows\pss\Vongo Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"McciCMService"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"gusvc"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"LXSUPMON"=c:\windows\system32\LXSUPMON.EXE RUN
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"nwiz"=nwiz.exe /install

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\lxddcoms.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
"c:\\Documents and Settings\\jamie\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25777:UDP"= 25777:UDP:xfirevoice
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R2 CachemanXPService;CachemanXP;c:\program files\CachemanXP\CachemanXP.exe [2007-06-02 245248]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2007-05-23 547744]
R3 CBPMp50;CBPMp50 NDIS Protocol Driver; [x]
R3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\CBPSp50.sys [2006-11-29 27072]
R3 lne100v5;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\system32\DRIVERS\lne100v5.sys [2001-04-01 36013]
R3 SetupNTGLM7X;SetupNTGLM7X; [x]
R3 USB_RNDIS_51; USB Remote NDIS Device Driver;c:\windows\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
R3 XDva189;XDva189; [x]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-02-05 325128]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-05 298264]
S2 LtcyCfgSvc;PCI Latency Tool Service;c:\program files\PCI Latency Tool 3\LtcyCfgSvc.exe [2005-12-26 5120]
S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-05-25 537520]
S2 LxrSII1d;Secure II Driver;c:\windows\system32\Drivers\LxrSII1d.sys [2005-05-19 70016]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-20 603904]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 6656]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a90045f-c940-11dd-9c61-000c763c5b72}]
\Shell\AutoRun\command - G:\autorun.exe
\Shell\phone\command - G:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-12 02:36]

2009-04-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-10 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mycampus.aionline.edu/portal/server.pt?
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - ?p=zuzed009MJUS_ZZzer000
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\jamie\Application Data\Mozilla\Firefox\Profiles\e8mi8nfi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 23:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\jamie\LOCALS~1\Temp\Acrobat Distiller 8\000008DC
c:\docume~1\jamie\LOCALS~1\Temp\Acrobat Distiller 8\000008DC\dirlock.tmp 0 bytes
c:\docume~1\jamie\LOCALS~1\Temp\Acrobat Distiller 8\000008DC\Temp.msg 179 bytes


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-813497703-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,8c,77,85,03,ac,1b,dc,e3,57,87,02,1f,f1,73,d8,f7,78,2a,d9,d5,ac,1f,
93,01,c3,a2,d2,7e,39,54,3f,37,9c,27,53,c1,3a,f0,91,5b,e9,6a,26,f4,8c,be,71,\
"??"=hex:aa,ad,a2,78,c7,9b,4b,66,7f,22,df,68,81,4c,16,e6
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1900)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-28 23:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 03:35
ComboFix2.txt 2009-04-28 00:09
ComboFix3.txt 2009-04-27 04:47

Pre-Run: 23,910,793,216 bytes free
Post-Run: 23,892,209,664 bytes free

323 --- E O F --- 2009-04-17 06:46



#16
April 28, 2009 at 14:22:22
The Combofix log looks ok. Did you run the Kaspersky scan?


#17
April 28, 2009 at 16:51:30
Yeah, the log was empty and said no malware was found. Took 9 hours to finish. :(


#18
April 28, 2009 at 17:43:48
How is the computer operating?
